We were excited to publish a new white paper with Dark Reading earlier this spring that provides an in-depth overview of the state of DNS security, and why it’s a topic that has moved to the center of the cyber security conversation. Understanding DNS Threats and How to Use DNS to Expand Your Cybersecurity Arsenal is a collection of articles, originally published in Dark Reading, that outline the proliferating threats targeting the domain name system (DNS). It also gets to the heart of the DNS technologies, techniques and best practices that security teams are deploying to better protect users and network infrastructure from malicious attacks.
The goal of proactive DNS-layer security—such as using DNS data to mitigate threats that other defenses may miss—is to block threats before they hit the enterprise network or endpoints. In recent years, as DNS attacks have proliferated, there have been several important technological advances that are helping organizations significantly strengthen their overall security posture.
The first, eponymous, article in the paper—authored by longtime Dark Reading writer and editor Jai Vijayan—looks at how phishing, malware, and ransomware attacks routinely exploit techniques like DNS beaconing to communicate with C2 servers and DNS tunneling to covertly deliver payloads and exfiltrate data from enterprise networks. To hide phishing and malware-hosting sites, threat actors often use domain-generation algorithms and DNS fast-flux (rapidly swapping out IP addresses associated with a domain) to churn out new domain names faster than static enterprise blocking tools can keep up.
These types of attacks have become so commonplace in recent years, that a survey that analyst firm IDC conducted last year found 87% of organizations had experienced a DNS attack — mainly phishing, malware, and distributed denial-of-service (DDoS) — over the previous 12 months. Seventy-six percent of respondents viewed DNS security as critical to their threat mitigation efforts.
Vijayan cites John Yeoh, global vice president of research at the Cloud Security Alliance (CSA), saying that “as enterprises become more Internet-facing and cloud becomes the dominant form of computing, DNS is the front line for accessing data and information.”
DNS Name Server Hijack Attack Exposed Businesses, Government Agencies
The second piece in the paper, from Kelly Jackson Higgins, Editor-in-Chief at Dark Reading, recounts how security researchers at Wiz.io found a “novel” class of DNS vulnerabilities in AWS Route53 and other DNS-as-a-service offerings. With one simple registration step, they were able to set up a fake DNS instance that collected sensitive information on dozens of corporate and government customers.
All told, they got traffic from more than 15,000 different AWS customers and a million endpoint devices, all after registering a phony AWS name server as ns-852.awsdns-42. net, the same name as an actual AWS name server. The attack took advantage of a gray area in the DNS infrastructure: an unintended and unexpected consequence of the combination of traditional, old-school DNS technology on some Windows machines and today’s cloud DNS service features. Traditional DNS client software is old—some of which was written 20 years ago — and not built for cloud-based enterprise infrastructures, but instead for trusted internal enterprise domains.
The researchers say they can’t confirm whether any attackers employed this weakness in the DNS, but they sounded the alarm that it could also exist in other DNS providers’ services. “It’s important for all DNS providers” to ensure they’re not leaving their customers exposed via this vulnerable DNS setup, said Ami Luttwak, co-founder and CTO of Wiz.io as well as a former member of Microsoft’s cloud security team.
Researchers Connect Complex Specs to Software Vulnerabilities
The third article in the paper takes a look at six common mistakes in implementing network software that have led to scores of vulnerabilities, highlighting the impact that complex design requirements and ambiguous specifications can have on software security. Written by Dark Reading Contributing Writer Rob Lemos, the piece recounts a presentation by two security researchers who spoke at 2021’s Black Hat Asia conference: Daniel dos Santos from Forescout and Shlomi Oberman from security consultancy JSOF.
“Because of the complexity of the DNS specification, vulnerability types that we have known about for 20 years are appearing in implementations of network stacks,” explained dos Santos. “The more complex the software or protocol gets, the more difficult the protocol is to implement, so we need to make them as least complex as possible, which is not always possible.”
Newer Generic Top-Level Domains a Security ‘Nuisance’
The fourth piece, also written by Jai Vijayan, is based on an examination of ten years of passive DNS data, which showed that the of the Internet’s top-level domains (TLDs)—for instance, “.com” and .org”—many newer TLDs may present more of a security nuisance for organizations than anything else.
From a security perspective, one concern with the growth in the number of TLDs over the past few years is that attackers have more opportunities for spoofing domains for phishing, cybersquatting, and other malicious activities. For instance, by registering a popular brand’s domain name on a newer generic TLD and sending phishing emails from there, an attacker might have more success in getting victims to part with credentials and other sensitive information. In a 2019 Proofpoint study, nearly 96% of organizations found an exact match of their brand-owned domain on other TLDs.
See More, Secure More, with DNS
The final article in the paper, authored by Infoblox’s Krupa Srivatsan, posits that security teams should be treating DNS as one of the key tools for getting full visibility over what they have in their network and what is happening on their network. She points out that next-gen firewalls, email security, endpoint security, and Web gateways are all crucial defense-in-depth tools to protect against various threat vectors. However, there are still gaps and open doors that allow attackers to infiltrate networks, propagate laterally, and steal data.
The Domain Name System is critical network infrastructure that’s needed for online connectivity. In fact, most malware, including ransomware, also relies on DNS for connecting to their command-and-control (C2) servers to download encryption software and other malicious tools onto the compromised device. And they can use DNS to exfiltrate data as well, bypassing DLP and other data defenses. The fact that many security tools don’t inspect DNS is unfortunate as it provides attackers a “free ride” to evade existing security defenses and carry out their campaigns.
Knowing what’s on the network is the first step toward protecting what’s on the network. In today’s world of physical data centers, multi-cloud deployments, direct-to-Internet branches, BYOD and IoT/OT systems, full visibility seems almost a utopian concept. But there are network assets you already own that can help provide you with that visibility. You guessed right: DNS, along with DHCP and IP address management (IPAM) referred to collectively as DDI.
The DHCP server can identify system characteristics, such as device type, MAC address and OS version, while IPAM maintains this data along with extensive metadata that it can collect from other sources, providing a single, on-demand resource for networking and security teams.. And real-time network discovery functions provide a valuable secondary device detection and data collection service to keep the IPAM data as complete and accurate as possible.
This information becomes super critical for threat investigation or incident response because of the context it can provide about the users and devices involved. Moreover, DNS provides a trail of evidence of threat activity to tell you exactly what a given asset has been doing in the last hour, day, week, or month, which can be invaluable in a world where breaches can often be measured in months.
So, whether your goal is seeing and stopping more highly evasive threat activity, or speeding investigation and response, you own it to yourself to take a look at what DNS and other core network services have to offer.