DNS Security: a Must-Have under NIS 2
NIS 2 is Raising the Bar on Network Security
The EU Network and Information Systems Directive (“NIS 2”), which aims to improve cybersecurity resilience across the EU, must be transposed into Member State law by 17 October 2024. For a comprehensive overview of the NIS 2 requirements, see our previous blog.
Ahead of this date, the European Commission has adopted the NIS 2 Implementing Regulation which sets out in further detail some of the technological requirements which entities subject to NIS 2 are expected to comply with. The requirements of the Implementing Regulation form the baseline of compliance across the EU, and we expect them to be supplemented with further technical details and guidance in the coming months.
Of particular relevance to legal, compliance and cybersecurity practitioners working for entities subject to NIS 2 are the requirements of the Implementing Regulation on DNS security. Point 6.7 (network security) of the Annex to the Implementing Regulation requires that “the relevant entities shall . . . apply best practices for the security of the DNS”.
The European Union Agency for Cybersecurity (ENISA) will help define what constitutes “best practice for the security of the DNS” and we look forward to collaborating with them in that endeavor.
Infoblox has been providing DNS and DNS security solutions for over 25 years and has performed countless DNS health and security assessments for organizations across the globe. Based on that experience, we expect the best practices to focus on three key areas:
- Securing the DNS Platform;
- Securing the DNS Protocol; and
- Implementing DNS as a Cyber Security Control.
Securing the DNS Platform
Cyber security regulations are increasingly focused on operational risk and digital resiliency. This includes the resiliency and availability of critical infrastructure. DNS is a foundational networking service which users and applications rely on. Any loss of service due to denial-of-service attacks or even misconfiguration can have devastating consequences. It is expected that NIS 2, like other regulations, will focus heavily on ensuring that regulated entities have a robust and resilient DNS architecture that is accounted for in business continuity plans and processes.
In Infoblox’s experience, many organizations have not proactively assessed the robustness of their DNS deployments, leaving them exposed to significant operational and cybersecurity risk. Regulated entities are likely to need to undertake a DNS architecture assessment to address risks such as insufficient patch management or architecture resiliency before instituting processes to proactively maintain the DNS infrastructure.
Securing the DNS Protocol
As highlighted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [1], DNS is widely abused by threat actors to facilitate attacks ranging from ransomware to phishing. DNS deployed without appropriate security protections is also a proven channel for exfiltrating data out of a network: because almost every environment must allow outbound DNS for web browsing to work, an attacker can encode stolen data into the labels of queries for a domain they control and collect it from the authoritative server that answers those queries, passing through firewalls and proxies that would block other outbound protocols.
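One way to spot this kind of exfiltration in a resolver's query logs, shown here as an added example that is not Infoblox's code: group queries by registered domain and score each group on how many distinct names it generates and how long and random its leftmost labels are. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
"""Heuristic detection of DNS tunnelling/exfiltration in resolver query logs.

Added example; not Infoblox code. Thresholds and the log format are assumptions
chosen for illustration, and the sample log below is constructed, not captured.
"""
import math
from collections import Counter, defaultdict

# Constructed sample of resolver log lines: "<epoch> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com MX
1700000003 10.0.0.7 api.example.com A
1700000004 10.0.0.7 cdn.example.com AAAA
1700000005 10.0.0.8 login.example.com A
1700000006 10.0.0.9 img1.cdn-provider.net A
1700000007 10.0.0.9 img2.cdn-provider.net A
1700000008 10.0.0.9 img3.cdn-provider.net A
1700000009 10.0.0.9 img4.cdn-provider.net A
1700000010 10.0.0.9 img5.cdn-provider.net A
1700000011 10.0.0.9 img6.cdn-provider.net A
1700000012 10.0.0.42 3f9a1c7e2b8d4a6f0e5c9b1d7a3e8f2c.exfil-test.net TXT
1700000013 10.0.0.42 9e2d7b4a1f8c3e6d5a0b2c9f7e1d4a8b.exfil-test.net TXT
1700000014 10.0.0.42 c4b8e1f7a2d9c3e6f0a5b1d8e7c2a9f4.exfil-test.net TXT
1700000015 10.0.0.42 7a1e9c3f5b2d8e4a6c0f1b7d3e9a2c5f.exfil-test.net TXT
1700000016 10.0.0.42 e8c2a7f1d4b9e3c6a0f5d1b8c7e2a4f9.exfil-test.net TXT
1700000017 10.0.0.42 1d7f3a9e5c2b8d4f6a0e1c7b3d9f5a2e.exfil-test.net TXT
"""

# Thresholds (assumed for illustration; tune them against your own baseline)
MIN_UNIQUE_NAMES = 5   # a tunnel needs many distinct names to carry data
LONG_LABEL = 30        # mean length of the leftmost label, in characters
HIGH_ENTROPY = 3.5     # mean Shannon entropy of the leftmost label, bits/char
TUNNEL_QTYPES = {"TXT", "NULL"}  # record types that carry the most data back


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for 'aaaa', 2.0 for 'abcd', close to 4.0 for random hex."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels. A real deployment should use the Public Suffix List,
    otherwise 'foo.co.uk' collapses to 'co.uk' (assumed simplification)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def parse_log(text: str):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            epoch, client, qname, qtype = parts
            yield int(epoch), client, qname.lower().rstrip("."), qtype.upper()


def analyze_log(text: str) -> dict:
    """Group queries by registered domain and score each group for tunnelling."""
    groups = defaultdict(list)
    for _, _, qname, qtype in parse_log(text):
        groups[registered_domain(qname)].append((qname, qtype))

    report = {}
    for domain, queries in groups.items():
        names = {q for q, _ in queries}
        leftmost = [q.split(".")[0] for q in names]
        mean_len = sum(map(len, leftmost)) / len(leftmost)
        mean_ent = sum(map(shannon_entropy, leftmost)) / len(leftmost)
        tunnel_frac = sum(1 for _, t in queries if t in TUNNEL_QTYPES) / len(queries)
        # Many distinct names AND (long OR high-entropy labels) => likely tunnel
        flagged = len(names) >= MIN_UNIQUE_NAMES and (
            mean_len >= LONG_LABEL or mean_ent >= HIGH_ENTROPY
        )
        report[domain] = {
            "queries": len(queries),
            "unique_names": len(names),
            "mean_label_len": round(mean_len, 1),
            "mean_label_entropy": round(mean_ent, 2),
            "tunnel_qtype_fraction": round(tunnel_frac, 2),
            "flagged": flagged,
        }
    return report


if __name__ == "__main__":
    for domain, stats in sorted(analyze_log(SAMPLE_LOG).items()):
        print(("ALERT " if stats["flagged"] else "ok    ") + domain, stats)
```

The constructed `cdn-provider.net` group shows why cardinality alone is a poor signal: a content network also produces many distinct names, but its labels are short and low-entropy, so only `exfil-test.net` is flagged. In production, replace the last-two-labels heuristic with the Public Suffix List and baseline the thresholds against your own traffic before alerting on them.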
Similarly, threat actors know that phishing campaigns aimed at an organization's employees, or even its customers, succeed far more often when they use “lookalike” domains that impersonate the brand: names that differ from the legitimate domain by a swapped letter, a confusable character, an added word or a different top-level domain. Organizations that have failed to secure their public-facing domains, or to register the lookalike names users would expect them to own, can suffer devastating consequences. Infoblox research suggests that organizations of all sizes are being targeted: Infoblox detects around 25,000 new lookalike domains every week.
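An added example, not Infoblox's detection logic, of how candidate domains can be classified as lookalikes of a brand domain: decode any punycode labels, fold confusable characters, then compare the second-level label to the brand's by edit distance and containment. The confusable table, the category names and the candidate list are illustrative assumptions.

```python
"""Classify candidate domains as lookalikes of a brand domain.

Added example; not Infoblox code or detection logic. The confusable-character
table, the category names and the candidate list are illustrative assumptions.
"""

# Illustrative confusable map (assumed): a production system would use the
# Unicode confusables.txt data and a per-TLD script policy instead.
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}
SINGLE_CHAR_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р с х
    "\u0456": "i",                                 # Cyrillic і
}


def to_unicode(domain: str) -> str:
    """Decode punycode ('xn--') labels so homoglyphs can be compared as text."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: compare as given


def fold_confusables(label: str) -> str:
    s = label.lower()
    for src, dst in MULTI_CHAR_CONFUSABLES.items():
        s = s.replace(src, dst)
    return "".join(SINGLE_CHAR_CONFUSABLES.get(ch, ch) for ch in s)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each costing 1 (so 'exmaple' is 1 from 'example')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, brand: str = "example.com"):
    """Return a lookalike category for `candidate`, or None if it is inside the
    brand's own zone or not similar enough to matter."""
    brand = brand.lower().rstrip(".")
    cand = to_unicode(candidate).lower().rstrip(".")
    if cand == brand or cand.endswith("." + brand):
        return None  # legitimate name inside the brand's own zone
    labels = cand.split(".")
    if len(labels) < 2:
        return None
    brand_sld = brand.split(".")[-2]
    sld = labels[-2]
    if brand_sld in labels[:-2]:
        return "brand-as-subdomain"   # example.com.login-secure.net
    if sld == brand_sld:
        return "tld-swap"             # example.net
    folded = fold_confusables(sld)
    if folded == brand_sld:
        return "homoglyph"            # exarnple.com, examp1e.com, Cyrillic а
    if osa_distance(folded, brand_sld) <= 1:
        return "typosquat"            # exmaple.com, examplle.com
    if brand_sld in folded:
        return "combosquat"           # example-login.com
    return None


# Constructed candidates (not real registrations). The last one is built with
# Python's IDNA codec so that its punycode form is exact.
PUNYCODE_LOOKALIKE = "ex\u0430mple.com".encode("idna").decode("ascii")
CANDIDATES = [
    "www.example.com", "example.net", "exarnple.com", "examp1e.com",
    "exmaple.com", "example-login.com", "example.com.login-secure.net",
    "sample.com", PUNYCODE_LOOKALIKE,
]


def scan(candidates=CANDIDATES, brand="example.com"):
    """Return [(domain, category)] for every candidate that looks like the brand."""
    hits = []
    for domain in candidates:
        kind = classify(domain, brand)
        if kind:
            hits.append((domain, kind))
    return hits


if __name__ == "__main__":
    for domain, kind in scan():
        print(f"{kind:20} {domain}")
```

The same classifier can be run over new-registration feeds or certificate-transparency logs to surface names worth registering defensively or blocking at the resolver; the ordering of the checks matters, since `examples.com` is a typosquat at distance 1 before it is a combosquat.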
Given the prevalence of threat-actor abuse of the DNS protocol and of domain names, it is widely expected that NIS 2 and other regulations will drive regulated entities to formalize a strategy and process for securing their external-facing, authoritative domains.
Implementing DNS as a Cyber Security Control
According to U.S. cybersecurity official Anne Neuberger, “using secure DNS would reduce the ability for 92% of malware attacks … from a command-and-control perspective, deploying malware on a given network.” [2] Given that DNS platforms have, in effect, a front row seat to what malware is operating on a network it seems logical to integrate DNS into any cyber security defense strategy.
Protective DNS refers to a recursive DNS service that checks each client query against threat intelligence and blocks, or redirects, the resolution of known-malicious domains before the client receives an answer. Because it relies on threat intelligence curated for DNS platforms and on the DNS protocol that every client already speaks, it is a highly scalable and pervasive security control that is simple to deploy.
The UK National Cyber Security Centre's Protective DNS (PDNS) service, much like the US government's Protective DNS resolver operated by CISA, has become a core pillar of national cyber security strategy. With the DNS4EU initiative in the European Union, Protective DNS has become an accepted DNS best practice, adopted not only by governments but also by public and private sector organizations.
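To make the mechanism concrete, the following is an added example (not Infoblox's or any other vendor's implementation) of the policy evaluation a Protective DNS resolver performs, using the trigger and action encoding of Response Policy Zones (RPZ): a query name is matched against a policy zone, and the matching rule decides whether the client gets NXDOMAIN, an empty answer, a sinkhole address, no reply at all, or normal resolution. The zone snippet is constructed, the names are reserved test names, and wildcard precedence is simplified to "an exact trigger beats a wildcard".

```python
"""Minimal Protective DNS policy engine using RPZ-style triggers and actions.

Added example; not Infoblox code or any vendor's implementation. The zone
snippet is constructed, the domains are reserved/test names, and wildcard
precedence is simplified: an exact trigger always beats a wildcard one.
"""

# Constructed RPZ zone. Owner names are QNAME triggers; the CNAME target encodes
# the action as in the RPZ draft (CNAME . = NXDOMAIN, CNAME *. = NODATA,
# CNAME rpz-passthru. = allow, CNAME rpz-drop. = drop); any other RR is local data.
RPZ_ZONE = """\
$ORIGIN rpz.local.
$TTL 300
@                       SOA   ns.rpz.local. admin.rpz.local. 1 3600 600 86400 300
evil.example            CNAME .               ; NXDOMAIN for the apex
*.evil.example          CNAME .               ; ...and everything below it
c2.bad-actor.test       A     192.0.2.1       ; sinkhole: local data
tracker.adnet.test      CNAME *.              ; NODATA: name exists, no records
beacon.c2-drop.test     CNAME rpz-drop.       ; drop: client gets no reply
*.fileshare.test        CNAME .               ; block the whole service...
corp.fileshare.test     CNAME rpz-passthru.   ; ...except the approved tenant
"""

ORIGIN = "rpz.local"
_SPECIAL_CNAMES = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
}


def _action(rtype: str, rdata: str):
    if rtype == "CNAME" and rdata in _SPECIAL_CNAMES:
        return (_SPECIAL_CNAMES[rdata], None)
    return ("LOCAL-DATA", f"{rtype} {rdata}")


def parse_rpz(text: str, origin: str = ORIGIN) -> dict:
    """Return {'exact': {name: action}, 'wild': {parent: action}}."""
    policy = {"exact": {}, "wild": {}}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$") or line.startswith("@"):
            continue                               # directives and the SOA
        tokens = line.split()
        owner = tokens[0].lower()
        rest = [t for t in tokens[1:] if not t.isdigit() and t.upper() != "IN"]
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if owner.endswith("." + origin + "."):
            owner = owner[: -len(origin) - 2]      # strip a fully qualified origin
        owner = owner.rstrip(".")
        if owner.startswith("*."):
            policy["wild"][owner[2:]] = _action(rtype, rdata)
        else:
            policy["exact"][owner] = _action(rtype, rdata)
    return policy


def lookup(policy: dict, qname: str):
    """Closest-match policy for a query name, or None to resolve normally."""
    name = qname.lower().rstrip(".")
    if name in policy["exact"]:
        return policy["exact"][name]
    labels = name.split(".")
    for i in range(1, len(labels)):                # nearest parent first
        parent = ".".join(labels[i:])
        if parent in policy["wild"]:
            return policy["wild"][parent]
    return None


def resolve(policy: dict, qname: str) -> str:
    """Describe what a protective resolver would do with the query."""
    hit = lookup(policy, qname)
    if hit is None or hit[0] == "PASSTHRU":
        return f"{qname}: resolve normally"
    action, rdata = hit
    if action == "LOCAL-DATA":
        return f"{qname}: answer with {rdata} (sinkhole)"
    return f"{qname}: {action}"


if __name__ == "__main__":
    pol = parse_rpz(RPZ_ZONE)
    for q in ["www.example.com", "evil.example", "login.evil.example",
              "c2.bad-actor.test", "tracker.adnet.test", "beacon.c2-drop.test",
              "x.fileshare.test", "corp.fileshare.test"]:
        print(resolve(pol, q))
```

The `corp.fileshare.test` passthru rule shows the pattern practitioners need most: a broad wildcard block with a narrow, explicit exception, where the exact trigger takes precedence. Sinkholing to a local address rather than returning NXDOMAIN is what lets the resolver's logs identify which client attempted the connection.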
Infoblox performs DNS security assessments and security workshops that can help organizations transform their DNS architecture into a robust cyber security enforcement platform.
***
If you believe your organization can benefit from this, please reach out to your local Infoblox account team or register to attend an Infoblox security workshop using the link here.
For a comprehensive overview of the DNS Security best practices that we anticipate for NIS 2 requirements, check out this Whitepaper.
Footnotes
1. https://www.cisa.gov/resources-tools/services/protective-domain-name-system-resolver
2. https://cyberscoop.com/nsa-secure-dns-service-pilot-defense-industrial-base/