Zero Trust strategy discussions are all the rage these days among enterprise security teams. The problem is that every enterprise is implementing ZT differently and many CISOs are struggling trying to find the ideal approach for their business.
Most security executives agree that authentication and role management is where ZT strategy must start. After all, with a massive number of amorphous frontdoors, identifying who is knocking with a high degree of confidence is essential. After all, if authentication doesn’t work well, an argument can be made that the rest of cybersecurity defenses mean relatively little.
But the second step should be hardening the ability to detect and track an attack in realtime, regardless of how the attackers got in and what they are initially attacking. To do that, few technologies work better than DNS. In an enterprise multi-cloud environment, DNS is one of the few technologies that can see all activity, from on-prem to the cloud/clouds, from remote locations to headquarters, from road warriors to overseas supply chain partners.
Everything on your networks will need to use DNS services. That includes on-prem, cloud, iOT/iiOT, mobile, remote sites, partner networks and contractors. If you have multiple cloud environments–and what enterprise today doesn’t?–it is critical to have a cybersecurity element that can seamlessly track them all, along with everything else. iOT is particularly problematic, but DNS handles it well.
VISIBILITY IS CRITICAL
DNS delivers a better-centralized visibility and control of all computing resources, including users and servers in a micro-segment, all the way to an individual IP address. Because most traffic goes through DNS resolution first, it is an important source of telemetry providing detailed client information, helping to detect anomalous behavior, and protecting east-west traffic between micro segments. DNS security can also continuously check for, detect, and block Command and Control (C&C) connections and attempts to access websites that host malware. For all of these reasons, DNS security is a core enabler of a robust Zero Trust strategy.
Most importantly, DNS is an absolute Zero Trust control point where every internet address can be scanned for potentially malicious behavior as identified by integrated threat intelligence. DNS security provides a single point of control to administer and manage all of your environments. This provides one DNS security administration point for all of your security stacks, which can easily be integrated with SOAR and other critical cybersecurity ecosystem controls.
That is what makes the following fact so mystifying: Most CISOs and CIOs don’t include DNS controls. In and of itself, that omission makes achieving a true Zero Trust environment far more difficult, if not impossible. It’s sad that so many enterprises have not yet included DNS, DHCP, and IPAM (DDI) controls and data, administration, and management within their cybersecurity strategy and yet, here we are. These capabilities have typically defaulted to a mix of ISPs, on- AND off-premises local hardware, and multiple disparate cloud-based capabilities. These disparate and separate DNS capabilities generally have no integration with cybersecurity threat intelligence, web filtering, or other important defensive capabilities. Most of these have no integrated support for the most common cyberthreats, distributed denial of service (DDoS) attacks, nor provide the necessary visibility.
Visibility (aka the single pane of glass) is crucial today, as well-equipped SOCs deliver a massive number of kinds of intelligence to their analysts. And during an active attack, those analysts have a handful of minutes–sometimes seconds–to understand what is going on, to figure out the best way to defend the enterprise and to then act on that strategy.The analyst simply doesn’t have the time to review multiple screens to try and piece together what is happening. Many attackers are superb today at breaking in and doing their damage and getting out quickly. That’s true regardless of whether the attacker is planting malware (ransomware anyone?) or copying and exfiltrating specific files.
Organizations must always be in control of, and have complete visibility to, DNS traffic. DNS traffic must be resolved by servers controlled by the organization, not external resolvers over which the IT team has no control.
FACTOR IN DOT AND DOH
DNS over TLS (DoT) and DNS over HTTPS (DoH) are two new versions of DNS designed to encrypt the communication between DNS clients and recursive DNS servers. These have solved a longstanding gap where DNS queries were transmitted unencrypted.
If an organization’s DNS servers support DoH/DoT, that’s best practice—all traffic, including DoH/DoT, should be routed to those servers. If an organization is routing DoH/DoT traffic to external unauthorized DNS resolvers, bypassing internal DNS servers, then their security team loses visibility and control of the DNS traffic, which will lead to the exposure of many security gaps.
As a best practice rule, organizations should not allow individual applications and devices to bypass internal DNS infrastructure. Such access to unauthorized external DoH/DoT resolvers should be blocked at firewalls and gateways, forcing DNS resolution to internal resolvers. Looking forward, every organization should plan on implementing internal DNS infrastructure that supports DoT/DoH.
SEVERAL ATTACK TECHNIQUES LEVERAGE UNPROTECTED DNS
There are a multitude of ways that cyberattackers can leverage unprotected DNS services. The following MITRE ATT&CK techniques and sub-techniques explicitly define how cyberattackers will target and use DNS services. The Tactic represents the goal the attacker is trying to achieve. The Techniques and Sub-Techniques represent the different ways that cyberattackers can achieve the goals and objectives of the tactic. Mitigation of these techniques require comprehensive DNS security solutions.
| TACTIC – GOAL OF ATTACKER | TECHNIQUES USING DNS | SUB-TECHNIQUE USING DNS |
| Reconnaissance | T1590 Gather Victim Network Information | .001 Domain Properties |
| .002 DNS | ||
| .004 Network Topology | ||
| .005 IP Address | ||
| T1598 Phishing for Information | .003 Spearphishing Link | |
| Resource Development | T1583 Acquire Infrastructure | .001 Domains |
| .002 DNS Server | ||
| T1584 Compromise Infrastructure | .001 Domains | |
| .002 DNS Server | ||
| T1608 Stage Capabilities | .002 Upload Tool | |
| Initial Access | T1189 Drive-by Compromise | |
| T1190 Exploit Public-Facing Application | ||
| T1566 Phishing | .002 Spearphishing Link | |
| Execution | T1204 User Execution | .001 Malicious Link |
| Credential Access | T1557 Adversary-in-the-Middle | |
| T1040 Network Sniffing | ||
| Command and Control | T1071 Application Layer Protocol | .004 DNS |
| T1132 Data Encoding | ||
| T1568 Dynamic Resolution | ||
| T1573 Encrypted Channel | ||
| T1008 Fallback Channels | ||
| T1105 Ingress Tool Transfer | ||
| T1572 Protocol Tunneling | ||
| T1090 Proxy | .001 Internal Proxy | |
| .002 External Proxy | ||
| Exfiltration | T1030 Data Transfer Size Limits | |
| T1048 Exfiltration Over Alternative Protocol | .001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol | |
| .002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | ||
| .003 Exfiltration Over Unencrypted Obfuscated Non-C2 Protocol | ||
| T1041 Exfiltration Over C2 Channel |
Zero Trust is going to require Security and IT to entirely rethink every element of every one of their environments. That is going to likely take years and an avalanche of resources. But it is absolutely necessary. When was the last time your network was entirely examined and new appropriate security measures put in place?
Yes, certain security defenses have been added to many of those environments, but that merely leaves old outdated mechanisms in place. That’s the most frustrating cybersecurity reality: Old security defenses, including those that were state-of-the-art back when they were installed, today can become a security hole. That happens when an attacker leverages an app that none of your current team even knew was there.
As long as you rebuilding all of your defenses, it’s critical to include DNS tracking. Any tracking that is not comprehensive and consistent through all of your environments is just asking for trouble.
