October is Cybersecurity Awareness Month. This year’s theme is “Secure Our World”, with an emphasis on the actions everyone can take to improve the security of what we do on the internet and the data we put out there. You will hear recommendations ranging from individual-focused reminders to not reusing passwords to tried and tested enterprise-focused best practices. Sometimes overlooked in all of this great information is the power, simplicity, and pervasiveness of the Domain Name System (DNS). Not only can it be a valuable tool for stopping attacks dead in their tracks, but it can also be used to prevent attacks from happening in the first place. Since DNS is used by individuals, multi-national organizations, and everyone in between, it can be used as a tool to improve the security for everyone. DNS is so important that governments around the world are exploring options to provide protective DNS to their citizens.
What Is So Important About DNS Anyway?
Most people describe DNS as the phonebook of the internet (or even the Yellow Pages of the internet if they are old enough). DNS is much more than that though. Whenever a new domain name is registered, that information is stored in DNS. When that domain is set up to host a new website or send out emails, that information is configured in DNS. As that information changes over time, those changes are also reflected in DNS. All of this happens in the background, and most users never know it happens. Bad actors thrive on staying hidden in the shadows, but their actions leave footprints in DNS. As much as they try to hide, they must use DNS for their attacks to work. In fact, five of the seven steps in the Cyber Kill Chain use DNS in one way or another. These DNS footprints are visible, if you know what to look for.
Infoblox Threat Intel looks for these footprints in billions of DNS events every day. We find lookalike domains that spoof your bank, phishing domains with randomly generated names, and active domains that appear to be dormant to hide in plain sight. We find domains registered one at a time and clusters of domains all registered at once, all through DNS. Notably, we have identified and tracked numerous Traffic Distribution Systems (TDSs) that have operated largely undetected for years. Bad actors like Vextrio Viper, Savvy Seahorse, and Vigorish Viper use networks of as many as a hundred thousand domains to serve victims with personalized attacks ranging from crypto scams to malware. Using a complex system of redirects, user identification, and a little randomness, TDSs are designed to confuse victims and researchers alike. Conventional methods for investigating these attacks face considerable challenges, but using DNS allows us to see past all these tricks to understand what is really going on.
Defense-in-Depth With DNS
If you have spent any time reading about cybersecurity, you have probably heard of the many acronym-laden tools that exist in that space. Tools like NGFW, XDR, EDR, and SASE are used to secure organizations and their data. These tools play an important part in security, but all of them rely on detecting and stopping an attack after it has started. Furthermore, many of these tools primarily focus on malware, which must be identified and analyzed to develop an effective defense. Since the malware landscape is always changing, these tools will always be one step behind. While DNS complements these tools, it is unique in that it provides the opportunity to stop attacks before they ever begin (see Figure 1).
At its most basic, DNS can be used to prevent the domain name of a malicious website from resolving to an IP address. If a user’s computer can’t get the IP address, it can’t send that message containing their credit card information to the bad guy, and it definitely can’t download that malware. Although this may be all that a user sees happening, or even cares about, DNS is far more important and far more powerful than just blocking bad domains. It can be used proactively to find suspicious domains before they are active and before they are seen in a network during an attack.
When a bad actor registers a new domain name, it is visible in DNS. If you know what to look for, you can find suspicious domain registrations. Maybe the contact information is the same as other domains you know to be bad or the domain name itself isn’t normal. When a bad actor changes the IP address of a domain, we can look to see if the IP address has a history of being malicious. It might be that none of these events are suspicious by themselves, but in combination, there may be a pattern we’ve seen before in other malicious domains. In contrast to other tools and approaches, none of this requires analysis of malware or seeing the domain in an attack. It can be done while the bad actor is preparing the domain before they launch the attack.
These DNS-powered investigations don’t just find individual domains here and there, though. They can be used to find clusters of domains all at once. Once you begin to pull the thread of something suspicious, patterns and trends comprising thousands of domains can appear. The same tools and services that allow companies to operate on a large scale also allow bad actors to operate on a large scale. In fact, an entire industry of cybercrime supply chain providers has emerged so bad actors can outsource operations and focus on their attacks. Vextrio Viper and Vigorish Viper are perfect examples. Both actors offer affiliates use of their TDSs for a fee. Using DNS, we identified, tracked, and blocked both TDSs. This effectively blocked not only the Vextrio and Vigorish campaigns, but also all the campaigns of every one of their affiliates.
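The registration signals described above (lookalike names, random-looking labels, a contact shared with known-bad domains, an IP with a malicious history, and bulk registrations on one day) combined into a simple scoring routine whose output feeds a protective resolver's block list. This is an added example, not Infoblox code; every record, contact, IP and threshold in it is constructed or an illustrative assumption.

```python
import math

# Constructed sample registration records (not real data): the domain, the registrant
# contact, the registration day, and the IP the domain currently resolves to.
RECORDS = [
    {"domain": "examplebank-login.com", "contact": "reg1@mail.example", "day": "2024-10-01", "ip": "203.0.113.10"},
    {"domain": "kq7zx9vbn2.net", "contact": "reg1@mail.example", "day": "2024-10-01", "ip": "203.0.113.10"},
    {"domain": "p3wq8rtyzl.net", "contact": "reg1@mail.example", "day": "2024-10-01", "ip": "203.0.113.11"},
    {"domain": "gardenclub.org", "contact": "owner@flowers.example", "day": "2024-09-12", "ip": "198.51.100.5"},
]
KNOWN_BAD_CONTACTS = {"reg1@mail.example"}  # assumed: contacts seen on confirmed-bad domains
KNOWN_BAD_IPS = {"203.0.113.10"}            # assumed: IPs with a malicious history
BRANDS = ["examplebank"]                    # brands whose lookalikes we watch for
LEGIT = {"examplebank.com"}                 # the brand's genuine domain is never a lookalike
ZONE = {r["domain"]: r["ip"] for r in RECORDS}  # constructed resolver answers

def label(domain):
    return domain.rsplit(".", 1)[0]

def is_lookalike(domain):
    return domain not in LEGIT and any(b in label(domain) for b in BRANDS)

def looks_random(domain):
    """Random-looking label: high character entropy and very few vowels (thresholds assumed)."""
    s = label(domain)
    probs = [s.count(c) / len(s) for c in set(s)]
    entropy = -sum(p * math.log2(p) for p in probs)
    vowel_ratio = sum(c in "aeiou" for c in s) / len(s)
    return entropy > 3.0 and vowel_ratio < 0.2

def score(rec, records):
    """Combine independent DNS-visible signals into a suspicion score plus the reasons."""
    reasons = []
    if is_lookalike(rec["domain"]):
        reasons.append("lookalike")
    if looks_random(rec["domain"]):
        reasons.append("random-name")
    if rec["contact"] in KNOWN_BAD_CONTACTS:
        reasons.append("shared-bad-contact")
    if rec["ip"] in KNOWN_BAD_IPS:
        reasons.append("bad-ip-history")
    batch = [r for r in records if r["contact"] == rec["contact"] and r["day"] == rec["day"]]
    if len(batch) >= 3:  # same contact registering several domains on one day
        reasons.append("bulk-registration")
    return len(reasons), reasons

def blocklist(records, threshold=2):
    """Domains at or above the threshold go onto the protective-DNS block list."""
    return sorted(r["domain"] for r in records if score(r, records)[0] >= threshold)

def resolve(domain, blocked, zone=ZONE):
    """Protective resolver: no answer for blocked names, so the connection never starts."""
    return None if domain in blocked else zone.get(domain)
```

Note that no single signal decides: gardenclub.org has an entropy above the threshold but a normal vowel ratio and no shared infrastructure, so it scores zero and still resolves.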
DNS Matters for Everyone
While bad actors are always trying new tactics, there are some that always work. Because they always work, they use them against everyone. People using their laptop to get on the web at the local coffee shop are victims of the same attacks and lures used against employees at multi-national corporations. Fortunately, DNS plays a role in these attacks, and it can be used to stop them. Whether it is a simple protective DNS service for your laptop or an enterprise-grade DNS solution, everyone can use DNS to secure their part of the world.
To learn more about how Infoblox Threat Intel uses DNS to secure our world, go to https://www.infoblox.com/threat-intel/.