Editor’s question: How can organisations prevent DNS attacks?

EfficientIP, a leading specialist in DNS security for service continuity, user protection and data confidentiality, has announced the results of its 2019 Global DNS Threat Report, sponsored research conducted by market intelligence firm IDC.

Over the past year, organisations faced on average more than nine DNS attacks, an increase of 34%.

Costs also rose 49%: one in five businesses lost over US$1 million per attack, and attacks caused application downtime for 63% of those hit. Other issues highlighted by the study, now in its fifth year, include the broad range and shifting popularity of attack types, from volumetric to low-signal, including phishing (47%), malware-based attacks (39%) and old-school DDoS (30%).

Also highlighted were the greater consequences of not securing the DNS network layer against all possible attacks. No sector was spared, leaving organisations open to a range of serious consequences, from compromised brand reputation to lost business.

Romain Fouchereau, Research Manager European Security at IDC, said: “With an average cost of US$1m per attack and a constant rise in frequency, organisations just cannot afford to ignore DNS security and need to implement it as an integral part of the strategic functional area of their security posture to protect their data and services.”

DNS is a central network foundation which enables users to reach all the apps they use for their daily work. Most network traffic first goes through a DNS resolution process, whether this is legitimate or malicious network activity.

Any impact on DNS performance has major business implications. Well-publicised cyberattacks such as WannaCry and NotPetya caused financial and reputational damage to organisations across the world. Because of the mission-critical role DNS plays, the impact of DNS-based attacks is just as significant.

The top impacts of DNS attacks: damaged reputation, business continuity and finances

Three in five organisations (63%) suffered application downtime, 45% had their websites compromised and one quarter (27%) experienced business downtime as a direct consequence.

These could all potentially lead to serious NISD (Network and Information Security Directive) penalties. In addition, one quarter of businesses (26%) lost brand equity due to DNS attacks.

Data theft via DNS continues to be a problem. To protect against this, organisations are prioritising securing network endpoints (32%) and looking for better DNS traffic monitoring (29%).

We asked three industry experts, from Kaspersky in Africa, Palo Alto Networks and Akamai, how organisations can best prevent DNS attacks.

Riaan Badenhorst, General Manager of Kaspersky in Africa

The continued evolution of digital has resulted in a cyberthreat landscape that is becoming increasingly difficult to navigate, with cybercriminal activity growing in numbers and sophistication.

Cybercriminals are using a variety of different types of attacks to target victims, making it critical for a business to not only understand the threat landscape, but to also keep on top of it.

A type of attack vector that remains popular and easy to exploit is that of Domain Name Server (DNS) attacks, poisoning or spoofing.

This is a type of cyberattack that exploits system vulnerabilities in the domain name server to divert traffic away from legitimate servers and direct it towards fake servers. The code of a DNS attack often occurs via spam emails. These emails attempt to frighten users into clicking on the supplied URL, which in turn infects their device.

Banner ads and images, both in emails and untrustworthy websites, can also direct users to this code. Once infected, a user’s computer or device will take them to fake websites that are spoofed to look like the real website, which exposes them to risks such as spyware, keyloggers or virus worms.

This type of attack redirects traffic bound for the target corporation’s servers to a cybercriminal’s own machines.

As a result, visitors to a company website are taken to fake resources that look authentic but have no filters or protection systems.

Such attacks pose several risks to a business, one of the most concerning being data theft.

Financial services websites (such as banking), as well as online shopping websites, can easily fall victim to this type of attack and this could result in passwords and credit card or personal information being compromised.

Furthermore, such attacks pose a massive risk to the internal workings and processes of an organisation. If fake servers are successfully created, the victim organisation loses contact with the outside world. Mail is hijacked and typically phones as well, given that many businesses make use of IP telephony.

This greatly complicates both internal response to the incident and communication with external organisations – DNS providers, certification authorities, law enforcement agencies and so on.

Eliminating DNS attacks or cache poisoning can be difficult, as cleaning an infected server does not rid a desktop of the problem and clean desktops connecting to an infected server will be compromised all over again.

However, being fully prepared for such attacks, leaning on cybersecurity threat intelligence and a strategy aimed to ensure that a business is focused on prevention, detection, response and prediction, is key.

Furthermore, dedicated cybersecurity training for a business and its employees around the reality of such attacks and how to be a human firewall to these plays an important role.

Richard Meeus, Security, Technology and Strategy Director, Akamai

The Domain Name Service (DNS) has been around for so long that it is almost taken for granted. However, without it, much, if not all, of the world’s Internet experience would be dead in the water.

Its ubiquity means that it can be easily leveraged for malicious intent if not checked and protected. The infamous DDoS attack against a major DNS provider in 2016 that forced many organisations completely or partially offline – e.g. Netflix, CNN, BBC, Visa – highlighted how vulnerable and integral, in equal measure, DNS is to how the world operates online.

Not only is DNS frequently the target, it is also the delivery vector for many types of attacks. As DNS uses UDP (connectionless) it is an easy and effective way to bounce and amplify attack traffic off many Internet-based DNS servers against, for example, your web server.

This involves swamping your site with unwanted traffic that needs to be handled by your Internet connections, routers and firewalls, which are ultimately overwhelmed, forcing you offline – not just your websites, but any other associated Internet traffic, from emails to VPNs.

But DNS is not just restricted to being utilised for large, headline-grabbing DDoS attacks. It is also leveraged for data exfiltration, being used as a carrier to piggyback data from within compromised networks to Command and Control servers located on the other side of the planet.

As DNS is often unchecked, especially leaving an organisation, this is a simple but effective way to syphon off critical data without being detected.

Lastly there is the integrity of the DNS itself. Consumers blindly query these servers for the IP address for their favourite sites and assume that the answer is going to be correct.

Man-in-the-middle attacks – where the DNS request is intercepted between the client and the DNS server, false IP addresses are supplied and traffic is routed to rogue and malicious sites – are an example of an attack where the DNS’ integrity can be compromised.

Features such as DNSSEC allow the user to receive a digitally signed record from the DNS server ensuring them that the data is valid.

DNS is key to the interaction with the Internet and unless your records are resilient, redundant and secured there will always be a risk of compromise.

In addition, just as many organisations check traffic entering their network, they should equally apply the same level of integrity to DNS queries leaving their network.

Haider Pasha, Regional Chief Security Officer (CSO), Emerging Markets, Palo Alto Networks

As a protocol invented over three decades ago, Domain Name Service (DNS) was not created with cybersecurity in mind. And since its inception, we have seen a growing number of attacks abusing its inherently trusting nature, from DNS floods and hijacking to tricking DNS registrars.

According to Palo Alto Networks’ Unit 42 threat research team, almost 80% of malware uses DNS to initiate command-and-control connections.

Therefore, there are no quick fixes when we try to secure DNS today and the risks associated with it are practical as well as reputational when a company’s website goes down, especially if their business depends on it.

Organisations need to have a clear security policy that specifically looks at DNS and addresses the risks.

In my view, you need three things to achieve a well-defined DNS security policy – governance, awareness and tools.

Governance begins by understanding who in your organisation is responsible for DNS. Some believe DNS security is the responsibility of the security team whereas others would rely on the networking department.

In either instance, the key challenge is that these teams often don’t talk to each other. Therefore, step one is to identify who is responsible and make sure the teams are communicating regularly via a clear process.

Employee awareness is essential as people will ultimately make mistakes. Training should consist of various components including running simulation exercises, such as email phishing simulations customised to various departments.

These exercises should be engaging, measurable and ongoing endeavours, and not treated as an annual ‘tick-the-box’.

As for tools, there are two different kinds to consider. There are the things you can do with the investments you have already made (focus on basics) and there are new investments you may want to consider in order to enhance protection for DNS.

Some examples of basic functionalities include DNS server hardening, encrypted communications (such as TLS) and two-factor authentication. Your DNS server should be dedicated to the DNS service and not have other types of protocols that can potentially open up ports on the server.

Another common practice includes restricting DNS zone transfers and consistent patch management as you perform regular audits.

For enhanced DNS protection, consider partnering with a provider that can help predict and block malicious domains in real-time.

At Palo Alto Networks, our DNS Service uses Machine Learning to analyse and block malicious queries, including the likes of Domain Generated Algorithms (DGAs), which are commonly used by malware.

Securing DNS is a vital part of keeping your organisation safe. Once you’ve followed the basics, make sure you have assessed any remaining risks with the right tools and awareness campaigns.
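Both Richard Meeus (outbound DNS used for exfiltration, and the case for checking queries leaving the network) and Haider Pasha (DGA-generated domains used by malware) point at the same control: monitoring resolver logs. The script below is an added illustration, not code from the article, Akamai or Palo Alto Networks. It runs two simple heuristics over a constructed resolver log: many long, high-entropy subdomains sent to one apex domain (the tunnelling/exfiltration shape) and mostly failing lookups of random-looking registered domains (the DGA shape). The log format, the client addresses and the thresholds are all assumptions chosen for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log sample (timestamp client qname qtype rcode), not data from the report.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A NOERROR
10:00:02 10.0.0.5 mail.example.com MX NOERROR
10:00:03 10.0.0.5 wwww.example.com A NXDOMAIN
10:00:04 10.0.0.7 kq7zxn2wb9c4mv5pf1l8yr6hg3tj0dus.exfil.test TXT NOERROR
10:00:05 10.0.0.7 a4e8z1c9h2m7q3u0w5y6bdfgjklnprst.exfil.test TXT NOERROR
10:00:06 10.0.0.7 x2r9t4v6b8n0p1s3d5g7jkmqwz.exfil.test TXT NOERROR
10:00:07 10.0.0.9 qzxvkrtplmwb.net A NXDOMAIN
10:00:08 10.0.0.9 hjdkwqplzxcv.net A NXDOMAIN
10:00:09 10.0.0.9 mrtvxqzplkjh.net A NXDOMAIN
"""

def entropy(s):
    """Shannon entropy in bits per character; encoded payloads and DGA names score high."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s)) if s else 0.0

def parse(log):
    for line in log.splitlines():
        _, client, qname, _, rcode = line.split()
        yield client, qname.lower().rstrip("."), rcode

def analyse(log, exfil_bytes=64, exfil_entropy=3.5, dga_nx_ratio=0.5, dga_entropy=3.0):
    """Return {client: set(findings)}. Thresholds are illustrative, not tuned production values."""
    stats = defaultdict(lambda: {"q": 0, "nx": 0, "apex_ent": [], "sub": defaultdict(set)})
    for client, qname, rcode in parse(log):
        st, labels = stats[client], qname.split(".")
        # Registered domain approximated as the last two labels; real code needs the public suffix list.
        st["q"] += 1
        st["nx"] += rcode == "NXDOMAIN"
        st["apex_ent"].append(entropy(labels[-2]))
        if len(labels) > 2:
            st["sub"][".".join(labels[-2:])].add(".".join(labels[:-2]))
    findings = {}
    for client, st in stats.items():
        hits = set()
        for apex, subs in st["sub"].items():
            # Many distinct, long, high-entropy subdomains under one apex: the tunnelling/exfiltration pattern.
            if (len(subs) >= 3 and sum(map(len, subs)) >= exfil_bytes
                    and sum(map(entropy, subs)) / len(subs) >= exfil_entropy):
                hits.add("exfil:" + apex)
        # Mostly-failing lookups of random-looking registered domains: the DGA beaconing pattern.
        if (st["q"] >= 3 and st["nx"] / st["q"] >= dga_nx_ratio
                and sum(st["apex_ent"]) / st["q"] >= dga_entropy):
            hits.add("dga")
        if hits:
            findings[client] = hits
    return findings
```

On the sample, `analyse(SAMPLE_LOG)` flags 10.0.0.7 for exfiltration towards exfil.test and 10.0.0.9 as DGA-like, while the ordinary client with one typo-driven NXDOMAIN is left alone; in practice the thresholds need tuning against a baseline of the organisation's own traffic.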
