DNS for Your Security Strategy
Whether consciously or unconsciously, every organization depends on the Domain Name System (DNS). DNS enables people to find your website, shop on your eCommerce app, and send you email. It therefore makes a decisive contribution not only to your business but to the entire Internet.
Hence, it is also understandable that DNS servers have become a popular target for cybercriminals:
- 82% of all companies were victims of a DNS attack in the past year.
- 63% of all companies have experienced downtime on their applications due to a DNS attack.
- Widespread DNS hijacking was reported in 2017 and 2018 targeting multiple industries in 12 different countries.
- 80% of malware uses DNS to connect to a command and control (C2) server to steal data and spread malware.
If your company only blacklists Fully Qualified Domain Names (FQDNs) to prevent DNS-based attacks, you should read on. Malicious actors and attack vectors are becoming more and more sophisticated, so your security should be too.
Common DNS Attack Vectors
Your DNS servers are not always the target of DNS-based attacks. Instead, the functionality of the DNS protocol itself is often misappropriated so that the attacker can smuggle sensitive data out of your environment.
In most cases, when a user on your network accidentally visits a malicious website, malware is installed on the connected machine. As soon as this computer is infected, it uses DNS to establish a connection to the C2 server and acts on further instructions. Once an attacker has gained a foothold in your environment, the potential for malware to spread is significantly increased.
Other common DNS attack vectors include:
- Domain hijacking: This includes unauthorized changes to DNS records and/or domain registrars, which consequently redirect traffic from the original server to a new (mostly malicious) destination.
- DNS flood attack: A Distributed Denial-of-Service (DDoS) attack that affects the availability of DNS servers.
- DNS spoofing (cache poisoning): Attackers use weak points in the system and try to smuggle malicious data into the cache of a DNS resolver.
- DNS tunneling: As soon as a computer is infected, the malware misuses DNS to steal sensitive data and obtain instructions from the attacker's C2 server.
A DNS attack recently reported by SecureList illustrates the scale of the challenge:
“In mid-May [2020] Israeli researchers reported a new vulnerability in DNS servers lurking in the DNS delegation process. This vulnerability exploitation scheme was known as 'NXNSAttack'. The hacker sends a request to multiple subdomains of a legitimate recursive DNS server within the authoritative zone of his own malicious attack server. The malicious server then delegates the request to a large number of fake DNS servers within the target domain without specifying their IP addresses. As a result, the legitimate DNS server sends queries to all proposed subdomains, whereupon the data traffic increases by 1620 times.”
Why Is DNS so Vulnerable?
The functionality of DNS is critical, but it also poses many security risks:
- 24/7 Internet access requires DNS. As a result, efforts are generally made to avoid any interruption in DNS operations, even during security checks.
- Most DNS queries are not restricted and can therefore pass through security devices. This creates a potential target.
- Some organizations try to ward off DNS attacks by blacklisting “bad domain names”. However, attackers circumvent these restrictions by using Domain Generation Algorithms (DGA). These allow the attackers to create and rotate thousands of domains to keep the C2 channel intact between the infected client and the server, even if some of the domains are blocked.
- Manually blacklisting a steadily growing number of malicious domains involves considerable administrative effort.
How to Protect a System from DNS Attacks
To counter this growing threat, Palo Alto Networks has introduced a new feature: DNS Security. It is used in combination with the anti-spyware functions provided by the "Threat Prevention" license. The new function uses a cloud service that is updated in real time from various feeds. In this way, traffic to already known malicious domains can be detected, as well as traffic to domains that were created by a Domain Generation Algorithm (DGA domains).
The DNS Security function takes important information about known malicious domains from various trustworthy threat intelligence feeds. This information is then used in combination with machine learning and predictive analysis to dynamically identify and block access to domains created by a DGA.
As soon as a client sends a request to a malicious domain, the Palo Alto next-generation firewall (with DNS Security configured) intercepts the traffic and compares the DNS request with the information in the cloud database. If the request is flagged as malicious in the cloud database or if DNS tunneling is suspected, it can be dropped automatically. On the one hand, this interrupts the connection; on the other hand, an administrator learns that there is a device on the network that may require additional verification.
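The three checks described above (feed lookup, DGA detection, tunneling detection), as an added illustration that is not Palo Alto's code: a small classifier run over a constructed DNS query log. The blocklist, the entropy and label-length thresholds, and every log entry are assumptions made for this example.

```python
import math
from collections import Counter

# Constructed DNS query log as (client IP, queried name); not taken from the page.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.7", "bad-known.example"),
    ("10.0.0.9", "xk3vq9pz7ltmwh2bdfjr.net"),
    ("10.0.0.9", "q8fw2nsdlpjw0cvb7zxh.com"),
    ("10.0.0.11", "4a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d.exfil.example"),
    ("10.0.0.11", "5b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e.exfil.example"),
    ("10.0.0.11", "6c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f.exfil.example"),
]
# Assumed local stand-in for the threat-intelligence feed described above.
BLOCKLIST = {"bad-known.example"}

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name):
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def looks_like_dga(name):
    # Heuristic for DGA names: a long, high-entropy, vowel-poor second-level label.
    sld = registered_domain(name).split(".")[0]
    vowels = sum(ch in "aeiou" for ch in sld)
    return len(sld) >= 12 and shannon_entropy(sld) > 3.5 and vowels / len(sld) < 0.3

def classify_queries(log, blocklist=BLOCKLIST, tunnel_threshold=3, label_len=30):
    """Map each queried name to a verdict: blocklisted, dga, tunneling or allow."""
    verdicts = {}
    long_labels = Counter()  # (client, registered domain) -> queries with a long leftmost label
    for client, name in log:
        domain = registered_domain(name)
        if name in blocklist or domain in blocklist:
            verdicts[name] = "blocklisted"
        elif looks_like_dga(name):
            verdicts[name] = "dga"
        else:
            verdicts[name] = "allow"
        if len(name.split(".")[0]) >= label_len:
            long_labels[(client, domain)] += 1
    # Tunneling is a per-client pattern (repeated long labels toward one domain), so judge it last.
    for client, name in log:
        if verdicts[name] == "allow" and long_labels[(client, registered_domain(name))] >= tunnel_threshold:
            verdicts[name] = "tunneling"
    return verdicts
```

A name that is neither on the feed nor DGA-like stays "allow" until the same client has sent enough long-label queries to its domain, which is why the tunneling decision is made in a second pass over the log.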
To improve your security protection you need to install good antivirus software.
