Thursday, April 1, 2021

Don't Forget Your DNS When Planning Your Security Strategy

DNS for Your Security Strategy

Whether consciously or not, every organization depends on the Domain Name System (DNS). DNS enables people to find your website, shop on your eCommerce app, and send you email. It therefore makes a decisive contribution not only to your business but to the entire Internet.


Hence, it is also understandable that DNS servers have become a popular target for cybercriminals:

  • 82% of all companies were victims of a DNS attack in the past year.
  • 63% of all companies have experienced downtime on their applications due to a DNS attack.
  • Widespread DNS hijacking was reported in 2017 and 2018 targeting multiple industries in 12 different countries.
  • 80% of malware uses DNS to connect to a command and control (C2) server to steal data and spread further malware.

If your company relies only on blacklisting Fully Qualified Domain Names (FQDNs) to prevent DNS-based attacks, you should read on. Malicious actors and attack vectors are becoming more and more sophisticated, so your security should be too.

Common DNS Attack Vectors

Your DNS servers are not always the direct target of DNS-based attacks. Instead, the normal functionality of the DNS protocol is often misappropriated so that an attacker can smuggle sensitive data out of your environment.

In most cases, a user on your network accidentally visits a malicious website and malware is installed on the connected machine. As soon as this computer is infected, it uses DNS to establish a connection to the C2 server and acts on the instructions it receives. Once an attacker has gained a foothold in your environment, the potential for malware to spread is significantly increased.

Other common DNS attack vectors include:

  • Domain hijacking: This includes unauthorized changes to DNS records and/or domain registrar accounts, which consequently redirect traffic from the original server to a new (mostly malicious) destination.
  • DNS flood attack: This is a Distributed Denial-of-Service (DDoS) attack that affects the availability of DNS servers.
  • DNS spoofing (cache poisoning): Attackers use weak points in the system and try to smuggle malicious data into the cache of a DNS resolver.
  • DNS tunneling: As soon as a computer is infected, the malware misuses the DNS to steal sensitive data and obtain instructions from the attacker's C2 server.

A DNS attack recently reported by SecureList illustrates the scale of the challenge:

“In mid-May [2020] Israeli researchers reported a new vulnerability in DNS servers lurking in the DNS delegation process. This vulnerability exploitation scheme was known as 'NXNSAttack'. The hacker sends a request to multiple subdomains of a legitimate recursive DNS server within the authoritative zone of his own malicious attack server. The malicious server then delegates the request to a large number of fake DNS servers within the target domain without specifying their IP addresses. As a result, the legitimate DNS server sends queries to all proposed subdomains, whereupon the data traffic increases by 1620 times.”

Why Is DNS so Vulnerable?

The functionality of DNS is critical, but it also poses many security risks:

  • 24/7 Internet access is required for DNS. As a result, efforts are generally made to avoid any interruption in DNS operations, even during security checks.
  • Most DNS queries are not restricted and can therefore pass through security devices. This creates a potential target.
  • Some organizations try to ward off DNS attacks by blacklisting “bad domain names”. However, attackers circumvent these restrictions by using Domain Generation Algorithms (DGA). These allow the attackers to create and rotate thousands of domains to keep the C2 channel intact between the infected client and the server, even if some of the domains are blocked.
  • Manually blacklisting a steadily growing number of malicious domains involves considerable administrative effort.
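As an added illustration (not code from the original post or from any vendor product), the following Python script runs a few constructed resolver log lines through the checks this section and the earlier "DNS tunneling" bullet describe: a static FQDN blacklist, a DGA heuristic on the second-level label, and a count of distinct TXT-query subdomains per registered domain. The log format, the thresholds and all domain names are assumptions, and the blacklist is deliberately incomplete to show why it alone is not enough.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (client, query name, query type); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 kq3vx8zj2lm9ypt.com A
10.0.0.7 x7hd2pq9vb4rwzn.net A
10.0.0.9 4a6f686e2054616c6b.exfil-demo.test TXT
10.0.0.9 5365637265742d6461.exfil-demo.test TXT
10.0.0.9 746120746f2074686520.exfil-demo.test TXT
"""
# A static FQDN blacklist, deliberately incomplete: none of the names above is on it.
BLOCKLIST = {"bad.example.net"}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking DGA labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Last two labels; a production tool would consult the public suffix list.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def looks_dga(qname: str) -> bool:
    """Heuristic: long, high-entropy, vowel-poor second-level label (thresholds assumed)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    vowels = sum(ch in "aeiou" for ch in label)
    return len(label) >= 12 and shannon_entropy(label) > 3.3 and vowels / len(label) < 0.25

def analyse(log_text: str):
    """Return per-name verdicts and registered domains that look like tunnel endpoints."""
    verdicts = {}
    txt_names = defaultdict(set)
    for line in log_text.strip().splitlines():
        _client, qname, qtype = line.split()
        if qname in BLOCKLIST:
            verdicts[qname] = "blocklisted"
        elif looks_dga(qname):
            verdicts[qname] = "dga-suspect"
        else:
            verdicts.setdefault(qname, "ok")
        if qtype == "TXT":  # many distinct TXT subdomains under one domain: tunnelling pattern
            txt_names[registered_domain(qname)].add(qname)
    tunnel_suspects = {d for d, names in txt_names.items() if len(names) >= 3}
    return verdicts, tunnel_suspects
```

Against the sample, the blacklist matches nothing, while the entropy heuristic flags the two random-looking names and the TXT count flags exfil-demo.test; in practice these heuristics feed an alert for the administrator rather than an automatic block.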

How to Protect a System from DNS Attacks

To counter this growing threat, Palo Alto Networks has introduced a new feature: DNS Security. It is used in combination with the anti-spyware functions provided by the "Threat Prevention" license. The new function uses a cloud service that is updated in real time from various feeds. In this way, traffic to already known malicious domains can be detected, as well as traffic to domains that were created by a Domain Generation Algorithm (DGA domains).

The DNS security function takes important information about known malicious domains from various, trustworthy threat intelligence feeds. This information is then used in combination with machine learning and predictive analysis to dynamically identify and block access to domains created by DGA.

As soon as a client sends a request for a malicious domain, the Palo Alto next-generation firewall (with DNS Security configured) intercepts the traffic and compares the DNS request with the information in the cloud database. If the request is flagged as malicious in the cloud database, or if DNS tunneling is suspected, it can be dropped automatically. On the one hand, this interrupts the connection; on the other hand, an administrator learns that there is a device on the network that may require additional investigation.

To improve your security protection, you should also install good antivirus software.
