The Domain Name System (DNS) plays an essential role in resolving hostnames to IP addresses. For organizations, it ensures that users reach their intended sites, servers, and applications. While it is fundamental to a functioning Web, the system is open to abuse.
Attackers prey on DNS weaknesses to redirect site visitors to malicious pages instead of the sites they meant to reach. Companies need to adopt countermeasures if they wish to keep site visitors safe.
Larger enterprises have begun protecting their DNS infrastructure by gathering relevant threat intelligence, enforcing security policies, and automating redundant tasks. But smaller ones have yet to follow.
This post highlights the growth of DNS-based attacks over time, and how organizations can protect stakeholders against them.
DNS-Based Attacks: Volume Increases Annually
A 2019 DNS threat report from Cisco shows an increase in both the number of DNS attacks and the damage they cause in the past year.
Here are a few statistics:
- More than 80% of organizations surveyed said they suffered a DNS attack.
- Costs incurred due to these breaches rose by 49%, with an average cost per attack above US$1M.
- The most targeted sector overall was financial services. The media and telecommunications sector was most affected by brand damage, while government agencies suffered most from the theft of sensitive data.
Organizations that fall victim to DNS-based attacks often respond only reactively, for example by shutting down affected processes and applications. But slowing down or even stopping operations isn’t a solution.
Instead, surveyed organizations cited these approaches to dealing with DNS-based threats:
- 64% employ DNS analytics solutions to identify compromised devices.
- 35% work with both internal threat intelligence and internal analytics on DNS traffic.
- 53% consider machine learning (ML) useful to pinpoint malicious domains.
Counteracting DNS-Based Attacks
A proactive approach to DNS security is essential. Zero-trust initiatives support it by monitoring both internal and external traffic and treating all activity as untrustworthy by default, in real time.
Some helpful immediate actions organizations can take to prevent DNS attacks include:
- Gather and analyze internal threat intelligence: To safeguard companies’ data and services, apps and platforms must be designed to perform real-time DNS analysis of attack attempts. Several commercial and free solutions provide this; Recorded Future and Cisco Umbrella are two examples.
- Configure their DNS infrastructure to adhere to security requirements: Companies should combine DNS security with IP address management (IPAM), to automate security policy management. Both systems should be regularly updated, follow a uniform format, and be easy to audit.
- Enable DNS traffic visibility across the entire network to accelerate security operations center (SOC) remediation: Employing third-party data feeds and APIs as additional threat intelligence sources allows real-time threat detection and enriches security information and event management (SIEM) software, making unified threat management (UTM) more effective. One of my personal favorites is the open source system Maltrail.
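To make the "DNS analytics to identify compromised devices" and "DNS traffic visibility" points above concrete, here is an added example of the kind of triage a SOC can run over resolver query logs. It is not code from the original post or from any product named in it (Recorded Future, Cisco Umbrella, Maltrail). It assumes a simplified, constructed log format of one query per line (`<epoch_seconds> <client_ip> <qname> <qtype> <rcode>`), treats the last label of a name as the public suffix (a real tool would use the Public Suffix List), and uses illustrative thresholds that are assumptions, not published values. It flags three patterns defenders commonly hunt for: random-looking registrable domains (DGA-like), clients cycling through non-existent names (NXDOMAIN bursts), and many distinct long subdomain labels sent to one zone on payload-carrying record types (tunnel-like).

```python
"""Heuristic DNS query-log triage.

Added example for this post; it is not code from the original article or
from any product it names (Recorded Future, Cisco Umbrella, Maltrail).
It assumes a simplified, constructed log format, one query per line:

    <epoch_seconds> <client_ip> <qname> <qtype> <rcode>

All thresholds below are illustrative assumptions, not published values.
"""
import math
from collections import Counter, defaultdict

# Constructed sample lines (not real traffic). 10.0.0.7 resolves random-looking
# names that do not exist; 10.0.0.9 sends many long, unique TXT labels to one zone.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A NOERROR
1700000001 10.0.0.5 mail.example.com MX NOERROR
1700000002 10.0.0.7 xk3q9z1fp0vt2b.invalid A NXDOMAIN
1700000003 10.0.0.7 q8v2m1zd7ty4lk.invalid A NXDOMAIN
1700000004 10.0.0.7 b7n4c0xw9pe1rs.invalid A NXDOMAIN
1700000005 10.0.0.9 a3f9c1e2d4b5.tunnel.example.org TXT NOERROR
1700000006 10.0.0.9 0e1d2c3b4a5f.tunnel.example.org TXT NOERROR
1700000007 10.0.0.9 9f8e7d6c5b4a.tunnel.example.org TXT NOERROR
1700000008 10.0.0.5 cdn.example.com AAAA NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(qname):
    """Label just left of the TLD. Assumption: the last label is the public
    suffix; a production tool would consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def parse_line(line):
    """Parse one line of the constructed log format into a record dict."""
    ts, client, qname, qtype, rcode = line.split()
    return {"ts": int(ts), "client": client, "qname": qname.lower(),
            "qtype": qtype.upper(), "rcode": rcode.upper()}


def analyze(log_text, entropy_threshold=3.5, min_label_len=12,
            nxdomain_threshold=3, tunnel_label_len=10, tunnel_threshold=3):
    """Return a list of findings, each a dict with kind, client, indicator, value."""
    findings = []
    nxdomain_per_client = Counter()
    long_labels = defaultdict(set)   # (client, zone) -> distinct leftmost labels

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        label = registrable_label(rec["qname"])
        ent = shannon_entropy(label)

        # 1. DGA-like: long registrable label with a near-uniform character mix.
        if len(label) >= min_label_len and ent >= entropy_threshold:
            findings.append({"kind": "dga_like", "client": rec["client"],
                             "indicator": rec["qname"], "value": round(ent, 2)})

        # 2. NXDOMAIN bursts: a host cycling through unregistered names.
        if rec["rcode"] == "NXDOMAIN":
            nxdomain_per_client[rec["client"]] += 1

        # 3. Tunnel-like: many distinct long subdomain labels under one zone,
        #    on record types that can carry arbitrary payloads.
        labels = rec["qname"].split(".")
        if (len(labels) >= 3 and len(labels[0]) >= tunnel_label_len
                and rec["qtype"] in ("TXT", "NULL", "CNAME")):
            zone = ".".join(labels[-2:])
            long_labels[(rec["client"], zone)].add(labels[0])

    for client, count in nxdomain_per_client.items():
        if count >= nxdomain_threshold:
            findings.append({"kind": "nxdomain_burst", "client": client,
                             "indicator": "NXDOMAIN", "value": count})
    for (client, zone), subs in long_labels.items():
        if len(subs) >= tunnel_threshold:
            findings.append({"kind": "tunnel_like", "client": client,
                             "indicator": zone, "value": len(subs)})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['kind']:15} client={f['client']:10} {f['indicator']} ({f['value']})")
```

On the constructed sample, 10.0.0.7 is reported three times for DGA-like names and once for an NXDOMAIN burst, and 10.0.0.9 once for tunnel-like traffic to example.org; the benign 10.0.0.5 queries produce nothing. Each finding names a client, which is the hand-off a SOC needs to pivot from DNS telemetry to the affected device. The heuristics are deliberately simple so the thresholds can be tuned against a baseline of the organization's own traffic before alerts are fed into a SIEM.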
Increased DNS attack volume and sophistication emphasize the importance of fortifying organizations’ DNS infrastructure. Without securing the DNS system, no security solution or policy implementation can defend networks against threats.