There is a cruel irony in the Domain Name System (DNS). By its very nature, DNS makes it simple and seamless for users to reach websites and applications. But this very system now finds itself the most exposed point of origin for malicious cyber activity – and an unlikely hero in cybersecurity.
DNS is the switchboard for all internet requests. Every single client (human or device) connects to every app or service – whether internal or external to the organization – through a DNS request. That request is fulfilled by a series of DNS servers, working diligently to accommodate the DNS query to ultimately get you where you want to go.
Alas, all of this open relaying of requests across servers and DNS resolvers leaves the network exposed to hacking. Bear in mind, DNS was built for connectivity, not security. What’s more, DNS is, in effect, the lowest common denominator for all internet activity. So not only do all legitimate requests originate at the DNS level, so do all malicious activities.
From ransomware to internal bad actors, networks have proven to be the perfect gateway for all kinds of cyberattacks. Chances are, someone on your network has unwittingly clicked on a bad link or opened the wrong attachment. That is how easy it is for malware to penetrate your organization and spread quietly from device to device.
DNS as Cyber Hero
As cybersecurity continues to concern CTOs, IT professionals everywhere add extra layers of defense to their technology stack to keep their organization safe – without success.
It’s a network architecture issue. Recursive servers sit between client devices and the network boundary. When filters and firewalls look back into the network, they can only see the last-hop server: the recursive resolver that forwarded the query. The internal DNS servers, internal IP addresses, and devices actually making the DNS queries are essentially invisible.
That lack of visibility might be excusable if the number of internal queries was small. But it isn’t. The fact that a majority of network queries never even make it to external-facing security sensors exposes a significant weakness in the “set it and forget it” mentality associated with boundary-level security systems.
Consider your helpful DNS, already in place, uniquely positioned to foil unwarranted internet queries at their source. Together with firewalls and other protection strategies, utilizing DNS records has now become part of the modern arsenal in cybersecurity.
Analyzing DNS traffic can keep your network safe if you know how to leverage it.
By providing important visibility into network activity, DNS data can inform:
- Who is on your network
- Who is trying to access what
- Aberrations in normal patterns of activity
- Identified gaps in security
Why is this visibility so vital? Because it equips you with information you can act on.
Analysis of query logs often uncovers irregular network activity and supports policy enforcement by blocking questionable DNS clients. Leveraging DNS in this way allows administrators to do more than simply see query logs – it allows them to gauge the intent of queries. With complete information about every query on the network, administrators can root out malicious patterns of behavior and identify patient zero and other infected devices.
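As an added illustration (not code from the original post or from BlueCat), the script below runs the kind of analysis described above over a few constructed BIND-style query-log lines: it matches queries against a hypothetical blocklist, picks out the earliest hit as patient zero, and flags clients that query an unusually large number of distinct names under one domain, a pattern associated with DNS tunneling or domain-generation malware. The log lines, IP addresses and the `badexample.test` domain are all constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in BIND9 query-log style (not real traffic).
SAMPLE_LOG = """\
21-Jan-2021 09:00:01.100 client 10.0.0.12#53211: query: www.example.com IN A + (10.0.0.2)
21-Jan-2021 09:00:02.300 client 10.0.0.12#53212: query: mail.example.com IN MX + (10.0.0.2)
21-Jan-2021 09:00:05.010 client 10.0.0.7#41000: query: update.badexample.test IN A + (10.0.0.2)
21-Jan-2021 09:00:07.450 client 10.0.0.9#41001: query: cdn.badexample.test IN A + (10.0.0.2)
21-Jan-2021 09:00:08.000 client 10.0.0.7#41002: query: a1b2c3d4.cc.badexample.test IN TXT + (10.0.0.2)
21-Jan-2021 09:00:08.200 client 10.0.0.7#41003: query: e5f6a7b8.cc.badexample.test IN TXT + (10.0.0.2)
21-Jan-2021 09:00:08.400 client 10.0.0.7#41004: query: 9c0d1e2f.cc.badexample.test IN TXT + (10.0.0.2)
"""

# Hypothetical blocklist of known-bad registered domains (constructed placeholder).
BLOCKLIST = {"badexample.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

def parse_log(text):
    """Yield (timestamp, client_ip, qname, qtype) for each parseable query-log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m["client"], m["qname"].lower().rstrip("."), m["qtype"]

def registered_domain(qname):
    """Crude two-label suffix; a production tool would consult the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])

def analyze(text, blocklist=BLOCKLIST, fanout_threshold=3):
    """Return blocklist hits, the first client to hit the blocklist (patient zero),
    and (client, domain) pairs with many distinct names queried under one domain."""
    hits = []
    names_under = defaultdict(set)  # (client, domain) -> distinct qnames seen
    for ts, client, qname, qtype in parse_log(text):
        dom = registered_domain(qname)
        if dom in blocklist:
            hits.append((ts, client, qname))
        names_under[(client, dom)].add(qname)
    patient_zero = min(hits)[1] if hits else None  # earliest timestamp wins
    high_fanout = sorted(key for key, names in names_under.items()
                         if len(names) >= fanout_threshold)
    return {"blocklist_hits": hits, "patient_zero": patient_zero, "high_fanout": high_fanout}
```

On the sample data, 10.0.0.7 is both patient zero (its 09:00:05 query is the first blocklist hit) and the only client exceeding the fan-out threshold; 10.0.0.9 shows up as a second infected device through its blocklist hit alone.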
Using DNS for security also provides the opportunity to apply security policies to DNS queries. Whether it’s done at the network boundary or at the client level, DNS-based security policies can be very targeted, allowing as much or as little leeway for queries to resolve as appropriate.
Compromised records cost companies millions of dollars each year, according to this security breach report, and that is before counting the loss of reputation. The report also reveals that the average time to identify a breach is 201 days, and the average time to contain it is 70.
Leverage DNS data to reveal the identity and intent of those on your network. You’ll strengthen security and effectively protect your enterprise.