This article originally appeared in Dark Reading on July 26, 2019.
Security teams are laser-focused on protecting the crown jewels. And while they are pretty good at evaluating the security within their own environments, the outside world can be tougher, with new and emerging threats from the broader Internet born every day.
In fact, crimes from the Internet are on the rise, according to the FBI’s “2018 IC3 Annual Report.” The report found that Internet-enabled theft, fraud, and exploitation not only remain pervasive, but also were responsible for a whopping $2.7 billion in financial losses last year.
Of particular interest for cybercriminals is the Domain Name System (DNS), which plays a central role in orchestrating all Internet and application traffic. Threats and attacks against it are growing in frequency, with a recent example being the attack on secure, cloud-based messaging app Telegram.
Ultimately, it is up to enterprises to implement the necessary best practices to protect their networks and end users, according to Brian Zeman, COO of NS1. But first they need to better understand the landscape.
DNS: A Vehicle for Phishing
DNS is the fundamental vehicle used in phishing attacks, according to Paul Griswold, executive director, product management & strategy, X-Force threat management at IBM Security. As such, when organizations accept the DNS that comes from their Internet service providers, they should realize it isn’t always “clean,” he says.
“A lot of times it’s something people just don’t think about. DNS is there. It’s provided by the ISP, and there’s not necessarily thought [about] all the different ramifications that can come from that,” Griswold said.
Companies that aren’t paying attention to their domain assets are more likely to see security risks, adds Mike Bittner, digital security and operations manager at The Media Trust.
“Not enough companies are fully managing their domain registries and, in some cases, even letting them go parse,” he says. “That’s where a lot of DNS attacks begin. They are repurchased, and the domain is used to actually compromise the DNS servers.”
Vulnerable Web Applications
While security pros tend to first think about phishing or DNS attacks as the most prevalent threats originating from the Internet, other, less obvious threats come from vulnerable Web applications, Bittner says.
“It’s the fact that security is not being implemented with an internal application, and the lack of security in Web applications is at the root of this problem,” he says.
Threats that originate from the Internet are compounded by the proliferation of devices connected to it. Every connected device is another attack vector for malicious actors, not to mention that Web applications are all too frequently given to users with a litany of vulnerabilities, Bittner says.
Additionally, drive-by downloads – malware that is downloaded from compromised websites – are occurring more frequently via JavaScript not only in third-party code, but through malicious websites. Victims have nothing more to do than navigate to a seemingly clean site that has been compromised. Without even clicking, they are automatically redirected to a ransomware site, Bittner explains.
“Your employees are on these sites, too,” he says. “This is happening in your network. If your home page is delivering JavaScript that eventually causes a drive-by download and you’ve got BYOD policies, that’s a phone on your network that has incurred another download.”
Some Preventative Measures
According to the “IDC 2019 Global DNS Threat Report,” commissioned by EfficientIP, three in five organizations suffered application downtime and one-quarter experienced business downtime. In order to maintain business continuity and avoid the hefty price tag associated with brand damage, organizations are well-advised to implement security measures to protect against attacks from the Internet.
“Organizations need to deploy threat intelligence, brought from advanced DNS analytics, to enhance the ability to detect infected devices and malicious behaviors,” says David Williamson, CEO of EfficientIP. “Threat intelligence is an essential tool for timely attack prevention across the network, as well as for protecting data confidentiality.”
In addition, redundancy ensures that if one network comes under duress, another will absorb the queries for both of them. That ensures no query goes unanswered, according to NS1’s Zeman.
“It is important to have redundancy at every level of a server infrastructure, including the DNS host,” Zeman says. “Deploy a secondary DNS network.”
Zeman also recommends taking the following precautionary steps to protect the enterprise against threats from the broader Internet:
- Borrow a page from the cloud computing playbook and leverage a managed DNS solution with a globally distributed, anycast network that ensures high availability.
- Reinforce the authenticity of DNS query responses by implementing Domain Name System Security Extensions (DNSSEC) across all zones in your control.
- Because DNS is a mission-critical service, administrative access to DNS management should be tightly controlled. Make sure to use strong password enforcement, two-factor or multifactor authentication, and role-based access controls.
- When using zone transfers, whitelist the transfer IP addresses of your secondary providers and leverage TSIG (Transaction SIGnature) to sign the transfers with a private key and limit exposure.
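As an added illustration of the last two recommendations (a secondary DNS network, restricted and TSIG-signed transfers, DNSSEC-signed zones), here is a BIND named.conf sketch written for this page; it is not configuration from the article, NS1 or EfficientIP. It assumes BIND 9.16+ syntax, the documentation addresses from RFC 5737, and a placeholder for the secret; note that TSIG keys are symmetric HMAC secrets that must be present on both servers.

```text
// --- Primary name server (placeholder addresses from RFC 5737) ---

// Weak setting, shown for contrast: any host on the Internet can pull the whole zone.
// zone "example.com" { type primary; file "zones/example.com.db"; allow-transfer { any; }; };

// Shared TSIG secret. Generate one with:  tsig-keygen ns1-xfer
// TSIG is a symmetric HMAC, so the identical secret is configured on primary and secondary.
key "ns1-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_tsig-keygen";   // placeholder, not a real key
};

acl "secondaries" { 192.0.2.53; 198.51.100.53; };   // transfer IPs of the secondary provider

zone "example.com" {
    type primary;
    file "zones/example.com.db";
    // Allow a transfer only when the request comes from a listed secondary AND carries a
    // valid TSIG signature. The nested, negated ACL denies every other source address
    // before the key element is even evaluated.
    allow-transfer { !{ !secondaries; any; }; key "ns1-xfer"; };
    also-notify { 192.0.2.53; 198.51.100.53; };      // push changes to the secondary network
    // Sign the zone so validating resolvers can verify the authenticity of responses.
    dnssec-policy "default";
    inline-signing yes;
};

// --- Secondary name server (at the second DNS provider) ---
key "ns1-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET_FROM_tsig-keygen";   // same secret as the primary
};

zone "example.com" {
    type secondary;
    file "zones/example.com.db";
    primaries { 203.0.113.53 key "ns1-xfer"; };      // sign AXFR/IXFR requests to the primary
    allow-transfer { none; };                         // the secondary does not re-serve the zone
};
```

A quick check after deploying this is to request an unsigned transfer from an unlisted address and confirm the primary answers REFUSED; a successful unsigned AXFR means the weak setting is still in effect.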
All told, DNS can have a major impact on business continuity.
“Businesses have now recognized the importance of protecting the DNS as the vital first line of defense for overall network security, yet DNS attacks are still damaging,” EfficientIP’s Williamson says.