Cybercriminals look for any chink in your corporate armor to use against your business. The Domain Name System (DNS) is one such chink, used by cybercriminals to enter the broader corporate network and carry out malicious attacks. The DNS has become a trusted stalwart in working life, facilitating the use of cloud apps across the modern enterprise's disparate, hybrid working conditions. As such, the DNS holds a central position in an organization's working life and its access to cloud apps. This makes the DNS an ideal target for cybercriminals. A report from NISC (Neustar International Security Council) found that a DNS attack had hit 72% of organizations.
Here, TitanHQ looks at five ways attackers misuse a DNS to cause havoc and how DNS filtering can stop DNS attackers.
Five DNS Attack Types That Let Cybercriminals Wreak Havoc
Here are five of the top ways that cybercriminals misuse a DNS to circumvent security:
DNS Tunneling
A DNS Tunneling attack targets weaknesses in the DNS protocol itself; because it rides on the underlying communication framework, it is very difficult to detect. In this type of DNS attack, the attacker manipulates the DNS protocol to 'funnel' malware into the corporate network. To begin, the attacker registers a domain, e.g., mybad.com, and uses it to host the tunneling malware. To initiate the DNS Tunneling attack, the attacker must install malware on a victim's device, using tactics such as phishing and credential theft. Once that initial malware is installed, the DNS Resolver requests the malicious IP address. The DNS Resolver then routes the DNS query to the server under the attacker's control and on to the website hosting the tunneling malware. Because the requests look legitimate, this opens a tunnel that the attackers can exploit to their heart's content. Ransomware attacks sometimes have a DNS Tunneling component in the attack chain.
It is worth noting that DNS Tunneling is not prevented by traditional security tools, as DNS requests can pass in and out of firewalls.
DNS Flood Attack
A DNS Flood attack is a form of distributed denial-of-service (DDoS) attack. It is linked to internet-connected devices, including cameras, printers, and digital assistants, which are infected with botnet malware and then used to flood (and overwhelm) targeted DNS servers. The Mirai botnet attack is an example of a DNS Flood attack. Often, the bot malware is initially installed via phishing scams, poor password security, or unprotected ports.
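Both of the attacks above leave traces in the resolver's query log, so here is an added example (written for this page, not TitanHQ's or WebTitan's code) of the two simplest detections a defender can run over such a log. The log lines are constructed for the example, the "registered domain" helper is an approximation (real code uses the Public Suffix List), and the thresholds are illustrative assumptions. Tunneling shows up as many distinct, long, high-entropy subdomains under one registered domain, because the tunnel encodes its data in query names; a flood shows up as an implausible per-second query rate.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed sample query log (not real traffic). One query per line:
#   "<epoch-seconds> <client-ip> <qtype> <qname>"
# - example.com: a handful of ordinary short hostnames (benign)
# - mybad.com: six TXT queries whose subdomains are 64 hex chars of encoded
#   data split into two 32-char labels (the tunneling pattern)
# - victim.example: one host repeating the same query 60 times in one second
#   (the flood pattern)
def _tunnel_label(i):
    """Deterministic stand-in for a chunk of tunneled data (hex of a SHA-256)."""
    h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
    return h[:32] + "." + h[32:]


SAMPLE_LOG_LINES = (
    [f"1700000000 10.0.0.5 A {h}.example.com"
     for h in ("www", "mail", "api", "cdn", "login", "docs")]
    + ["1700000001 10.0.0.7 A cdn.example.net"]
    + [f"170000000{1 + i % 2} 10.0.0.9 TXT {_tunnel_label(i)}.mybad.com"
       for i in range(6)]
    + ["1700000003 10.0.0.42 A victim.example"] * 60
)


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype, qname.lower().rstrip(".")


def registered_domain(qname):
    """Approximation: the last two labels. Production code should consult the
    Public Suffix List so that names like example.co.uk are handled correctly."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(text):
    """Bits per character; encoded data scores far higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_tunneling(lines, min_unique=5, min_avg_len=20.0, min_entropy=3.0):
    """Flag registered domains that receive many distinct, long, high-entropy
    subdomains: the signature of data being carried in query names."""
    subdomains = defaultdict(set)
    for line in lines:
        _, _, _, qname = parse_line(line)
        rd = registered_domain(qname)
        if qname == rd:
            continue
        subdomains[rd].add(qname[: -len(rd) - 1])
    flagged = {}
    for rd, subs in subdomains.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_avg_len and avg_ent >= min_entropy:
            flagged[rd] = {"unique_subdomains": len(subs),
                           "avg_subdomain_len": round(avg_len, 1),
                           "avg_entropy": round(avg_ent, 2)}
    return flagged


def detect_floods(lines, max_qps=50):
    """Flag clients whose per-second query rate reaches max_qps. A real botnet
    spreads load over many sources, so production detection also watches the
    aggregate rate at the server; the per-client view shows the idea."""
    per_client_second = Counter()
    for line in lines:
        ts, client, _, _ = parse_line(line)
        per_client_second[(client, ts)] += 1
    flagged = {}
    for (client, _), count in per_client_second.items():
        if count >= max_qps:
            flagged[client] = max(flagged.get(client, 0), count)
    return flagged


if __name__ == "__main__":
    print("tunneling:", detect_tunneling(SAMPLE_LOG_LINES))
    print("floods:", detect_floods(SAMPLE_LOG_LINES))
```

On the sample log, only mybad.com is flagged for tunneling (the six benign example.com hostnames have enough unique subdomains but are short and low-entropy) and only 10.0.0.42 is flagged for flooding. In practice the entropy and length thresholds need tuning per environment, since CDNs and some telemetry services legitimately use long machine-generated labels.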
DNS Cache Poisoning (DNS Spoofing)
DNS Cache Poisoning, sometimes known as DNS Spoofing, is a technique attackers use to redirect users to malicious websites. The attackers target the DNS resolver and 'poison' its cache by injecting false information. Unfortunately, DNS Resolvers are not designed to verify what is in their cache. Any incorrect data will remain in the DNS Resolver until the entry is manually removed or its time to live (TTL) expires. Again, one of the reasons that DNS Cache Poisoning can happen is that the protocols allow it. DNS servers use UDP (User Datagram Protocol), which is not designed to verify the user or sender of a request. This weakness in UDP leaves the protocol open to spoofed header data that makes the request look like it comes from a legitimate server, which makes the attack difficult to detect.
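Because UDP authenticates nothing, the resolver's only defense short of DNSSEC is to be strict about which replies it will accept into its cache. The following is an added example (not TitanHQ's code or any real resolver's) modeling those checks: the reply must carry the random transaction ID and arrive on the random source port of the outstanding query, from the server that was asked, with a matching question section, and it may only contribute records that belong to the zone that server is authoritative for (the "bailiwick" rule). All hosts, addresses and IDs are constructed values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    """One resource record as it would appear in a response section."""
    name: str
    rtype: str
    ttl: int
    data: str


@dataclass
class Query:
    txid: int       # 16-bit transaction id chosen at random per query
    sport: int      # randomised UDP source port the query was sent from
    server: str     # address of the server the query was sent to
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    dport: int      # UDP port the reply was addressed to
    source: str     # address the reply arrived from (unauthenticated over UDP)
    qname: str
    qtype: str
    answers: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(name, zone):
    """True if name is the zone apex or lies below it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def validate_response(query, response, zone):
    """Return (accepted, reason). zone is the zone the queried server is
    authoritative for; records about other zones are discarded even when
    every other field matches, because a spoofer could attach them."""
    if response.txid != query.txid:
        return False, "transaction id mismatch"
    if response.dport != query.sport:
        return False, "destination port mismatch"
    if response.source != query.server:
        return False, "unexpected source address"
    if (response.qname.lower(), response.qtype) != (query.qname.lower(), query.qtype):
        return False, "question section mismatch"
    for rr in response.answers + response.additional:
        if not in_bailiwick(rr.name, zone):
            return False, f"out-of-bailiwick record for {rr.name}"
    return True, "ok"


def cache_if_valid(cache, query, response, zone):
    """Insert records into the cache only after validation; returns the reason."""
    accepted, reason = validate_response(query, response, zone)
    if accepted:
        for rr in response.answers + response.additional:
            cache[(rr.name.lower(), rr.rtype)] = rr
    return reason


def run_scenarios():
    """Three replies to the same query: genuine, forged transaction id, and a
    genuine answer with an 'extra' record for an unrelated bank (constructed)."""
    cache = {}
    q = Query(txid=0x1A2B, sport=51733, server="192.0.2.53",
              qname="www.mybad.com", qtype="A")
    good_answer = [RR("www.mybad.com", "A", 300, "198.51.100.7")]
    genuine = Response(0x1A2B, 51733, "192.0.2.53", "www.mybad.com", "A",
                       answers=good_answer)
    wrong_id = Response(0x1A2C, 51733, "192.0.2.53", "www.mybad.com", "A",
                        answers=good_answer)
    poison = Response(0x1A2B, 51733, "192.0.2.53", "www.mybad.com", "A",
                      answers=good_answer,
                      additional=[RR("login.examplebank.example", "A", 86400,
                                     "198.51.100.9")])
    results = {name: cache_if_valid(cache, q, r, "mybad.com")
               for name, r in (("genuine", genuine), ("wrong_id", wrong_id),
                               ("poison", poison))}
    return results, cache
```

The third scenario is the one the paragraph above describes: everything about the reply is correct except that it tries to smuggle a record for a different domain into the cache, where it would sit with a long TTL until it expired or was flushed by hand. The bailiwick check drops it without touching the genuine answer.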
DNS Hijacking
Hijacking a DNS server is the 'full-Monty' version of DNS attacks. The attack begins with a highly believable spoof website that looks exactly like the targeted organization's site; this spoof website typically mimics a login page, and it is where phished users eventually end up. Initially, spear phishing is used to steal the login credentials of an individual with admin access at the target company's DNS provider. Once in control of the target's DNS, the attacker can change the DNS records for the target website or app login page. When users attempt to access the website, they are redirected to the spoof login page, where their login credentials are harvested.
DNS Zero-Day Vulnerabilities
Like any other app or device, a DNS server is at risk of a zero-day vulnerability. A zero-day vulnerability is a critical issue because it is unknown and has yet to be patched. One example was the Windows DNS Server Remote Code Execution Vulnerability, which has since been patched. Another recent zero-day flaw, tracked as ICS-VU-638779, allows an attacker to carry out a DNS poisoning attack.
How to Use DNS Filtering to Stop Cybercriminals
DNS attacks may come in many forms, but they can be stopped using DNS filtering. The Domain Name System works by mapping a human-readable domain name, such as TitanHQ.com, to a machine-readable IP address, such as 220.127.116.11. It is worth noting that there are usually several IP addresses associated with a website, reflecting the highly distributed nature of the DNS system.
A DNS Filter breaks the chain of events that leads to a DNS attack. It achieves this by blocking malicious URLs, so that even if an employee clicks a phishing link or is redirected to a malicious website, the malicious website will not be opened. This breaks the chain of events, from phishing to fake websites to stolen credentials to malware infection, that DNS attacks help to facilitate.
However, as seen with zero-day DNS threats and the complex nature of DNS attacks, a static blocklist of malicious URLs is not enough to stop dynamic DNS threats. An advanced DNS filtering solution must be enhanced with intelligent technologies. DNS filtering solutions such as WebTitan DNS Filter use multiple layers of threat detection and prevention mechanisms. Machine learning algorithms are fed massive amounts of data from a threat corpus built from hundreds of millions of end-users. This gives the algorithms the intelligence to detect and predict emerging threats. AI-powered DNS Filters are dynamic enough to respond to evolving lists of dangerous URLs that are not yet officially blacklisted. In a fluid and evolving landscape, where the DNS server and its vulnerabilities are open to attack, it is vital to have an intelligent approach to close down DNS threats.
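To make the two preceding paragraphs concrete, here is an added example of the decision a filtering resolver makes for each query; it is written for this page and is not WebTitan's code or its detection logic. The blocklist, allowlist and brand list are constructed, the registered-domain helper is an approximation (the Public Suffix List belongs in production code), and the lookalike rule stands in, deliberately simply, for the "not yet blacklisted" layer the paragraph describes: a domain on no list is still blocked when its second-level label is one edit away from, or embeds, a protected brand name. Blocked names get a non-routable sinkhole address instead of the real one, which is what stops the click from ever reaching the phishing site.

```python
# Constructed policy data (not WebTitan's lists or any real feed).
BLOCKLIST = {"mybad.com", "phish.example"}        # known-bad registered domains
ALLOWLIST = {"titanhq.com"}                        # never blocked, checked first
PROTECTED_BRANDS = {"titanhq", "examplebank"}      # labels attackers imitate
SINKHOLE_IP = "0.0.0.0"                            # non-routable answer for blocked names


def registered_domain(qname):
    """Approximation: last two labels (use the Public Suffix List in production)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(label):
    """Return the brand a second-level label imitates, or None.
    Matches a one-edit typo (titanhg) or a brand embedded in a longer
    label (titanhq-login); the exact brand label itself is not a lookalike."""
    for brand in PROTECTED_BRANDS:
        if label != brand and (edit_distance(label, brand) == 1 or brand in label):
            return brand
    return None


def filter_decision(qname):
    """Evaluate allowlist, then blocklist (a parent domain on the list blocks
    every name beneath it), then the lookalike heuristic for names on no list.
    Returns (action, reason)."""
    rd = registered_domain(qname)
    if rd in ALLOWLIST:
        return "allow", "allowlist"
    if rd in BLOCKLIST:
        return "block", f"blocklist:{rd}"
    brand = lookalike_brand(rd.split(".")[0])
    if brand:
        return "block", f"lookalike:{brand}"
    return "allow", "no match"


def answer_for(qname, upstream_ip):
    """What the filtering resolver hands back to the client: the upstream
    address for allowed names, the sinkhole for blocked ones, plus the reason
    so it can be logged."""
    action, reason = filter_decision(qname)
    return (SINKHOLE_IP if action == "block" else upstream_ip), reason


if __name__ == "__main__":
    for name in ("www.mybad.com", "TitanHQ.com", "titanhg.com",
                 "titanhq-login.com", "www.example.org"):
        print(name, "->", filter_decision(name))
```

The order of evaluation matters: the allowlist is consulted first so that a brand's own domain can never be caught by its own lookalike rule, and the blocklist is keyed on the registered domain so that a fresh subdomain of a known-bad site (a common evasion) is blocked without a new entry.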
DNS-layer threats are insidious, often difficult to detect, and designed to get deep inside your corporate IT infrastructure. However, by using AI-powered DNS filters to dynamically address evolving threats, even the most complex DNS attacks can be stopped.
To see how intelligent DNS filtering works, check out WebTitan DNS Filter and sign up for a free demo.