
Why Securing the DNS Layer is Key to Protecting your Organization from Phishing and Malware Attacks

Posted by Trevagh Stankard on Tue, Jul 20th, 2021

Like email, “DNS has been around for more than 20 years and is a ubiquitous part of the technology stack,

You use DNS; so does malware.

“DNS has an important role to play because it underpins the network activity of all organizations. And because around 90% of malware uses DNS to cause harm, DNS potentially provides visibility of malware before it does so.”

Beyond giving organizations a chance to intercept malware before it reaches its command-and-control infrastructure, DNS visibility exposes other indicators of compromise, such as sudden spikes in query traffic, lookups to domains spun up for an attack, and DNS hijacking.
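As an added example (not code from the original post or from any vendor it names), the script below runs two of the checks that give this kind of DNS visibility over resolver query logs: long, high-entropy subdomains that carry tunneled or exfiltrated data, and bursts of NXDOMAIN answers from one host that suggest malware cycling through generated domain names. The log format, thresholds, client addresses and query names are all constructed for the example; real resolver logs (BIND, Unbound, a cloud resolver) need their own parser in place of `parse_log`.

```python
# Added example (not code from the original post or from any vendor named in it).
# Log format is a constructed, simplified one:  <epoch> <client_ip> <qname> <qtype> <rcode>
from __future__ import annotations
import math
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    ts: int
    client: str
    qname: str
    qtype: str
    rcode: str

def parse_log(text: str) -> list[Record]:
    """Parse the constructed log format, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            ts, client, qname, qtype, rcode = parts
            records.append(Record(int(ts), client, qname.rstrip(".").lower(), qtype, rcode))
    return records

def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated char, log2(n) for n distinct chars."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def parent_domain(qname: str) -> str:
    """Naive registrable domain (last two labels); use the Public Suffix List in production."""
    return ".".join(qname.split(".")[-2:])

def tunnel_suspects(records, min_label_len=30, min_entropy=3.0, min_unique=3):
    """Possible tunneling/exfiltration: data is encoded into long, high-entropy labels and
    every chunk is a fresh subdomain (so it is never cached). Returns
    {(client, parent_domain): distinct suspicious subdomains} for pairs at or over min_unique."""
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in records:
        parent = parent_domain(r.qname)
        sub = r.qname[: -len(parent) - 1] if r.qname != parent else ""
        if not sub:
            continue
        longest = max(sub.split("."), key=len)
        # Length alone would flag long but repetitive labels; the entropy test leaves those alone.
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            seen[(r.client, parent)].add(sub)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_unique}

def nxdomain_bursts(records, window_s=60, threshold=5):
    """Possible DGA/C2 hunting: a host cycling through generated names gets a burst of
    NXDOMAIN answers. Returns {client: most distinct NXDOMAIN names in any window_s window}."""
    per_client: dict[str, list[tuple[int, str]]] = defaultdict(list)
    for r in records:
        if r.rcode == "NXDOMAIN":
            per_client[r.client].append((r.ts, r.qname))
    hits = {}
    for client, events in per_client.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):  # sliding window over time-sorted events
            while events[end][0] - events[start][0] > window_s:
                start += 1
            best = max(best, len({q for _, q in events[start:end + 1]}))
        if best >= threshold:
            hits[client] = best
    return hits

# Constructed sample: 10.0.0.5 is a normal host (two typo lookups, one long but
# repetitive CDN-style label), 10.0.0.7 pushes base32-looking chunks out in TXT
# queries, 10.0.0.9 cycles through generated names that do not exist.
SAMPLE_LOG = """\
1626777600 10.0.0.5 www.example.com A NOERROR
1626777601 10.0.0.5 mail.example.com A NOERROR
1626777602 10.0.0.5 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org A NOERROR
1626777603 10.0.0.5 wwww.example.com A NXDOMAIN
1626777604 10.0.0.5 mial.example.com A NXDOMAIN
1626777605 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43u.t.exfil-example.net TXT NOERROR
1626777606 10.0.0.7 ov3ho6dzpjb2gwxj7mpsd5cf4aqiyrtn.t.exfil-example.net TXT NOERROR
1626777607 10.0.0.7 k7e2lsy4rhnbqzjm3vd6pwga5cxotf2u.t.exfil-example.net TXT NOERROR
1626777610 10.0.0.9 xk3jd8qlwpa.com A NXDOMAIN
1626777612 10.0.0.9 qpwoeirutyal.net A NXDOMAIN
1626777615 10.0.0.9 zmxncbvalskd.com A NXDOMAIN
1626777618 10.0.0.9 plokijuhygtf.org A NXDOMAIN
1626777620 10.0.0.9 mnbvcxzlkjhg.com A NXDOMAIN
1626777625 10.0.0.9 asdfghjklqwe.net A NXDOMAIN
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("tunnel:", tunnel_suspects(recs))
    print("nxdomain burst:", nxdomain_bursts(recs))
```

Run as-is, both detections fire on the constructed sample while the normal host stays quiet: the long but repetitive label is not flagged because the entropy test rejects it, and two typo-induced NXDOMAINs sit below the burst threshold. The thresholds are a starting point to tune against a baseline of your own traffic, and the naive `parent_domain` split should be replaced with a Public Suffix List lookup before production use.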

“Being able to track and monitor DNS activity is important as it enables organizations to identify phishing campaigns and the associated leakage of data. It also enables them to reduce the time attackers are in the network and spot new domains being spun up for malicious activity and data exfiltration,” said Reed.

Research by EfficientIP found that 79% of organizations were hit by a DNS attack in the preceding year, at an average cost of $924,000 (£782,000) per organization.

Even though DNS attacks are rising sharply, experts fear that many organizations are ignoring the problem and failing to take appropriate steps to protect themselves. Jake Moore, security specialist at ESET, says: “DNS-based cyber attacks are among the most common, but despite this, DNS gateways are often left unprotected. The DNS layer of a network is always on and therefore often overlooked.

“Moreover, when a business’s DNS gateway is attacked, companies can’t shut down entire businesses due to the repercussions of not functioning, which could result in a loss of even more money. Unless the DNS is flooded, causing a DDoS [distributed denial of service], companies will do what they can to keep business as usual.” 

But what should organizations be doing to prevent and mitigate these attacks? Moore says analyzing the behavior of each user can offer a good representation of what is happening and help businesses to detect threats because the majority of network traffic goes through DNS. “Such threats must, in turn, be surveilled in detail, which can lead to a successful zero-trust strategy,” he says.

“At RiskIQ, we find most organizations are unaware of about 30% of their external-facing assets. That can be websites, mail servers, remote gateways, and so on. If any of these systems are left unpatched, unmonitored or unmanaged, it presents an opportunity for compromise and further exploitation; whether that is directed at company assets or at more valuable infrastructure such as DNS servers depends on the motives of the attacker and the specifics of the breached environment.”

Fieldhouse says DNS, DHCP and IP address management (DDI) is crucial to a zero-trust approach. “DNS traffic can be routed seamlessly, and blocked, depending on specific criteria, to protect company data from threats,” he says. “DDI solutions integrate with the vast majority of applications that organizations use to function, which ensures uniform control. 

“After the initial infection, ransomware initiates DNS lookups to contact C&C [command and control] and download additional payloads,” says Vissamsetty. “DNS filtering and blocking can potentially stop ransomware attacks at the initial payload stage. Targeted attacks can evade DNS filtering, so it is recommended to have zero-trust data access controls to prevent and minimize the impact of ransomware.”

With DNS filtering in place, known phishing domains are blocked at the resolver: if an employee opens a phishing email and clicks the link, the lookup for the malicious domain fails and the page never loads. A filter can only block domains it knows about or classifies as risky, so this is one layer of defense rather than a complete one.

Domain Greylisting

Phishing sites are usually set up on newly registered domains, and they tend to be taken down early in the domain's life once people realize the site is a threat. That is where domain greylisting comes in.

Domain greylisting is the practice of blocking newly registered domains to protect users from sites that have not yet earned any trust. With a DNS filter, you can block domains for the first 30 days after they have been registered. That is usually enough time for a malicious domain to be discovered as a threat and taken down, so by the time the block expires the site is gone.
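As an added, working illustration of the 30-day rule (example code, not WebTitan's or the post's own), the Python below reads a domain's registration date out of an RDAP response, decides whether it is still inside the greylist window, and emits the Response Policy Zone (RPZ) records a resolver such as BIND uses to answer NXDOMAIN for it. The RDAP documents, domain names, fixed clock, the allowlist and the `fail_closed` switch are all constructed or assumed for the example; nothing was fetched from a live registry.

```python
# Added example (not code from the original post or from WebTitan). Decides whether a
# domain is inside the greylist window from its RDAP registration event and emits the
# matching RPZ records. The RDAP documents are constructed to follow the RFC 9083
# "events" layout; nothing here was fetched from a live registry.
from __future__ import annotations
from datetime import datetime, timedelta, timezone

GREYLIST_DAYS = 30
NOW = datetime(2021, 7, 20, tzinfo=timezone.utc)  # fixed clock so the example is reproducible

# Constructed RDAP domain objects keyed by domain name (all names are made up).
SAMPLE_RDAP = {
    "login-secure-example.com": {
        "objectClassName": "domain", "ldhName": "login-secure-example.com",
        "events": [{"eventAction": "registration", "eventDate": "2021-07-12T08:15:00Z"},
                   {"eventAction": "expiration", "eventDate": "2022-07-12T08:15:00Z"}]},
    "old-brand-example.com": {
        "objectClassName": "domain", "ldhName": "old-brand-example.com",
        "events": [{"eventAction": "registration", "eventDate": "2010-03-01T00:00:00Z"}]},
    # Not every registry publishes a registration event; the policy must cope with that.
    "no-events.example": {"objectClassName": "domain", "ldhName": "no-events.example", "events": []},
}

def registration_date(rdap_doc: dict) -> datetime | None:
    """Return the 'registration' event as an aware UTC datetime, or None if absent."""
    for event in rdap_doc.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event["eventDate"].replace("Z", "+00:00")  # fromisoformat wants an offset
            return datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return None

def greylist_decision(domain: str, rdap_doc: dict | None, now: datetime = NOW,
                      window_days: int = GREYLIST_DAYS, allowlist: frozenset = frozenset(),
                      fail_closed: bool = False) -> tuple[str, str]:
    """Return ("allow" | "block", reason).

    Greylisting also blocks legitimate brand-new domains (a customer's new site, a
    partner's fresh SaaS tenant), so an explicit allowlist is part of the policy, and
    'no registration data' must be an explicit choice: fail open (default) or closed."""
    if domain in allowlist:
        return "allow", "allowlisted"
    registered = registration_date(rdap_doc) if rdap_doc else None
    if registered is None:
        return ("block" if fail_closed else "allow"), "no registration data"
    age = now - registered
    if age < timedelta(days=window_days):
        return "block", f"registered {age.days} days ago (< {window_days})"
    return "allow", f"registered {age.days} days ago"

def rpz_records(blocked: list[str]) -> str:
    """RPZ zone lines that make the resolver answer NXDOMAIN ('CNAME .') for each
    blocked domain and everything beneath it."""
    lines = []
    for d in blocked:
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return "\n".join(lines)

def blocked_domains(rdap_by_domain: dict, now: datetime = NOW, **policy) -> list[str]:
    """Apply the policy to a batch (a registration feed, not a per-query RDAP lookup)."""
    return sorted(d for d, doc in rdap_by_domain.items()
                  if greylist_decision(d, doc, now, **policy)[0] == "block")

if __name__ == "__main__":
    for name, doc in SAMPLE_RDAP.items():
        print(name, greylist_decision(name, doc))
    print(rpz_records(blocked_domains(SAMPLE_RDAP)))
```

Two design points a practitioner would insist on: greylisting also blocks legitimate brand-new domains, so an allowlist path exists, and an RDAP response with no registration event (which some registries do not publish) must be an explicit fail-open or fail-closed choice. Decisions are computed over a batch of registrations rather than per query, since an RDAP round trip on every lookup would make the resolver unusably slow. The policy does nothing against a domain the attacker registered months ahead of time or against a compromised legitimate site, which is why it sits alongside the phishing-domain filtering described above rather than replacing it.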

A major component of most phishing campaigns is the phishing web page itself, for example a fake bank login page that copies the real bank's branding.

This type of mimicry is known as "website spoofing" or "domain spoofing." But other phishing pages may be acting as a completely fake company without any imitation.

Phishing websites like these can be reached from emails (as mentioned above), malicious ads, search results, or even links on otherwise trustworthy pages.


DNS itself is one of an organization's most critical digital assets. Whoever takes control of a company's DNS can compromise anything that connects to it. Domain names and DNS records define who a brand is and where people find it online. Once a brand's domain is hijacked, users have no way of knowing they are connecting to a server controlled by the attackers.

In the internet age, security by design does not always hold, because the internet itself is insecure by design, and the problem has intensified in the post-COVID-19 norm. Under traditional network security practice, security is achieved by preventing and detecting intrusion into a network protected by millions of dollars of security investment. In the new norm, every employee device is an endpoint that connects to the network from outside it. Network security is no longer a problem contained within your own network; it has increasingly become an inter-network problem.

A new paradigm is needed for phishing attacks, one that treats them as an inter-network security problem. From this angle, phishing is a form of DNS abuse. DNS abuse is defined by the Internet Corporation for Assigned Names and Numbers (ICANN) as “intentionally deceptive, conniving, or unsolicited activities that actively make use of the DNS or the procedures used to register domain names. This includes issues such as spam, phishing, malware, botnets, and pharming (such as DNS hijacking).” Tackling it has become one of ICANN's highest priorities in 2021.

DNS is not sexy. There are movies about hacking, corporate espionage, and malware slipped into a nuclear facility, but never a movie about DNS. Most people probably consider DNS administration a low-level task. Yet when DNS goes wrong, attackers can direct employees to a malware site, steal critical trade information, and gain access to company servers. When any of that happens, the CEO will ask the CIO why, and the CIO will ask the IT team. The vast majority of DNS and domain incidents are not zero-day attacks; nobody can claim ignorance of DNS attacks, and there is no excuse for an incident.


Since 2019 there have been several noteworthy DNS attacks; one example is the Sea Turtle campaign. The Sea Turtle hijackers targeted organizations that control top-level domains and exploited multiple vulnerabilities to gain access to the name servers for entire domains. They then changed the DNS records for webmail servers so that they could intercept connections from users logging in to those webmail systems.

Take the first step to securing your organization from DNS attacks with WebTitan DNS Filter. WebTitan is an advanced web filter that protects against HTTP and HTTPS threats and gives businesses, MSPs and schools advanced DNS filtering controls. Start a free WebTitan trial and see results in less than an hour.
