In today’s BYOD world, securing the DNS is crucial
By Benjamin Cher October 21, 2015
- Increasing number of devices hindering security efforts
- Surge in malicious domain creation by malware in Q2 2015
The millennial workforce is leading the Bring Your Own Device (BYOD) charge, but there has been a lack of security policies to deal with it, according to a SolarWinds survey.
Against this device profusion and lackadaisical security backdrop, cybercriminals are looking to infiltrate networks via the Domain Name System (DNS).
DNS is the protocol that translates Internet domain names such as DigitalNewsAsia.com (which humans recognise) into Internet Protocol (IP) addresses, strings of numbers such as 18.104.22.168 that computers recognise.
According to the latest Infoblox quarterly DNS Threat Index, in the second quarter of 2015, DNS threats increased by 58% year-on-year to a record high of 133. The baseline for the index is 100, the average over the eight quarters of 2013 and 2014.
The BYOD trend brings even more devices into an organisation, which makes security against these threats tougher to enforce, said Infoblox chief executive officer Jesper Andersen.
“In general, the more BYOD you have, the less control companies have on whether malware enters their perimeter or not,” he told Digital News Asia (DNA) in Singapore.
“Some companies insist on massive client-side security measures, which a lot of employees don’t want, preferring to use a guest network instead,” he added.
The BYOD vulnerability is being exacerbated by the Internet of Things (IoT) trend, which will see billions of smart devices connected to networks.
“It’s not a question of if, it’s when and it’s already there,” Andersen said.
Attacking the phonebook
DNS is important to the way we interact online, but DNS security only came into prominence after incidents that highlighted the need to protect it, according to the Santa Clara, California-based company.
“DNS is the phonebook of the Internet,” Andersen said. “It rose to widespread awareness as an important service with publicity around Distributed Denial of Service (DDoS) attacks.”
In a DDoS attack, threat actors deliberately flood a DNS server with bogus queries until it can no longer answer, denying service to legitimate users.
However, “DDoS attacks are not as bad as things like the cache poisoning of DNS servers, where threat actors take over a server and redirect users to a spoofed website,” Andersen said.
“Customers will then leave login credentials and credit card details which will be stolen,” he added.
Paying more attention to the DNS structure is now becoming more important than ever, as every piece of malware or ransomware needs to connect to its Command and Control (C&C) server, and does so through a DNS query, according to Andersen.
“The latest one over the last year is data exfiltration using DNS – threat actors can steal information without making HTTP calls,” Andersen said.
“They take the information and encode it into a DNS query header, and may even open a new domain name on the fly to receive the information without needing to respond with an IP address,” he added.
To stop such attacks, security companies still concentrate on blocking IP addresses. The traditional perimeter defence posture is powerless against DNS-based exfiltration because the data travels inside ordinary-looking DNS queries, which the perimeter does not inspect and so cannot detect, according to Andersen.
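Defenders who want to catch the pattern Andersen describes look at the resolver's query logs rather than at the perimeter. The script below is an added example, not code from the article or from Infoblox: it scores each zone seen in a set of constructed query log lines by the number of distinct subdomains, the longest label and the entropy of the subdomain text, the usual signs of data being carried in DNS names. The log format, the placeholder zone names and the thresholds are all assumptions.

```python
import math
from collections import defaultdict

# Constructed log lines ("<client> <qtype> <qname>"); the last three mimic data
# encoded into long, high-entropy labels under a placeholder zone (not a real IoC).
SAMPLE_QUERIES = """\
10.0.0.12 A www.example.com
10.0.0.12 A mail.example.com
10.0.0.15 AAAA cdn.example.net
10.0.0.12 TXT 4a6f686e20446f65207061797261.x9z1.exfil-placeholder.test
10.0.0.12 TXT 6c6c20323031352d31302d32312e.x9z2.exfil-placeholder.test
10.0.0.12 A 9f3be0c71a2d8e4471c0b5d9e6a2f.x9z3.exfil-placeholder.test
""".strip().splitlines()

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32 payloads score higher than hostnames."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def split_name(qname: str):
    """(zone, subdomain); zone = last two labels (no public-suffix list, so approximate)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_zones(lines, min_unique=3, min_label_len=20, min_entropy=3.0):
    """Flag zones with many distinct subdomains, a very long label and high entropy."""
    stats = defaultdict(lambda: {"subs": set(), "max_label": 0, "ent": []})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed log lines
        zone, sub = split_name(parts[2])
        if not sub:
            continue  # a bare zone query carries no subdomain payload
        st = stats[zone]
        st["subs"].add(sub)
        st["max_label"] = max(st["max_label"], *(len(x) for x in sub.split(".")))
        st["ent"].append(shannon_entropy(sub.replace(".", "")))
    flagged = {}
    for zone, st in stats.items():
        avg_ent = sum(st["ent"]) / len(st["ent"])
        if (len(st["subs"]) >= min_unique and st["max_label"] >= min_label_len
                and avg_ent >= min_entropy):
            flagged[zone] = {"unique_subdomains": len(st["subs"]),
                             "max_label_len": st["max_label"], "avg_entropy": round(avg_ent, 2)}
    return flagged
```

On the sample above only the placeholder zone is flagged; example.com and example.net have short, low-entropy hostnames and fall below every threshold.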
Andersen said that Infoblox has done over 700 DNS security assessments for companies globally, and found over 85% of them have malware and ransomware present.
“CryptoLocker is the one we find pretty often,” he said, referring to the ransomware that encrypts all files on an infected computer, after which the cybercriminal behind the attack demands payment to decrypt them.
Generalised and specialised
Companies today are beginning to realise that there is no panacea, and that a good foundation for security lies in processes, procedures and tools able “to do the usual and the specialised,” according to Andersen.
“No one vendor can solve all the security problems,” he said.
“Companies need both general security products as well as specialised security products to give themselves the best chance of protecting their networks,” he added.
A DNS firewall is one of these specialised security products – it can detect and prevent DNS queries originating from malware within the network.
Also, the increased acceptance of BYOD opens up a new attack vector, via the mobile device. This, coupled with the usual phishing techniques, increases the threat to networks.
“Companies can try to be ahead of employees by sandboxing downloaded apps, but this is still insufficient,” Andersen said.
“Now threat actors have added a layer for malware to be honeypot- or sandbox-aware – [such malware] will not exhibit any malicious behaviour when it detects that it is in a sandbox or honeypot,” he added.
A sandbox is an isolated environment, separated from the production network, in which untrusted code is executed to observe its behaviour. A honeypot is a decoy system that sets itself up as an attractive target in order to detect, deflect or study attacks.
Employee education remains important, according to Andersen, who added that one of the reasons for the huge increase in Infoblox’s DNS Threat Index was phishing attempts that fool careless or unaware users into giving away information.
“The index is growing, that means we are in a planting phase – threat actors are trying to take over servers and devices,” Andersen said.
“The reason why the index went up to its record high is because of phishing attacks,” he added.
Spearphishing emails are very sophisticated, and threat actors make the emails look as genuine as possible. Even Infoblox has not been spared.
“My corporate controller got an email that looked like it came from me, asking him to approve an expense,” Andersen said.
“He double-checked with me, and I told him I didn’t send him that email,” he added.
Finally, the IT teams at organisations need to work together, as DNS security is often overlooked by the security ops (operations) team, while DNS is the top priority for the network ops team, according to Andersen.
“Network ops and security ops are typically separated,” Andersen said. “There is a need to bridge the gap.”