This month we share another blog from our technology partner Akamai on the topic of recursive DNS. Targeted threats such as malware, ransomware, data exfiltration, and phishing are increasing in volume yet many organizations have a blind spot when it comes to the Domain Name System (DNS).
Although every action on the Internet relies on recursive DNS, many security organizations fail to install corresponding safeguards. Cybercriminals have been only too happy to exploit this security vulnerability. We think it’s worth understanding more about this relatively unprotected threat vector and how you can gain full DNS visibility and control.
DNS Lookups Explained
We all know what happens whenever anyone or anything tries to access a resource on the Internet. It all starts with a DNS request that translates a URL (www.akamai.com) into an IP address (220.127.116.11):
Now if we dive a little deeper into the DNS request flow we can see the requester make a request to the recursive DNS infrastructure of either their ISP or their enterprise. In other words, recursive DNS infrastructure recurses the DNS hierarchy to return the proper IP address of the intended domain name to the requester.
Without getting into the DNS hierarchy the recursive DNS infrastructure ultimately gets its answer from the authoritative DNS infrastructure. Bottom line – authoritative DNS provides responses to recursive DNS with the IP resolution of the intended resource.
As far as this post is concerned recursive DNS sees all requests for resources on the Internet.
This obviously makes it a critical piece of enterprise and ISP infrastructure. It also makes recursive DNS the perfect control point to apply policy. All before IP connection and file download and execution.
Applying Policy to Recursive DNS Requests is a Good Thing
Now, why would I want to apply policy to recursive DNS requests? For that, we need to look at the current threat landscape. As we also all know the volume of malware and its sophistication keep increasing. This deluge of advanced threats has led to an unprecedented increase in the number of breaches over the last few years.
Advanced threats, such as malware and ransomware, frequently share common characteristics. These threats are often designed to bypass existing defences using unique, sophisticated techniques to exploit vulnerabilities, and to use external command and control systems to control and monitor malware while potentially exfiltrating data.
In response to the fast evolving enterprise threat landscape, activereach now offers a proactive malware, phishing and data exfiltration mitigation solution that can be trialled for 30 days. See our DNS Security page to find out more.
Mean Time to Identify Data Breach Incidents is Too Long
As a whole, enterprises seem to struggle to effectively deal with the bombardment of advanced threats. Threats that are often built to bypass traditional defences by using rapid evolution and using less protected threat vectors such as DNS. It is clear that most enterprises don’t have an answer for these sophisticated threats that generally cost them 10’s of millions of dollars to clean up. The fact that it still takes over six months for most organizations to identify a data breach speaks volumes.
As covered earlier if we think about malware or ransomware or phishing or even accessing the Internet they generally start with the same thing: a DNS lookup. Whether that is to get an IP address for a malware’s command and control infrastructure, or for exfiltrating data as part of the DNS request, or just an employee trying to access an app that he or she isn’t supposed to. It all starts with a DNS lookup that goes to the enterprise’s recursive DNS infrastructure.
Getting back to the point of why I would want to apply policy to recursive DNS requests, you can start to see how a proactive approach to defending against advanced threats using cloud-based recursive DNS and threat intelligence starts to make sense. It is early in the kill chain which makes near instant global policy pushes combined with always up to date threat intelligence even more effective.
Why DNS visibility is important
It all starts with DNS visibility. Since all external enterprise DNS lookups pass through the enterprise’s recursive DNS resolvers, the enterprise can get visibility into all external Internet traffic destinations to figure out for example what SaaS apps or unmanaged IoT devices someone in the enterprise is using.
It is also about control. The enterprise has the visibility; now they can also add controls such as applying an acceptable Internet usage policy, whether that’s for guest wifi or to stop employees accessing sites they aren’t supposed to.
Lastly combining DNS visibility with threat intelligence can help proactively mitigate enterprise threats before they even reach the enterprise. This is done by stopping access to malicious malware and phishing domains. For example, domains that are generated by an algorithm, or whose reputation isn’t what it needs to be, because it is likely delivering malware or redirecting to an exploit kit.
We can also stop the malware communicating with its command and control infrastructure using recursive DNS combined with threat intelligence. Whether that’s to receive instructions or even DNS based data exfiltration – where sensitive info is included in the domain request and captured by the attacker’s DNS server.
Ultimately it is worth remembering that cloud-based recursive DNS combined with threat intelligence can provide an additional layer of visibility, control, and security to an enterprise.
For more information visit our page on DNS Security or call activereach on 0845 625 9025.
This article was first published on the Akamai blog on 26 April 2017.