12 November 2020

Ronan David, vice president, strategy, EfficientIP

DNS attacks based on distributed, multi-vector and multi-stage assault modes have become highly sophisticated. Traditional security solutions such as firewalls, anti-DoS or IPS have not adapted to effectively ensure DNS availability and integrity.

They have proved to be insufficient against cyber-attacks such as data exfiltration via DNS, DNS hijacking, amplification and reflection attacks and DNS flooding. Even worse, they present a high risk of blocking legitimate clients.

Considering the multiple threats posed by DNS attacks, it is important for companies to implement robust network security strategies. In order to ensure business continuity, DNS attacks require adaptive counter measures that go beyond just blocking. Traditional security solutions have proved to be insufficient against new attacks, mostly because they are not purpose-built for DNS functions so do not analyse the traffic at the DNS transaction level.

When it comes to ensuring network security, there are a number of procedures companies can adopt to mitigate the threat of DNS attacks. It is important that a modern DNS security system is agile enough to adopt its DNS protection mechanisms to mitigate the risk of blocking legitimate clients, whilst simultaneously safeguarding data and ensuring DNS service integrity and continuity to legitimate clients.

Companies must acknowledge that everything should be considered to be a potential threat to their network operations and more importantly to data confidentiality within their company. DNS Guardian provides a possible solution to this as it helps to protect data confidentiality. DNS Guardian separates the two DNS functions, cache and recursive, in order to dramatically strengthen and improve the security framework. Each function is protected separately, allowing an uninterrupted service to be provided, even when one function is targeted by an attack.

By analysing transactions at the heart of the DNS server--which include queries, responses, fragments, recursions--threat visibility is enhanced well beyond known attack patterns and overcomes the limitations of signature-based protection systems that only offer limited peripheral traffic visibility. It is important for companies to have visibility into the infected devices and to identify the user associated with the device trying to exfiltrate data. Additionally, it is important to guarantee data integrity and continuity of web services for businesses, even during an attack.

Additionally, it is beneficial to a company’s data security to get instantaneous visibility on DNS services to improve remediation capacity with out-of-the-box statistics, delivering unequalled insights and reports on DNS traffic, without the need for additional appliances. DNS Guardian can offer a solution to this as it provides the most advanced DNS security solution on the market.

Moreover, the most effective way to address DNS-based data exfiltration is to build intelligent detection capabilities directly into the DNS infrastructure. Both sets of information gathered can then be sent to SIEM to provide enhanced reporting. As well as performing the critical functions of detecting and blocking data exfiltration attempts, lightning-fast remediation of the infected devices is necessary. This can be achieved by tighter integration between detection technologies and endpoint remediation solutions or NACs such as Cisco ISE to provide indicators of compromise when an endpoint is trying to exfiltrate data.

Analysing DNS traffic to develop internal threat intelligence is another key component of any modern data security strategy. DNS Guardian can help here as well: it detects zero-day malicious domains used by malware to communicate with external CnC servers (DNS tunneling) or exfiltrate data, and DGAs (domain generation algorithms). Identified malicious domains are dynamically shared between DNS Guardian appliances, delivering actionable predictive DNS security.