DNS attacks – the forgotten vector that will cost millions

In the dawn of the Fourth Industrial Revolution, data truly has become the new oil, with large tech groups holding an immense, and still growing, quantity of it. This growth of data has brought calls for greater control.

The EU’s new General Data Protection Regulation (GDPR) is fast approaching, coming into force in May 2018. It has a global impact on any organisation that wants to do business in Europe, particularly those holding data on European citizens. Failure to comply with this regulation could be catastrophic for businesses, resulting in fines of up to €20 million, or 4% of global revenue, whichever is higher.


However, compliance doesn’t need to leave IT executives stressed. The surest way to avoid such hard-hitting fines is simple: enhance security.

Data can be protected in many ways, but one route that is often neglected is data exfiltration via the Domain Name System (DNS). As seen in the WikiLeaks hack, the DNS protocol is a notoriously weak link of the internet, which cyber criminals often exploit with ease. DNS-based attacks have become a significant risk that must be considered in preparation for GDPR.

Data pickpocketing

While most security systems in use block obvious data transfer mechanisms, common internet protocols like DNS are often left unsecured because of the large amount of traffic that would need to be inspected. Attackers are handed a loophole: one where connections to arbitrary servers aren’t blocked.

A Global DNS Threat Survey conducted by EfficientIP reveals 76% of respondents were subjected to at least one DNS attack in the past year, with 28% suffering data theft. “In less than a year, GDPR will come into effect, so organisations really need to start rethinking their security in order to manage today’s threats and save their businesses,” commented David Williamson, CEO of EfficientIP.


Data can be extracted from your network using DNS in two ways. In both, the attacker runs software that encodes your data and then uses various DNS techniques to transmit it to remote servers.

The first option involves embedding blocks of encoded data within requests sent to an attacker’s own DNS server. While this is a slow way of extracting data, it is certainly effective and worthwhile to the hacker when it comes to valuable details like national insurance numbers or passwords. The second approach is DNS tunnelling, which offers attackers a command and control channel for their tools. Tunnelling is also a relatively fast way of extracting data, with one known attack delivering 18,000 credit card numbers a minute to an attacker’s server.

The thieves hide in the crowd

Most organisations already use data loss prevention tools and next generation firewalls which lock down the easiest routes out of your network, forcing attackers to explore and experiment with other protocols and take advantage of those, like DNS, that aren’t blocked by traditional security software.

More importantly, exfiltrated data can be easily hidden amongst the normal operation of a DNS service. Many common internet services use DNS, which means that most DNS servers are constantly busy, handling millions of queries every second.


Moreover, in a world where BYOD and public Wi-Fi are prolific, access to DNS by devices we don’t know and don’t manage is an everyday occurrence. Requests used for DNS exfiltration often go unnoticed as they are hidden in the vast volume of traffic, especially when they can be spaced out over time to look like normal traffic.

How to chain-lock networks

So how can DNS infrastructure be protected? Traditional monitoring techniques carry a risk of blocking legitimate traffic and slowing applications. The decentralised architecture of the global DNS service makes it impossible to know every server in use.

Security needs to be embedded in the heart of DNS, its servers. This allows for deep inspection of DNS traffic, analysing payloads and traffic to prevent any malicious workloads entering and staying in the network. Once malicious DNS traffic is identified in your network, organisations can apply fixes to mitigate the attack.

Keeping on top of DNS security will make GDPR compliance easier, as it not only reduces the risk of potential breaches, but also helps timely reporting if data has been stolen. Abiding by this upcoming regulation means reporting breaches to the appropriate data protection bodies within a strict 72-hour period. This requires a log of all DNS data, especially if new techniques have been used to exfiltrate data or even shut down services. Those logs need to be regularly explored to find previously undiscovered advanced persistent threats in the organisation’s network.


Working with large DNS logs can be like finding a needle in a haystack. To perform log analysis at this scale without placing user data at risk, a modern DNS server is required that can identify attacks quickly, or in real time, using real-time transaction analysis. This provides the option of blocking data exfiltration as soon as the DNS server’s analysis tools spot it.

Using the right lock

Security instruments are rendered useless when attackers use DNS exfiltration to get around your security perimeter, so what can be done to ensure DNS doesn’t put GDPR compliance at risk?

Instruments are needed that operate inside DNS servers, analysing DNS traffic and identifying outliers, enabling an organisation to locate suspicious clients that are tunnelling data out of their network over DNS. Once malicious DNS traffic is spotted, countermeasures can be put in place to block exfiltration – and protect the network from other attacks which can take advantage of this critical protocol.
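One way to implement the outlier analysis described above (and the log review the earlier section calls for), as an added example that is not part of the article or of EfficientIP's products: a small Python detector run over constructed DNS query log lines, which flags clients sending many distinct long, high-entropy first labels to one domain, the fingerprint of encoded data in requests. The log format, thresholds and domain names are assumptions.

```python
import math
from collections import defaultdict

# Constructed "client qname" DNS query log lines (not real traffic); the
# 10.0.0.9 queries mimic the encoded-subdomain pattern the article describes.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 cdn.static-assets.net
10.0.0.9 3f9a1c77e02b4d5a8e61.data.exfil-test.example
10.0.0.9 b81e47c0a9d2f36e5c14.data.exfil-test.example
10.0.0.9 7d2c90ab4e13f8a6b5d0.data.exfil-test.example
10.0.0.9 e64f1a8b3c27d90e5f12.data.exfil-test.example
10.0.0.5 update.example.com
"""

def shannon_entropy(label: str) -> float:
    """Bits per character: encoded data scores high, hostnames like 'mail' low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname: str) -> str:
    """Crude registrable-domain guess: last two labels (no public suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.5) -> bool:
    """Heuristic for a label that carries a block of encoded data (assumed thresholds)."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def find_exfil_candidates(log_text: str, min_unique: int = 3) -> dict:
    """Map (client, base domain) -> (distinct encoded labels, total label bytes) for
    pairs over the threshold; the byte count estimates how much data has left."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 2:
            continue  # skip malformed lines rather than crash the analysis
        client, qname = fields
        first = qname.split(".")[0]
        if looks_encoded(first):
            seen[(client, base_domain(qname))].add(first)
    return {k: (len(v), sum(map(len, v))) for k, v in seen.items()
            if len(v) >= min_unique}
```

Calling `find_exfil_candidates(SAMPLE_LOG)` reports only client 10.0.0.9 against exfil-test.example, with four encoded labels and roughly 80 bytes of payload seen, while the ordinary hostnames on the other clients are ignored.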


This is a world where hackers are becoming more sophisticated, the range of potential attacks is wider and the cost of launching them has fallen. The ease of access to malware means organisations should expect more attacks on their networks.

GDPR obliges companies to be as secure as possible, with significant penalties for failure. That requires much more than protecting databases: every part of the IP network must be protected as well.


Sourced by Herve Dhelin, marketing director at EfficientIP


Nick Ismail
