Cybersecurity is not like the typical cat-and-mouse game people think it is. Enhancing an organisation’s capacity to mitigate threats heavily relies on the crucial role of security operations teams. The shift towards a ubiquitous work environment has substantially expanded the attack surface, rendering traditional methods of threat detection and response inadequate. Consequently, teams find themselves confronted with the formidable task of prioritising and swiftly responding to challenges, all while grappling with limited visibility into the nature of the problems at hand.
In many ways, cybersecurity professionals often find themselves akin to chess players who relentlessly safeguard their King on the board, unable to anticipate their opponent’s next move. The pressure is constant, the clock is ticking, and the demand for detecting, responding to, and mitigating these issues quickly never stops.
One source of this pressure is the Domain Name System (DNS), an essential part of the internet we rely on every day. The DNS converts domain names into IP addresses — allowing users to be directed to the right website and other internet resources. As it is a crucial component in IT networks and the broader internet that we use today, security teams face the uphill task of protecting their organisation’s DNS, due to the wide range of potential attacks.
Simply put – the ubiquity of DNS makes it a honeypot for cyberattackers. Hackers are now launching extremely ingenious, complex DNS attacks at massive volumes, bypassing cybersecurity defences and causing significant damage. A common DNS risk is lookalike domains used for phishing attacks, which are fraudulent domains that mimic legitimate ones in order to trick users into divulging sensitive information or downloading malware. A recent Infoblox-commissioned report found that the cost of a successful DNS attack now exceeds US$1 million in losses.
Given the fundamental role DNS plays on the internet and its susceptibility to exploitation by cybercriminals, how can we enhance our understanding and refine our strategies to safeguard this critical component?
Digitalising critical industrial ecosystems
With Industry 4.0 well underway, digitalised industrial ecosystems have created more attack surfaces. In 2022, threats against operational technology (OT) systems were among the major trends making headlines. OT systems are used to manage critical infrastructure and industrial operation, such as water and wastewater management, oil and gas monitoring, and energy production — systems that enable our livelihood. Given our heavy reliance on these systems, it is no surprise that they are extremely appealing targets.
The integration of industrial internet-of-things (IoT) devices and software services are also increasing, connecting industrial OT systems to IT networks for real-time collaboration. The increased connectivity allows internet access to industrial systems, making them vulnerable to malware or threats that can ultimately infiltrate the network.
Protecting the distributed IT networks in industrial operations today is a massive undertaking. Hackers are getting more creative and innovative in bypassing enterprise security by tunnelling for access control and data extraction quietly and patiently — like a tunnel-boring machine building a train line underground.
Balancing business practicalities
Organisations typically design air-gapped networks (i.e., IT networks without direct access to the public internet) to separate the user networks from the isolated and protected networks connected to highly valuable data assets. This is to balance the security requirements of the business with operational practicalities.
One overlooked concern is when an air-gapped network is connected only to local DNS servers. In some cases, these local DNS servers may unknowingly be linked to public servers with internet access. This is especially true in today’s work environment, where remote capabilities demand users to connect to relatively unsecured networks.
Misconfigurations in DNS implementation to support remote working can unintentionally put air-gapped networks and high-value data assets at risk. Hackers use these DNS servers as a means of transferring malware or other programs to cripple key infrastructure, disable services, conduct surveillance, and extract valuable data.
The burden cannot be solely left to the security operations teams. How we work today significantly alters the cybersecurity landscape, and security teams deserve the tools and resources to respond in supporting the changing ways we work.
Reframing detection and response workflows
With hackers becoming more elusive and sophisticated in their methods of attack, our defence strategy should not solely focus on incident prevention. Instead, we need to assume that breaches will occur and build a detection and response system to identify threats early and respond quickly.
DNS detection and response is an approach that combines protective DNS capabilities, DNS-based threat intelligence, and device context and integrations to prevent attacks that may go unnoticed by others, identifying and stopping attacks at an earlier stage to protect businesses comprehensively, and enhance overall security effectiveness. How do you implement a DNS detection and response solution?
First, elevate your DNS server as a protective DNS solution to block phishing, malware, domain generation algorithms, C2 access, and data extraction programs from infiltrating critical IT networks.
Next, companies can implement tools such as DNS threat intelligence to detect malicious activity early in the threat cycle when cybercriminals are setting up their infrastructure, enabling proactive identification of potentially suspicious domains that could pose future threats.
Finally, mapping DNS queries to user/device activity using IPAM to identify the source of the incident and automating remediation actions through ecosystem integrations, while also sharing core network data with the security operations centre (SOC) team.
In summary, a DNS detection and response system is a valuable component of a comprehensive cybersecurity strategy, providing early threat detection, improved incident response capabilities, and enhanced overall security.
