Vulnerabilities still leave DNS—and businesses—wide open to attack
Encryption and other protection measures actually may make security more difficult
By Evan Schuman, ThirdCertainty
It is easy to instantly create a new domain on which to base a Web page, thanks to a core component of the Internet, called the Domain Name Service, aka DNS.
For that reason, DNS is more popular with cyber attackers than ever. Cisco’s 2016 Security Report, made public Tuesday, finds that 91.3 percent of all malware validated as “known bad” took advantage of how DNS works in order to spread.
Even worse, Cisco found that many of what it dubs “rogue DNS resolvers” are being routinely activated by IT staffers, apparently without them knowing it. The function of a DNS resolver is to send you to the correct numerical IP address associated with a textual domain name. A rogue DNS resolver deliberately sends you to the wrong site, often a look-alike site supporting a malicious scam.
Bad guys are using rogue resolvers and hastily created domain names to aid and abet the command and control of botnets; to establish download sites for malware; and to host pages booby-trapped to deliver phishing attacks and malware.
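A defender-side check for the rogue-resolver problem described above, added here as an example and not code from the Cisco report or from ThirdCertainty: it reads DNS egress log records, lists every client that reached a resolver outside the organization's sanctioned set, and flags answers from those resolvers that disagree with what the sanctioned resolvers returned for the same name. The log format, resolver addresses and domain names are constructed placeholders.

```python
"""Audit DNS egress logs for rogue resolvers (constructed sample data)."""
from collections import defaultdict

# Resolvers the organization sanctions (assumed addresses).
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed log lines: client resolver qname type answer
SAMPLE_LOG = """\
10.1.4.22 10.0.0.53 bank.example A 203.0.113.10
10.1.4.23 10.0.0.53 bank.example A 203.0.113.10
10.1.4.24 198.51.100.7 bank.example A 192.0.2.99
10.1.4.24 198.51.100.7 mail.example A 203.0.113.25
10.1.4.25 10.0.1.53 mail.example A 203.0.113.25
"""

def parse_log(text):
    """Parse 'client resolver qname type answer' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, resolver, qname, rtype, answer = line.split()
        records.append({"client": client, "resolver": resolver,
                        "qname": qname.lower().rstrip("."),
                        "type": rtype, "answer": answer})
    return records

def unsanctioned_resolvers(records, sanctioned=SANCTIONED_RESOLVERS):
    """Return {resolver: {clients}} for every resolver not on the allowlist."""
    seen = defaultdict(set)
    for r in records:
        if r["resolver"] not in sanctioned:
            seen[r["resolver"]].add(r["client"])
    return dict(seen)

def divergent_answers(records, sanctioned=SANCTIONED_RESOLVERS):
    """Flag (resolver, qname) pairs whose A answer was never returned by a
    sanctioned resolver for the same name. Names seen only through an
    unsanctioned resolver have no trusted baseline and are skipped."""
    trusted = defaultdict(set)
    for r in records:
        if r["resolver"] in sanctioned and r["type"] == "A":
            trusted[r["qname"]].add(r["answer"])
    findings = {}
    for r in records:
        if r["resolver"] in sanctioned or r["type"] != "A":
            continue
        expected = trusted.get(r["qname"])
        if expected and r["answer"] not in expected:
            findings[(r["resolver"], r["qname"])] = (r["answer"], expected)
    return findings
```

A name whose answer legitimately varies (CDN round-robin, geo-steering) will also diverge, so the second check is a triage signal to pair with the resolver allowlist rather than a verdict on its own.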
“DNS has not traditionally been a tightly controlled resource in an organization,” says Jason Brvenik, a principal engineer within Cisco’s security business group. “Malware uses DNS because it’s ubiquitous and it’s convenient.”
Cyber attacks pivoting off DNS manipulation have increased in popularity because criminals are able to create fresh domains very rapidly, and use them for only a brief time. Google and the antivirus companies are on the lookout for malicious Web pages and quickly quarantine them. But once a bad domain gets on a blacklist, the bad guys simply shift to a newly created replacement.
So while identifying a bad domain is comparatively simple, maintaining a current list of all of the wayward names out there is very difficult.
“It’s not an easy thing to get right,” said Craig Williams, a senior technical leader at Cisco. “Creating and maintaining the list is the challenge, but I do think people are now taking this seriously.”
Complicating matters is the fact that DNS has come to be used for a lot more than basic routing to the correct Web page. For instance, online advertisers have come to use DNS to send customers to Web pages promoting a product or service, sometimes repeatedly—to the point of trapping the Web surfer.
“The DNS resolution path is hotly contested,” says Paul Vixie, CEO of Farsight Security. “ISPs all over the world interfere with correct DNS responses flowing toward their access customers, either for data mining purposes, or to do ad insertion, or to do ad substitution.”
Williams agrees and goes a step further. Cisco’s threat report outlines how excessive use of encryption can foul transparency and make security harder.
“You should never encrypt things like ads and the body of news stories. It just blinds you to things, completely blinds you,” Williams says. Because mundane story text is being encrypted, IT gatekeepers are no longer suspicious when they see an ad coming through encrypted.