Domain name systems (DNS) has been undergirding the internet for more than four decades — and still it’s a daily pathway for cyberattacks. Considering how long security pros have had to create a better way to secure it, DNS security continues to lag, posing a significant security risk today. It remains responsible, at least to some extent, for a significant portion of cyber-attacks.

There’s a wide array of attacks based on DNS available to bad actors, including DDoS attacks, malware, phishing and domain theft. Attacks like these have the potential to cause significant disruption to an organization. Though there are many examples to draw from, the Google Cloud and  ChatGPT outages are some of the most high-profile current incidents. Almost every aspect of modern malware uses DNS in some way.

Let’s examine ways that criminals are leveraging DNS currently and, crucially, what a security team can improve upon to maintain the upper hand.

Three main cybercriminal tactics

The average user combats five malicious DNS queries daily, according to DNSFilter’s annual security report. That comes out to a yearly total of around 1,825 malicious queries for each user. Year over year, there was an increase in detection of malware (40%) and phishing attempts (106%). Bad actors rely on social engineering, phishing and malicious web links to conduct their ransomware attacks. According to CISA, in fact, 9 out of 10 cyberattacks start via a phishing attack. If that’s not enough to wake people up to the reality of the need for DNS defense, probably nothing will.

It’s possible to spot trends by taking a look at some of the main tactics that cybercriminals are currently using, such as:

• Phishing with phony Office365 pages — An analysis revealed that criminals often use Office365 as a lure. They create realistic-looking fake pages that unsuspecting victims willingly click on, which leads to the spread of malware and more.
• Redirection — It’s a common occurrence for people to get redirected via traffic distribution systems. These are well-known or long-standing domains that send people to a malware landing page. This could be a fake website or casino, for instance, or an actual OneDrive page that has links leading to a fake Office365 phishing login page. The criminal is relying on the standard user behavior of checking the OneDrive URL not the second URL.
• A revolving door of domain names — Researchers witnessed the strange phenomenon of daily domain name changes that are based on a newly registered (one-day-old) domain name. The purpose is still unclear, but the tactic involves a new kind of server that employs the same range of IP addresses but also random domains that look like someone just smashed their hands onto a keyboard. This may happen many times a day. Over 100 organizations in our network have experienced this tactic.

What drives DNS security challenges?

For criminals, DNS represents an easy target. Though you might assume that security is built into DNS at this point, you would be wrong. It’s still standard practice to not monitor, encrypt or secure DNS. The creator of DNS was going for speed and reliability, not security. For over 40 years, security teams have essentially ignored this integral and universal aspect of the internet, even though it’s used in most attacks and breaches.

Another DNS security challenge is the fallibility of humans. People tend to rush through their online transactions and don’t always stop to check the links they click on or the email sender’s address. This is the underlying reason for the ongoing success of phishing attacks.

Cybercriminals are becoming more sophisticated with the help of AI and other emerging technologies. They can personalize phishing emails with AI, which makes them seem more legitimate and helps them evade spam filters. And they can use AI to automate actions such as checking for vulnerabilities in DNS servers and configurations. In these ways, bad actors can efficiently find targets and focus on exploiting their weaknesses.

Reclaiming control of DNS 

Typically, DNS is not the focus of security teams. They are trying to fix more immediate problems like users clicking a bad link and getting phished or downloading ransomware that infects the network. But as our data shows, it’s critical to pay attention to DNS. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) advocated for this position three years ago.

Their recommendations are beginning to catch on. Around the world, organizations are adding DNS security solutions to their arsenal — especially due to the “work from anywhere” trend. When employees are dispersed, security teams must protect not only the corporate network but all the endpoints that remote staff use, too.

A prevention, detection and response strategy is what’s needed. Security teams need the proper tools — specifically, AI and automation. Malicious actors use these technologies, and good actors can also use them for actions like checking every domain that users access. They can also use machine learning-driven domain categorization to find zero-day threats, which stops threats before they can enter the network.

Cyber hygiene is also part of DNS security. Companies should train employees so they are more cyber-aware and know what bad links look like, so they don’t click on them. Since people are usually in a perpetual hurry, it’s important to provide ongoing education so that cyber hygiene becomes ingrained.

Secure DNS, more secure company

Organizations should have been securing their DNS for decades — and now the need is extreme, as statistics and guidelines from the likes of CISA and the NSA demonstrate. Attackers’ use of AI and automation, along with the foibles of human nature, create security risks, but defensive teams can use those technologies to protect the network. They can also keep training current for all employees. This two-pronged approach will enable companies to confidently face whatever comes at them.

https://www.securitymagazine.com/articles/100736-defeating-current-dns-based-attacks