Businesses Are Bleeding - The Global State of DNS Attacks by Marcus Bowring


Even non-security focused individuals with the most basic understanding of network technology are aware of how everything connected to the Internet uses an IP address, and how DNS is part of the process of connecting. DNS is the core foundation of how people interact with the Internet and how many business products work. But why are organizations not investing in strengthening their cyber resilience when DNS attacks are more rampant than ever? 

Businesses, especially in 2019, have observed a dramatic increase in sophisticated attacks, hitting every industry, causing billions in damage, not to mention the brand damage, the disruptions in services and business operations, and harmful data breaches (talking about you, Equifax). So with 2020 looming, let’s walk through this year’s battlefield to prepare adequately for what’s coming next.

DNS Security Matters

Being an older and stable function of the internet, DNS can be a lower priority for cybersecurity professionals, but the threat landscape is continually evolving. With DNS attacks increasing, it’s important to be proactive about what you can do to prevent such attacks.

A recent cyber security survey has shown DNS attacks are on the rise, and the results show that the majority of mid-market businesses and enterprises will be targeted this coming year. It’s also important to understand that the role of ethical hackers is becoming an even more vital part of this landscape to help protect organizations from digital assaults. They have a role outside of organizations, can adopt the mindset of cyber criminals and see weakness where business teams don’t.

The DNS Threats

Given the critical and deeply entrenched nature of DNS, it is now more vital than ever to be aware of the latest potential threats and their impacts.

There are many modern types of DNS attacks. The basic Distributed Denial of Service (DDoS) attack, which intentionally floods your system with requests until it is overloaded, is common and easily mitigated (if from a single source), but it leads directly to downtime.

Other attacks such as Cache Poisoning and DNS Tunneling can make it appear to users that your systems are still functioning correctly, whilst in reality their private data is being stolen, or malicious code is being executed, due to your DNS system being exploited.

These are merely a few popular DNS attacks among the vast array of malicious attacks currently recognized.

They can all have mass detrimental effects to your brand and bottom line, but by being more aware and prepared, it is possible to stop them before they do serious damage.

How could this affect your business?

According to the 2019 IDC DNS Survey, 82% of companies experienced a DNS attack, and the frequency of attacks is increasing and is worse than in previous years. To be blunt, every business is at risk of being affected.

63% of these organizations suffered application downtime, each attack caused $1.07 million in damage costs on average, and the average number of attacks for each company was 9.45!

The importance of uninterrupted operation of DNS for modern networks must not be underestimated. Aside from enabling all clients access to every app, “any DNS performance impact has major business implications…this is being widely recognized by businesses, who are starting to leverage DNS for their security strategy via threat intelligence, policy control and automation”, states EfficientIP’s CEO, David Williamson. But will that be enough?

What companies are at risk?

No matter what type of business you are in, the research has indicated real impacts for all industries across the board, and potentially all organizations are open to some form of service disruption, reputation damage and financial impact.

The most targeted is the financial services industry, with 88% of respondents in the last year alone confirming they experienced disruptions due to DNS attacks.

Worryingly, government organizations have had the highest occurrence of sensitive information being stolen, at 19%, although such data breaches should be a serious concern for all businesses too.

45% of those in the retail industry have been shown to have cloud service downtimes, causing the most business losses at a staggering figure of 35%.

The financial impact to utilities organizations has been shocking, with a quarter of the attacks costing them more than 1 million dollars each time.

Manufacturing, telecoms, healthcare, education, retail and other sectors have also all been victims of attacks. No industry is safe.

In the US, across all industries, almost half of these attacks (48%) result in a loss of more than half a million dollars per attack.

It’s not you, it’s a numbers game

In our experience, the motivation of hackers is not always straightforward, and their targets are not just the biggest corporations or government institutions, but very frequently small to medium businesses and online services with weaker security that have less dedicated teams and resources to stay on top of the latest attack vectors with zero ability to preemptively detect attacks. 

The IDC’s data shows no system is immune from attack; all systems are being targeted indiscriminately. It doesn’t matter how small or large, private or popular your system is, they have all been shown to be potentially vulnerable and actively targeted.

Hackers do not always have specific targets or care who they focus on and hurt, but often simply scan a vast IP range or mass list of domains until they find one (or more) with outdated or unsecure systems they can exploit.  It’s a numbers game. Their methods can yield much more for them if they brute force as many systems as possible, skip the better secured networks, to quickly identify and pick off the weak stragglers lagging behind the rest. By focusing their efforts on the easiest opportunities to infiltrate DNS, hackers’ successful attack results are maximized. The greater the number of victims, the more distress is quickly caused to a greater number of CEOs, System Administrators and users.

Unethical hackers and government sanctioned parties targeting the most popular organizations or biggest payoffs per attack make the news headlines, but anyone with an internet facing system who has ever analyzed their system logs is likely aware that all organizations are already attempted targets, even the small website servers.

If there is no particular system or asset fixated on for attack, it’s preferable for many hackers to target the smaller or less suspecting organizations for the easiest opportunities, maximizing disruption, downtime and damage caused to these types of business.

The trope of your security only being as good as your weakest link most definitely applies to cyber security, but it goes far beyond your own systems. It is also prudent for your entire network to be more secure than other networks, or other similar services that may be being targeted simultaneously, such as your competitors. 

From a holistic perspective, if a hacker were to conduct industry-wide malicious activity, targeting all companies across your industry indiscriminately, but a competing company had overall weaker DNS security than yours, the less prepared systems have more potential to be more frequently targeted (and thus repeatedly breached) instead of yours. 

Survival of the Fittest

In essence, if your security systems are more robust and better protected than your competitors', your competitor becomes the weakest, most viable target. If hacker resources are more focused on the weakest link (in this case your competition), this may draw less attention to your systems and naturally result in fewer attack attempts, reducing associated costs and downtime. And vice versa: if your network is low-hanging fruit in terms of weak spots, attacks are more likely to target your business and skip the competition.

Are you ready?

What can be done to prepare your systems against potential DNS threats? Using ethical hackers and thoroughly testing your systems is the best way to maintain them, and the IDC research report should further confirm how vital these services are becoming to protect your data and operations.

There are simple but effective steps that can be done.

Standard security solutions such as secure web gateway, next-generation firewall, data loss prevention (DLP), and intrusion prevention systems (IPS) are not designed to ensure DNS service availability and integrity.

Prevention is better than a cure

Security countermeasures have historically been focused on workarounds that further interfere with the operations and limiting of damaged services. Remediation based solutions more often than not shut down processes and connections, disable at least some (if not all) apps, or shut down the server completely.

Given the level of damage suffered, awareness of the critical importance of DNS security must improve. Instead of fixing damage from attacks after an attack, companies who have put predictive security measures into effect are finding them to be very valuable solutions. More than half of surveyed organizations found high value in machine learning for malicious domain detection, and 64% are now using DNS analytics for compromised device detection.

What should your business be doing to avoid being impacted?

All businesses likely have some level of security protocol in place already. However, an increasingly high number of successful attacks are being reported, and devastating losses to many companies’ reputations and bottom lines are still occurring. The majority of existing policies are not enough and much more needs to be done.

Proper operation of DNS is not being implemented, and acting on this must be a top priority for all businesses, to protect your users, apps and data.  To secure these assets, it is essential that solutions tailor-made to your network are considered and properly implemented. 

Consider moving to a “Zero Trust” network architecture pattern. This removes the reliance on trusted perimeter zones, users and devices as the basis for security. Instead, it uses advanced automation to detect threats at the most granular level. As well as reviewing existing policies, there are immediate steps all organizations can take.

Prioritize these three immediate recommendations to put in place:

1. Implement internal threat intelligence to protect your enterprise data and services.

- Using real-time DNS analytics helps detect advanced attacks such as DGA malware and zero-day malicious domains.

2. Make use of DNS for ensuring security compliance.

- Integrating DNS with IPAM helps automate management of security policies and keep them current and auditable.

3. Accelerate remediation by leveraging DNS’s unique traffic visibility in your network security ecosystem.

- This allows qualified security events to be sent to SIEMs.
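To make recommendations 1 and 3 concrete, here is an added example (not from the article or the IDC report) of DNS analytics over a query log: it flags DGA-style and tunneling-style names and emits one JSON event per suspicious client for a SIEM. The log format, thresholds, event fields and sample queries are all assumptions constructed for illustration.

```python
import json
import math
from collections import Counter, defaultdict

# Constructed sample query log (client IP, queried name); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "xkq3vz9pl2wq8rjt5.test"),
    ("10.0.0.7", "p0o9i8u7y6t5r4e3w2.test"),
    ("10.0.0.7", "zq7hw2k9xv4m1d8f6b3.test"),
    ("10.0.0.9", "0123456789abcdef" * 3 + ".t.example.org"),
]

def entropy(label):
    """Shannon entropy of a label, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())

def score_name(qname, min_len=12, min_entropy=3.5, long_label=40):
    """Return the reasons a query name looks machine-generated (empty if none)."""
    reasons = set()
    labels = qname.rstrip(".").lower().split(".")[:-1]  # every label except the TLD
    for label in labels:
        if len(label) >= long_label:
            reasons.add("long_label")  # data packed into the name, tunneling-style
        if len(label) >= min_len and entropy(label) >= min_entropy:
            reasons.add("high_entropy")  # random-looking, DGA-style
    return sorted(reasons)

def analyze(log, min_hits=3):
    """Group flagged queries by client; emit one event per client at or over min_hits."""
    hits = defaultdict(list)
    for client, qname in log:
        reasons = score_name(qname)
        if reasons:
            hits[client].append({"qname": qname, "reasons": reasons})
    return [
        {"event": "dns_suspicious_client", "client": client, "hits": len(q), "queries": q}
        for client, q in sorted(hits.items())
        if len(q) >= min_hits
    ]

if __name__ == "__main__":
    for event in analyze(SAMPLE_LOG):
        print(json.dumps(event))  # one JSON line per event, ready for a SIEM forwarder
```

The thresholds are illustrative starting points: some legitimate CDN and cloud hostnames also carry long or random-looking labels, so tune them against your own resolver logs and keep an allowlist before alerting.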


As 2019 is winding down, it’s clear that cybersecurity is not a set and forget practice. Most businesses are aware of the importance of protecting their networks, but more vigilance is needed to keep up with the advancing attack intelligence. Ethical hackers and cybersecurity professionals are on the forefront of these developments, and should play a significant role in protecting every business and organization.

Want to know more details? Check the full report at:

About the Author

Marcus Bowring is a self-proclaimed geek based in Australia, who has been forever passionate about discussions on cyber security, AI, ethics, the future and good food. He lives these topics, and can even occasionally be convinced to write about some of them.

December 10, 2019
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023