Gartner predicts that enterprises will spend $96 billion on cyber security this year, up 8% from their spend in 2017. That's a big chunk of change. To put it into context, that spend is in the same ballpark as the individual GDPs of Venezuela, Sri Lanka and Puerto Rico in 2018.
Despite this, enterprises are struggling to cope with the tsunami of threats they face every single day. The creation and distribution of advanced, targeted threats is now being executed on an industrial scale, and pretty much every aspect of the security kill chain is available as a service - with money-back guarantees and online support. In addition, the well-publicized security skills shortage means that getting the talent to manage the vast array of security solutions that an enterprise now has in its security stack is a challenge in itself.
However, despite the increased investment in security, there's seldom a week that passes when an enterprise is not making headlines about leaking information such as customer names, email addresses or credit card details.
It's clear that threats have become a lot more complex and that the threat landscape is constantly evolving. However, what I'd like to suggest is that most enterprises are not yet proactively protecting a very obvious threat vector: recursive DNS (rDNS). Leaving it unprotected is a bit like protecting your home with alarms, cameras, sensors and so on and then leaving the back door unlocked with a big sign in your garden that says, "Try Here".
The bad guys know that DNS is usually left to exit an enterprise with no controls in place - open up port 53 on your firewall and just let it go. What's the harm in that - it's just DNS, right? Smart bad guys know that's the case, and so they develop malware that leverages the fact that DNS is unprotected. Moreover, they know many of the current security solutions rely on blacklists and can't cope with threats where hundreds of constantly changing domains are used to launch and control the attack.
So how is rDNS being exploited? Here are a few examples:
Domain Generation Algorithms (DGAs): DGAs produce hundreds of new domains every day that are extremely short lived. Each domain can become the Command & Control server that controls the malware.
Fast Flux: Fast Flux is used by botnets to hide various types of malicious activities behind an ever-changing network of thousands of compromised hosts acting as proxies. Fast Flux networks are mostly used to make communication between malware and its Command & Control servers more resistant to discovery.
DNS Data Exfiltration: DNS data exfiltration uses the DNS protocol as an asynchronous file transfer protocol. The malware that's been installed on the endpoint device slices the sensitive data into small chunks and uses DNS to send the data to the DNS server controlled by the bad actors.
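Each of the three abuses above leaves a different footprint in the resolver's query log, and that footprint is what a DNS security layer (or your own SIEM) looks for. The following added example is not Akamai's detection logic or code from this post; it scores a constructed sample log with three simple heuristics: high-entropy, vowel-poor registered domains for DGAs; one name resolving to many addresses with a short TTL for fast flux; and many unique, long, high-entropy subdomains under one domain for exfiltration. The log format, the thresholds and the naive "last two labels" registered-domain rule are assumptions chosen for the example.

```python
"""Score DNS query log lines for DGA-like names, fast-flux answers and
exfiltration-style traffic. Added example with assumed formats and thresholds;
not a product's detection logic."""
import math
from collections import defaultdict

# Constructed sample resolver log. Assumed format, one query per line:
#   <epoch> <client_ip> <qname> <qtype> <ttl> <answer>
# Addresses are from documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A 3600 93.184.216.34
1700000001 10.0.0.5 mail.example.com A 3600 93.184.216.35
1700000002 10.0.0.7 xk3jq9w2lm8zt1.net A 60 198.51.100.10
1700000003 10.0.0.7 q8zl2mx0vb7n4k.net A 60 198.51.100.11
1700000004 10.0.0.7 p0o9i8u7y6t5r4.net A 60 198.51.100.12
1700000005 10.0.0.9 cdn.flux-example.org A 30 203.0.113.1
1700000006 10.0.0.9 cdn.flux-example.org A 30 203.0.113.2
1700000007 10.0.0.9 cdn.flux-example.org A 30 203.0.113.3
1700000008 10.0.0.9 cdn.flux-example.org A 30 203.0.113.4
1700000009 10.0.0.9 cdn.flux-example.org A 30 203.0.113.5
1700000010 10.0.0.11 3f9a1c7e2b8d4f60a5c1e9b7d3f2a8c4.tunnel-example.net TXT 0 NXDOMAIN
1700000011 10.0.0.11 b7d2e8f1a4c6903e5f7a2d1c8b4e6f09.tunnel-example.net TXT 0 NXDOMAIN
1700000012 10.0.0.11 9e4c2a7f1d3b8e6a0c5f2b9d7e1a4c38.tunnel-example.net TXT 0 NXDOMAIN
1700000013 10.0.0.11 c1a8f3e5b2d7904f6a3e8c1b5d2f7a90.tunnel-example.net TXT 0 NXDOMAIN
1700000014 10.0.0.11 5d7b3f1e9a2c4806e1f3a7b5c9d2e4f8.tunnel-example.net TXT 0 NXDOMAIN
"""

VOWELS = set("aeiou")


def parse_log(text):
    """Turn the assumed six-field log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, client, qname, qtype, ttl, answer = parts
        records.append({"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "ttl": int(ttl), "answer": answer})
    return records


def registered_domain(qname):
    """Naive registrable domain: the last two labels (assumption; a real
    implementation would consult the public suffix list)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_dga(qname, min_len=10, min_entropy=3.3, max_vowel_ratio=0.25):
    """DGA heuristic: the registered label is long, high-entropy and vowel-poor."""
    label = registered_domain(qname).split(".")[0]
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def fast_flux_candidates(records, min_ips=5, max_ttl=300):
    """Fast-flux heuristic: one name answered with many addresses, all short-TTL."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        if r["qtype"] in ("A", "AAAA") and r["answer"] != "NXDOMAIN":
            ips[r["qname"]].add(r["answer"])
            ttls[r["qname"]].append(r["ttl"])
    return sorted(q for q in ips if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)


def exfil_candidates(records, min_subdomains=5, min_label_len=24, min_entropy=3.5):
    """Exfiltration heuristic: many unique, long, high-entropy subdomains per domain."""
    per_domain = defaultdict(set)
    for r in records:
        dom = registered_domain(r["qname"])
        if r["qname"] != dom:
            per_domain[dom].add(r["qname"][: -len(dom) - 1])
    hits = []
    for dom, subs in per_domain.items():
        if len(subs) < min_subdomains:
            continue
        first_labels = [s.split(".")[0] for s in subs]
        avg_len = sum(len(l) for l in first_labels) / len(first_labels)
        avg_ent = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            hits.append(dom)
    return sorted(hits)


def analyze(log_text):
    """Run all three heuristics over a log and return the flagged names."""
    records = parse_log(log_text)
    dga = sorted({r["qname"] for r in records if looks_like_dga(r["qname"])})
    return {"dga": dga, "fast_flux": fast_flux_candidates(records),
            "exfil": exfil_candidates(records)}


if __name__ == "__main__":
    for category, names in analyze(SAMPLE_LOG).items():
        print(f"{category}: {names}")
```

These heuristics are deliberately simple and each produces false positives on its own: legitimate CDNs also hand out many short-TTL addresses, and some telemetry services legitimately encode data in long subdomains. In practice each signal is combined with reputation data on the domain, the answering IPs and their ASNs before a block decision is made, which is the part a threat-intelligence-backed resolver adds on top of this kind of log analysis.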
In addition, the vast majority of threats also leverage DNS. For example, phishing links or malware links in an email will use DNS to direct the request to the phishing page or the malware drop page.
So how do you proactively protect your rDNS traffic to ensure that you have visibility and control into these types of threats?
Adding a DNS security control layer over and above what other security layers you have already deployed is quick and simple, but incredibly effective in blocking these types of threats and much more. And that blocking happens right at the first step before any IP connection is made and further away from your network perimeter.
Typically, all you need to do is make a quick change to the configuration of your current rDNS setup, for example altering a couple of IP addresses on Microsoft Active Directory. Once that happens, every rDNS request that your users or devices make is checked to determine if the requested domain is safe or malicious. If it's safe, the request proceeds as normal; if it is malicious it's blocked. Most importantly, there's typically no complex software to install and manage, no hardware to install and maintain, and users are oblivious to the change.
Akamai Enterprise Threat Protector is such a service.
Now of course, the effectiveness of this type of service in what it determines to be malicious is hugely important. Akamai has an unprecedented view of what is happening on the internet and we are leveraging that to deliver up-to-the-minute threat intelligence. You can read about how we build our threat intelligence in this blog post.
In part two of this blog, I will talk about how you can check the effectiveness of your existing defenses with a free 30-day security threat check, and share what we typically uncover when an enterprise activates Enterprise Threat Protector.