by Sam Greengard, writer, Security Roundtable, February 19, 2019

It’s 5:30pm and you’re still at work going through the last batch of emails. You’re feeling a bit overwhelmed after a long day—you want to get home to dinner—when you see an e-mail from a co-worker that looks important. It has your name in it, the graphics look authentic and the wording sounds legit. You click a link to view a document but immediately notice something is amiss. Instead of going to mnocorp.com, you’ve arrived at mmocorp.com. And just like that, you have encountered a DNS exploit.

You’ve been tricked into clicking a link to a site that is now downloading malware onto your computer and into the company’s network. This could result in anything from a data breach to ransomware that spreads across your entire organization. “It’s a tactic that is incredibly easy to fall prey to and the results can be devastating,” says Rick Howard, chief security officer at Palo Alto Networks. 

The term DNS stands for Domain Name System. It’s the underlying address framework that directs traffic across the Internet and delivers users to websites. It transforms obscure codes and symbols—the actual numerical IP address—into an address with a name. 

However, savvy hackers and attackers exploit vulnerabilities in the DNS framework to shut down systems, inject malware and perform other exploits. These methods continue to advance and affect mobile systems as well as conventional web browsers.

DNS attacks can be tricky  

DNS attacks come in a few variations. A common method—a link in an e-mail that has been set up as a phishing or spear-phishing attack—relies on a slightly misspelled name or other visual deception to steer a user to a website that inserts malware into a computer. 

Other DNS exploits rely on human error. “An attacker will often create websites that have very similar DNS names to a legitimate site and then rely on people making a typo when entering a URL into the browser,” says Paul Hill, a senior consultant at SystemExperts, an independent security consulting firm. Some refer to this method as “typosquatting.”

Cyberthieves also trick DNS registrars into changing records to redirect traffic to an IP address they control. Although many of these domains become known quickly—and are either shut down or blacklisted—some manage to get through. “This may result in users accessing a ‘trusted site’ that is under control of an untrusted party,” Hill points out. 

In addition, Howard says that activists and hacktivists launch attacks on sites and attempt to take them down by flooding them with illegitimate traffic. Nation states might also enter the picture. Such floods are a form of distributed denial of service (DDoS) attack, and a DNS amplification attack is one way of magnifying their force.

Addressing DNS security risk

Regardless of the specific approach in DNS attacks, organizations can take basic steps to protect their assets. First, it’s critical to use a DNS cybersecurity solution that addresses known offenders and blacklists them. This is a highly effective way to block phishing and spear-phishing attacks. 

Hill says that organizations can also benefit by creating secure connections. Traditional DNS queries and responses travel over unencrypted connections. This makes it easier to eavesdrop and spoof. By encrypting traffic through a method called Transport Layer Security (TLS) and using certificates, it’s possible to diminish the odds that an attack will succeed.

Other methods can also aid in the battle against DNS attacks. One popular approach is to train employees to spot illicit sites by hovering their mouse over a URL and inspecting it. Some companies also use simulated phishing attacks to raise awareness. These exercises help people spot fake messages. In some cases, Howard says, they can reduce clicks on bad links by an order of magnitude. “But you still can’t prevent some people from clicking on bad links, which is why you need a multi-layered approach and the right DNS software,” he explains.

Additional steps include security tools that quarantine messages based on specific words or phrases, a greater use of encryption and endpoint security, and rethinking procedures—including authorizations. While these may not stop a DNS attack from taking place or a network from becoming infected by malware, they can aid in thwarting additional phishing and spear-phishing, and prevent specific transactions from taking place. Howard adds: “Blocking domain names that are known to be bad is the best protection of all. Hackers can’t break into a system when they are blocked.”

When reputation is on the line

DNS attacks also pose a serious reputational risk. The European Union’s General Data Protection Regulation (GDPR) introduced stringent breach-reporting requirements for organizations doing business in the European Union, and Australia as well as U.S. states such as California are introducing new privacy regulations and reporting requirements. This adds visibility and regulatory scrutiny to a DNS attack and exposes a company to investigations and penalties.

What’s more, businesses are increasingly required to take into account state-of-the-art technology and use this as a standard when determining risk. This means they can be held accountable for failing to upgrade their defenses to meet the regulation. 

Then there are also responsibilities to shareholders. DNS attacks that lead to major damage can cost a company millions of dollars and put senior executives directly in the firing line. They may be held responsible for damages. The cost of fixing the problem is often compounded by lost sales and eroded trust for an e-commerce platform, if the site is down for any period of time. A 2017 study conducted by Ponemon Institute found that the average data breach now costs a company $3.9 million.

There are no quick fixes. Typosquatting and other techniques that exploit misspellings, typos and variations on actual top-level domains will continue to pose a threat. Although the problem would vanish overnight if every company registered domain names with an encrypted certificate, this isn’t going to happen. Consequently, it’s critical for your organization to include DNS attacks in its overall risk management strategy.

DNS attacks represent both a practical risk and a reputational risk. Executives can take aim at the problem through a coordinated approach that involves security tools, training and a governance framework that promotes trust. When executives address all three components, it’s possible to build a more coordinated and holistic defense.

Here are a few examples of how DNS attacks are engineered (fake URLs are frequently embedded in links that do not automatically display the actual address):

Misspellings

Google.com -> Goggle.com

Microsoft.com -> Microosoft.com

Apple.com  -> Aqqle.com

Domain confusion

www.bankoftheworld.com/newproduct  -> www.newproduct/bankoftheworld

www.airline/newflight.com  -> www.airlines/newflight.com

Country code and top-level domain abuse

www.rusticwinery.com  -> www.rusticwinery.co

www.securityaces.com  -> www.securityaces.cm
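As an added illustration of the defensive side of the lists above, and of the advice earlier in the article to block known-bad domains, the following Python check classifies the hostname of a link against a blocklist and a set of protected domains. This is example code added here, not code from the article or from any vendor product. The domain lists, the sample links, the edit-distance thresholds and the naive “last label is the TLD” split are all assumptions made for the example; a production tool would draw on a real threat feed and the public suffix list.

```python
"""Classify URLs found in e-mail as blocked, ok, or a lookalike of a protected domain.

Example code (not from the article). All lists below are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

# Constructed: domains the organisation and its users legitimately visit.
PROTECTED = {"mnocorp.com", "google.com", "microsoft.com", "apple.com",
             "bankoftheworld.com", "rusticwinery.com", "securityaces.com"}
# Constructed: domains already known to be malicious (a local blocklist).
BLOCKLIST = {"mmocorp.com"}


def _split(url):
    """urlsplit() that also accepts a bare 'host' or 'host/path' string."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower().rstrip("."), parts.path.lower()


def registrable(host):
    """Naive (name, tld) split: drops a leading 'www.' and treats the last label
    as the TLD. Assumption for the example; real code uses the public suffix list."""
    labels = host.split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    if len(labels) < 2:
        return ".".join(labels), ""
    return labels[-2], labels[-1]


def edit_distance(a, b):
    """Levenshtein distance (iterative dynamic programming, two rows)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_under(host, domain):
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, matched_domain) for a link.

    Verdicts: 'blocked' (on the blocklist), 'ok' (protected domain or a subdomain
    of one), 'tld-lookalike' (same name, different TLD), 'misspelling' (name within
    a small edit distance of a protected name), 'brand-misplaced' (a protected name
    used as a subdomain label or path segment of an unrelated host), or 'unknown'.
    """
    host, path = _split(url)
    if any(is_under(host, bad) for bad in BLOCKLIST):
        return "blocked", host
    if any(is_under(host, good) for good in PROTECTED):
        return "ok", host

    name, tld = registrable(host)
    host_labels = host.split(".")
    path_tokens = re.split(r"[^a-z0-9]+", path)
    for good in sorted(PROTECTED):           # sorted for deterministic results
        gname, gtld = registrable(good)
        if name == gname and tld != gtld:    # rusticwinery.com -> rusticwinery.co
            return "tld-lookalike", good
        # Allow 1 edit for short names, 2 for names of five or more characters
        # (threshold is an assumption; tune it against your own false-positive rate).
        limit = 1 if len(gname) < 5 else 2
        if name != gname and edit_distance(name, gname) <= limit:
            return "misspelling", good       # google.com -> goggle.com
        if gname in host_labels or gname in path_tokens:
            return "brand-misplaced", good   # www.newproduct/bankoftheworld
    return "unknown", host


if __name__ == "__main__":
    # Constructed sample links, including the article's own illustrations.
    for link in ["http://mmocorp.com/doc", "https://www.mnocorp.com/docs/q1.pdf",
                 "Goggle.com", "Microosoft.com", "Aqqle.com",
                 "www.newproduct/bankoftheworld", "www.rusticwinery.co",
                 "www.securityaces.cm", "http://mnocorp.com.evil.example/login",
                 "http://example.org/"]:
        verdict, match = classify(link)
        print(f"{link:45} {verdict:16} {match}")
```

The order of checks matters: the blocklist is consulted first so that a known-bad domain is rejected even when it would also register as a lookalike, and the protected set is consulted before any fuzzy matching so that legitimate subdomains are never flagged. Everything that reaches the fuzzy stage is only a warning; the edit-distance threshold will produce false positives on short names, which is why a mail-gateway rule built on it should quarantine for review rather than silently drop.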