One of the main problems with DNS attacks is the increasing cost of the damage they cause, as well as their rapid evolution and the diverse range of attack types. Data exfiltration over DNS is a major concern in corporate environments. In order to protect themselves, organizations are prioritizing the security of network endpoints and improving DNS traffic monitoring. We discussed this with Carlos Arnal, Product Marketing Manager – Endpoint Security at Panda.
Why do you think DNS attacks against companies have increased to such an extent?
Because it is a profitable type of attack for cybercriminals when it comes to achieving their aims, which range from financial profit to obtaining the main asset that companies today hold: data. To achieve this goal, some attacks aim to bring down certain platforms, such as a web page, saturating the resources of the system that hosts the service, and sending an avalanche of requests that cannot be processed. Other attacks try to modify IP addresses, replacing the IP of the legitimate server with a fake IP address, and thereby causing the user to connect to an illegitimate server so the attackers end up with the data, especially passwords and account details.
It should be noted, however, that these attacks are not only perpetrated by organized cybercrime gangs for financial gain; they are also carried out by attackers as a means of protest and web activism against government decisions or corporate activity. As we’ve seen in the past, this type of attack has caused temporary outages even for companies the size of Twitter, Tumblr, Spotify, The New York Times, or CNN. Finally, it is worth underlining that these attacks not only affect home-user systems, but also many digitalized services that are essential in our day-to-day business lives, often causing them to fail at critical times.
Do you think the pandemic has been a factor in this increase?
In the same way that the number of fraudulent domains, phishing emails, and other cybercrime tactics using COVID-19 as bait have increased, so have DNS attacks. And not just in number, but also in the amount of bandwidth and resources consumed, as well as their increased complexity. Although Internet providers and cloud-based endpoint security solutions have strived to deal with the increased traffic, given the sudden changes in system management and the need to reinforce endpoint protection outside the typical security perimeter -due to the increase in telecommuting- we have also had to combat DNS attackers , who have been all the more active during lockdowns, as recent studies indicate.
What are the main dangers and effects of these types of threats?
There are a wide range of DNS attack types against which companies should be taking preventive measures, each with its own peculiarities and equally concerning for businesses. Firstly, there are DDoS (Distributed Denial of Service) attacks on DNS servers .This consists of using a large number of devices to attack the target. DDoS attacks are often carried out by bots: infected systems whose owners are frequently unaware that their devices form part of a malicious network. It differs from DoS attacks in that, with DDoS attacks, each request comes from a specific IP, so it is a far more difficult type of attack to detect.
The second form of these attacks that most concerns companies is DNS data exfiltration. In this case, cybercriminals take advantage of the DNS to extract information using the DNS protocol, creating a tunnel to transfer information or even take control of computers. Firewalls and other traditional security solutions, while still useful, are insufficient in combating this threat, as they do not have the ability to detect, block, or remedy such attacks.
Another variant of these attacks to cause IT professionals most headaches is the zero-day attack. Here, attackers exploit a security hole in the DNS protocol or server software on the same day that vulnerability is discovered and before it has been patched. By sending a pre-formulated query to the server, attackers can block the system and cause serious problems for the targeted company.
The most effective way of avoiding these threats and protecting corporate networks and systems from their consequences is to implement advanced cybersecurity solutions such as Panda Adaptive Defense which provide centralized protection for all endpoints and servers, with automated EDR prevention, detection, and remediation.
Do you feel that, despite everything, there is more corporate awareness of how to resolve these attacks?
The economic impact of a DNS attack is too great to ignore the potential vulnerabilities that would enable it, so awareness against this type of attack and about the importance of cybersecurity in general is increasing among companies. Over the last year, organizations have suffered 34 percent more attacks, meaning an average cost of 950,000 euros (US$1.07 million) for one in five companies – according to IDC – causing application outages in 63 percent of cases. An insecure DNS system is in itself an open invitation for attackers to access a company’s information and reduce online service time. For this reason, it is vital for companies to invest as many resources as possible in implementing appropriate cybersecurity measures and solutions, particularly bearing in mind how widespread these attacks have become.
How can the use of DNS be improved and how can the Channel help customers to achieve this?
Panda Security offer four tips for combating DNS attacks:
- Patch management can be the most effective tool for protecting a business from vulnerabilities and the least expensive to run if set up efficiently. It is highly advisable to automate the discovery, planning, application, and monitoring of critical patches and updates for your organization
- Organization, thereby preventing vulnerabilities from being exploited by hackers to infiltrate systems. The result is a reduction in the attack surface, strengthening preventive and containment capabilities in the event of security incidents.
- Use tools for filtering the network traffic that computers send or receive in accordance with the type of network to which they connect. Such tools can provide maximum protection against DNS attacks through system rules, protection of programs and their communication, and a system for detecting intrusions and malformed traffic patterns.
- Implement an intrusion detection and prevention system (IDS/IPS) that monitors connections and alerts of unauthorized access attempts or misuse of protocols. By correctly setting up firewalls and an intrusion detection system (IDS), it is possible to reduce the attack surface and the extent to which devices are exposed, as well as preventing external communication of programs.
- Implement advanced cybersecurity solutions that centrally protect all workstations and servers, ideally, a solution that integrates traditional preventive technologies and innovative adaptive prevention, detection, and response technologies against advanced cyberthreats. This type of cloud solution should also include a web application firewall (WAF). Such a cloud-based web security application can be helpful in preventing and mitigating the effects of denial-of-service attacks.