Costly DNS Attacks on the Rise

Awareness of DNS security continues to grow, but the cost, frequency and number of attacks remain high, and the pandemic and the hybrid work environments it produced have been hugely disruptive for organizations.

Research firm IDC’s 2021 DNS Security Survey confirms that a large majority of companies (87% of those surveyed) have had their apps and services disrupted by DNS attacks.

Meanwhile, the average number of attacks per organization in the past 12 months rose to 7.6, with the average cost of each attack approaching $1 million. More than a quarter (26%) of organizations surveyed were the victim of data theft, up 10 percentage points from last year’s survey.

DNS Remains a Prime Target

DNS remains a prime target for attackers, because it gives them both a way into networks and a channel for exfiltrating data.

John Bambenek, principal threat hunter at Netenrich, a digital IT and security operations company, explained that the DNS threat landscape has, in fact, not changed much.

“DDoS and DNS tunneling have been around a long time,” he said. “What has changed is that with the adoption of the cloud, ‘internal’ resources are really externally accessible and subject to those attacks. That is what creates new opportunities for attackers to attack organizations.”

Bambenek explained that the primary DNS impact is on availability, and that means if organizations are not prepared to mitigate DDoS attacks, their resources can be knocked offline with minimal effort.

“DNS tunneling is a covert method to exfiltrate data out of an organization; if organizations are not minding their outbound DNS queries, they can easily be losing sensitive data,” he said. “Hybrid work environments have changed not only the DNS threat but also the methods by which organizations need to defend themselves.”
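The kind of outbound-query check Bambenek describes can be run over the logs of any resolver that records client, query type and name. The script below is an added example, not code from the article or from Netenrich: it groups queries by registered domain and flags the three classic tunneling indicators (many distinct high-entropy subdomains, very long labels, and a skew toward TXT/NULL records). The log line format, the domain names, the sample log and the thresholds are all constructed for illustration; the thresholds should be tuned against a baseline of your own traffic.

```python
"""Flag DNS-tunneling indicators in outbound resolver query logs.

Added example, not code from the article or from Netenrich. The log format,
the domain names and the thresholds below are constructed assumptions.
"""
import math
import re
from collections import defaultdict

# Assumed log format (constructed): "<timestamp> <client-ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")

# Illustrative thresholds; tune against your own baseline.
MAX_LABEL_LEN = 40          # leftmost label longer than this is suspicious
MIN_ENTROPY = 3.5           # bits/char of the leftmost label; encoded data is high
MIN_UNIQUE_QNAMES = 20      # distinct names seen under one registered domain
HIGH_ENTROPY_SHARE = 0.8    # share of queries whose leftmost label is high-entropy
UNUSUAL_QTYPES = {"TXT", "NULL"}   # record types tunnels favour for downstream data
UNUSUAL_SHARE = 0.5


def shannon_entropy(s):
    """Shannon entropy in bits per character; 0.0 for an empty or uniform string."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels ('img1.cdn.example' -> 'cdn.example').
    Simplification: production code should use the Public Suffix List so that
    names under suffixes like 'co.uk' group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse(line):
    """Return (timestamp, client, qtype, qname) or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return ts, client, qtype, qname.rstrip(".").lower()


def analyse(lines):
    """Group queries by registered domain and return {domain: [reasons]}."""
    stats = defaultdict(lambda: {"queries": 0, "qnames": set(), "clients": set(),
                                 "long": 0, "high_entropy": 0, "unusual": 0})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue            # a malformed line must not abort the sweep
        _, client, qtype, qname = rec
        st = stats[registered_domain(qname)]
        st["queries"] += 1
        st["qnames"].add(qname)
        st["clients"].add(client)
        first = qname.split(".")[0]
        st["long"] += int(len(first) > MAX_LABEL_LEN)
        st["high_entropy"] += int(shannon_entropy(first) >= MIN_ENTROPY)
        st["unusual"] += int(qtype in UNUSUAL_QTYPES)

    findings = {}
    for dom, st in stats.items():
        n = st["queries"]
        reasons = []
        if len(st["qnames"]) >= MIN_UNIQUE_QNAMES and st["high_entropy"] / n >= HIGH_ENTROPY_SHARE:
            reasons.append("many distinct high-entropy subdomains (encoded data in labels)")
        if st["long"]:
            reasons.append(f"{st['long']} queries with a label over {MAX_LABEL_LEN} chars")
        if st["unusual"] / n >= UNUSUAL_SHARE:
            reasons.append("mostly TXT/NULL queries (downstream channel)")
        if reasons:
            findings[dom] = reasons
    return findings


# Constructed sample log: ordinary traffic, a busy but benign CDN, and one
# host streaming base32-looking chunks as TXT queries under tunnel.example.
BASE32 = "abcdefghijklmnopqrstuvwxyz234567"


def _tunnel_label(i):
    # Stand-in for an encoded data chunk: a rotation of the alphabet (32
    # distinct characters, so entropy is high) padded to 48 characters.
    rot = BASE32[i:] + BASE32[:i]
    return rot + rot[:16]


SAMPLE_LOG = (
    [f"2021-09-01T10:00:{i:02d}Z 10.1.2.{10 + i % 3} A www.corp.example" for i in range(5)]
    + ["2021-09-01T10:01:00Z 10.1.2.10 TXT _dmarc.corp.example",
       "2021-09-01T10:01:01Z 10.1.2.11 A sso.cloudprovider.example",
       "this line is malformed on purpose"]
    + [f"2021-09-01T10:02:{i:02d}Z 10.1.2.12 A img{i}.cdn.example" for i in range(25)]
    + [f"2021-09-01T10:03:{i:02d}Z 10.1.2.13 TXT {_tunnel_label(i)}.t.tunnel.example"
       for i in range(24)]
)

if __name__ == "__main__":
    for dom, reasons in analyse(SAMPLE_LOG).items():
        print(dom, "->", "; ".join(reasons))
```

Only tunnel.example is reported; cdn.example has just as many distinct names but its labels are short and low-entropy, which is why the rule combines name count with entropy rather than counting alone. A real deployment would also key the same counters per client, since one workstation talking to a single odd domain is the usual shape of an exfiltration channel.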

He noted that the typical DNS defense is to operate “split-brain” (split-horizon) DNS, where internal resources can only be resolved by an internal resolver.

“With so much happening in the cloud, this layer of defense is not possible. [That gives] attackers insight as to where sensitive information may be available to either knock offline or attempt to phish for access,” Bambenek explained.
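For readers who have not run split-horizon DNS, this is what the defense Bambenek describes looks like in BIND 9. It is an added illustration, not configuration from the article or from Netenrich; the zone name corp.example, the address ranges and the zone file names are assumptions. Clients in the internal ranges get recursion and the full zone; everyone else is answered from a separate file that carries only the public records.

```conf
// named.conf fragment (added example; zone name, ranges and files are hypothetical)
acl internal { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

view "internal" {
    match-clients { internal; };
    recursion yes;                 // corporate clients resolve everything here
    zone "corp.example" {
        type master;
        file "zones/corp.example.internal";  // full zone: git, hr, wiki, ...
    };
};

view "external" {
    match-clients { any; };        // views match in order, so this is everyone else
    recursion no;                  // an open recursive resolver is a DDoS amplifier
    zone "corp.example" {
        type master;
        file "zones/corp.example.public";    // only www, mail and the public MX
    };
};
```

Once views are in use every zone must sit inside a view, and the external view should never recurse. The limitation Bambenek raises follows directly from this layout: when git, hr or wiki move to a SaaS provider, their hostnames live in the provider’s public zone, and nothing in the internal view hides them from an attacker enumerating targets.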

This insight also tells attackers which cloud providers to impersonate in phishing lures to steal the credentials that unlock those resources.

Downtime, whether of in-house applications or cloud services, remains the most damaging impact of DNS attacks, which shows how critical DNS is to resilience and to securing access between users and applications.

With 87% of the companies in the survey reporting that their apps and services were disrupted by DNS attacks, security strategy changes will be needed going forward, Bambenek said.

The COVID-19 pandemic has created new challenges for businesses as they adapt to hybrid work operating models. Cybersecurity has become a major concern as remote workers fall for phishing scams more often and the expanded attack surface invites credential stuffing and DNS spoofing.

Other factors include personal devices used for work, corporate PCs used for personal purposes, and VPNs that are hard to use or that consume too much bandwidth and add latency, leading to a poor user experience.

DNS Attackers Use Diverse Methods

As a result, organizations have suffered more diverse types of attacks than ever before, showing that cybercriminals are using all the tools at their disposal to exploit both the DNS protocol itself and misconfigurations.

“Organizations should seek to control DNS resolution for all their employees and ensure that such requests go through a resolver that logs and looks for anomalous behavior,” Bambenek said. “They should also be using passive DNS and domain registration information to look not only for attempts to phish their brand, but to phish their key partners and cloud providers so they can block those attempts as they come in.”
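The second half of that recommendation, screening newly registered or newly seen domains for lookalikes of your own brand, your partners and your cloud providers, is straightforward to automate. The script below is an added example, not code from the article or from Netenrich: it folds common homoglyphs, then checks each second-level label for an exact brand match, a brand embedded with extra tokens (combosquatting), and a one-edit typosquat, and surfaces punycode labels for manual review. The watchlist, the allowlist of owned domains, the feed of new domains and the edit-distance threshold are constructed assumptions; in practice the feed would come from passive-DNS first-seen records or registrar and certificate-transparency data, and hits would go to the mail gateway and proxy blocklists after triage.

```python
"""Screen newly seen domains for lookalikes of our brand, partners and cloud providers.

Added example, not code from the article or from Netenrich. The watchlist,
the owned-domain allowlist, the feed and the thresholds are constructed.
"""

# Constructed watchlist: our brand, a payroll partner, and the cloud provider
# whose login page an attacker would most plausibly imitate.
WATCHLIST = ["acme", "acmebank", "payrollpartner", "cloudprovider"]
OWNED = {"acme.example", "acmebank.example", "payrollpartner.example",
         "cloudprovider.example"}

# Characters and pairs commonly swapped in to imitate a brand in a label.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def normalise(label):
    """Lower-case and fold homoglyphs so that 'acrne' and 'acme' compare equal."""
    s = label.lower()
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


# Brands are normalised too, so both sides are compared in the same space.
# Longest first, so 'acmebank-login' is attributed to 'acmebank', not 'acme'.
NORMALISED_WATCHLIST = sorted(((normalise(b), b) for b in WATCHLIST),
                              key=lambda t: -len(t[0]))


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label ('acme-login.example' -> 'acme-login').
    Simplification: use the Public Suffix List in production."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain, max_edits=1):
    """Return (domain, brand, reason) for a suspicious name, else None."""
    d = domain.rstrip(".").lower()
    if d in OWNED:
        return None
    label = registrable_label(d)
    if label.startswith("xn--"):
        # Internationalised label: may hide Unicode confusables, so surface it.
        return (domain, None, "IDN (punycode) label, review manually")
    norm = normalise(label)
    for nb, brand in NORMALISED_WATCHLIST:
        if norm == nb:
            reason = ("brand label under a domain we do not own" if label == brand
                      else "homoglyph of brand")
            return (domain, brand, reason)
        if nb in norm:
            return (domain, brand, "contains brand with extra tokens (combosquat)")
    for nb, brand in NORMALISED_WATCHLIST:
        # Edit distance only for brands long enough that one edit is not a common word.
        if len(nb) >= 4 and levenshtein(norm, nb) <= max_edits:
            return (domain, brand, f"within {max_edits} edit(s) of brand (typosquat)")
    return None


def screen(feed):
    """Apply classify() to a feed of domains and return only the hits."""
    return [hit for hit in (classify(domain) for domain in feed) if hit]


# Constructed feed of newly seen domains.
NEW_DOMAINS = [
    "acme.example",                    # ours, allowlisted
    "acme-login.example",              # combosquat of our brand
    "acrne.example",                   # 'rn' standing in for 'm'
    "acne.example",                    # one substitution away
    "acmebank.test",                   # exact brand label under a TLD we do not own
    "secure-payrollpartner.example",   # lure aimed at a key partner
    "cl0udprovider-sso.example",       # cloud-provider lure with a digit zero
    "xn--acm-qwa.example",             # punycode label (constructed, not a real name)
    "weather-report.example",          # unrelated
]

if __name__ == "__main__":
    for domain, brand, reason in screen(NEW_DOMAINS):
        print(f"{domain:32} {brand or '-':16} {reason}")
```

Eight of the nine feed entries are hits; only the allowlisted acme.example and the unrelated name pass. Substring and one-edit matches are deliberately noisy, so the output is a triage queue rather than an automatic blocklist: confirm with passive DNS (does the name resolve, and to hosting that also serves other lures?) and with registration data before blocking.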

Nearly all (99%) of organizations surveyed said they have some form of DNS security in place, but many do not get the benefits of purpose-built DNS security, such as business continuity, data protection or user protection.

And while DNS security is established as a critical component of an overall security strategy and almost all organizations have a solution in place, 42% are not yet using a dedicated DNS security solution to help them fill the potential vulnerability gaps.

The lack of a comprehensive approach comes with its own risks, the study noted: Misconfigurations and oversights in cloud environments can cause severe damage, and DNS records left pointing at forgotten cloud VM IP addresses can leave the door open for DNS attacks, which tend to target organizations with large and complex infrastructures.

The report noted that using a dedicated DDI (DNS-DHCP-IPAM) solution could help reduce the risk of misconfiguration, particularly if automation is included.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
