DNS security – what it means and how to do it right

As businesses embark on their digital transformation journeys, ask the C-Level board about its primary concern, and they will almost certainly say ‘security’. They have good reason to raise security as a concern, given that global cybercrime is on the rise. So too are the costs associated with it, and they are increasing 15 per cent year over year. That concerning figure is from a 2021 cyberwarfare report by CyberSecurity Ventures. Looking further ahead, the picture only becomes gloomier. By 2025, the report estimates that cybercrime will cost businesses worldwide $10.5 trillion annually. It’s not just the costs that business are concerned about, but also the damage done to brand reputation and the loss of trust that customers feel when, for instance, a breach has resulted in their personal data being compromised. 

Of course, it’s not just businesses moving to the cloud that are concerned about cybercrime; all businesses – irrespective of their size, sector or the status of their cloud migration progress – are prioritising security. One growing area of concern are domain name system (DNS) attacks, and how organizations can leverage DNS data to detect cyberattacks across systems. 

Given that DNS acts as the phonebook of the internet, ensuring it’s robust and secure is imperative. 

However, DNS security has two different meanings. First, DNS is a critical infrastructure that all organisations rely on and cannot function without. Yet DNS remains a vulnerable component in the network that is frequently exploited as a beachhead for cyberattacks and is inadequately protected by traditional security solutions. When critical DNS services are compromised, it can result in catastrophic network and system failures. Hence, DNS security's first meaning is ‘to protect DNS servers’. 

Second, DNS plays a critical role in the present-day layered security design known as “defense in depth,” where no single solution addresses all threats, which means multiple approaches to cyber-defense are needed.

In today’s threat environment, where organisations and individuals are being targeted, using traditional security layers in silo does not provide adequate protection. Attackers know how each layer works, and therefore know how to bypass each individual layer. Gathering independent information from multiple distinct sources and then sharing that information between the different layers is the key for stopping attacks.

By integrating DNS information into the security architecture, organisations can get visibility into areas of cyberspace that have been relatively obscure until now. Correlating DNS security events with events happening elsewhere in the infrastructure (endpoint, email, network, cloud, etc.) greatly improves threat detection and prevention chances. Hence, the second meaning of ‘DNS security’ is using DNS data as a security architecture layer.

A recent Gartner report titled “Quick Answer: How Can Organizations Use DNS to Improve Their Security Posture?” (https://www.gartner.com/en/documents/4002327/quick-answer-how-can-organizations-use-dns-to-improve-th) recommends organisations to collect and analyse DNS logs for threat detection and forensics purposes using SIEM, implement DNS threat prevention and blocking capabilities, and monitor DNS traffic for other anomalies. 

While some great teams and organisations are dedicated to DNS network infrastructure and security in its first meaning, some focus on its second meaning. Their goals are to harness the power of the DNS data (as well as other network related data), which is available in any network to create a new layer of security which complements the different other layers. 

Tofsee – detection through DNS-based approach

A multipurpose malware called Tofsee, first seen in Europe and the US in 2020, seems to become increasingly prevalent in APAC in recent months. Alibaba Cloud researchers recently discovered traces of an exploit kit (EK) of this trojan in hundreds of cloud machines, which suggests it may have already spread to tens of thousands of machines across the region. 

The Tofsee trojan allows attackers to perform various malicious actions for various purposes including spamming, click fraud, and mining cryptocurrencies. It is a powerful malicious program, which can cause serious damage, including financial loss. A compromised system becomes part of the Tofsee Spam Botnet, which is used to send large amounts of spam in order to compromise and put additional systems under the botnet operator's control.

The common method for detecting a Tofsee activity on a server would be using an endpoint agent; for example, an Endpoint Detection and Response (EDR) solution, which is installed on a machine, and monitors its activity, would be able to identify known signatures of Tofsee (known files or patterns that were seen associated with it before).

The downside is that if attackers know that a signature exists, they can make small modifications to their malware code and process, and bypass it. Then, until a new signature is created, the detection capabilities of the EDR will decline. 

Rather than tracing the Tofsee threat by using an endpoint agent, some researchers have used a set of algorithms that analyse DNS traffic, and search for patterns and correlation with prior malicious activities.

More specifically, their method identified co-occurrences between domain names (sequences of domains that regularly appear together), which was followed by validation of maliciousness based on previously observed malicious behavior patterns.

The detection of the Tofsee trojan traces started with a single domain name (‘work[.]a-poster[.]info’) that was reported by a reputable security firm a couple of months ago. This domain was marked at the time as related to a ‘generic Windows command and control’ threat.

By applying machine learning algorithms, research teams have been able to correlate and link this domain to additional domain names, which were all related to a spam and malware downloading botnet. That was the Tofsee botnet. A quick follow-up analysis detected all the cloud machines that were impacted by the botnet.

Another layer in the security onion

While in the case above a single domain name was the key to detecting Tofsee's presence on multiple machines, additional detection methods could have revealed other aspects of the threat. Security is built layer upon layer, and it is hoped (or assumed) that one or a few of the layers can identify a threat as soon as it appears. Some of these layers require an agent and some do not, but each carries a unique value in the security ‘onion’. 

The new DNS and network-based approach described here compliments existing agent-based security, and enables customers to receive better security coverage, without the need to install any new software.

This new approach to DNS security should go some way to reducing C-Level concerns about security, while also helping them to reduce security-incident related costs.