Using DNS, Threat Intelligence and Network Context In Your Security Lifecycle
There is no shortage of security products in the market today. We have everything from Next-gen firewalls and intrusion detection systems to next-gen endpoint protection and application security solutions. While each category has an important role to play in securing an organization, something that is often overlooked but is a critical component of every network is DNS. Together with DHCP and IPAM, DNS servers contain a wealth of information on network activity including which device is accessing which resources, how often, where the network asset is etc. In addition, most malware (90%) starts with a DNS lookup once it has breached the perimeter and is inside the network. So making DNS a first line of defense and sharing threat intelligence and network context with the broader ecosystem should be an integral part of your security lifecycle.
DNS can be used to detect and block APT and malware activity before it can spread laterally or download additional malicious software from its command and control(C&C) site. This includes popular phishing malware and ransomware, exploit kit activity, and others. Enforcing security policy at the DNS level allows for protection without the need to deploy endpoint agents. This is especially helpful when IoT devices are being used. Using a hybrid DNS security solution that covers users on-premises or off-premises will ensure that protection follows your employees and users, wherever they go. You can also deploy self-protecting DNS servers that can intelligently detect DNS DDoS attacks like amplification, reflection, protocol exploits, cache poisoning etc. to maintain service availability even under an attack.
DNS based data exfiltration is on the rise as attackers seek to bypass traditional DLP solutions. Taking data out the DNS “backdoor” is hard to detect especially when attackers use zero-day methods that don’t use known malicious destinations or known DNS tunnels. Using a big data, machine learning and streaming analytics on DNS queries can help detect and prevent these zero day data exfiltration attempts from succeeding.
Analysis and Investigation
There is a wealth of information that DNS, DHCP and IPAM services contain. Leveraging that network context and actionable intelligence can help assess risk and prioritize alerts, especially when security operations teams today are inundated with so many alerts and have no way to know which ones are important to address first. Further, automatic threat investigation tools can provide timely access to context for each threat indicator (what type of malware, associated campaigns, etc.). This enables rapid threat investigation and frees up security personnel to work on more strategic tasks.
Automatically sharing DNS based indicators of compromise/abnormalities with ecosystem technologies (Endpoint: Carbon Black, NAC: Cisco ISE, vulnerability scanner: Qualys, SIEM) can accelerate remediation and ease security operations. For example, if a DNS security solution detects malicious communications from a network device, automatically informing a vulnerability scanner to scan the device immediately instead of waiting for the next scan window can speed up the remediation.
Using timely, consolidated and high quality threat intelligence is important for enforcing security policy. You can maximize the ROI on threat intelligence and enforce policies not just in one part of the infrastructure but across the board by using an exchange platform that distributes the threat intelligence to various security infrastructure elements.
Learn how Infoblox solutions provide all the capabilities described above and more by visiting our website.
Contributors: Fredrik Moller & Martin Van Son