“DNS has been around for more than 20 years and is a ubiquitous part of the technology stack, but these advances are just now enabling organisations to harness an asset they already have to complement and improve their cyber defence capabilities,” he told attendees of Infosecurity Europe 2019 in London.
Some of the key research into the application of DNS data to cyber security has been undertaken by Nominet, which is responsible for running the .uk registry and analyses up to 10 billion DNS requests a month, identifying an average of 30 million suspicious events.
Off the back of this research, Nominet has established a cyber security division and has been working with the National Cyber Security Centre (NCSC) since 2017 on the cyber security agency’s Active Cyber Defence initiative, which includes blocking public sector access to malicious domains.
“We are seeing a lot more breaches, and with many businesses embracing digital transformation, the attack surface is getting wider. But in many cases, having an understanding of what is going on in the DNS layer can reduce the impact of breaches and even prevent them,” said Reed.
“DNS has an important role to play because it underpins the network activity of all organisations. And because around 90% of malware uses DNS to cause harm, DNS potentially provides visibility of malware before it does so.”
In addition to giving organisations an opportunity to intercept malware before it contacts its command-and-control infrastructure, DNS visibility lets them see other indicators of compromise, such as spikes in IP traffic and DNS hijacking.
“Being able to track and monitor DNS activity is important as it enables organisations to identify phishing campaigns and the associated leakage of data. It also enables them to reduce the time attackers are in the network and spot new domains being spun up for malicious activity and data exfiltration,” said Reed.
Stuart Reed, Nominet
“Although not much data can be sent out in each DNS packet, it can be an extremely effective way for attackers to send out sensitive data from a compromised network under the radar if this activity is not tracked and monitored,” he said.
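As an added illustration of the tracking Reed describes (this is not code from the article or from Nominet's NTX platform), the following Python heuristic scans constructed DNS query log lines for domains that receive many distinct, long, high-entropy subdomain labels, the pattern left behind when data is chunked into successive queries; the log format, thresholds, and the placeholder domain names are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of resolver log lines: "<unix-time> <client-ip> <query-name>".
# The .test domain is a placeholder; the hex labels stand in for encoded payload chunks.
SAMPLE_LOG = """\
1559650001 10.0.0.5 www.example.co.uk
1559650002 10.0.0.5 mail.example.co.uk
1559650003 10.0.0.7 0123456789abcdef.data.evil-placeholder.test
1559650004 10.0.0.7 fedcba9876543210.data.evil-placeholder.test
1559650005 10.0.0.7 13579bdf02468ace.data.evil-placeholder.test
1559650006 10.0.0.7 a1b2c3d4e5f60718.data.evil-placeholder.test
1559650007 10.0.0.9 cdn.example.co.uk
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores high, hostnames like 'mail' score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Group queries by owner domain (assumed two labels, or three for co.uk-style suffixes)."""
    labels = qname.rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def find_exfil_candidates(log_text, min_queries=3, min_label_len=12, min_entropy=3.0):
    """Return {domain: distinct payload-like prefixes} for domains over the query threshold."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the whole scan
        qname = parts[2].lower()
        base = registered_domain(qname)
        prefix = qname[: -len(base) - 1] if len(qname) > len(base) else ""
        # Short structural labels such as "data" or "www" never count as payload.
        payload = [l for l in prefix.split(".")
                   if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        if payload:
            per_domain[base].add(prefix)
    return {d: len(p) for d, p in per_domain.items() if len(p) >= min_queries}
```

Real deployments would replace the crude suffix grouping with a public-suffix list and tune the thresholds against the organisation's own baseline, since CDNs and some anti-spam services legitimately emit long hashed labels.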
Nominet’s NTX platform builds on the company’s DNS expertise and is deployed at the heart of a network, said Reed, to analyse DNS traffic for threat prediction, detection and blocking, as well as anomaly detection and threat hunting, using external threat feeds and Nominet-developed algorithms.
“An understanding of what is happening at the network level provides early visibility of threats, which enables security analysts to prioritise their efforts, while at the same time helping to focus the minds of the board in a way that encourages them to support security because they understand the risk.”
According to Reed, using a DNS-based approach to security can enable organisations to see malware up to 10 days before most other malware detection systems and identify phishing campaigns up to seven days before other systems.
Nominet has designed its NTX platform to identify known threats using threat intelligence, predict and detect unknown threats using algorithms and analysis enabled by machine learning, categorise threat data so that things like phishing can be blocked automatically based on security policies, and provide actionable intelligence.
“The actionable intelligence enables organisations to make informed decisions about how to respond to what is going on in their network, and we have found that this approach provides a huge amount of value in terms of identifying vulnerabilities on the network,” said Reed.