Since the losses incurred by both individuals and companies alike are very high due to cyberattacks, the task of maintaining cybersecurity has been very stressful. Especially as opponents seek to take advantage of blind spots, by focusing on the exact places that security teams have not been able to reach for observation. One such place is the Domain Name System (DNS).
Until recently, the company did not attach the importance of DNS, and was the responsibility of the IT infrastructure team and networking affairs only. Now, it is understood that DNS could represent one of the obvious threats to cybersecurity, becoming the subject of attention of ministries of national security, government institutions, telecommunications companies, and others.
Recognizing the importance of DNS came after making sure that about 90% of malware relies on it to hack. It is used for commands and remote control of malware, data leaks to the outside world, and a lot of nefarious tampering.
But it’s also good that security teams can leverage DNS as a defense. Here are 5 cybersecurity threats that DNS records can detect:
Threat 1 – Machines perform actions they would not normally do
Most devices designed specifically for specific purposes, such as factory machines, POS vending machines, and printers, produce a fairly predictable pattern of DNS queries. So anything out of the ordinary from one of these devices likely means there’s a problem, even if it seems benign. For example, if DNS queries originating from your store’s POS device are looking for Google.com, it points to a problem. This also applies to general-purpose devices, such as personal computers.
Threat 2 – Use DNS to transmit information, not just to make a connection
Tunneling works by encoding information and converting it into query names, which are later decrypted by suspicious receiving servers. There are some key signs, from a DNS record perspective, that this behavior occurs.
Because encoding information often results in a string of characters being mixed together, query names tend to lose actual dictionary words and look more like randomly generated strings. So if you find a flaw in the encryption mechanism, it means that there is a problem.
Threat 3 – dynamic change where queries are sent, algorithmically
Domain creation algorithms are a discount solution for bypassing blacklists. They create a series of domains that the firewall will not recognize to block them. So domain creation algorithms require the discount to register some domains. To save cost, adversaries tend to choose uncommon top-level domains (TLDs) from reputable extensions like .biz, .work, and hello.
Similar to tunneling queries, domain creation algorithm queries will also look like blurred words, such as asdf.biz, and asdf. work, and asdf. hello. Etcetera.
Threat 4 – Hidden DNS queries
The DoH protocol, short for DNS over HTTPS, is a special method that enables individuals to browse the Internet by encrypting DNS queries and bypassing the normal DNS server string. When you’re on a corporate network, DoH is dangerous because it reduces the visibility of security teams. Sudden and stressful behavior becomes more difficult to detect.
Threat 5 – Infrastructure hijacking
Because the hijacking process involves a deduction inserting itself into the DNS search string and changing the information it is going through, examining the DNS records of queries and their answers can be helpful. If a query’s response changes, pointing to a client they shouldn’t normally be sent to, it could be a sign of hijacking.
Listen to your DNS records
DNS is already present in every network. The question is, do the security teams listen to what he tells them?
