Forty percent of enterprise networks show evidence of DNS tunneling
DNS tunneling is a significant security threat that can enable cybercriminals to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls.
A new report released by network control company Infoblox reveals that 40 percent of the enterprise files it tested in the second quarter of this year show evidence of DNS tunneling.
"In the physical world, burglars will go to the back door when you've reinforced and locked the front door. When you then secure the back door, they'll climb in through a window," says Rod Rasmussen, vice president of cybersecurity at Infoblox. "Cybersecurity is much the same. The widespread evidence of DNS tunneling uncovered by the Infoblox Security Assessment report for the second quarter of 2016 shows cybercriminals at all levels are fully aware of the opportunity. Organizations can’t be fully secure unless they have tools in place to discover and prevent DNS tunneling".
While there are semi-legitimate uses of DNS tunneling, many instances are malicious. There are also several off-the-shelf tunneling toolkits readily available on the internet, so hackers don't always need superior technical skills to mount DNS tunneling attacks. At the same time, these techniques are often part of very sophisticated attacks, including those sponsored or directly managed by nation states. For example, the recently uncovered Project Sauron -- a particularly advanced threat that is considered likely to have been sponsored by a government -- uses DNS tunneling for data exfiltration.
The most common threats uncovered by Infoblox during the quarter are: protocol anomalies (48 percent), DNS tunneling (40 percent), botnets (35 percent), amplification and reflection traffic (17 percent), DDoS) traffic (14 percent), and ransomware (13 percent).
"While these threats are serious, DNS can also be a powerful security enforcement point within the network," adds Rasmussen. "When suspicious DNS activity is detected, network administrators and security teams can use this information to quickly identify and remediate infected devices—and can use DNS firewalling as well to prevent malware inside the network from communicating with command-and-control servers".
You can find out more about the findings in the full report on the Infoblox website.