Why air-gapping may not be enough to protect your critical systems
The classic way of protecting critical systems, such as industrial controls, from attack is to air-gap them, that is, to ensure they have no connection to the internet.
But while they may not have a web connection, they still often require DNS services in order to resolve a company's internal DNS records. New research from Pentera shows that this can provide a weak point for attackers to exploit.
DNS attacks, in general, are more common than ever with 88 percent of organizations reporting some type of DNS attack in 2022 according to the latest IDC Global DNS Threat Report. More specifically, attackers often abuse DNS to establish command and control (C2) to gain unauthorized access to the network. One type of these attacks, DNS Tunneling, accounted for 28 percent of DNS attacks in 2022, an increase of just over 16 percent year over year.
Pentera's researchers have demonstrated how an attacker could leverage DNS communication with an air-gapped network.
When communicating via DNS, traffic is usually sent over UDP, which means there is no built-in error detection and no control over the flow or sequence of data transmission. DNS also restricts the characters it accepts and limits the length of what can be sent in a single query. By using techniques such as compression and buffering, and by working around these DNS restrictions, attackers can ensure their payload gets through.
Organizations can guard against these attacks by using a dedicated, offline DNS server for air-gapped networks and monitoring any outside access attempts. In addition, they can employ a secure DNS service with advanced DNS anomaly analysis, such as checking the length of requests and the number permitted in a specified timeframe.
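The two anomaly checks mentioned above (request length and request rate per client within a time window) can be expressed in a few lines. This is an added illustration, not code from Pentera or from the article; the log format, thresholds and sample entries are constructed for the example.

```python
# Added example: DNS-tunnelling anomaly checks of the kind the article describes.
# Log format "<epoch> <client_ip> <qtype> <qname>" and all thresholds are constructed.
from collections import defaultdict

MAX_QNAME_LEN = 100      # flag unusually long query names (tunnelled data inflates them)
MAX_PER_WINDOW = 20      # maximum queries per client per window before alerting
WINDOW_SECONDS = 60      # sliding window for the rate check

# Constructed sample log: two normal lookups from 10.0.0.5, then a very long
# TXT query followed by a burst of 25 queries from 10.0.0.9.
SAMPLE_LOG = "\n".join([
    "1000 10.0.0.5 A intranet.corp.example",
    "1001 10.0.0.5 A fileserver.corp.example",
    f"1002 10.0.0.9 TXT {'a' * 63}.{'b' * 40}.corp.example",
] + [f"{1003 + i} 10.0.0.9 TXT q{i:03d}.corp.example" for i in range(25)])


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype, qname


def detect(log_text):
    """Return a list of (reason, client, detail) alerts for the given log text."""
    alerts = []
    per_client = defaultdict(list)   # client -> timestamps inside the current window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = parse_line(line)
        # Length check: a query name far longer than normal hostnames.
        if len(qname) > MAX_QNAME_LEN:
            alerts.append(("long_qname", client, qname))
        # Rate check: slide the window forward and drop timestamps that fell out of it.
        times = per_client[client]
        times.append(ts)
        while times and ts - times[0] >= WINDOW_SECONDS:
            times.pop(0)
        # Alert once, at the moment the client first exceeds the per-window limit.
        if len(times) == MAX_PER_WINDOW + 1:
            alerts.append(("rate", client, f"{len(times)} queries in {WINDOW_SECONDS}s"))
    return alerts


if __name__ == "__main__":
    for reason, client, detail in detect(SAMPLE_LOG):
        print(f"{reason:10s} {client:10s} {detail}")
```

Real deployments would tune the thresholds against a baseline of the air-gapped network's own traffic and feed the alerts to the monitoring the article recommends.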
Uriel Gabay, senior security researcher and exploit developer at Pentera, explains the threat in more detail on the Pentera blog.