Dissecting the latest DNS-based attack trends -- What we're seeing and how to get ahead
As the foundational component of the internet, DNS has been around for over 40 years and yet, it remains a major vector for bad actors even today. You might think that DNS wouldn’t be such a big security concern today given how much time we’ve had to come up with a better way to secure it, but lo and behold, it’s still at least partially responsible for a large percentage of cyber-attacks.
DNS-based attacks can include everything from malware to phishing, to domain theft and DDoS (Distributed Denial of Service) attacks, among others. And these can have major consequences for the organizations hit by them. While there are countless examples, some of the most recent and well-publicized ones have included takedowns of ChatGPT and Google Cloud, though almost every bit of modern malware leverages DNS in some way.
How are today’s bad actors taking advantage of DNS? And more importantly, what can your security team do better to regain control? Read on.
Looking at some of the common methods
DNSFilter’s annual security report found that our average user encounters five malicious queries a day; that adds up to about 1,825 malicious queries per user per year. Detections of both phishing attempts (106 percent) and malware (40 percent) increased year-over-year. Cybercriminals depend on phishing, malicious web links and social engineering to carry out ransomware attacks. In fact, CISA found that 90 percent of cyberattacks begin with a phishing attack. This statistic alone should send people running to defend their DNS.
When we look into some of the primary methods that bad actors are using as of late, some of the biggest trends include:
- Using fake Office365 pages for phishing: When we analyze what we see across our customers, we see that Office365 is a commonly used lure for bad actors. That is, they’re using spoofed pages that seem like legitimate Office365 pages to get people to click on links that will spread malware and more.
- Redirection through traffic distribution systems: One thing we often see is people being redirected through traffic distribution systems. These are aged or trusted domains that direct people to a malware landing page; it might be a scammy website, a fake casino or a real OneDrive page with links that lead to a fake Office365 phishing login page. The attacker is betting that the person will check the OneDrive URL and, figuring they’re safe, not check the second URL.
- Revolving domain names: We’ve also seen some strange activity where the domain name changes every day, based on a new domain registered only a day or so earlier. We don't know exactly what it's trying to reach, but it's some kind of new server that uses the same range of IP addresses behind new random, keyboard-smashed-looking domains, sometimes several per day. More than a hundred different organizations across our network have had computers contacting it.
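One way a resolver operator could hunt for the revolving-domain pattern described above, as an added example that is not code from the original article or from DNSFilter; the log format, the randomness heuristic, the thresholds and the sample log lines are all constructed assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample resolver log lines: "timestamp org qname answer_ip" (not real data).
SAMPLE_LOG = """\
2024-03-01T08:02:11 org-a xqzvptrk.example 203.0.113.17
2024-03-01T09:15:40 org-b qwrtzplmv.example 203.0.113.22
2024-03-01T11:40:03 org-c mail.example 198.51.100.5
2024-03-02T07:55:19 org-a zkqwxvtrp.example 203.0.113.41
2024-03-02T10:03:58 org-d pqztrkvwx.example 203.0.113.9
2024-03-02T12:30:00 org-b www.example 198.51.100.5
"""

VOWELS = set("aeiouy")

def looks_random(label: str) -> bool:
    """Heuristic for 'keyboard-smashed' labels: long, vowel-poor, long consonant runs."""
    label = label.lower()
    if len(label) < 8 or not label.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_consonant_run = max(len(r) for r in re.findall(r"[^aeiouy]+", label) or [""])
    return vowel_ratio < 0.25 or longest_consonant_run >= 5

def parse(log: str):
    for line in log.splitlines():
        ts, org, qname, ip = line.split()
        yield datetime.fromisoformat(ts).date(), org, qname, ip_address(ip)

def find_revolving_clusters(log: str, prefix_len: int = 24, min_orgs: int = 2, min_names_per_day: int = 2):
    """Group random-looking names by the /prefix_len their answers fall in; flag ranges that
    see several fresh names on the same day and are contacted from several organisations."""
    by_range = defaultdict(lambda: {"orgs": set(), "names_per_day": defaultdict(set)})
    for day, org, qname, ip in parse(log):
        first_label = qname.split(".")[0]
        if not looks_random(first_label):
            continue  # ordinary hostnames such as mail/www are ignored
        rng = ip_network(f"{ip}/{prefix_len}", strict=False)
        by_range[rng]["orgs"].add(org)
        by_range[rng]["names_per_day"][day].add(qname)
    flagged = {}
    for rng, info in by_range.items():
        busy_days = [d for d, names in info["names_per_day"].items() if len(names) >= min_names_per_day]
        if len(info["orgs"]) >= min_orgs and busy_days:
            flagged[str(rng)] = {"orgs": sorted(info["orgs"]), "days": sorted(str(d) for d in busy_days)}
    return flagged
```

The thresholds are deliberately low for the tiny sample; on real resolver volumes raise them and, where the log carries it, add the domain's registration age as a second signal.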
The drivers of DNS security issues
DNS is an easy target for bad actors. One would assume that by now, security would be baked in, but that’s not the case. It’s still typical for DNS traffic to not be monitored, secured or encrypted. Remember: DNS was designed to be fast and reliable, not secure. For decades, cybersecurity teams haven’t paid attention to DNS, even though it’s ubiquitous and therefore used in most breaches and attacks.
Another reason is that humans are inherently, well, human. In today’s fast-paced technological world, people are moving fast and aren’t always examining the links they are clicking on -- or the sender’s address -- to see if they look legitimate. That’s why phishing attacks are still so successful.
AI and other technologies are making bad actors’ efforts more sophisticated. Cybercriminals can use AI to personalize phishing emails, making them more believable and bypassing spam filters. They can also use AI to automate tasks like scanning for weaknesses in DNS servers and configurations. This empowers them to quickly and efficiently identify targets, then home in on exploiting those vulnerabilities.
Regaining DNS control
Most of the time, security teams aren’t necessarily focusing on DNS. They are focused on the problem they are facing: they don’t want a user to click a bad link and get phished. They don’t want a user to download something that infects their network with ransomware.
But it’s high time to focus on DNS, as our data reveals. In fact, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) were saying this three years ago.
CISA and the NSA aren’t alone in recommending DNS protection. Organizations worldwide are acquiring DNS security solutions, particularly in response to the remote work trend. The distributed workforce requires security teams to defend not just the company network, but all the endpoints related to remote workers.
Security teams need a strategy for prevention, detection and response. It starts with finding the right tools, and here’s where AI and automation come to the rescue. Just as criminals leverage these technologies, defenders can use them to scan every domain accessed by users and identify zero-day threats using machine learning-driven domain categorization, preventing threats before they infiltrate the network.
Another element of DNS security is better cyber hygiene. Organizations need to help employees understand what to look for so they avoid clicking on bad links in the first place. As noted earlier, everyone’s in a hurry these days, so they need ongoing training to ensure that security best practices become second nature.
Toward secure DNS
It’s clear that DNS security is long overdue. Cybercrime statistics and recommendations from governing bodies speak to this need. Human nature and the nefarious use of AI and automation create barriers to security, but teams can fight fire with fire by using those same tools as defensive weapons and by providing ongoing training to all employees. With these strategies, organizations will be prepared to meet their cyber adversaries’ attacks with confidence.
Will Strafach is head of security intelligence and solutions, DNSFilter.