Dec 28 2020

How DNS Security Helps Agencies Protect Themselves

Domain Name System security tools can help agencies go beyond firewalls and perimeter defenses with another layer of protection.

There has rightly been a lot of focus in the federal IT security community around zero-trust security principles. However, while we look ahead to the next big thing in cybersecurity, we should not forget about protecting fundamental aspects of agencies’ networks and technologies that have been around for a long time.

That includes the Domain Name System (DNS), which has been a crucial element of the internet world for decades and translates website domain names into IP addresses so that browsers can load internet resources.

Like most things that have been around for a long time in the IT world, DNS was not designed with security in mind; however, DNS security is now quite important. More than three-quarters of cybersecurity professionals “have said they expect to see an increase in DNS-related security threats over the next few weeks,” according to a recent survey from Neustar, InfoSecurity magazine reports.

There are several different kinds of DNS attacks that federal IT security leaders and their teams need to be aware of. Fortunately, there are solutions that can be deployed to enhance DNS security.

The entire approach should encourage cybersecurity professionals in government to think about security beyond the firewall and other perimeter defenses. There are clearly vulnerabilities that sophisticated malicious actors can exploit, and IT security leaders need to make sure all of their defenses are shored up.

What Is DNS Security?

To understand DNS security defenses, it’s important to look at the way in which DNS is vulnerable to attack. Most DNS attacks work by making users believe they are going somewhere safe on the internet, so that they enter their credentials.

For example, let’s say a user wants to access a commonly used website. That person would type the website address into the browser bar. A malicious actor could poison the cache of the DNS server the user’s browser is connecting to. The browser bar would show the correct website address, but the user would actually be connected to a malicious site that delivers malicious content or harvests credentials. This is known as cache poisoning or DNS spoofing.

Another attack type is DNS hijacking, in which the attacker makes changes to the client DNS server settings and the domain registrar to take a user’s traffic away from the intended server and toward a new, malicious destination. That website will likely be a fake version of a real website that can be used to harvest user credentials.

Other attacks involve the use of command and control servers that activate a malicious payload, such as ransomware, on a user’s device. This is often accomplished by getting a user to click on an email or a link. However, users are not yet doomed in these cases, since their devices need to communicate out to these command and control servers for keys that will lock up their data.

Traditionally, agencies have invested a lot of time and money in their firewalls and perimeter defenses, so users know that when they go into their offices, they are operating in a secure environment.

However, firewalls alone won’t protect users from being redirected to malicious destinations on the internet. Moreover, with many federal workers working remotely, they are not behind their enterprise firewalls in the way they were at the office, making them more vulnerable to attacks. Many security measures that agencies and users took for granted pre-pandemic need to be re-evaluated.

There are many DNS security solutions for federal agencies to consider, including Cisco Umbrella, Palo Alto Networks DNS Security and Infoblox Advanced DNS Protection. Such solutions, Cisco’s and Infoblox’s in particular, can leverage threat intelligence feeds to block outbound DNS calls and effectively put them in a black hole, so users are prevented from going to bad websites.

Such solutions aren’t absolutely required to prevent cache poisoning, but having them helps automate the process.
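The black-hole behaviour described above, and the blocking of outbound command and control lookups mentioned earlier, as an added illustration that is not code from the article or from any of the products it names: a minimal threat-feed-driven sinkhole policy applied to constructed resolver log lines. The feed entries, client addresses and domain names are all constructed for the example.

```python
from dataclasses import dataclass
# Constructed threat-intelligence feed of known-bad domains. A listed
# parent domain covers every subdomain beneath it, as real feeds do.
THREAT_FEED = {"c2-example.test", "phish-login.example"}
SINKHOLE_ADDR = "0.0.0.0"  # the "black hole" answer returned instead of the real IP

@dataclass
class Verdict:
    client: str
    qname: str
    action: str  # "sinkhole" or "resolve"
    answer: str  # address handed to the client, "" when forwarded upstream

def normalize(name: str) -> str:
    # Lower-case and drop the trailing dot so "EVIL.TEST." equals "evil.test"
    return name.rstrip(".").lower()

def is_blocked(qname: str, feed=THREAT_FEED) -> bool:
    """True if qname or any parent domain of it appears in the feed."""
    labels = normalize(qname).split(".")
    # Walk upward: a.b.c2-example.test -> b.c2-example.test -> c2-example.test -> test
    return any(".".join(labels[i:]) in feed for i in range(len(labels)))

def handle_query(client: str, qname: str, feed=THREAT_FEED) -> Verdict:
    """Decide whether a lookup is forwarded to the internet or sinkholed."""
    name = normalize(qname)
    if is_blocked(name, feed):
        return Verdict(client, name, "sinkhole", SINKHOLE_ADDR)
    return Verdict(client, name, "resolve", "")

# Constructed resolver log: "client_ip queried_name", one lookup per line.
SAMPLE_QUERIES = """\
10.1.2.3 www.example.gov.
10.1.2.3 update.c2-example.test
10.1.2.9 PHISH-LOGIN.EXAMPLE.
10.1.2.9 mail.example.gov
"""

def process_log(text: str, feed=THREAT_FEED) -> list:
    # Apply the policy to every non-empty log line
    lines = (ln.split() for ln in text.splitlines() if ln.strip())
    return [handle_query(client, qname, feed) for client, qname in lines]

def sinkholed_by_client(verdicts) -> dict:
    """Group blocked lookups per endpoint: the picture an agent report gives a SOC."""
    out = {}
    for v in verdicts:
        if v.action == "sinkhole":
            out.setdefault(v.client, []).append(v.qname)
    return out
```

A lookup for the command and control domain is answered with the sinkhole address, so the infected device never reaches the server it needs, and the per-client grouping is what an analyst would review to find that device.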


Considerations for Deploying DNS Security Tools

DNS security tools are not as widely deployed in the federal government as other cybersecurity solutions, but there is definitely awareness and use of them. Prior to the pandemic, they were easy to deploy; often, within a day or two of an agency signing a purchase order for such a tool, agencies could redirect their enterprise DNS servers to connect to the internet through the new security tool.

Some solutions, such as Cisco Umbrella, have an agent that can go on users’ endpoints, pushing the security controls down to the device. Agents can report back on traffic and behavior, so depending on the maturity of an agency’s IT security team, they can appropriately analyze such data and put together a holistic picture of their remote workforce.

There is no reason an agency should avoid deploying DNS security tools. Currently, they seem to be more popular in the defense realm than in civilian agencies, in part because of architectural requirements for Defense Department networks.

IT security leaders should consider whether DNS security tools can be deployed remotely onto users’ devices and whether or not they support agents. Some technologies operate well in centralized environments but not when they are pushed down to endpoints.

DNS security should be considered when IT leaders are thinking through endpoint security. Most endpoint tools need something bad to happen on the device before they are triggered to stop that activity, so DNS security solutions can enhance protection by blocking users from reaching malicious content in the first place. IT leaders should also ensure their DNS security tools work with the solutions they already have protecting their networks.

At a time when so many users are working remotely, it’s time to think beyond the firewall for protection, and DNS security tools can help.

This article is part of FedTech’s CapITal blog series. Please join the discussion on Twitter by using the #FedIT hashtag.
