Stopping Malware at the DNS layer - Aqueduct Tech

Think about where you enforce security today. Most enterprises have various technologies to augment their security posture and rely on these tools to protect them.

As users, devices, and applications move outside the traditional network, we are seeing an increasing number of users request the option to use their own devices (smartphones and tablets) to connect to business-owned applications and resources. Additionally, applications, servers, and other workloads are moving to the cloud and communicating between the cloud and data centers. With the expansion of the perimeter, there is now a larger attack surface with more gaps in visibility, which has created a new business challenge.

So what is DNS?

DNS, or Domain Name System, is the map and records of everything on the internet. There are three types of DNS that all work together.

  1. Domain Registrar: Where domains are registered (for example, Go Daddy)
  2. Authoritative DNS: Publishes and tracks domains (think phone book, an example is AWS Route 53)
  3. Recursive DNS: Performs the lookup on behalf of clients and caches the resolved addresses for each domain name (Cisco Umbrella and Cloudflare)

There are also DNS security gateways such as Palo Alto DNS Security and Mimecast DNS Security. In the past these gateways would have been on-premises or in the data center; now they reside in the cloud for easier stability. They can be managed by the business or through a managed services provider.

Why Protect at the DNS Layer?

The first step in reaching any enterprise resource is a DNS query, so it makes the most sense to put protection here. Since DNS is the directory for your entire enterprise, if an attacker were to compromise this asset, protection would become almost impossible.

Studies have shown that DNS can be exploited by cybercriminals through file-less malware, impersonation, and command-and-control (C2) traffic. It can also be abused in coordinated attacks such as Distributed Denial of Service (DDoS) attacks and DNS floods, where traffic amplification becomes so large that normal business traffic can't get through.

Another issue we see is DNS tunneling. With the proliferation of consumer VPN clients, users now have the ability to bypass policies and access areas of the internet that are not business relevant. With DNS protection services such as Cisco Umbrella, Cloudflare, or a DNS gateway service, you can provide not only threat protection through threat intelligence feeds such as Cisco Talos or Palo Alto Unit 42, but also malware protection.
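To show what a resolver-side tunneling check can look for, here is an added example (written for this page, not Cisco Umbrella's, Cloudflare's or any vendor's detection logic). It applies three common heuristics to constructed query-log lines: long high-entropy leftmost labels, many unique subdomains under one registered domain, and record types such as TXT that carry free-form data. The log format and thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample of recursive-resolver query logs: "<client> <qtype> <qname>".
# The three TXT queries mimic hex-encoded payload chunks under one domain.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 5a3f9c2e1b7d4a6c8e0f1a2b3c4d5e6f.exfil.example.net
10.0.0.7 TXT 9b1e7d3c5a2f4e6d8c0b1a3f5e7d9c2b.exfil.example.net
10.0.0.7 TXT 4c8a2e6f0b3d5a7c9e1f2b4d6a8c0e3f.exfil.example.net
10.0.0.9 A mail.example.org
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    # Simplification (assumption): the last two labels form the registered domain.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def flag_tunneling(log_text: str, max_label=30, min_entropy=3.5, min_unique=3):
    """Return the registered domains whose queries look like DNS tunneling.
    A domain is flagged when it has at least min_unique distinct query names
    and at least min_unique suspicious observations (long high-entropy label
    or TXT/NULL record type)."""
    unique_names = defaultdict(set)
    suspicious_hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, qtype, qname = line.split()
        domain = registered_domain(qname)
        leftmost = qname.split(".")[0]
        unique_names[domain].add(qname)
        if len(leftmost) > max_label and shannon_entropy(leftmost) >= min_entropy:
            suspicious_hits[domain] += 1
        if qtype in ("TXT", "NULL"):
            suspicious_hits[domain] += 1
    return {d for d, names in unique_names.items()
            if len(names) >= min_unique and suspicious_hits[d] >= min_unique}

if __name__ == "__main__":
    print(flag_tunneling(SAMPLE_LOG))  # {'example.net'}
```

In production the thresholds would be tuned per environment, and legitimate high-entropy names (CDN hashes, certificate-transparency probes) would need an allowlist.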

Cisco Umbrella also has the ability to use an endpoint agent to create policies that can be set for when a user is on or off the network, and to block unsanctioned VPN apps or applications that the business deems not relevant.

Protecting at the DNS layer is one of the simplest, most effective ways to protect your enterprise. Most DNS-layer protections can be implemented alongside the security technologies already in place and can be used to meet the demands of a more mobile and astute workforce.