
DNS-Based Threats and Their Impact on Business

By Kerry McQuarrie, SOC Manager, CISO Global, Inc.

The Domain Name System (DNS) translates human-readable domain names, like favoritewebsite.com, into the IP addresses computers actually use, like 135.24.56.98. Resolvers and authoritative servers field tens of thousands of queries, each moving only a few bytes between devices, systems, and servers, and that constant, rarely inspected stream is what makes DNS an attractive and easily exploitable vector for attackers (Cloudns.net). You might have heard of some big attacks in the past, like the one in which a popular banking site was swapped for a mock-up that looked almost identical to the original, convincing enough that hundreds of customers entered their banking credentials while trying to log in. That kind of brand disaster makes for a really rough day at the office. Better to keep an eye on your DNS security and skip it altogether.

Industry reports reflect this trend and show that data breaches involving DNS-related attacks are on the rise, from 4% to 11% in a single year, per the 2022 Verizon Data Breach Investigations Report. EfficientIP's 2022 Global DNS Threat Report found that although 73% of organizations acknowledged DNS security as a business-critical problem, attackers continued to infiltrate their networks, steal data, and disrupt business operations. Cloud-based services, a growing hybrid and remote workforce, and the spread of the Internet of Things have all widened the attack surface for DNS-based attacks.

In short, cybercriminals take advantage of the fact that many organizations never monitor this steady stream of DNS queries, and use it to infiltrate corporate networks through attacks such as domain squatting, domain spoofing, and the others detailed in this blog. To protect themselves, organizations need to establish effective security measures, including DNS firewalls, threat intelligence, and Extended Detection and Response (XDR) solutions.

How DNS attacks impact businesses

According to the 2022 Global DNS Threat Report, 88% of organizations suffered DNS attacks in 2022, at an average cost of $942,000 per organization. Because DNS is the link between users and both internal and external applications, it is also a prime channel for smuggling stolen data out of a network: encoded into queries and responses, the data passes through controls that rarely inspect DNS, a form of theft called exfiltration. DNS also steers where a network's traffic goes, so once inside, an attacker who controls it can move through the network, redirect users to fake websites that harvest credentials and other valuable personal information, and disrupt services and business operations by flooding servers with malicious traffic in a distributed denial of service (DDoS) attack. In fact, the 2022 Global DNS Threat Report also found that DNS-related attacks caused 70% of organizations to experience in-house and cloud application downtime lasting more than 6 hours.

Common DNS attacks 

DNS attacks frequently start with a user downloading malware as part of a phishing attack (the 2022 Global DNS Threat Report lists phishing at 51% and malware at 41% as the top two DNS-based attacks reported by organizations, with 43% reporting they were victims of ransomware). Because DNS is a "noisy" protocol, organizations without tooling that analyzes or inspects DNS traffic for suspicious queries find it hard to tell normal host queries from malicious ones in the flow of DNS traffic.
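To make that distinction concrete, here is an added example (not from the original article and not CISO Global's product) that scores a resolver log for the exfiltration pattern described above: many unique, long, high-entropy subdomains under one registered domain, typically carried in record types with room for a payload such as TXT. The log format, the domain names, the client addresses, and the thresholds are all constructed assumptions; a production detector would also use the Public Suffix List rather than the two-label approximation used here.

```python
import math
from collections import defaultdict

# Constructed resolver log (not real traffic). Assumed format per line:
# "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.0.0.5 A www.example.com
2024-03-01T09:00:02Z 10.0.0.5 AAAA mail.example.com
2024-03-01T09:00:03Z 10.0.0.7 A cdn.static-assets.example
2024-03-01T09:00:04Z 10.0.0.9 TXT 5a6f3e9c2b1d4f7a8e0c.3c9d1e2f4a5b6c7d8e9f.tunnel.example
2024-03-01T09:00:05Z 10.0.0.9 TXT 9e8d7c6b5a4f3e2d1c0b.a1b2c3d4e5f6a7b8c9d0.tunnel.example
2024-03-01T09:00:06Z 10.0.0.9 TXT 0f1e2d3c4b5a69788796.b2c3d4e5f6a7b8c9d0e1.tunnel.example
2024-03-01T09:00:07Z 10.0.0.9 TXT 1a2b3c4d5e6f70818293.c3d4e5f6a7b8c9d0e1f2.tunnel.example
2024-03-01T09:00:08Z 10.0.0.5 A www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score near log2(alphabet size), words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    # Assumption: the last two labels approximate the registrable domain.
    # Production code should consult the Public Suffix List (think co.uk).
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def score_domains(records, min_queries=3, entropy_threshold=3.5, prefix_len_threshold=30):
    """Aggregate queries per registered domain and flag tunnelling-like patterns."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)
    findings = {}
    for domain, recs in by_domain.items():
        prefixes, max_entropy, max_prefix_len, bulk_types = set(), 0.0, 0, 0
        for r in recs:
            suffix = "." + domain
            prefix = r["qname"][:-len(suffix)] if r["qname"].endswith(suffix) else ""
            if prefix:
                prefixes.add(prefix)
                compact = prefix.replace(".", "")  # all subdomain labels, dots removed
                max_entropy = max(max_entropy, shannon_entropy(compact))
                max_prefix_len = max(max_prefix_len, len(compact))
            if r["qtype"] in ("TXT", "NULL", "CNAME", "MX"):
                bulk_types += 1  # reported for the analyst; not part of the rule below
        unique_ratio = len(prefixes) / len(recs)
        suspicious = (len(recs) >= min_queries and unique_ratio > 0.9
                      and max_entropy >= entropy_threshold
                      and max_prefix_len >= prefix_len_threshold)
        findings[domain] = {"queries": len(recs), "unique_prefix_ratio": round(unique_ratio, 2),
                            "max_entropy": round(max_entropy, 2), "max_prefix_len": max_prefix_len,
                            "bulk_record_types": bulk_types, "suspicious": suspicious}
    return findings


def flag_suspicious_domains(log_text: str) -> list:
    """Registered domains whose query pattern looks like an exfiltration channel."""
    findings = score_domains(parse_log(log_text))
    return sorted(d for d, f in findings.items() if f["suspicious"])


if __name__ == "__main__":
    for domain, f in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, f)
    print("flagged:", flag_suspicious_domains(SAMPLE_LOG))
```

In the constructed log, example.com is queried three times for two ordinary names (www, mail) and is left alone, while tunnel.example receives four TXT queries whose 40-character hex prefixes never repeat and have entropy close to the 4-bit maximum for hexadecimal, so it is the only domain flagged. Thresholds like these need tuning against a baseline of your own traffic: CDNs and some telemetry services legitimately generate many unique, random-looking subdomains, so an allowlist of known services belongs in front of this rule.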

The 2022 Global DNS Threat Report suggests that organizations could reduce the effects of DNS attacks by building automation into their DNS defenses. XDR solutions, such as the one CISO Global offers, are automated tools that monitor high volumes of network traffic, detect known patterns of malicious activity or unusual domain requests, and identify and block suspicious DNS traffic, preventing a range of DNS-based attacks, as described below.

Domain squatting: Common in phishing attacks, malware delivery, and other fraudulent schemes, domain squatting (often called typosquatting) means registering a look-alike domain name, such as Amaz0n.com with a zero, that closely resembles a legitimate one, Amazon.com with the letter o, to lure users into visiting the false website and clicking malicious links. Note that the look-alike domain is itself validly registered and resolves normally; the attack exploits the reader, not the DNS protocol, so the defense is to watch for resemblance rather than for protocol anomalies. XDR solutions can help by monitoring DNS queries for domains that resemble protected brands, confirming the fakes, and blocking access to them.

Domain spoofing: Closely related to domain squatting, this attack forges the apparent source of an email or other communication so it seems to come from a legitimate domain. In the simplest form the attacker sends from a look-alike address, Jeff@Amaz0n.com with a zero, to impersonate Jeff@Amazon.com with the letter o; in the stricter sense, the attacker forges the exact legitimate address in the message's From header, which is what the SPF, DKIM, and DMARC records an organization publishes in DNS exist to detect and reject. Spoofing is a staple of phishing, emails carrying links to malware, and other social engineering scams. XDR solutions constantly sift the thousands of queries in normal DNS traffic for known and look-alike spoofing domains and can block the fraudulent emails or other communications before they reach users.
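The squatting and spoofing entries above both come down to recognizing a domain that a human would read as a protected brand. The following added example (written for this page, not code from the original article or from CISO Global) shows the core of such a check: it maps common homoglyphs back to the letters they imitate, measures edit distance to each protected brand label, and also catches the brand name embedded in a longer host name or paired with a different top-level domain. The observed hostnames, the protected brand list, and the small homoglyph table are constructed assumptions.

```python
import re

# Constructed inputs (not real observations): hostnames seen in DNS logs and brands to protect.
OBSERVED = [
    "amazon.com", "amaz0n.com", "arnazon.com", "amazonn.com", "amazon.net",
    "amazon-login.example", "paypa1.com", "example.org",
]
PROTECTED = ["amazon.com", "paypal.com"]

# Characters and digraphs that read as another letter in common fonts.
# Assumption: a small table is enough for the demo; real products use far larger confusable sets.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Map look-alike characters to the letters a human reads them as (longest digraphs first)."""
    label = label.lower()
    for src, dst in sorted(HOMOGLYPHS.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a single insertion, deletion or substitution covers most typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(fqdn: str) -> str:
    # Assumption: last two labels approximate the registrable domain (use the Public Suffix List in production).
    return ".".join(fqdn.rstrip(".").lower().split(".")[-2:])


def find_lookalikes(observed, protected, max_distance=1):
    """Return (host, brand, reason) for every host that impersonates a protected domain."""
    protected = [p.lower() for p in protected]
    findings = []
    for host in observed:
        host = host.rstrip(".").lower()
        reg = registered_domain(host)
        if reg in protected or "." not in reg:
            continue  # the brand's own domain, or not a registrable name at all
        reg_label = reg.split(".", 1)[0]
        norm = normalize(reg_label)
        tokens = re.split(r"[.-]", host)
        for brand in protected:
            brand_label = brand.split(".", 1)[0]
            if reg_label == brand_label:
                reason = "other-tld"        # amazon.net
            elif norm == brand_label:
                reason = "homoglyph"        # amaz0n.com, arnazon.com
            elif levenshtein(norm, brand_label) <= max_distance:
                reason = "typo"             # amazonn.com
            elif brand_label in tokens:
                reason = "brand-embedded"   # amazon-login.example
            else:
                continue
            findings.append((host, brand, reason))
    return findings


if __name__ == "__main__":
    for host, brand, reason in find_lookalikes(OBSERVED, PROTECTED):
        print(f"{host:24} impersonates {brand:12} ({reason})")
```

Run against the constructed list, this flags amaz0n.com, arnazon.com, amazonn.com, amazon.net, amazon-login.example, and paypa1.com, and leaves amazon.com and example.org alone. The same matching logic applies to the domain part of a sender address when screening email, which is the spoofing case above; for the exact-domain forgery case, normalization is irrelevant and SPF, DKIM, and DMARC evaluation is the right control. Expect false positives on short brand names (distance 1 from a six-letter label is a wide net) and feed hits into a review or blocklist workflow rather than blocking blindly.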

Directory busting: Also known as directory brute forcing, this is repeated, automated guessing of a web server's directory and file names to uncover unlisted content such as admin panels, backup files, or configuration files that expose login credentials, customer information, or other sensitive data. It targets the web server rather than DNS itself, but it shows up alongside the attacks above and is caught from the same kind of request telemetry. XDR solutions can help by monitoring web server traffic for bursts of requests for nonexistent directories or files from a single source, and by flagging traffic sent over plain HTTP, which lacks encryption and server authentication, instead of HTTPS.
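The "repeated requests for nonexistent directories or files" signal is simple to operationalize from ordinary web server logs. The added example below (written for this page, not code from the original article or CISO Global's tooling) parses Common Log Format lines and flags any client that requests at least a threshold number of distinct paths returning 404 within a sliding time window. The log lines, client addresses (from the documentation ranges), window, and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access log in Common Log Format (not real traffic). 203.0.113.7 probes for
# files that do not exist; 198.51.100.23 is an ordinary visitor with one missing favicon.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2024:09:00:01 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:09:00:01 +0000] "GET /backup/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:09:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:09:00:02 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:09:00:03 +0000] "GET /config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:09:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2024:09:00:04 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:09:00:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:09:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [01/Mar/2024:09:00:12 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

# Common Log Format with referer and user-agent appended (the usual "combined" layout).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text: str) -> list:
    """Yield (client, timestamp, path, status) tuples; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["client"], ts, m["path"], int(m["status"])))
    return events


def detect_dirbust(log_text: str, window_seconds: int = 60, threshold: int = 5) -> dict:
    """Flag clients requesting >= threshold distinct non-existent paths inside one window."""
    misses = defaultdict(list)
    for client, ts, path, status in parse_access_log(log_text):
        if status == 404:
            misses[client].append((ts, path))
    findings = {}
    for client, events in misses.items():
        events.sort()
        best, best_paths = 0, set()
        # Slide a window starting at each 404 and count distinct paths inside it.
        for i, (start, _) in enumerate(events):
            paths = {p for t, p in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(paths) > best:
                best, best_paths = len(paths), paths
        if best >= threshold:
            findings[client] = {"distinct_404s": best, "paths": sorted(best_paths)}
    return findings


if __name__ == "__main__":
    for client, info in detect_dirbust(SAMPLE_ACCESS_LOG).items():
        print(client, info["distinct_404s"], info["paths"])
```

On the constructed log, 203.0.113.7 produces six distinct 404s in three seconds and is flagged; 198.51.100.23's lone missing favicon is not. Counting distinct paths rather than raw 404s matters: a broken link hit by many users, or one user reloading a dead page, should not trip the rule, while a wordlist scan always does. The same loop can be extended to count 403 responses, which many scanners also generate, or to weight requests that arrive over plain HTTP.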

Incident response planning and incident response: CISO Global can work with your organization to create effective response plans to put into action if and when your systems are attacked, including exercising the plan with your staff so they know how to respond. If your systems do suffer an attack, our experts can help you limit the damage with effective responses: threat hunting to find the source of the attack, containment to keep it from spreading through your environment, and remediation to repair the damage and reduce dwell time.

Domain Monitoring 

CISO Global safeguards its clients' domains as part of our XDR service. We alert clients to any change that affects their DNS security, so action can be taken quickly to stop an attack in progress. Learn more about XDR.