A managed services provider (MSP) in Europe was recently considering launching a new security service. Before doing so they wanted to answer a fundamental question: how many of their enterprise customers had malware infections? Within hours of asking the question they made a single configuration change to their resolvers and identified over 700 business customers with critical malware infections. One of them was a major healthcare company infected with multiple malware variants capable of logging employee keystrokes - a serious risk to the sensitive patient data stored on its network.
How was it possible to find so many undetected threats so quickly with so little effort? They didn't use a brand new security appliance or the newest intrusion prevention technology. Instead they used a 30-year-old technology deployed in every IP network - the Domain Name System (DNS). People and applications make trillions of DNS queries daily to translate human-readable domain names into IP addresses in order to navigate the Internet. Although the DNS has been around since the beginning of the Internet, it has only recently been viewed as a way to solve a broader range of business problems.
Why is this happening now? Companies being forced to innovate while squeezing more out of their IT budget are re-evaluating how they can utilise already-deployed technologies to solve new problems.
As companies have implemented a variety of new systems to deliver business applications, comply with regulations and address security threats, the complexity of running their networks has increased dramatically. Having more disparate IT systems increases the cost of maintenance, integration, upgrades and patch management. Application ecosystems built around existing technologies such as ERP and sales force automation aim to address this challenge.
Security applications are a logical starting point for extracting value from the DNS since, just as virtually every legitimate IP application relies on the DNS, so do the attackers: malware has to resolve the names of its command and control servers before it can talk to them. This opens up a wide range of uses of DNS data to detect and prevent threats. For instance, DNS is used to detect and block data exfiltration from infected devices on the network by spotting clients that query domains belonging to criminally owned botnet command and control (C&C) infrastructure, and refusing to resolve those names. DNS is also being used to prevent phishing attacks, warn users accessing sites hosting malware and prevent access to a range of unwanted or illegal content.
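The detection step described above, as an added example (this is illustration code written for this page, not the MSP's tooling or any vendor's product). It parses resolver query-log lines, matches each queried name against a blocklist of C&C and phishing domains on label boundaries (so a subdomain of a blocked domain matches, but a lookalike such as `badc2.example.notblocked.example` does not), reports which client IPs are talking to blocked domains, and emits the response policy zone (RPZ) records a resolver would use to refuse or sinkhole those names. The log lines, client addresses and domain names are all constructed (the `.example` TLD is reserved for documentation); the log format is loosely modelled on BIND's query log, and the RPZ record syntax follows BIND's convention where `CNAME .` means "answer NXDOMAIN".

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on a BIND 9 query log. Not real traffic.
SAMPLE_LOG = """\
15-Jan-2013 10:02:31.123 client 10.1.4.22#51234: query: www.example.com IN A + (10.1.1.5)
15-Jan-2013 10:02:32.004 client 10.1.4.22#51235: query: update.badc2.example IN A + (10.1.1.5)
15-Jan-2013 10:02:33.210 client 10.1.4.40#40001: query: mail.example.com IN MX + (10.1.1.5)
15-Jan-2013 10:02:34.555 client 10.1.7.9#33000: query: x7f3.cdn.badc2.example IN A + (10.1.1.5)
15-Jan-2013 10:02:35.009 client 10.1.7.9#33001: query: login.phish-bank.example IN A + (10.1.1.5)
15-Jan-2013 10:02:36.777 client 10.1.4.22#51236: query: badc2.example.notblocked.example IN A + (10.1.1.5)
"""

# Constructed blocklist (hypothetical domains, not a real threat feed): domain -> category.
BLOCKLIST = {
    "badc2.example": "botnet-c2",
    "phish-bank.example": "phishing",
}

# Pulls client IP, queried name and query type out of one log line.
LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for each parseable line; qname is lower-cased, no trailing dot."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def match_blocklist(qname, blocklist):
    """Return (blocked_domain, category) if qname equals or is a subdomain of a blocked domain.

    Matching walks label boundaries, so 'a.badc2.example' matches 'badc2.example' but
    'badc2.example.notblocked.example' does not. Returns None when nothing matches.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate, blocklist[candidate]
    return None


def find_infected_clients(log_text, blocklist):
    """Map each client IP that queried a blocked domain to the (qname, category) hits it produced."""
    hits = defaultdict(list)
    for client, qname, _qtype in parse_query_log(log_text):
        m = match_blocklist(qname, blocklist)
        if m:
            hits[client].append((qname, m[1]))
    return dict(hits)


def rpz_records(blocklist, sinkhole_ip=None):
    """Build RPZ zone records for the blocklist (BIND RPZ syntax).

    Without a sinkhole, 'CNAME .' makes the resolver answer NXDOMAIN; with one, an A record
    points the client at a sinkhole host where the C&C traffic can be logged instead.
    A wildcard record covers subdomains, which C&C and phishing hosts routinely use.
    """
    records = []
    for domain in sorted(blocklist):
        for owner in (domain, "*." + domain):
            if sinkhole_ip is None:
                records.append(f"{owner} CNAME .")
            else:
                records.append(f"{owner} A {sinkhole_ip}")
    return records


if __name__ == "__main__":
    for client, queries in sorted(find_infected_clients(SAMPLE_LOG, BLOCKLIST).items()):
        for qname, category in queries:
            print(f"{client} queried {qname} [{category}]")
    print("\n".join(rpz_records(BLOCKLIST)))
```

The client IP is what turns a DNS hit into an incident: the resolver sees the source address of every query, so one blocklist applied at the resolver identifies the infected hosts across the whole network without touching the endpoints. Two caveats a practitioner should keep in mind: a forwarding resolver or NAT in front of the logging resolver collapses many clients into one source address, and blocklist quality is the whole game, since a stale or over-broad entry turns this into a self-inflicted outage.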
While DNS has played a role in security for a while, its importance has recently increased significantly. In just the last several years the DNS has been used to detect or take down an increasing number of sophisticated malware families and botnets - e.g. Conficker, Aurora, Stuxnet, Zeus, Flamer, TDL4 and Nitol. DNS (port 53) is also one of the few ports almost always permitted outbound from enterprise networks, making it a natural channel for attackers, especially as enterprises have been scrubbing HTTP traffic more carefully and leaving fewer channels of communication open to them. Likewise, the proliferation of devices accessing enterprise networks has made it essentially impossible to prevent every infected device from getting on the network. If you can't keep infections out of the network you need to identify and remediate them quickly, and because every infected device must resolve names to reach its controllers, DNS is uniquely suited to that task.