5 types of DNS attacks and how to detect them

The Domain Name System, or DNS, is used in computer networks to translate domain names to IP addresses which are used by computers to communicate with each other. DNS exists in almost every computer network; it communicates with external networks and is extremely difficult to lock down since it was designed to be an open protocol. An adversary may find that DNS is an attractive mechanism for performing malicious activities like network reconnaissance, malware downloads, or communication with their command and control servers, or data transfers out of a network. Consequently, it is critical that DNS traffic be monitored for threat protection.

Attack 1: Malware installation. This may be done by hijacking DNS queries and responding with malicious IP addresses. The goal of malware installation can also be achieved by directing requests to phishing domains.

Indicators of compromise: Forward DNS lookups of typo squatting, domain names that look or sound similar (gooqle.com for example); modifications to hosts file; DNS cache poisoning.
Attack 2: Credential theft. An adversary may create a malicious domain name that resembles a legitimate domain name and use it in phishing campaigns to steal credentials.

Indicators of compromise: Forward DNS lookups of typo squatting, domain names that look or sound similar (gooqle.com for example); modifications to hosts file; DNS cache poisoning.
Attack 3: Command & Control communication. As part of lateral movement, after an initial compromise, DNS communications is abused to communicate with a C2 server. This typically involves making periodic DNS queries from a computer in the target network for a domain controlled by the adversary. The responses contain encoded messages that may be used to perform unauthorized actions in the target network.

Indicators of compromise: DNS beaconing queries to anomalous domain, low time-to-live, orphan DNS requests.
Attack 4: Network footprinting. Adversaries use DNS queries to build a map of the network. Attackers live off the terrain so developing a map is important to them.

Indicators of compromise: Large number of PTR queries, SOA and AXFER queries, forward DNS lookups for non-existent subdomains in the root domain.
Attack 5: Data theft. Abuse of DNS to transfer data; this may be performed by tunneling other protocols like FTP, SSH through DNS queries and responses. Attackers make multiple DNS queries from a compromised computer to a domain owned by the adversary. DNS tunneling can also be used for executing commands and transferring malware into the target network.

Indicators of compromise: Large number of subdomain lookups or large lookup size; long subdomains; uncommon query types (TXT records).
Feeling overwhelmed? There is a ton of detail to absorb and process discipline to put it into practice for 24/7 threat detection and response. Allow us to do the heavy lifting with our co-managed SIEM, SIEMphonic. Whether you use on-premise DNS like Microsoft DNS server or Infoblox or cloud services from OpenDNS, we’ve got you covered. Check out our "Catch of the Day" to read true stories from our SOC in which we detected and thwarted cyber-attacks including DNS-based threats.

The Ultimate Playbook to Become an MSSP

Contributed by: Meaghan Moraes, Content Marketing Manager at Continuum

Now that advanced cybersecurity protections are a must-have in today’s landscape, organizations of all sizes are increasingly seeking out and leaning on a trusted security partner to manage their security services. A recent study released by Forrester revealed that 57 percent of companies are seeking outside help for IT systems monitoring and 45 percent are outsourcing threat detection and intelligence. As a result, managed IT service providers (MSPs) are presented with a major opportunity to step in as that cybersecurity leader through an expanded services portfolio that officially deems them an “MSSP”—a Managed Security Services Provider.
 
As it stands, 42 percent of employees in small- and medium-sized businesses (SMBs) would not know what to do if their business experienced a cyber attack, which stems from the fact that 47 percent do not have employee security awareness and training programs in place. As MSPs integrate security into their services, they will not only significantly decrease the margin of error for their clients’ information security, but they will be one step closer to cementing their status as their go-to provider on an ongoing basis.

But that doesn’t happen overnight, and there’s no silver bullet to security. As you start to think about adding layers of security to your offering in an effort to address your clients’ top concerns, your strategy will begin to develop. Here are some helpful steps to devising a solid strategy and then successfully selling what you have to offer as an MSSP.

Devising Your Cybersecurity Strategy
 
With advanced threats like rapidly evolving and hyper-targeted malware and ransomware, basic security tools alone aren’t enough to keep SMB clients secure; additional cybersecurity is needed for more complete and holistic protection.
 
MSPs and SMBs need more advanced and comprehensive security—such as endpoint and network security, security operations center (SOC) services, log management, DNS filtering, and user training—in order to remain one step ahead of threats at all times. A proactive approach to cybersecurity will inform MSPs of exactly how well-protected their clients are from specific risks. Capabilities such as advanced security profiling and risk scoring, employee security training, and incident response planning can help you consistently predict and manage risk.
 
When it comes to immediate and robust detection capabilities, it’s crucial to offer endpoint and network management so you can detect suspicious behaviors on all endpoints and across the network so you can immediately roll back and minimize any damage.
 
Lastly, with SOC services, you’ll have the ability to monitor and mitigate threats in real time, and offer remediation services and deep forensics as well.
 
Once you have pinned down which protections will comprise your comprehensive solution, it’s time to package your unique offering with effective messaging.

Selling Your Managed Security Services
 
When prospecting or cross-selling to clients, you can refine your message to speak to the SMB mindset around security. MSPs need to not only evolve their strategies to survive, but get client buy-in on them.
 
When working to achieve buy-in, the best method for engaging clients is to develop a common language. Compare a typical business function your client performs—like marketing, for instance—to security. Just as you work to know your audience, understand where to focus and report on those efforts, the same methodology can be applied to your security service delivery. You need to understand the threat landscape, consistently measure risk, and report on risk levels. Finding that type of common ground will help you clearly illustrate how you’re aiming to deliver your cybersecurity offering.
 
It’s helpful to frame the conversation with clients around risk. You can work with them to define acceptable risk and determine what it will take to get to their desired state. Make sure your client sees your relationship as ongoing. If they’re at an unacceptable risk level, you can ensure them that your security services will get them to the acceptable range, and you will maintain that by consistently identifying, prioritizing, and mitigating gaps in coverage.
 
Taking an approach that not only brings to life what your services will represent, but also justifies additional fees and services will cement you as the MSSP that will undoubtedly keep your clients as protected and profitable as possible.