Increased ransomware attacks have resulted in organisations becoming increasingly proactive about network security. Regardless of whether it's downtime or exposed data, no business can afford the damage that this would do to their reputation in the marketplace. The impact of such attacks must be seen both from a business perspective (i.e. brand reputation) and from a service provider point of view. So as a bank, for example, not only is your reputation tarnished if you lose data, but your ability to provide your customers with a service is impacted if you have extended downtime. To survive in today's competitive market, organisations need a fast, reliable and secure network.
Rene Bosman, Manager at Infoblox Africa, says, "Businesses are starting to take these types of threats a lot more seriously - and there's no one-size-fits-all solution. Security is a complex architecture.
"No business can afford to lose its network; if the DNS goes down, your business is down. Your customers will move to the competition if you can't keep your network stable. Uptime is survival and your business's reputation is at stake."
Threats are evolving continuously, and the DNS (domain name system) server is the easiest target for attackers wishing to disrupt a business. If the DNS server goes down, the entire network is shut off from the Internet. You can't even rule out the possibility of a competitor hiring hackers to disrupt the competition, according to Bosman. He says: "South Africa's mobile data networks are far behind the rest of the world in terms of data consumption and penetration, which makes for highly competitive industries, and security becomes massively important in these conditions."
No network means no work. Literally. Businesses are reliant on the DNS server, which was traditionally a box in the corner of the office that offered no visibility or security. Bosman says: "There's recently been a realisation that DNS needs to be regarded as a strategic component of the network. This includes implementing very specific DNS security to protect customers and the network."
He goes on to explain how attacks that target DNS servers work: "It's as simple as a small human error, you type in the wrong URL, not even realising that you typed an 'e' where an 'a' should have gone, for example. Hackers have already figured out the most common mistakes made when typing in URLs and are ready for you to hit 'enter'. You'll go to a site that will look just like the site you intended to visit, but with one massive difference - it could immediately install a programme (malware) on your laptop the minute you visit it. It could be ransomware, phishing, you might not even notice that it's happening."
This type of attack uses the DNS server to communicate with the network - the attempt can't be detected by the firewall as it relies on a human to make the initial error, i.e. typing in the wrong URL, so the attack isn't coming from outside the organisation. "Traditional DNS doesn't provide visibility or reporting, and offers zero security," says Bosman. He advocates a two-step approach to remediation:
1. Assess to see what malware is on the organisation's network currently.
2. Detect data exfiltration using DNS to identify if someone is removing data from your business that you aren't aware of.
Bosman continues: "Cyber criminals are evolving their use of DNS weaknesses on an ongoing basis, they're becoming smarter, they know which errors are common when for example typing in a domain name for a bank. It becomes difficult for a business's IT security staff to stay abreast of this and block all of those domains. You need a DNS security solution that looks at the types of data going through the DNS and flags certain types as potential threats. It identifies behaviour."
"There's a growing realisation in the industry of the importance of defending at DNS level," says Bosman. "As mobile data user numbers grow in Africa, so the threat and attack opportunities will go up too."
Five steps to identification and protection:
* An infected device (e.g. a USB) is brought into the office and the malware on it calls home to a command and control server.
* The corresponding DNS query is blocked by the Infoblox DNS appliance running DNS firewall with ActiveTrust Threat Intelligence.
* The firewall employs DNS response policy zones that allow policy controls to be applied to DNS lookups.
* Malicious DNS is blocked.
* Visibility is provided around the client sending the malicious query, including device IP, user name and MAC address, as well as layer 2 and layer 3 connectivity information such as the switchport the device is connected to.
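
The policy lookup and client reporting in the steps above can be sketched as follows. This is an added example, not Infoblox code: the policy entries, domain names, client addresses and function names are constructed, and only the standard RPZ QNAME-trigger actions (NXDOMAIN, NODATA, passthru) are modelled.

```python
# Constructed policy zone: QNAME trigger -> action, as an RPZ CNAME target encodes it.
POLICY = {
    "c2.badhost.example": "NXDOMAIN",   # CNAME .
    "*.badhost.example": "NXDOMAIN",    # wildcard: any name below badhost.example
    "*.tracker.example": "NODATA",      # CNAME *.
    "ok.tracker.example": "PASSTHRU",   # CNAME rpz-passthru. (exempt from the wildcard)
}

# Constructed query log: (client IP, client MAC, queried name)
QUERIES = [
    ("192.0.2.10", "02:00:00:00:00:0a", "www.intranet.example."),
    ("192.0.2.23", "02:00:00:00:00:17", "C2.BadHost.example."),
    ("192.0.2.23", "02:00:00:00:00:17", "a1.b2.badhost.example."),
    ("192.0.2.31", "02:00:00:00:00:1f", "ok.tracker.example."),
    ("192.0.2.31", "02:00:00:00:00:1f", "ads.tracker.example."),
]


def rpz_action(qname, policy=POLICY):
    """Return the policy action for a queried name, or None if no trigger matches."""
    name = qname.rstrip(".").lower()          # DNS names compare case-insensitively
    if name in policy:                        # an exact trigger beats any wildcard
        return policy[name]
    labels = name.split(".")
    for i in range(1, len(labels)):           # try the most specific wildcard first
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in policy:
            return policy[wildcard]
    return None                               # a wildcard never matches its own apex


def evaluate(queries, policy=POLICY):
    """Apply the policy to each lookup and record which client sent a blocked query."""
    report = []
    for ip, mac, qname in queries:
        action = rpz_action(qname, policy)
        if action in ("NXDOMAIN", "NODATA"):
            report.append({"client": ip, "mac": mac, "qname": qname, "action": action})
    return report


if __name__ == "__main__":
    for hit in evaluate(QUERIES):
        print(hit)
```
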