Malicious actors and cybersecurity experts constantly try to outsmart each other. Given that more or less any network is protected by a firewall, end-point security, and intrusion detection systems, hackers utilize new tactics to bypass them. Here are some of those, along with an explanation of how they can be stopped at the DNS level.
DNS tunneling and other DNS-based threats
DNS tunneling uses DNS traffic to smuggle information or code in or out of the network. It is used to steal data or control malware.
It is impossible to identify a DNS tunnel based on a single query. Some firewalls may even inspect each query to detect known malicious code, but they do not have the capacity to store the information and analyze patterns, which is exactly what Whalebone Immunity does, blocking the traffic deemed suspicious.
For example, one of the largest attacks to date, the SolarWinds attack, used DNS tunneling to steal information from almost 18,000 networks infected by the attackers' malware, including those of Microsoft, Cisco, and parts of the Pentagon. Even though protective DNS would not stop the malware from getting into the network, it would block its communication with the author and immediately notify the admins, thus preventing any damage.
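The pattern analysis described above, as an added example (not Whalebone's code): it groups one time window of resolver logs by client and parent domain and flags pairs that carry many distinct, long subdomains, which no single query reveals. The log format, thresholds, addresses and domain names are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

def parent_domain(qname):
    # Assumption: the last two labels form the registered domain; real
    # deployments should consult the Public Suffix List instead.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def tunnel_suspects(window, min_unique=5, min_avg_len=20):
    """Flag (client, parent) pairs whose queries in one time window carry
    many distinct, long subdomains. Thresholds are illustrative."""
    subs = defaultdict(set)
    for client, qname in window:
        name = qname.rstrip(".").lower()
        parent = parent_domain(name)
        sub = name[: -len(parent)].rstrip(".")
        if sub:
            subs[(client, parent)].add(sub)
    suspects = []
    for (client, parent), seen in subs.items():
        payload = sum(len(s) for s in seen)  # characters carried in subdomains
        if len(seen) >= min_unique and payload / len(seen) >= min_avg_len:
            suspects.append((client, parent, len(seen), payload))
    return sorted(suspects)

def chunk(i):
    # Constructed stand-in for an encoded data chunk in a subdomain label.
    return hashlib.sha256(str(i).encode()).hexdigest()[:32]

# Constructed sample window of (client_ip, query_name); not real traffic.
WINDOW = (
    [("10.0.0.7", f"{chunk(i)}.tunnel.example") for i in range(8)]
    + [("10.0.0.9", f"{h}.example.com")
       for h in ("www", "mail", "cdn", "api", "img", "vpn")]
    + [("10.0.0.9", f"{chunk(99)}.assets.example")]  # one long label on its own
)

if __name__ == "__main__":
    for row in tunnel_suspects(WINDOW):
        print(row)
```

The lone long label from 10.0.0.9 and its six short lookups stay below the thresholds; only the repeated pattern from 10.0.0.7 is reported.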
Homographic phishing
In homograph attacks, often used for targeted phishing, called spear phishing, the attackers lure employees to disclose sensitive information using a domain which looks similar to the company domain, often using different alphabets or similarities between letters and numbers to mimic the original.
For example:
google.com x gооgle.com, the latter using Cyrillic “о” instead of the standard Latin “o”
googIe.com x google.com, the former using capital “I” instead of lowercase “l”.
Since the domains are usually created for a specific attack, they are not identified as malicious before the damage happens and thus avoid detection. Protective DNS Whalebone Immunity enables you to set up monitoring for domains which are similar to yours, or to populate your blacklists in advance so that access to these domains is blocked immediately.
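One way to monitor for domains that imitate yours, as an added example that is not the product's implementation: each queried name is reduced to a "skeleton" in which lookalike characters are folded together, then compared with the protected domain. The character table is a small constructed subset and the sample queries are constructed; DNS ignores case, so googIe.com is googie.com on the wire, which is why "i" is folded into "l".

```python
import unicodedata

# Constructed subset of lookalike characters for illustration; the full
# data set is Unicode's confusables.txt (UTS #39).
CONFUSABLE = {
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0445": "x", "\u0456": "l",
    "0": "o", "1": "l", "i": "l",  # digits and the capital-I trick
}

def to_unicode(qname):
    # Queries arrive as ASCII; decode any xn-- (punycode) labels first.
    try:
        return qname.encode("ascii").decode("idna")
    except UnicodeError:
        return qname  # already Unicode, or malformed punycode

def skeleton(qname):
    name = unicodedata.normalize("NFKC", to_unicode(qname.rstrip("."))).lower()
    return "".join(CONFUSABLE.get(ch, ch) for ch in name)

def lookalikes(protected, observed):
    """Return (query, imitated_domain) for names that collapse to the same
    skeleton as a protected domain without being that domain."""
    targets = {skeleton(p): p.lower() for p in protected}
    hits = []
    for qname in observed:
        shown = to_unicode(qname.rstrip(".")).lower()
        match = targets.get(skeleton(qname))
        if match and shown != match:
            hits.append((qname, match))
    return hits

# Constructed sample queries. PUNY is the xn-- form of the Cyrillic-"o"
# spelling from the text, as a resolver would see it.
PUNY = "g\u043e\u043egle.com".encode("idna").decode("ascii")
OBSERVED = ["google.com", PUNY, "googIe.com", "g00gle.com", "example.org"]

if __name__ == "__main__":
    for qname, target in lookalikes(["google.com"], OBSERVED):
        print(f"{qname} imitates {target}")
```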
Attacks using DGA (domain generation algorithms)
Most security measures rely on threat intelligence databases. Domain generation algorithms (DGAs) are used to generate new random domains which are not a part of any blacklist, thus avoiding detection.
From a single query, it is not possible to confidently identify DGA-generated domains; even with a 99% success rate the number of false positives would be overwhelming. That’s why firewalls, which just look at what passes through them at each single moment and thus are unable to analyze patterns, can’t identify the usage of DGAs if the identifiers are not already part of some database. Security on a DNS level, on the other hand, stores and analyzes the traffic with AI, blocking the domains based on query sequences.
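A sequence-based check of the kind described above, as an added example rather than the vendor's method: it assumes that a host cycling through generated domains produces a burst of NXDOMAIN answers for many different names, and flags a client once it crosses a threshold inside a sliding window. The log fields, thresholds, addresses and all domain names are constructed assumptions.

```python
from collections import defaultdict, deque

def dga_suspects(events, window=60, min_nx=5):
    """events: (timestamp_s, client, qname, rcode) tuples sorted by time.
    Returns {client: timestamp at which it first had >= min_nx distinct
    NXDOMAIN names within `window` seconds}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, client, qname, rcode in events:
        if rcode != "NXDOMAIN" or client in flagged:
            continue
        q = recent[client]
        q.append((ts, qname.rstrip(".").lower()))
        while q and ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        if len({name for _, name in q}) >= min_nx:
            flagged[client] = ts
    return flagged

# Constructed random-looking names; not taken from any real malware family.
NAMES = ["kq3vz9xw1b.example", "p0dlm4tyhc.example", "zx8wne2qro.example",
         "b7ufjs5kga.example", "m1ycv6ditp.example", "r9hoa3nbex.example"]

# Constructed sample log; not real traffic.
EVENTS = sorted(
    # burst: six different failing names in 25 seconds
    [(5 * i, "10.0.0.5", n, "NXDOMAIN") for i, n in enumerate(NAMES)]
    # one mistyped name retried six times: a single distinct name
    + [(3 * i, "10.0.0.8", "intranet.corp.example", "NXDOMAIN") for i in range(6)]
    # the same six names spread over ten minutes
    + [(120 * i, "10.0.0.6", n, "NXDOMAIN") for i, n in enumerate(NAMES)]
    + [(40, "10.0.0.5", "www.example.com", "NOERROR")]
)

if __name__ == "__main__":
    print(dga_suspects(EVENTS))
```

Client 10.0.0.6 queries exactly the same names as 10.0.0.5 and is not flagged, which shows that the verdict comes from the sequence and timing rather than from any individual name.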
Supply-chain attacks
A supply-chain attack is a tactic using an opening in third-party software or a service to access the target’s network. It is especially dangerous since the software used by the target company is trusted by the standard security measures. Moreover, this type of attack can use faults in software used by IoT devices, which usually do not have strong embedded end-point protection.
Nevertheless, once the malware gets into the network, it needs to be activated, or it needs to be able to spread and infect other devices and access databases in order to lock them or extract their data. More than 95% of malware has to use DNS for those tasks, and this is where it can be stopped.
A DNS security layer identifies malware trying to access a malicious domain, or using a suspicious pattern of DNS queries, immediately blocking the threat and notifying the network admins not only of the activity, but even of which device was afflicted.
Identity theft and using leaked credentials
The problem stems from third-party services, which are often targeted by hackers with the goal of stealing information about their users. Stolen data are then sold on the dark web or eventually made public among the hacker community. Even trusted companies such as Microsoft, LinkedIn, Canva, Adobe, Facebook, and many others were breached.
According to Google’s survey, more than 65% of people use the same password for multiple services. If any of your employees have used a work e-mail address to register with the breached service, their password can be used by hackers to simply try to log in to company e-mail, databases, and other services in order to impersonate the company, spread malware, steal data, and more.
Protective DNS Whalebone Immunity is unique in providing the Identity Protection security layer. The Identity Protection team identifies both new and old leaks, so that you can deal with the past ones as soon as possible and set up measures for any new ones occurring. Even if there is just a suspicion of a breach, you will be notified immediately.
Attacks targeting remote employees
Employees working from home or on business trips are outside of the security perimeter of the standard network-wide measures, which makes them an easier target for hackers – even more so when they are connected to public Wi-Fi at an airport or at a hotel.
This is easily solved by proper DNS security – Whalebone Immunity’s Home Office Protection app redirects the DNS traffic to the same resolver your company network is using, resulting in the same protection the employees working from the office have. You control and monitor everything in the same portal and do not have to deal with yet another service and the accompanying security and operational risks.
Multi-layered protection is the only way to be safe
Did you not tick all of the boxes? It is very possible, since the standard solutions just can’t keep up with the hackers. Instead it is vital to layer the protection and widen the cybersecurity perimeter.
That could be a lengthy and costly process. Nevertheless, thanks to DNS protection from Whalebone Immunity, you can have the protection of the whole network up and running in a matter of hours with no need for special hardware or investment. No installation on end devices, no need to train the employees, practically no maintenance burning the time of the IT team.
Make sure that you have covered these important vectors to be sure that your network is as secure as possible. Find out more about Whalebone Immunity here or contact us to see Immunity in action.