Why you need a product that protects your DNS security (Article 1 of Heimdal Security series)
As Brigantia has previously mentioned, 2016 was the year of ransomware, the year in which cybersecurity became a widespread concern. The problem is that talking about cybersecurity and the threats that are out there will not make them go away. The threats remain as the hacking world continues to grow and evolve. Through Heimdal Security, Brigantia has an answer to these threats, one that has enabled us and our partners to stand out throughout 2016 and instil a sense of safety within the channel.
This is the first of two articles that will unravel Heimdal Security and explain how it continues to change the market, and specifically how the technology behind the product stops hackers and ransomware immediately.
The different types of cyber threat, what they attack and how they affect technology infrastructures tend to be ignored because all cyber-attacks get categorised under one roof. The specific details of an attack are therefore often overlooked, which doesn’t help when trying to explain to someone what exactly has happened. In this article, I will explore one specific target area within the cyber realm: DNS security.
For the less ‘techy’ among us… What is DNS?
DNS is an abbreviation for ‘domain name system’ and defines the relationship between domain names and IP addresses. When you attempt to access a particular web address, the DNS translates the domain name in the URL you type into an IP address, enabling you to reach the corresponding site. This translation happens in the blink of an eye and is not visible to the user (it’s much easier to remember google.com than its IP address!). Essentially, the DNS is a satnav that guides the URL request down a variety of roads through the internet and brings you to your destination. It also acts as a server that sees every request you make to view websites or to download media.
By default, Windows is set to obtain a DNS server address automatically. Alternatively, the DNS server can be set manually to your internet service provider’s resolver, to Google Public DNS or to the resolver of a cybersecurity solution. You can check your DNS settings under the network connections in your Control Panel.
So why is it so important for the DNS to be kept safe?
According to ‘Infosecurity Magazine’, in 2016 nearly 20% of UK businesses experienced some form of DNS attack – a much higher figure than for any other country in the world, including the hacking hotspot of America. In other words, a disproportionately large percentage of UK businesses have had their DNS compromised and have suffered financial and operational losses as a result. This suggests that the UK is more susceptible to DNS attacks than anywhere else in the world.
Taking control of someone’s DNS enables a hacker to abuse the way in which your browser communicates with the world wide web, and therefore to intercept and manipulate your traffic on demand. For example, cybercriminals would be able to send you to a copy of your online banking website and collect your online banking details as you enter them. Antivirus software would be no use in a scenario such as this because it only has the ability to scan your files and system behaviour, not your internet traffic (this is where an additional layer such as Heimdal Security comes into play).
According to the Heimdal Security geeky team, it is advantageous for a hacker to target DNS services for a variety of reasons:
- It’s stealthy and difficult to detect
- It avoids detection by antivirus products that rely exclusively on signatures
- It opens up compromised systems to a huge array of attack vectors
- It gives attackers a direct channel to feed the system with malware – a recent report from Cisco states 91.3% of Ransomware attacks happen via DNS level dial backs.
- It provides a way to use a combination of attack methods that can use the system for DDoS attacks and other malware-spreading campaigns.
How can a DNS be compromised?
A hacker can attack a DNS in one of two ways: DNS cache poisoning or DNS hijacking.
DNS cache poisoning (or spoofing) corrupts the domain name translation process by inserting false records into the cache kept by a DNS server. The poisoned server then returns false IP addresses, which lets the hacker redirect internet traffic to sites that feed your PC malware through automatic downloads. If the DNS server is used across multiple machines, e.g. one provided by an ISP, then all of those machines are affected and their internet traffic is diverted towards the hacker’s chosen sites. DNS cache poisoning is very difficult to detect and can easily slip past any antivirus product installed.
Another form of attack is DNS hijacking, where a Trojan changes the DNS settings from the automatic default to a manual setting pointing at a new, rogue DNS server, so that the hacker can re-route all requests through it. As a result, every request made resolves to malicious IP addresses. This form of attack often involves an additional stage in which the affected machines are enrolled into a botnet that gives the attacker full control over the system.
Both of these forms of attack can be described as ‘broker attacks’, in that the hacker is able to slip in between the victim’s machine and its internet access.
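The cache poisoning described above works only if the resolver accepts a forged answer into its cache. The following added example (not code from the article, Brigantia or Heimdal Security) is a toy resolver cache that applies the standard checks a resolver performs before caching a reply: the answer must come from the server that was queried, to the randomised source port, with the matching transaction ID and question name, and it may only carry records for names within the question’s bailiwick. Responses are modelled as plain dicts rather than DNS wire format, and every address, port and ID is constructed for illustration.

```python
# Toy resolver cache with the checks (RFC 5452) a resolver applies before
# accepting an answer; added example, not the article's or Heimdal's code.
# Responses are plain dicts rather than DNS wire format; all values constructed.
from dataclasses import dataclass, field

@dataclass
class PendingQuery:
    txid: int       # 16-bit transaction ID chosen at random for the query
    src_port: int   # randomised UDP source port the query went out on
    qname: str      # name being resolved, e.g. "bank.example."
    server: str     # upstream DNS server the query was sent to

@dataclass
class ResolverCache:
    records: dict = field(default_factory=dict)   # qname -> IP address

    def accept(self, pending: PendingQuery, response: dict) -> tuple:
        """Return (accepted, reason); cache only a reply that matches the
        outstanding query in source address, port, txid and question name."""
        if response["from_ip"] != pending.server:
            return False, "reply from a server we did not query"
        if response["to_port"] != pending.src_port:
            return False, "reply to the wrong source port"
        if response["txid"] != pending.txid:
            return False, "transaction ID mismatch"
        if response["qname"] != pending.qname:
            return False, "question does not match the outstanding query"
        # bailiwick check: never cache records for names we did not ask about
        for name, _ip in response["answers"]:
            if name != pending.qname and not name.endswith("." + pending.qname):
                return False, f"out-of-bailiwick record for {name}"
        for name, ip in response["answers"]:
            self.records[name] = ip
        return True, "cached"

def demo() -> dict:
    """Feed one forged and one genuine reply (both constructed) to the cache."""
    pending = PendingQuery(txid=0x3A7F, src_port=51234,
                           qname="bank.example.", server="192.0.2.53")
    cache = ResolverCache()
    forged = {"from_ip": "203.0.113.9", "to_port": 51234, "txid": 0x0001,
              "qname": "bank.example.",
              "answers": [("bank.example.", "203.0.113.9")]}
    genuine = {"from_ip": "192.0.2.53", "to_port": 51234, "txid": 0x3A7F,
               "qname": "bank.example.",
               "answers": [("bank.example.", "192.0.2.10")]}
    return {"forged": cache.accept(pending, forged),
            "genuine": cache.accept(pending, genuine),
            "cache": dict(cache.records)}
```

A real resolver would also drop the pending entry once a reply is accepted, and DNSSEC validation adds a cryptographic check that these sanity checks alone cannot provide.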
What should I have my DNS set to?
As previously mentioned, there are three alternatives to the default DNS setting. If you choose your ISP’s resolver, make sure it is a company that you trust and that has a good reputation: ISPs can tamper with DNS responses in their own way, in the shape of targeted advertising, so be sure before you make any changes. Google’s Public DNS brings benefits due to the size and speed of the service; however, many people are concerned about the level of privacy Google provides. The third option is to use a DNS service delivered as part of a security suite – Heimdal Security.
How and why Heimdal protects your DNS:
Heimdal users benefit from a bespoke, dedicated DNS service built by the in-house team that filters all internet traffic through Heimdal’s intelligence database. This is essentially a dynamic history book of all known malicious sites, and it keeps you safe from the following:
- phishing and pharming websites
- malvertising
- websites that have malicious code injected
- traffic redirects
- malicious downloads
- exploit kits
- data leakage
- malware-laden traffic that tries to drop ransomware and other threats
What does this mean for Brigantia partners?
DNS attacks are more severe than most because they open up an entire web of further attacks: installing ransomware, collecting bank details, usernames and passwords, social engineering attacks, DDoS attacks… the list goes on. The difference is that all of these can follow from just one successful DNS attack. The importance of using a reliable and secure DNS service to protect business customers cannot be stressed enough to the channel. As more hackers start exploiting the huge opportunity that DNS attacks offer, there is the potential for a cybersecurity epidemic, particularly within the UK.
Brigantia is fortunate enough to be the master distributor in the UK for Heimdal Security, the immediate answer to DNS security and protection from ransomware. For more information, please feel free to get in touch with me directly: angus.shaw@brigantia.com or 020 3358 0079
References
UK more susceptible to DNS attacks: Infosecurity Magazine, http://www.infosecurity-magazine.com/opinions/real-cost-dns-security-attacks-uk/
Cisco 2016 Annual Security Report: http://signalpartners.fi/wp-content/uploads/2016/01/Cisco-security-report-2016.pdf