DNS security – Does your firewall need a booster?
DNS security services can close firewall vulnerabilities – and keep teams secure during remote working, too.
As organisations grow and mature, they tend to become increasingly aware of their cyber security needs. In commercial environments, this awareness translates into having, at the very least, a firewall installed on the office premises. Today most companies do have a firewall to protect them from malicious websites and cyber-attacks. This raises the question: why do firewalls so often fail to prevent ransomware attacks?
The quick answer is: your firewall might need a booster!
Firewalls offer network-centric protection and, when set up effectively, do an excellent job of stopping cyberattacks that target network devices such as file servers or printers. But today's cyberattacks target humans. Cybercriminals exploit psychological weaknesses such as curiosity or stress to increase the chance that a user makes a mistake. In this scenario it is the user's own action (clicking a link, downloading a file) that lets the cybercriminal install spyware and trojans inside the company network.
Our company firewall did not stop a phishing or ransomware attack. What did we do wrong?
Unfortunately, traditional cyber security setups based on firewalls may simply not be enough against these types of attack. To understand why, we have analysed three scenarios below. They are based on Mike O’Leary’s book Cyber Operations: Building, Defending, and Attacking Modern Computer Networks.
Case studies
Each case starts with a situation in which a cybercriminal plans an attack. For each situation, you can see how well the threat is handled by:
a firewall
a DNS protection system based on blacklisting
AP Lens – Private Browser strategy based on DNS + whitelisting
1. Phishing attempt
Situation: The attacker creates a website using a typosquatting technique, so that the user believes they are on their own bank's website and is tricked into handing sensitive information to the attacker.
Firewall | DNS Protection (Blacklisting) | AP Lens (Whitelisting) |
---|---|---|
For a firewall to protect users, the IT manager must first confirm that a domain is malicious and add it to the filtering rules; only then, should a user click the link (seen in an email or elsewhere), can the firewall block the communication with it. | DNS-based protection works the same way, with one important difference: it safeguards the user in any location, not only at the office when the user is connected to the firewall-protected company network. This is particularly important given the ever-increasing use of remote working in many organisations. | AP Lens achieves the same result as the DNS protection system, but without needing any intervention from the IT manager to update the list of malicious domains. Being based on a zero-trust principle, AP Lens treats all websites as potentially malicious unless they have been added to the organisation’s whitelist. |
2. Malware activated in the network
Situation: After the attacker gets a user to run malware on their Windows workstation VICTIM-1PC inside the internal network, the malware tries to use a reverse shell to call back to the attacker’s own system (a C&C server with an external IP). For the attack to succeed, the call-back must be allowed out through the network firewall. This call-back traffic most often looks like normal web traffic, so it is difficult to tell whether a connection attempt is a malware call-back or a user visiting a website.
Firewall | DNS Protection (Blacklisting) | AP Lens (Whitelisting) |
---|---|---|
Firewalls can block call-back (phone-home) traffic if the attacker uses unusual protocols. However, a firewall cannot stop SSL or web traffic from VICTIM-1PC, since all SSL traffic appears to the firewall as opaque encrypted data. Only high-end firewalls with special configuration can use SSL inspection to stop an attacker who uses SSL for the call-back communication. | A protective DNS service that is also integrated with threat intelligence (usually via a paid subscription with a security vendor) can block all types of traffic to known malicious domains, including the call-back/phone-home traffic. | The call-back originates from the user's computer and tries to reach a website controlled by a cybercriminal. That website is not on the whitelist, so all connections to it are blocked. The user is therefore safe without the IT team needing to constantly review lists or patch. |
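To make the difference between cases 1 and 2 concrete, the following added illustration (not AP Lens code) runs the same DNS queries through a blacklist policy and a whitelist policy; all domain names are constructed under the reserved .example TLD.

```python
"""Added illustration, not AP Lens code: the same DNS queries judged under a
denylist (blacklist) policy and under an allowlist (whitelist) policy.
Every domain below is constructed under the reserved .example TLD."""

def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot, so 'Bank.Example.' == 'bank.example'."""
    return name.strip().lower().rstrip(".")

def matches(name: str, listed: str) -> bool:
    """True when name is the listed domain or one of its subdomains.
    Label-aware, so 'notbank.example' does not match 'bank.example'."""
    name, listed = normalize(name), normalize(listed)
    return name == listed or name.endswith("." + listed)

def in_list(name: str, domains) -> bool:
    return any(matches(name, d) for d in domains)

def denylist_decision(name: str, denylist) -> str:
    """Blacklisting: everything passes unless someone has already listed it."""
    return "block" if in_list(name, denylist) else "allow"

def allowlist_decision(name: str, allowlist) -> str:
    """Whitelisting (zero trust): only vetted domains load directly; anything
    else is served as an isolated cloud-browser preview rather than loaded."""
    return "allow" if in_list(name, allowlist) else "preview"

# Constructed lists.  The typosquat 'bamk.example' has not been reported yet,
# so it is absent from the denylist; 'known-c2.example' has been reported.
ALLOWLIST = {"bank.example", "intranet.example"}
DENYLIST = {"known-c2.example"}

QUERIES = [
    "login.bank.example",  # legitimate bank login page
    "bamk.example",        # typosquat of the bank (case 1), on no list yet
    "known-c2.example",    # call-back domain already in threat intel (case 2)
    "fresh-c2.example",    # brand-new call-back domain, unknown to everyone
    "notbank.example",     # unrelated site whose name merely ends in 'bank.example'
]

def evaluate(queries=QUERIES, denylist=DENYLIST, allowlist=ALLOWLIST) -> dict:
    """Map each query to (denylist decision, allowlist decision)."""
    return {q: (denylist_decision(q, denylist), allowlist_decision(q, allowlist))
            for q in queries}

if __name__ == "__main__":
    for q, (deny, allow) in evaluate().items():
        print(f"{q:20} blacklist={deny:5}  whitelist={allow}")
```

The unreported typosquat and the brand-new call-back domain both pass the blacklist and are both held back by the whitelist, which is the page's point.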
3. Stealing data using a covert channel
Situation: In a firewall-protected network, the attacker tries to find out which ports allow traffic out of the network (in this example, UDP port 53) before gaining a foothold in the network.
Firewall | DNS Protection (Blacklisting) | AP Lens (Whitelisting) |
---|---|---|
A covert channel can be created by mixing data packets with normal DNS queries. Sending data to a remote server over the DNS protocol cannot be detected or blocked by the firewall. A firewall may also be unable to stop traffic on a specific port if the data is leaked at a very slow rate, say 1k byte/s, without detection (amounting to 153.6 Mb in 48 hours). | A dedicated DNS server can limit traffic from UDP port 53 by allowing it only to a predetermined fixed IP (a trusted DNS server such as 8.8.8.8). The attacker is then unable to use this port for the attack even if the spyware is already installed on the user’s machine. | AP Lens also offers high-availability, low-latency DNS servers to its users. With the AP Lens DNS systems, it is not possible to create a covert channel using DNS queries. |
Zero trust security and AP Lens whitelist-based protection
Built on a DNS whitelist, AP Lens – Private Browser extends the security attributes of DNS-based security services with the whitelist itself. By combining a whitelist with a zero-trust mindset, AP Lens does not rely on potentially flawed criteria to identify which websites might be malicious. It simply treats every website that has not been vetted and included in its whitelist as potentially dangerous. These “unknown” websites, which make up the greatest part of the internet but account for only a small percentage of users’ traffic within an organisation, are then loaded through a cloud-based browser and served to users as a “preview”. The user is thus safe from executable malicious code and protected from phishing attempts via lookalike domains.
Knowledge pills:
Firewall and DNS
In the constant cybersecurity arms race, experts have been focusing on the intrinsic vulnerabilities of, among others, traditional network security based on firewalls. A firewall is a network security system that monitors incoming and outgoing network traffic and makes decisions about it based on predetermined security rules. Its purpose is to establish a barrier between a trusted network (protected by the firewall) and an untrusted network, such as the Internet. Apart from the potential for human error when configuring a firewall, attention has recently turned to how existing firewall vulnerabilities can be mitigated with the help of technologies such as DNS.
The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. In other words, DNS servers make it possible for people to input normal words into their browsers, such as aplens.co, without having to keep track of the IP address for every website.
Protective DNS (PDNS) service characteristics
Because DNS resolves every domain name a client asks for, cyber security services built around this protocol can protect against threats that normally go undetected by firewalls.
A recent guidance document by the US National Security Agency on “Selecting a Protective DNS Service”, for example, identifies four such cases:
PHISHING
Phishing websites are created to maliciously collect information, including access credentials, by tricking the user into believing they are browsing a legitimate website. Phishing websites use techniques such as typosquatting, i.e. close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
MALWARE
Sites that serve malicious content, or that threat actors use to command and control malware. These include, for example, sites hosting malicious JavaScript files, or domains hosting advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
DOMAIN GENERATION ALGORITHMS
Sites with programmatically generated domain names that malware uses to circumvent static blocking. Advanced malware, including some botnets, depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) so that malware can circumvent static blocking, whether by domain name or by IP, by programmatically generating domain names from a pre-set seed. PDNS can analyse a domain’s textual attributes and recognise potentially malicious ones from certain characteristics, for example high entropy.
CONTENT FILTERING
PDNS can use a categorisation of domains by use case (e.g., “gambling”) and warn or block on those deemed a risk for a given environment.
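The following added example (not AP Lens or NSA code) shows the two textual checks mentioned above in working form: the entropy test for DGA-style names, and the per-domain churn of long, never-repeated query names that the covert channel of case 3 leaves in a resolver log. The log lines are constructed and the thresholds are illustrative.

```python
"""Added example, not AP Lens or NSA code: two textual checks a protective DNS
service can apply to a query log (the log is constructed, thresholds illustrative)."""

import math
from collections import defaultdict

# One "client qname qtype" per line; tunnel.example gets long, never-repeated labels.
LOG = """\
10.0.0.5 www.storage.example A
10.0.0.7 xk3q9vz0p2mnl8ar.example A
10.0.0.7 q8w2e7r4t6y1u0i9.example A
10.0.0.9 4d6a7961.6c6f6164.tunnel.example TXT
10.0.0.9 3f7a2e5c.9b8d1c4e.tunnel.example TXT
10.0.0.9 a1b2c3d4.e5f60718.tunnel.example TXT
"""

def shannon_entropy(label: str) -> float:
    """Bits per character; random-looking DGA labels score near log2(alphabet size)."""
    n = len(label)
    if n == 0:
        return 0.0
    probs = [label.count(ch) / n for ch in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def registered_domain(qname: str) -> str:
    """Last two labels; a production service would consult the public suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def parse(log: str):
    for line in log.splitlines():
        client, qname, qtype = line.split()
        yield client, qname.lower().rstrip("."), qtype

def dga_suspects(log: str, min_entropy: float = 3.5, min_len: int = 12) -> set:
    """DGA heuristic: flag names whose leftmost label is long and high-entropy."""
    out = set()
    for _, qname, _ in parse(log):
        label = qname.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            out.add(qname)
    return out

def covert_channel_suspects(log: str, min_unique: int = 3, min_len: int = 20) -> set:
    """Covert-channel heuristic (case 3): one registered domain receiving many
    distinct, long query names, the footprint of data chunks carried as labels."""
    names = defaultdict(set)
    for _, qname, _ in parse(log):
        if len(qname) >= min_len:
            names[registered_domain(qname)].add(qname)
    return {d for d, seen in names.items() if len(seen) >= min_unique}
```

Both checks are heuristics and need tuning per environment: CDN and anti-virus update hostnames can legitimately look random, so a PDNS service combines them with threat intelligence rather than blocking on entropy alone.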
Reference:
Fortinet, What Is DNS?, https://www.fortinet.com/resources/cyberglossary/what-is-dns
National Security Agency and Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS Service, https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_Selecting-Protective-DNS_UOO11765221.PDF
Mike O’Leary, Cyber Operations: Building, Defending, and Attacking Modern Computer Networks, https://www.oreilly.com/library/view/cyber-operations-building/9781484242940/
Cat photo is from https://twitter.com/MalwareJake/status/1495136191016013833