GDPR: Why DNS is key to data protection

If you’re reading this article, you’re already aware that the European Union’s General Data Protection Regulation (GDPR) will come into effect in May next year. But there is also a good chance you’re looking for ways to secure customer data, saving your business from GDPR fines of up to £20 million or 4% of global revenue.

Most businesses employ a patchwork quilt of security tools, all designed to mitigate a few specific attack types. The issue is, this can still leave businesses exposed to cyber criminals who can find a hole.

Enter the Domain Name System (DNS) – the protocol computers use to find each other by translating domain names into Internet Protocol (IP) addresses. As the gatekeeper to an organisation’s network, a well-secured DNS can detect and block malicious traffic before it has a chance to enter the system to exfiltrate data or take control of a workstation or server. But all too often, companies do not have the right tools in place to do so.

Organisations of all kinds have historically considered the DNS a benign apparatus, neglecting to secure it properly. But with the attack on Dyn last October bringing down sites like Spotify and Twitter, it was catapulted into the news agenda.

In early April of this year, it was revealed a criminal organisation was able to hijack a Brazilian bank’s DNS infrastructure for 5 hours, stealing the details of every customer who logged in during that time period. The criminals evidently realised that rather than conducting a phishing campaign, targeting people one by one to steal credentials would be more profitable.

Data exfiltration via DNS is a concern for businesses in the midst of becoming GDPR compliant. While most security tools block data transfer mechanisms like File Transfer Protocol (FTP), common internet protocols like DNS are often left unsecured, giving attackers a loophole: connections to arbitrary name servers aren’t blocked. There are a few techniques criminals typically use:

DNS tunneling: hackers embed a data payload in an organisation’s DNS queries and responses and use this as a method of command and control and/or data exfiltration.

Registrar hijacking: cyber criminals take over the commercial account with a DNS registrar, using social engineering or by cracking passwords, so that ownership of the domain is passed to the attacker.

Cache poisoning: threat actors exploit poorly configured servers, allowing them to inject forged address records into a resolver’s cache so that subsequent lookups return addresses the legitimate domain owner never published.

Typosquatting / URL hijacking: attackers create a domain name almost indistinguishable from the intended original, often to redirect traffic for phishing scams.

Hackers looking to extract data from a network using DNS also use freely available software that encodes the data for them. With this software, they can extract data by embedding blocks of encoded data in DNS queries addressed to a name server they control. This method is very slow but extremely effective, especially when it comes to valuable details like credit card information.

When it comes to DNS tunneling, it can be used not only to extract data but also to carry instructions encoded in the server names being looked up. This offers attackers a command and control channel for their tools. Tunneling is a relatively fast way to extract data, with one known attack delivering 18,000 credit card numbers a minute to an attacker’s server.
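The passages above describe the traffic pattern that gives tunneling away: many distinct, long, random-looking query names under one domain, carrying encoded chunks of data. The following added example (not code from the article or from EfficientIP) shows what a defender can do with that observation: it parses a resolver query log, groups queries by registered domain and flags domains whose query names look like encoded data. The log line format, the sample lines, the domain names and the thresholds are all constructed assumptions for this example.

```python
"""Heuristic detector for DNS-tunnelling-style queries in a resolver log.

Added illustration for the tunnelling/exfiltration passage above; it is not
code from the article or from EfficientIP. The log format, the sample lines,
the domain names and the thresholds are all constructed assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client-ip> <qname> <qtype>" (assumed format).
# The long, random-looking labels mimic encoded data chunks carried in query names;
# the domain names are placeholders, not real infrastructure.
SAMPLE_LOG = """\
2017-09-01T10:00:01 10.0.0.5 www.example.com A
2017-09-01T10:00:02 10.0.0.5 mail.example.com MX
2017-09-01T10:00:02 10.0.0.9 cdn.example.org A
2017-09-01T10:00:03 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.0001.t.example-exfil.test TXT
2017-09-01T10:00:03 10.0.0.7 nbswy3dpfqqhi2djomqgc3tefqqhg3djnfvgs23vfyqg.0002.t.example-exfil.test TXT
2017-09-01T10:00:04 10.0.0.7 krugkidrovuwg2zamjzg653oebtg66banjxw4zlbobqw.0003.t.example-exfil.test TXT
2017-09-01T10:00:04 10.0.0.7 geztgnjsg4ztinjrgqzdkmjwg44tkobvgy3dknrsgezd.0004.t.example-exfil.test TXT
2017-09-01T10:00:05 10.0.0.5 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Thresholds are assumptions; tune them against a baseline of your own traffic.
MIN_DISTINCT_NAMES = 3        # distinct query names seen under one registered domain
MIN_MEAN_SUBDOMAIN_LEN = 30   # characters of subdomain, dots excluded
MIN_MEAN_ENTROPY = 3.0        # bits per character of the subdomain


def shannon_entropy(text):
    """Bits per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive registered domain: the last two labels.
    Production code should consult the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname):
    """Everything left of the registered domain, with dots removed."""
    labels = qname.rstrip(".").lower().split(".")
    return "".join(labels[:-2])


def analyse_log(text):
    """Group queries by registered domain and compute tunnelling indicators.

    Returns {domain: {"distinct": n, "mean_len": x, "mean_entropy": y, "clients": [...]}}.
    """
    seen = defaultdict(set)
    clients = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = m.groups()
        domain = registered_domain(qname)
        seen[domain].add(qname.lower())
        clients[domain].add(client)
    report = {}
    for domain, names in seen.items():
        subs = [subdomain_part(n) for n in names]
        report[domain] = {
            "distinct": len(names),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "clients": sorted(clients[domain]),
        }
    return report


def flag_tunnel_candidates(report):
    """Registered domains whose query names look like encoded data chunks."""
    return sorted(
        d for d, s in report.items()
        if s["distinct"] >= MIN_DISTINCT_NAMES
        and s["mean_len"] >= MIN_MEAN_SUBDOMAIN_LEN
        and s["mean_entropy"] >= MIN_MEAN_ENTROPY
    )


if __name__ == "__main__":
    rep = analyse_log(SAMPLE_LOG)
    for domain in flag_tunnel_candidates(rep):
        s = rep[domain]
        print(f"{domain}: {s['distinct']} names, mean len {s['mean_len']:.0f}, "
              f"mean entropy {s['mean_entropy']:.2f} bits, clients {s['clients']}")
```

The three indicators are deliberately combined: a high distinct-name count alone also matches content delivery networks, long names alone match some tracking and anti-spam services, and high entropy alone matches hashed hostnames, so each on its own generates noise. Hex-encoded payloads cap out at four bits per character and short chunks score lower still, which is why the entropy threshold sits well below the maximum and why the length and count conditions matter as much as entropy.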

Attackers typically target the DNS as a threat vector because technologies to block exfiltration via Hypertext Transfer Protocol (HTTP) and FTP are very advanced. Traditional security tools, such as firewalls, focus on easier exfiltration routes and force attackers to explore other methods.

These alternate routes converge on DNS because cyber criminals can blend malicious behaviour into normal traffic to try and bypass traditional security tools. The plethora of employee and customer devices with access to a company’s Wi-Fi presents a challenge to security teams trying to identify malicious IP addresses.

Organisations looking to mitigate these risks, protect their networks and comply with the GDPR, must deploy tools such as DNS Guardian which can analyse DNS traffic in real-time to identify attacks. Cyber criminals are constantly evolving their attack methods, so security teams must keep on top of DNS security if they are to protect their organisation and the critical data under threat of exfiltration.

A 360° approach to network security will allow the savvy organisation to better protect itself, especially given the increasing volumes of traffic modern networks are having to manage. The point of the GDPR is to ensure companies are prioritising security and protecting customer data. Implementing the right solutions and processes to protect the organisation’s network is clearly a crucial step in the right direction.

By David Williamson, CEO at EfficientIP.
