With less than a year to until the EU General Data Protection Regulation (GDPR) is enforced, businesses are taking steps to ensure that they’re compliant with the new directive; understandably, given the eye-wateringly high fines they could face if they fail to comply.
However, while most businesses are approaching GDPR compliance from a data governance perspective, taking steps to ensure that they know where the data is and where it’s moving to, it’s never been more important to be able to detect and stem the siphoning of data by agents from outside of the organisation.
The address book of the internet
At the heart of every business’s IT network lies the Domain Name System (DNS). Translating domain names, or website addresses, into numerical machine-readable Internet Protocol (IP) addresses, it is known as the address book of the internet and, as such, is a mission-critical part of IT infrastructure for all organisations and one without which they cannot function.
Inherently vulnerable, DNS is inadequately protected by traditional cyber security solutions, so it’s little surprise that it has become an attack vector of choice for many cyber-criminals. The most common attacks, such as Distributed Denial of Service (DDoS) attacks, will target external DNS servers; those that are internet-facing, such as hosted websites, applications, and email clients.
The compromise of critical DNS services can result in potentially catastrophic system and network failure, as demonstrated by last year’s DDoS attack on Dyn, provider of DNS services to a number of popular websites such as Twitter, Spotify and PayPal. By flooding Dyn with junk data, the attack led to large parts of the internet becoming sluggish and, in some cases, inaccessible.
A pathway for data exfiltration
DNS is increasingly being used as a pathway for data exfiltration, in which sensitive information is stolen either by establishing a DNS tunnel within an organisation’s network, or by encrypting and embedding chunks of the information in DNS queries to be decrypted and reassembled at the receiving end.
DNS queries are typically tiny data packets, designed to only share the data that’s needed to complete the name resolution process. The flexibility of the DNS protocol means, however, that it’s possible to insert other data into a packet and then transmit it out of the network.
The most common form of the technique, known as DNS signalling, involves the use of the cryptographic hash function to encode information into query strings or response records. But due to their restrictive size, a high volume of DNS packets is required to transport even a small amount of data, thereby impeding performance.
More sophisticated DNS tunnelling, however, employs a number of surprisingly basic ways of using DNS to encode other protocols such as ftp, http, or SMTP, over a DNS session.
Fortunately, the unique position that DNS holds within the network makes it the optimal enforcement point for protection against and response to attempts at data exfiltration.
Breaking the connection
Detection of data exfiltration can be rendered difficult by the ease with which data can be encoded within a DNS query, or in the associated response, both of which may look “correct” from the perspective of a DNS protocol.
By focusing on unusually large queries and responses within a given timeframe, however, it’s possible for an effective internal DNS security solution to detect attempts at DNS tunnelling and drop any queries that exceed a given threshold. Not only will this break the connection with command and control servers giving instruction to any malware on the network, but will disrupt the ability of criminals to steal data through standard network protocols.
DNS is a critical piece of a firm’s IT network that’s far too valuable to be left unprotected. By ensuring that the right security solution is in place to defend its DNS against outside threats, such as attempts at data exfiltration, an organisation’s IT team can take an important step in protecting its sensitive data.
And with GDPR almost upon us, and the potentially calamitous fines it brings with it for non-compliance, it’s more important than ever for businesses to ensure that their customers’ information is secure against any threats to steal it away.
By Dr Malcolm Murphy, Technology Director, Western Europe, Infoblox
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.