The internet has fueled growth opportunities for enterprises by allowing them to establish an online presence, communicate with customers, process transactions and provide support, among other benefits. But it’s a double-edged sword: A cyberattack that compromises these business advantages can easily result in significant losses of money, customers, credibility and reputation, and increases the risk of completely going out of business. That’s why it’s critical to have a cybersecurity strategy in place to protect your enterprise from attackers that exploit internet vulnerabilities.

How DNS Analytics Can Boost Your Defense

The Domain Name System (DNS) is one of the foundational components of the internet that malicious actors commonly exploit and use to deploy and control their attack framework. The internet relies on this system to translate domain names into numbers, known as Internet Protocol (IP) addresses. Giving each IP a unique identifier allows computers and devices to send and receive information across networks. However, DNS also opens the door for opportunistic cyberattackers to infiltrate networks and access sensitive information.

Here are five tips to help you uncover hidden cyberthreats and protect your enterprise with DNS analytics.

1. Think Like an Attacker to Defend Your Enterprise

To protect the key assets of your enterprise and allocate sufficient resources to defend them, you must understand why a threat actor would be interested in attacking your organization. Attacker motivations can vary depending on the industry and geography of your enterprise, but the typical drivers are political and ideological differences, fame and recognition, and the opportunity to make money.

When it comes to DNS, bad actors have a vast arsenal of weapons they can utilize. Some of the most common methods of attack to anticipate are distributed denial-of-service (DDoS) attacks, DNS data exfiltration, cache poisoning and fast fluxing. As enterprises increase their security spending, cyberattacks become more innovative and sophisticated, including novel ways to abuse the DNS protocol. Malware continues to be the preferred method of threat actors, and domain generation algorithms (DGAs) are still widely used, but even that method has evolved to avoid detection.

2. Make DNS Monitoring a Habit

Passive DNS data is important because it is unlikely that a new network connection doesn’t have an associated DNS lookup. It also means that if you collect DNS data correctly, you can see most of the network activity in your environment. A more interesting subject is what we can do with this data to create more local security insights. Even though it is not hard to bypass DNS lookup, such network connections are suspicious and easy to detect.

3. Understand Communication and Traffic Patterns

Attackers leverage the DNS protocol in various ways — some of which are way ahead of our detection tools — however, there are always anomalies that we can observe in the DNS request sent out by endpoints. DNS traffic patterns vary by enterprise, so understanding what the normal pattern for your organization is will enable you to spot pattern anomalies easily.

A robust, secure system should be able to detect exfiltration via DNS tunneling software, which is not as easy as it sounds due to their different communication patterns. DNS tunneling software communication is reliable and frequent, the flow is bidirectional, and it is typically long. On the other hand, DNS exfiltration communication is opportunistic and unexpected, and possibly unidirectional since attackers are looking for the right moment to sneak out valuable data.

4. Get the Right Tools in Place

When analyzing which tools are the best to protect your organization against attacks leveraging DNS, consider what assets you want to protect and the outcomes you would like your analysts to achieve. There are many tools that can be pieced together to create a solution depending on your goals, such as firewalls, traffic analyzers and intrusion detection systems (IDSs).

To enhance the day-to-day activities of your security operations center (SOC), enable your team to conduct comprehensive analysis on domain activity and assign an appropriate risk rating, your SOC analysts should take advantage of threat intelligence feeds. These feeds empower analysts to understand the tactics, techniques and procedures (TTPs) of attackers and provide them with a list of malicious domains to block or alert on their security system. When this information is correlated with internal enterprise information through a security information and event management (SIEM) platform, analysts have full visibility to detect or anticipate ongoing attacks.

5. Be Proactive and Go Threat Hunting

Technology is a very useful tool that allows us to automate processes and alerts us of suspicious activity within our networks — but it is not perfect. Threat hunting can complement and strengthen your defense strategy by proactively searching for indicators of compromise (IoC) that traditional detection tools might miss. To succeed at threat hunting, you must define a baseline within your environment and then define the anomalies that you are going to look for.

A standard method for threat hunting is searching for unusual and unknown DNS requests, which can catch intruders that have already infiltrated your system as well as would-be intruders. Some indicators of abnormal DNS requests include the number of NXDOMAIN records received by an endpoint, the number of queries an endpoint sends out and new query patterns. If you identify a potential threat, an incident response (IR) team can help resolve and remediate the situation by analyzing the data.

Learn More

Every organization is unique, but by understanding the basics of DNS analytics, the common methods of attack and the tools available to security teams, you will be better prepared to protect your enterprise from hidden cyberthreats.

We invite you to check out our on-demand webinar to learn even more about DNS threat hunting.

Watch the webinar on-demand

More from Threat Intelligence

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

Threat intelligence to protect vulnerable communities

2 min read - Key members of civil society—including journalists, political activists and human rights advocates—have long been in the cyber crosshairs of well-resourced nation-state threat actors but have scarce resources to protect themselves from cyber threats. On May 14, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a High-Risk Communities Protection (HRCP) report developed through the Joint Cyber Defense Collaborative that addresses the threat to these vulnerable groups, with findings contributed by the X-Force Threat Intelligence team.Cyber criminals seek stolen credentialsThe HRCP…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today