Threat Intelligence Is the SOC’s Road Map to DNS Security

July 15, 2019
| |
3 min read

Remember the nervousness and excitement you felt when you took your driving test? You had to practice for weeks, complete the required paperwork and study countless traffic signs. The latter is especially important because these signs are used to warn and guide drivers.

In cybersecurity, like in driving, the earlier analysts are alerted to a hazard, the earlier they can respond to a cyberattack or decide to take a different route.

The Domain Name System (DNS) is a complex network that communicates through multiple servers distributed around the world to match domains with IP addresses. Like a fast-growing city, the rapid expansion of the internet has made DNS vulnerable to attacks, so its traffic needs to be monitored and analyzed to keep users safe.

4 Early Warning Signs of DNS Attacks

Think of threat intelligence as a set of traffic signs for the security operations center (SOC): Analysts can reference it for guidance on how to resolve an ongoing DNS security incident and to generate early warnings of upcoming attacks. Threat intelligence feeds that provide lists of observed malicious domains can be ingested by your security tools through application programming interfaces (APIs) or STIX/TAXII standards, speeding the correlation process against your internal environment and triggering alerts for your team to act on them.

What would happen if the roads were littered with misplaced traffic signs? Most likely, drivers would fail to heed them. That’s why vendor trustworthiness is a crucial consideration when selecting a threat intelligence provider to deliver your malicious domains feed.

Let’s explore some other early warning signs that could help empower your team to block, respond to, anticipate and plan for DNS attacks.

1. Do Not Enter: Blocking Malicious Network Traffic

Early prevention for DNS security starts with proper network configuration. Network administrators spend significant time building a fast and efficient network, monitoring its performance and connecting new devices to it. The network enables the company to run its daily operations and facilitates internal and external communications, as well as the transfer of sensitive information — which presents myriad opportunities for an attacker.

To avoid DNS attacks like phishing and DNS spoofing, update your network configuration to eliminate mining of your DNS traffic data and block traffic from malicious domains automatically. You can block traffic easily with a free DNS server, which routes DNS queries through a secure network and blocks them from malicious domains that appear on the block list.

2. Detour: Keeping Your Data on the Right Track

DNS traffic patterns vary from one organization to the next, which is why it’s important to establish a baseline for your organization’s communication and traffic patterns. Anomalies could indicate a DNS attack, such as tunneling, which diverts your sensitive data through a detour straight to the attacker.

Suspicious DNS behavior can be an indicator that your endpoints are compromised. With timely threat intelligence that includes malicious domains, security teams can quickly prioritize which threats to remediate first based on the threat severity and impact to the environment. In addition, security analysts can automate real-time blocking to and from affected domains.

3. Hazardous Conditions: Recognizing Suspicious Patterns

Some road signs, such as those related to road conditions, are put in place to avoid a pattern of dangerous or destructive behavior. Similarly, a history of IP addresses that an endpoint addressed in the past is an important piece of forensic evidence, providing early insight to identify new threats in your environment.

From this historical data, enriched with contextual threat intelligence, a threat hunter can find correlations to other indicators and understand the worldwide distribution of a threat. This is a great way to proactively detect threats and protect against unwanted DNS attacks such as domain generation algorithms (DGA).

4. Animal Crossing: Understanding Industry-Specific Risks

Most of us are used to seeing deer crossing signs across the U.S., but it is not uncommon to see sheep crossing signs in Ireland, polar bear crossing signs in Norway and so on. Similarly, while some threats are common to all geographies and sectors, others are more relevant to specific industries.

Knowing the deep-dive life cycles and volumetric data of malicious domains could enable a seasoned analyst or security advisor to spot a newly minted registered domain that is likely to target their industry or organization before the threat actor even deploys their campaign. By enriching this information with contextual threat intelligence that provides detailed information about threat actor groups and how they operate, analysts can anticipate a DNS attack such as squatting with ample time to secure every possible entry point.

Threat Intelligence Is Your Guide on the Road to DNS Security

While traffic signs are often painted in bright colors — some even with bells and flashing lights — early warning signs in cybersecurity are often difficult to see. By understanding how DNS works, security teams can gain crucial visibility into potentially malicious activity and deep insights to inform rapid response and remediation efforts against DNS attacks.

Register for the webinar to learn more

Paola Miranda
Product Marketing Manager, IBM