How can good guys take advantage of DNS

It is often used by the bad guys to compromise an enterprise network

Helping out the good guys

DNS is a core infrastructure component that is often overlooked when thinking about security, yet attackers rely on it at almost every stage of compromising an enterprise network: resolving the servers that host payloads, the names used for command and control, and the endpoints used for exfiltration. DNS security is generally perceived as either hardening the DNS architecture and infrastructure against various attack vectors or maintaining a blocklist and allowlist of domains to control access to malicious sites. Both matter, but there are far more security controls, intelligence and benefits to be had from DNS, and the good guys can use them to their advantage. Humayun Wahab, a product marketing manager at Bluecat Networks, lists the ways internal and external DNS can help an enterprise proactively mitigate known and unknown threats.

Internal and external visibility

Whether it is IT infrastructure, a corporate server, a desktop, a laptop, a POS system, an untrusted device on the guest network or an unmanaged device such as a smartphone or any other connected "thing," nearly every connection it makes, internal or external, begins with a DNS lookup. That pervasiveness gives the DNS layer visibility into the whole network, including devices that no endpoint agent will ever run on, and that visibility helps manage the ever-increasing risk posed by internal bad actors and external threats. The caveat: the resolver only sees queries that reach it. Clients that use hard-coded IP addresses, point directly at an external resolver, or tunnel DNS over HTTPS bypass this visibility unless outbound DNS is forced through the enterprise resolver at the network edge.

Uncovering the intent of a user or device connected to the network

The wealth of data generated by DNS services makes it possible to learn typical user and client behavior, and then to spot when a client or user deviates from that profile or exceeds the risk tolerance the enterprise has defined. For example, if a client establishes communication with a newly registered domain outside normal business hours, say around 3 a.m., and transfers several gigabytes of data, that combination is a strong indicator of malicious behavior such as data exfiltration. No single signal is conclusive on its own; it is the accumulation of deviations from the baseline that should raise the alert.
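The scenario above, as an added example that is not part of the original article: build a per-client baseline from past resolver logs (hours of activity, domains seen, largest transfer), then score new events by how many ways they deviate from it. The log format, the thresholds and the byte counts are assumptions chosen for the demonstration; a resolver alone does not see payload volume, so the byte field stands for a flow or proxy record joined to the DNS event. "New domain" here means new to this client's history; a domain-age lookup against passive DNS or registration data is the stronger signal when you have it.

```python
"""Flag DNS clients that deviate from their learned behavior profile.

Added example (not from the article). Log format, baseline window and
thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime

# Constructed log lines: "<ISO time> <client> <qname> <bytes_transferred>".
# The byte count is assumed to come from a flow/proxy source joined to the
# DNS answer; the resolver itself never sees payload volume.
BASELINE_LOG = """\
2023-03-01T09:12:04 10.1.2.30 mail.example.com 120000
2023-03-01T10:41:19 10.1.2.30 crm.example.com 80000
2023-03-02T14:03:51 10.1.2.30 mail.example.com 95000
2023-03-03T11:20:33 10.1.2.30 cdn.vendor.net 300000
"""

DETECT_LOG = """\
2023-03-10T10:05:00 10.1.2.30 mail.example.com 100000
2023-03-10T03:02:17 10.1.2.30 kx7ql2m.top 4200000000
"""


def parse(log):
    """Yield (timestamp, client, qname, bytes) tuples from the constructed format."""
    for line in log.splitlines():
        ts, client, qname, nbytes = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower(), int(nbytes)


def build_profile(log):
    """Per client: hours seen active, domains seen, and largest single transfer."""
    profile = defaultdict(lambda: {"hours": set(), "domains": set(), "max_bytes": 0})
    for ts, client, qname, nbytes in parse(log):
        p = profile[client]
        p["hours"].add(ts.hour)
        p["domains"].add(qname)
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return profile


def score_event(profile, ts, client, qname, nbytes, volume_factor=10):
    """Return (score, reasons). Each deviation from the baseline adds to the score."""
    p = profile.get(client)
    if p is None:
        return 1, ["client has no baseline"]
    score, reasons = 0, []
    if ts.hour not in p["hours"]:
        score += 1
        reasons.append(f"off-hours activity at {ts.hour:02d}:00")
    if qname not in p["domains"]:
        score += 1
        reasons.append(f"never-before-seen domain {qname}")
    if nbytes > volume_factor * p["max_bytes"]:
        score += 2
        reasons.append(f"{nbytes} bytes exceeds {volume_factor}x prior maximum")
    return score, reasons


def find_deviations(profile, log, threshold=3):
    """Events whose accumulated deviation score reaches the alert threshold."""
    hits = []
    for ts, client, qname, nbytes in parse(log):
        score, reasons = score_event(profile, ts, client, qname, nbytes)
        if score >= threshold:
            hits.append((client, qname, score, reasons))
    return hits


if __name__ == "__main__":
    prof = build_profile(BASELINE_LOG)
    for client, qname, score, reasons in find_deviations(prof, DETECT_LOG):
        print(f"{client} -> {qname}: score {score}: {'; '.join(reasons)}")
```

The daytime query to a known domain scores 0 and is ignored; the 3 a.m. query to an unseen domain with a multi-gigabyte transfer trips all three checks and is reported. In production the baseline would be rebuilt on a rolling window and the thresholds tuned per client class, since a backup server legitimately moves gigabytes at night.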

Enforcing policies

One of the challenges in security is enforcing policy across every device in an enterprise. Put simply, there are too many device types, operating systems and other "things" on the network, some of them not even owned by the enterprise, so a control agent cannot be installed on all of them. DNS changes this model: it sees what every device is trying to reach, and because the resolver decides whether a name resolves at all (answering normally, returning NXDOMAIN, or redirecting to a sinkhole address), it is easy to set a policy that allows or denies specific activity based on established criteria such as the client's network segment and the domain's category. For example, DNS policy can allow access to social media on the guest wireless network but deny it on corporate-owned assets. Response Policy Zones (RPZ) are a widely supported way of expressing such rules on a resolver, and the policy only holds if clients cannot bypass the resolver, so outbound port 53, DNS over TLS and DNS over HTTPS to external servers should be blocked at the edge.
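The guest-versus-corporate rule described above, as an added example written for this page (it is not the article's or any vendor's code): classify the requesting client by source subnet, categorize the queried name by walking up its parent domains, then take the first matching rule. The subnets, the category table, the sinkhole address and the rule order are all constructed for the demonstration.

```python
"""DNS-layer policy: decide allow / NXDOMAIN / sinkhole per client class and domain category.

Added example (not from the article). Subnets, categories, sinkhole address and
rules are constructed for the demo.
"""
import ipaddress

# Assumed network plan: the requester's class is inferred from its source address.
CLIENT_CLASSES = {
    "guest": [ipaddress.ip_network("192.168.100.0/24")],
    "corporate": [ipaddress.ip_network("10.0.0.0/8")],
}

# Assumed category feed (a vendor feed or an internal list in practice).
DOMAIN_CATEGORIES = {
    "facebook.com": "social",
    "twitter.com": "social",
    "intranet.corp.example": "internal",
    "malware-c2.example": "malicious",
}

# Rule table: (client class or "*", category or "*", action). First match wins,
# so the universal malicious rule sits above the per-class rules.
RULES = [
    ("*", "malicious", "sinkhole"),        # everyone: answer with the sinkhole address
    ("guest", "internal", "nxdomain"),     # guests never resolve internal names
    ("guest", "social", "allow"),
    ("corporate", "social", "nxdomain"),   # the rule from the text: no social media on corporate assets
    ("*", "*", "allow"),
]

SINKHOLE_IP = "10.255.255.1"  # assumed sinkhole listener


def classify_client(src_ip):
    """Map a source address to a client class, 'unknown' if no subnet matches."""
    addr = ipaddress.ip_address(src_ip)
    for cls, nets in CLIENT_CLASSES.items():
        if any(addr in net for net in nets):
            return cls
    return "unknown"


def categorize(qname):
    """Match the query name or any parent domain against the category table."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        cat = DOMAIN_CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "uncategorized"


def decide(src_ip, qname):
    """Return the action the resolver should take for this (client, name) pair."""
    cls, cat = classify_client(src_ip), categorize(qname)
    for rule_cls, rule_cat, action in RULES:
        if rule_cls in ("*", cls) and rule_cat in ("*", cat):
            return action
    return "allow"


def answer(src_ip, qname, real_answer):
    """Translate the action into what goes on the wire."""
    action = decide(src_ip, qname)
    if action == "sinkhole":
        return SINKHOLE_IP
    if action == "nxdomain":
        return None          # caller builds an NXDOMAIN response
    return real_answer


if __name__ == "__main__":
    for client, name in [("192.168.100.7", "www.facebook.com"),
                         ("10.1.2.30", "www.facebook.com"),
                         ("10.1.2.30", "evil.malware-c2.example")]:
        print(client, name, "->", decide(client, name))
```

The same table expressed as an RPZ zone would carry one record per domain, with the client split handled by pointing each subnet at a different resolver view, which is the usual deployment shape; the Python version just makes the decision logic visible.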

Risk assessment and scoring

One of the strengths of DNS as a security platform is the ability to bring context to a given request. That context can be used to assess the overall risk of allowing the action, and the request can then be blocked or allowed according to the organization's risk tolerance. For example, if a client queries www.yahooX.com, the resolver can ask a series of questions about that name before answering: Is it a lookalike of a well-known brand? When was the domain registered? Does it appear on a reputation or threat-intelligence list? Has anyone in the organization resolved it before? Does the label look machine-generated? The answers combine into a risk score, and the score determines the course of action, such as blocking the request, redirecting it to a warning page, or allowing it and logging it.
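A scoring function for the www.yahooX.com case, as an added example that is not the article's or any product's scoring: it checks the registrable domain for brand lookalikes by edit distance, for machine-generated-looking labels by character entropy, for recent registration, and for a risky TLD, then maps the total to an action. The brand list, weights, TLD list and the domain-age table are constructed; in production the age comes from RDAP/WHOIS or passive-DNS first-seen data, and the "last two labels" shortcut for the registrable domain must be replaced by a Public Suffix List lookup or names under co.uk and the like will be scored wrongly.

```python
"""Context-based risk score for a DNS query name, mapped to an action.

Added example (not from the article). Brand list, weights, TLD list and
the age lookup are constructed for the demo.
"""
import math
from collections import Counter

BRANDS = ["yahoo", "google", "microsoft", "paypal"]          # assumed watch list
RISKY_TLDS = {"top", "xyz", "zip"}                          # assumed list
DOMAIN_AGE_DAYS = {"yahoo.com": 9000, "yahoox.com": 3}      # assumed RDAP/passive-DNS result


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entropy(s):
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname):
    """Crude: last two labels. Real code should consult the Public Suffix List."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def risk_score(qname):
    """Return (score 0..100, reasons) for a query name."""
    domain = registrable_domain(qname)
    sld, tld = domain.split(".")
    score, reasons = 0, []
    # 1. Lookalike of a known brand (distance 0 is the brand itself, not a lookalike).
    for brand in BRANDS:
        d = levenshtein(sld, brand)
        if 0 < d <= 2:
            score += 40
            reasons.append(f"{sld} is within edit distance {d} of {brand}")
            break
    # 2. Algorithmically generated look: long label with high entropy.
    if len(sld) >= 10 and entropy(sld) > 3.5:
        score += 30
        reasons.append("high-entropy label")
    # 3. Newly registered or unknown age.
    age = DOMAIN_AGE_DAYS.get(domain)
    if age is None or age < 30:
        score += 30
        reasons.append(f"domain age {age} days")
    # 4. TLD with poor reputation.
    if tld in RISKY_TLDS:
        score += 20
        reasons.append(f"risky TLD .{tld}")
    return min(score, 100), reasons


def action_for(score, block_at=60, redirect_at=30):
    """Map a score to the resolver's response according to risk tolerance."""
    if score >= block_at:
        return "block"
    if score >= redirect_at:
        return "redirect-to-warning-page"
    return "allow"


if __name__ == "__main__":
    for name in ["www.yahoo.com", "www.yahooX.com", "kx7ql2m9wzb4.top"]:
        score, reasons = risk_score(name)
        print(f"{name}: {score} -> {action_for(score)}  {reasons}")
```

www.yahoo.com scores 0 and is allowed; www.yahooX.com picks up the lookalike and the three-day-old registration and is blocked; the random twelve-character .top name is blocked on entropy, unknown age and TLD even though it resembles no brand. The thresholds in `action_for` are the knob that encodes the organization's risk tolerance.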

Enhanced security posture

A defense-in-depth strategy is only as strong as the technologies supporting each of its layers. Each layer has its own scope and purpose, and DNS can strengthen existing layers or become a new one in the organization's security posture without deploying new infrastructure, re-architecting the network or interrupting current operational practice: every client already sends its queries to the enterprise resolver, so the control point is already in place.

Breach forensics

The ubiquity of DNS and the data it yields not only provide visibility into activity across the network, they also produce a factual record that can be analyzed to trace the root cause of a breach once it has been identified. The resolver log itself gives the originating client address, the names it queried, when, and whether they resolved; joined with DHCP leases and the asset inventory it also identifies the device, its type, its operating system and the applications or services it runs. Together this is a goldmine for breach forensics. Two caveats: a DNS query shows that a host tried to resolve a name, not that it connected, so confirm with firewall or flow logs; and if clients reach the resolver through a forwarder or NAT, the logged source address is the forwarder's, so query logging has to happen at the first hop that sees the real client.
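The pivot a responder performs with that record, as an added example that is not part of the original article: start from a known-bad indicator, find every client that tried to resolve it with first and last contact, enrich each with the asset inventory, then pull what that client resolved just before and after first contact, since the names just before often reveal the delivery vector and the names after reveal follow-on infrastructure. The log records, the asset table and the indicator are all constructed for the demonstration.

```python
"""Pivot resolver logs from a known-bad indicator to affected hosts and a timeline.

Added example (not from the article). Records, asset inventory and the
indicator are constructed; the fields mirror a resolver query log joined to
a DHCP/asset export.
"""
from datetime import datetime, timedelta

# Constructed resolver log records (rcode tells whether the name actually resolved).
DNS_LOG = [
    {"ts": "2023-04-02T08:55:10", "client": "10.1.2.30", "qname": "update.vendor.net", "rcode": "NOERROR"},
    {"ts": "2023-04-02T09:01:42", "client": "10.1.2.30", "qname": "cdn-files.example", "rcode": "NOERROR"},
    {"ts": "2023-04-02T09:01:45", "client": "10.1.2.30", "qname": "c2.bad-domain.example", "rcode": "NOERROR"},
    {"ts": "2023-04-02T09:30:00", "client": "10.1.2.30", "qname": "pastebin.example", "rcode": "NOERROR"},
    {"ts": "2023-04-02T09:02:10", "client": "10.1.7.12", "qname": "c2.bad-domain.example", "rcode": "NXDOMAIN"},
    {"ts": "2023-04-02T12:00:00", "client": "10.1.9.80", "qname": "mail.example.com", "rcode": "NOERROR"},
]

# Constructed asset inventory keyed by address (a DHCP/NAC/CMDB export in practice).
ASSETS = {
    "10.1.2.30": {"host": "WS-FIN-07", "type": "laptop", "os": "Windows 11"},
    "10.1.7.12": {"host": "POS-STORE3-01", "type": "POS terminal", "os": "Windows IoT"},
    "10.1.9.80": {"host": "SRV-MAIL-01", "type": "server", "os": "Ubuntu 22.04"},
}

INDICATOR = "c2.bad-domain.example"   # the domain identified when the breach was found


def records_with_time(log):
    """Yield (datetime, record) pairs."""
    for rec in log:
        yield datetime.fromisoformat(rec["ts"]), rec


def affected_clients(log, indicator):
    """Clients that queried the indicator or any subdomain of it -> (first_seen, last_seen)."""
    seen = {}
    for ts, rec in records_with_time(log):
        q = rec["qname"].lower()
        if q == indicator or q.endswith("." + indicator):
            first, last = seen.get(rec["client"], (ts, ts))
            seen[rec["client"]] = (min(first, ts), max(last, ts))
    return seen


def pivot(log, client, first_seen, before=timedelta(minutes=15), after=timedelta(hours=1)):
    """Everything the client resolved around first contact, oldest first."""
    lo, hi = first_seen - before, first_seen + after
    return sorted(
        (ts, rec["qname"], rec["rcode"])
        for ts, rec in records_with_time(log)
        if rec["client"] == client and lo <= ts <= hi
    )


def report(log, assets, indicator):
    """One entry per affected client: identity from the inventory plus its timeline."""
    out = []
    for client, (first, last) in affected_clients(log, indicator).items():
        asset = assets.get(client, {"host": "?", "type": "?", "os": "?"})
        out.append({"client": client, **asset, "first": first, "last": last,
                    "context": pivot(log, client, first)})
    return out


if __name__ == "__main__":
    for entry in report(DNS_LOG, ASSETS, INDICATOR):
        print(f"{entry['host']} ({entry['type']}, {entry['os']}) at {entry['client']}: "
              f"first {entry['first']}, last {entry['last']}")
        for ts, qname, rcode in entry["context"]:
            print(f"    {ts}  {qname}  {rcode}")
```

The finance laptop resolved a vendor update host and a file CDN minutes before the C2 name and a paste site shortly after, which is the kind of sequence that points at the delivery vector and the exfiltration channel for follow-up in proxy and flow logs. The POS terminal's NXDOMAIN shows it attempted contact but the name did not resolve for it, which still marks the device as compromised even though no connection followed.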
