Australian government agencies now have access to a purpose-built domain name service (DNS) security platform that has been credited with preventing more than 10,000 cyberattacks during the government’s recent successful online census.
Available for free to Commonwealth, state, and territory government agencies performing “critical services for Australians”, the Australian Protective Domain Name Service (AUPDNS) checks incoming and outgoing network traffic against a blacklist of known high-risk websites, malware command-and-control (C&C) servers, email servers, and other systems.
By checking domain name requests across participating agencies when they are resolved in the DNS system, AUPDNS can flag and stop malicious traffic that might otherwise have been routed through to its destination.
“A single malicious connection could result in a government network being vulnerable to attack or compromise, so it’s vital we do everything we can to prevent cybercriminals from gaining a foothold,” said Andrew Hastie, the assistant minister for defence, in announcing the system’s general availability.
The system follows on from a pilot Protective Domain Name System (PDNS) program that last year blocked over 150,000 “threat events”, according to the Australian Cyber Security Centre (ACSC), which has spearheaded the Harden Government IT (HGIT) initiative established under the country’s Cyber Security Strategy 2020.
HGIT, the ACSC noted in its recent overview of the Commonwealth cybersecurity posture, “aims to centralise the management and operations of the large number of ICT systems run by Commonwealth entities … to reduce the number of targets available to adversaries, including nation states or state-sponsored adversaries.”
AUPDNS provides one element of that centralised protective capability — the ACSC’s official support for DMARC antispoofing technology, adopted by just over a quarter of government agencies as of early 2021, is another — and early signs suggest that it is helping reduce government agencies’ exposure to malware.
Delivered in partnership with Nominet Cyber, the system has already analysed more than 10 billion network queries and blocked more than 1 million connections to malicious domains, Hastie said — including processing about 200 million queries per day and blocking more than 10,000 connections to known malicious domains during the census. “Any one of these could have resulted in a phishing or ransomware attack,” Hastie said, noting that the system is already protecting more than 200,000 users.
DNS vulnerabilities attract cyberattackers
The ubiquity and historical vulnerability of DNS servers has made them popular targets for cybercriminals, who have tried all manner of approaches to leverage the system to support and conceal their malicious activities.
Fully 87% of organisations surveyed in the recent IDC-EfficientIP Global DNS Threat Report said they had experienced DNS attacks, with the average organisation reporting 7.6 attacks over the past year and 47% of companies experiencing cloud service downtime from attacks on the DNS infrastructure supporting key cloud services.
DNS domain deny and allow lists are seen as a key enabler of zero-trust networking, with 43% of companies citing their importance in zero trust and 26% noting the importance of better monitoring and threat analysis of DNS traffic.
“While it is positive that companies want to use DNS to protect their increasingly remote workforces, organisations are continuing to suffer the costly impacts of DNS attacks,” said Romain Fouchereau, IDC’s research manager for European security, in announcing the survey results. “As threat actors seek to diversify their toolkits, businesses must continue to be aware of the variety of threats posed, ensuring DNS security is a key priority to preventing these.”
The average DNS attack cost victims around $1.3 million, the report found, with costs particularly surging over the last year in Malaysia (78%), Spain (36%), India (32%), and France (25%).
Helping the network protect itself through DNS security
While the general availability of AUPDNS will give Australian government agencies access to a highly scalable malicious domain filter, investing in DNS security is something that will benefit any company, noted Infoblox director of product marketing Krupa Srivatsan in a recent webinar.
With most companies historically leaving DNS traffic open to facilitate online application queries, Srivatsan said, the foundational Internet service had often become a conduit for malware and ransomware command-and-control (C&C) traffic — and companies had often been none the wiser. “If you’re not monitoring and not looking for DNS lookups that are going to malicious destinations,” she said, “you can miss that back-channel C&C communications in a compromised device. … There are known bad neighbourhoods on the internet, and if you put that intel on your DNS server, you can now block any resolution to a known bad destination — and leverage analytics on DNS requests to check for things like data exfiltration. We see many cases where data exfiltration is happening over the DNS channel because nobody’s monitoring it.”
Widely available open source programs have standardised the high-throughput movement of large quantities of data by piggybacking on DNS protocols to set up DNS tunnels that use the system to pass stolen information that might otherwise be detected over normal channels.
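The two controls Srivatsan describes (refusing resolution to known bad zones, and analysing query patterns for tunnelling or exfiltration) as an added example written for this article; it is not code from AUPDNS, Nominet or Infoblox, and the log format, domain names and thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed deny list of zones (placeholder names, not real indicators).
BLOCKLIST = {"c2-bad.example", "phish-bad.example"}

# Constructed resolver log, one "<client> <qname>" per line (format is an assumption).
SAMPLE_LOG = """\
10.0.0.5 www.example.gov.au
10.0.0.5 mail.c2-bad.example
10.0.0.7 update.phish-bad.example
10.0.0.9 4a6f6e2046b3d1c8.t.exfil.example
10.0.0.9 9c2e7b1f0d4a8356.t.exfil.example
10.0.0.9 b7d03e95a1c6f284.t.exfil.example
10.0.0.9 e81a4c73f0b29d65.t.exfil.example
10.0.0.9 3f9b0e6a1d5c7248.t.exfil.example
10.0.0.3 static-assets-prod.example.net
"""

def in_blocklist(qname, blocklist):
    """True if qname or any parent zone is denied (x.y.bad.example matches bad.example)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def label_entropy(label):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def analyse_log(text, blocklist=BLOCKLIST, min_unique=5, min_entropy=3.0):
    """Return queries to deny plus (client, zone, count) triples that look like tunnelling."""
    blocked, per_zone = [], defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        if in_blocklist(qname, blocklist):
            blocked.append((client, qname))
            continue
        labels = qname.lower().split(".")
        if len(labels) < 3:
            continue
        first, zone = labels[0], ".".join(labels[1:])
        # Tunnelling leaves many distinct, long, high-entropy leftmost labels under one zone.
        if len(first) >= 12 and label_entropy(first) >= min_entropy:
            per_zone[(client, zone)].add(first)
    tunnel = sorted((c, z, len(s)) for (c, z), s in per_zone.items() if len(s) >= min_unique)
    return {"blocked": blocked, "tunnel_suspects": tunnel}
```

The single long benign label under example.net is not reported because the unique-label count, not entropy alone, drives the tunnelling verdict.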
Some 26% of respondents to the IDC study reported having sensitive customer information stolen through exploitation of DNS over the past year, up from 16% the year before — with domain hijacking used more than twice as often as the previous year.
DNS “is a perfect security control point where you can detect malicious activity early,” Srivatsan said, noting that the addition of DNS security had been shown to improve objective, automated measures of cybersecurity maturity used by the likes of SecurityScoreCard and similar tools.
Whether or not the use of AUPDNS has a similar effect across the Australian government agencies leveraging it remains to be seen. The ACSC is currently resetting its Cyber Security Posture report cadence, with the next report to be delivered in November 2022 and subsequent annual reports tracing the development of government security maturity in each financial year.
“Levels of cybersecurity maturity continue to vary across the Australian government and sustained effort is required for Commonwealth entities to meet the challenges of the evolving cyber threat environment,” the ACSC wrote in introducing the latest report.