The strategy of having multiple layers of defence to protect IT networks is almost as old as the Internet. And while most infosec leaders understand that, they may not realize the importance of one particular layer: DNS protection.
That was the message from an official at the Canadian Internet Registry Authority (CIRA), which is responsible for the .ca domain, during a webinar on Tuesday hosted by IT World Canada.
“DNS (domain name system) is a critical part of a defence in depth strategy,” said Mark Gaudet, CIRA’s product and business development manager. “It has high, high value” because every Internet application – legitimate or malicious – uses DNS to look up sites for communication.
DNS is a directory that converts common name web addresses (like www.itworldcanada.com) to the numerical internet addresses behind the domain names.
Gaudet pointed out that virtually all malware – an estimated 91.3 per cent – relies on DNS: to resolve the addresses of the systems it targets and, once a host is infected, to reach command and control servers for instructions.
And while employees can be told to avoid dangerous, suspicious and erotic websites, that isn’t enough protection. Gaudet noted that a site employees commonly use – for example, one run by a business partner – could itself be compromised and serving malware. At the other end, he added, your own company’s website code could be compromised and seeded with malicious links.
DNS data is sensitive, he added, so queries have to be protected. The data can be mined, with an attacker (or competitor) being able to find out who an organization’s customers are, who new customers might be and what sites employees are going to for information. “You need to really understand where your DNS data is going and how it may be used,” Gaudet said.
There are many DNS policy-based products and online services that offer domain protection, including CIRA’s cloud-based recursive D-Zone DNS Firewall. Like others, it offers content filtering, malware and phishing blocking and protection against botnets by compiling lists of known malicious and suspicious DNS addresses.
That list has to be extensive and constantly updated because threat actors easily add thousands of addresses to their armory daily. To meet the demand CIRA’s DNS Firewall uses a threat intelligence feed from a company called Nominum, which was bought five months ago by cloud delivery platform Akamai.
Because Akamai supplies Internet service providers, Gaudet said, through its DNS servers it sees a huge number of DNS queries (about 1 million a second), which is combined with 37 commercial and other threat feeds that use data analytics to look for patterns. That produces an intelligence feed that goes to CIRA’s DNS servers to block threats.
Using machine learning, the feed can also flag new and not-yet-reported threats. Those include newly created domains that do not yet resolve, which he said tend to host malware; domains that closely resemble known ones; and domain reputation scored from facts such as who registered the domain and which IP addresses are associated with it, which allows related domains to be clustered and blocked together.
A new but suspicious domain can be added to the block list within 15 minutes of appearing on the internet.
Gaudet said false positives are rare. The latency added by the firewall is typically less than 50 milliseconds.
He added that for .ca domain users all DNS queries are protected and the data remains in Canada.
Launched in June and aimed at businesses, non-profits and the education sector, CIRA’s DNS Firewall now protects 800,000 users, Gaudet said, including universities, school boards and some ISPs. It blocks about 1 million malicious domains a month covering malware, botnets and even bitcoin miners, as well as providing content filtering for adult material and gambling websites. Customers can also set up their own blocked domain and content rules, all without packet inspection.
Activating the CIRA DNS Firewall is as simple as changing an organization’s DNS settings so that its resolvers (or clients) point to the CIRA cloud service.
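To make concrete what a policy-based DNS firewall of the kind described above actually does with a query (match the name against a threat feed, apply content categories and customer-supplied rules, then answer with a sinkhole address or NXDOMAIN instead of forwarding), here is a small model of that decision logic. It is an added example written for this page, not CIRA’s or Nominum’s code; the feed entries, category names, client policy fields, sinkhole address and query log lines are all constructed for illustration. It also walks parent domains so that a feed entry for a registered domain covers its subdomains, which is the usual behaviour of such feeds.

```python
"""Model of policy-based DNS filtering (added example, not CIRA's code).

Everything here is constructed: the feed, the categories, the policy shape
and the sample query log. Note the caveat the article itself raises: the
firewall only sees queries that are actually sent to it, so hosts pointed at
another resolver (or using DNS over HTTPS) bypass it entirely.
"""
from dataclasses import dataclass, field

# Constructed sample feed: domain -> category. A real feed is far larger and
# refreshed continuously.
THREAT_FEED = {
    "evil-c2.example": "botnet",
    "cdn.evil-c2.example": "malware",
    "login-bank.example": "phishing",
    "coinhive.example": "cryptominer",
    "casino.example": "gambling",
    "adult.example": "adult",
}
THREAT_CATEGORIES = {"malware", "botnet", "phishing", "cryptominer"}

# Hypothetical sinkhole address (TEST-NET-1, never routed on the internet).
SINKHOLE_IP = "192.0.2.1"


@dataclass
class Policy:
    block_threats: bool = True                              # malware/botnet/...
    blocked_categories: set = field(default_factory=set)    # content filtering
    custom_block: set = field(default_factory=set)          # customer rules
    custom_allow: set = field(default_factory=set)          # customer exceptions


def normalize(qname):
    """Matching is on the DNS name only: lower-case, no trailing dot."""
    return qname.rstrip(".").lower()


def candidate_suffixes(name):
    """Yield the name and each parent domain, stopping before the bare TLD,
    so a feed entry for evil-c2.example also covers www.evil-c2.example."""
    labels = name.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def classify(name, feed=THREAT_FEED):
    """Most specific feed match first, then parent domains."""
    for suffix in candidate_suffixes(name):
        if suffix in feed:
            return suffix, feed[suffix]
    return None, None


def decide(qname, policy, feed=THREAT_FEED):
    """Return (action, reason). 'resolve' forwards normally; 'sinkhole' and
    'nxdomain' are the two ways a DNS firewall can answer a blocked name."""
    name = normalize(qname)
    for suffix in candidate_suffixes(name):
        if suffix in policy.custom_allow:        # explicit exception wins
            return "resolve", f"allowlisted via {suffix}"
    for suffix in candidate_suffixes(name):
        if suffix in policy.custom_block:
            return "nxdomain", f"custom block {suffix}"
    matched, category = classify(name, feed)
    if matched is None:
        return "resolve", "not in feed"
    if category in THREAT_CATEGORIES and policy.block_threats:
        return "sinkhole", f"{category} ({matched})"
    if category in policy.blocked_categories:
        return "nxdomain", f"content category {category} ({matched})"
    return "resolve", f"{category} not blocked by policy"


def answer(qname, policy):
    """Shape of the response the resolver would hand back to the client."""
    action, reason = decide(qname, policy)
    if action == "sinkhole":
        return {"rcode": "NOERROR", "A": SINKHOLE_IP, "reason": reason}
    if action == "nxdomain":
        return {"rcode": "NXDOMAIN", "reason": reason}
    return {"rcode": "FORWARD", "reason": reason}


# Constructed query log: timestamp, client, qname, qtype (one query per line).
SAMPLE_LOG = """\
2018-03-06T10:00:01 10.0.0.5 www.itworldcanada.com A
2018-03-06T10:00:02 10.0.0.5 WWW.Evil-C2.example. A
2018-03-06T10:00:03 10.0.0.9 cdn.evil-c2.example A
2018-03-06T10:00:04 10.0.0.9 casino.example A
2018-03-06T10:00:05 10.0.0.12 app.social.example A"""


def summarize(log_text, policy):
    """Count actions over a query log; what a per-customer report is built from."""
    counts = {"resolve": 0, "sinkhole": 0, "nxdomain": 0}
    for line in log_text.splitlines():
        _ts, _client, qname, _qtype = line.split()
        counts[decide(qname, policy)[0]] += 1
    return counts


if __name__ == "__main__":
    pol = Policy(blocked_categories={"gambling"}, custom_block={"social.example"})
    for line in SAMPLE_LOG.splitlines():
        qname = line.split()[2]
        print(qname, answer(qname, pol))
    print(summarize(SAMPLE_LOG, pol))
```

The order of checks matters: an explicit customer allow entry must beat everything else (that is how a false positive on a partner's domain gets fixed quickly), and the feed lookup must try the exact name before its parents so that a more specific category wins. Running the block as a script prints the per-query answer and the action counts for the constructed log.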
Pricing starts at $3 per user, with volume discounts available.
In answer to a participant’s question, Gaudet noted that the service only looks for suspicious DNS activity. It doesn’t monitor network behaviour or look for malicious signatures.
Which comes back to a layered defence. “No one layer of defence is going to be 100 per cent effective,” Gaudet said. “Multiple layers are going to improve the protection, as long as they use different threat feeds.”