When it comes to the internet, it doesn’t get more basic than DNS—and maybe that’s why it doesn’t get the attention it deserves, especially on security matters.
DNS, or Domain Name System, is officially the decentralized naming system for resources connected to a private or public network (as in, the internet at large). There are different ways to look at it, but here’s the most important: As a distributed directory service that functions globally, it’s been the fundamental underpinning of what we call the internet since the mid-’80s.
This means that every time anyone uses the internet—from home, the office, a café, an airplane, a car—and visits a site, sends an email, makes a purchase or goes on social media, it involves a DNS call. In the simplest terms, DNS is the vehicle in which data travels around the internet.
By the same token, it’s also the medium used for communication during concerted cyberattacks. This means the protocol offers a unique level of visibility into every threat, all the way from minor-league malware and phishing (if it’s ever really minor) to large-scale data exfiltration. And by giving us all this detailed and hidden information, it helps us identify threats faster and spot potential dangers that get past other defenses. We can actually identify malicious domains even before they register on standard threat feeds.
All this should make DNS monitoring a critical component of all IT security best practices. So why doesn’t it happen?
It’s not as if the awareness isn’t there. A new study of CISOs at 30 large enterprises found that a resounding 97% certainly see the value in monitoring, threat detection, attack blocking and analytics at the DNS level to enhance security (the rest don’t say no, just that they’re not sure). It’s entirely likely that most large organizations at least believe they’re doing the work needed to undertake rigorous monitoring at this level. But are they?
Here’s one possible obstacle: According to some industry observers, this part of the process may be so basic that it gets overlooked. Sophisticated cybercriminals surely employ more sophisticated strategies; hence, the resources should go elsewhere.
On a related note, the sheer volume can cover the lack of subtlety. Even multinational conglomerates with abundant resources devoted to security may not have the technologies, capacity and patience needed to analyze billions of DNS data packets in real time. After all, one undeniable characteristic of this field is that torrents of legitimate traffic unintentionally cover tiny levels of malicious activity. Some current offerings basically route DNS requests to risky domains for deeper analysis, while others fail to identify newer threats—even though the vast majority of malware, for example, is unique, according to the 2016 Verizon Data Breach Investigations Report.
Meanwhile, it’s not going to get any easier: According to research from Cisco Systems, annual global IP traffic will reach 4.8 zettabytes per year by 2022, or 396 exabytes per month, up from 1.5 zettabytes per year and 122 exabytes per month in 2017. We’re going to get a lot more traffic to comb through—and that’s only based on technologies and behaviors we already know about.
However, the degree of difficulty (and no one denies that it’s very high) should not impede sustained initiatives to make DNS more important in the security infrastructure. Optimal DNS-level monitoring can play a unique role in predicting, pinpointing and blocking threats small and large in a sea of data noise—and that’s a huge benefit to every organization.