Blocking Online Data Theft with DNS-based Cyber Security

9th July 2019

Stuart Reed

Stuart Reed
VP Products

For several years now, security experts have been warning organisations to prepare for the worst. It’s not a case of “if” but “when” you are attacked, they say. This is true: over two-fifths (43%) of UK businesses polled by the government said they experienced a cyber security breach or attack in the previous 12 months. Even this could represent just the tip of the iceberg.

But while the root cause of a breach could be anything from unpatched servers to insecure endpoints, attackers are increasingly turning to exploiting the Domain Name System (DNS) to smuggle stolen data out of the organisation. The good news is, it’s also the number one way to regain the advantage.

A breach epidemic

The modern breach epidemic is fuelled by a highly sophisticated and extensive cyber crime economy, where financially motivated threat actors trade stolen data, malware and “as-a-service” crimeware with impunity on dark web markets. The number of breached records globally doubled year-on-year to reach a staggering 3.3 billion in H1 2018. In the US, the number for the entire year had reached 562 million by December 2018.

By now, the impact on the bottom line and corporate reputation is well understood. The average cost of a data breach now stands at $3.9m. But it has risen to many times that for serious incidents like the 2013 “mega-breach” of Yahoo, which has so far cost the company over $120m. The fallout could be yet greater — in fines and negative publicity — for those handling the data of EU citizens, under the new GDPR data protection regime.

DNS and tunnelling

Online information-stealing raids are launched via multi-staged attacks, ending with the final and arguably most important element: data loss. This is where the illegally accessed customers’ personally identifiable information or sensitive intellectual property is transferred by the attacker outside the organisation to a server under their control. To stay hidden from traditional security filters, the hacker will hide this data inside network packets, often DNS packets. Because it is typically encoded, and the DNS traffic itself is often whitelisted by firewalls, it can be smuggled out without setting off any alarms.

This DNS tunnelling technique, used to steal data via DNS, was originally designed to enable users to connect to the internet without paying a service provider. However, today it’s been popularised by black hat hackers, with countless freely available tunnelling tools like Iodine available for them to use.

Shining a light on DNS traffic

Given the ubiquity of these tools, and the fact that firewalls, intrusion detection systems (IDS) and secure web gateways can’t typically spot hidden data inside DNS traffic, organisations are at a distinct disadvantage. This is where Nominet can provide visibility and control where information security teams need it most, shining a light on the problem to help mitigate the risk of data breaches.

Nominet’s NTX platform monitors outbound DNS traffic in real time. It employs advanced analytics to identify malicious packets hidden in large quantities of legitimate corporate data. This could indicate compromised machines on the network attempting to communicate and send stolen data to command-and-control domains. With this crucial intelligence, organisations can cut communications with malicious domains and stop data theft in its tracks, before an attack has had a chance to make an impact. NTX is also set-up to spot any traffic associated with pre-configured DNS tunnelling toolkits.

Data breaches are a fact of life today. But by focusing on the DNS layer, organisations can install an effective early warning system to disrupt the crucial data loss phase. Download our whitepaper to find out more.