DNS-based Analytics: Best Practice Threat Detection to Support the NIST Framework

25th April 2019

Stuart Reed

VP, Products

UK boards increasingly recognise the strategic value of effective cyber security. More companies than ever before (72%) claim to perceive the risk of cyber threats to be high or very high relative to other business threats, according to a March 2019 government report. Yet the role DNS-based threats play in the overall landscape is less well understood, despite being articulated at length by organisations like the US National Institute of Standards and Technology (NIST).

The truth is that one of the most effective ways to control cyber risk and support business growth is by focusing on DNS: a key threat vector and therefore a natural place to plug in detection and response capabilities. Doing so goes one better than merely managing risk; it does so in a way that aligns with the global best practices set out by NIST.

A way forward

NIST frameworks are important because they offer firms a way forward amidst an increasingly complex regulatory environment, growing threats and heightened expectations from the business. GDPR in particular is famously light on prescriptive detail, meaning that following industry best practices remains one of the best ways to keep regulators happy. It’s reassuring that the US standards body has produced detailed guidance about DNS risk in the past, highlighting the importance of the system and how frequently it’s abused by attackers.

Although it can be overlooked in the organisation, DNS plays a crucial role for every firm, converting domain names to IP addresses so staff and external users can find the sites, apps and devices they’re looking for online. But it was designed many years ago, with usability, not security, in mind. Cyber criminals have become adept at exploiting weaknesses in DNS to redirect users to phishing and malware sites. Given its criticality, DNS traffic is also usually whitelisted by corporate firewalls, giving hackers an additional opportunity to smuggle stolen data out of the organisation, or to send command-and-control messages to compromised enterprise machines.

The government report mentioned earlier also claims that only 16% of boards have a “comprehensive understanding” of the impact of cyber threats on the organisation. This is especially concerning given the financial and reputational damage cyber threats can do. Data breaches are estimated to cost $3.9m on average, but in serious cases this figure can climb much higher. Yahoo is required to pay out $120m following its 2013 breach affecting three billion customers, for example, not to mention the $350m that was wiped off its sale price to Verizon.

Supporting NIST

For these reasons and more, firms often look to best practice standards and approaches to help them. NIST offers one of the most widely recognised in its Cybersecurity Framework. It includes five key functions that form a “backbone” around which all other elements are organised: Identify, Protect, Detect, Respond, and Recover.

DNS-based analytics from Nominet fit naturally with the Detect function, enabling firms to spot “anomalies and events”. Our NTX platform does this by using machine learning to detect the smallest signs of malicious behaviour, right down to single packets, in huge volumes of DNS traffic. This means organisations can spot data loss attempts, command-and-control communications and attempts to direct users to malicious and phishing sites. In fact, NTX also goes beyond Detect by blocking this malicious activity in real time to disrupt an attack before it has had a chance to impact the organisation. This means it also helps organisations address the Protect and Respond functions of the framework.
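To make the detection idea above concrete, here is an added example (not NTX code, and not from the original post) that scores DNS query logs for the exfiltration and command-and-control pattern described: many unique, long, high-entropy subdomains under one base domain, often over TXT queries. The log lines and the `evil-tunnel.test` domain are constructed for illustration; the thresholds are assumptions a real deployment would tune against its own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real traffic); evil-tunnel.test is a hypothetical tunnelling domain.
SAMPLE_LOG = """\
2019-04-25T10:00:01Z 10.1.1.20 A www.example.com
2019-04-25T10:00:02Z 10.1.1.20 A mail.example.com
2019-04-25T10:00:03Z 10.1.1.21 A login.example.com
2019-04-25T10:00:04Z 10.1.1.22 TXT q3x9vk2mz7bt5hpw.ex.evil-tunnel.test
2019-04-25T10:00:05Z 10.1.1.22 TXT a8r4nj6yd1gf0cse.ex.evil-tunnel.test
2019-04-25T10:00:06Z 10.1.1.20 A www.example.com
2019-04-25T10:00:07Z 10.1.1.22 TXT l2ku9oi7tmx3wqzb.ex.evil-tunnel.test
2019-04-25T10:00:08Z 10.1.1.22 TXT v5hp1sa8dy4nr6cg.ex.evil-tunnel.test
2019-04-25T10:00:09Z 10.1.1.23 A api.example.com
2019-04-25T10:00:10Z 10.1.1.22 TXT e7zb3qx0mkj2wf9t.ex.evil-tunnel.test
"""

def shannon_entropy(text):
    """Bits per character; encoded or random-looking labels score high, 'www' scores 0."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def base_domain(qname):
    """Approximate the registered domain as the last two labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_log(text):
    """Return (timestamp, client, qtype, qname) tuples, skipping malformed lines."""
    rows = [line.split() for line in text.splitlines()]
    return [(r[0], r[1], r[2].upper(), r[3].lower()) for r in rows if len(r) == 4]

def score_domains(recs, min_queries=5, unique=0.9, entropy=3.0, label_len=12, txt=0.5):
    """Per base domain, one reason per threshold exceeded; two or more reasons flag it."""
    by_dom = defaultdict(list)
    for _, _, qtype, qname in recs:
        by_dom[base_domain(qname)].append((qtype, qname))
    findings = {}
    for dom, rows in by_dom.items():
        n = len(rows)
        if n < min_queries:
            continue  # too few queries to judge; avoids flagging rarely seen domains
        firsts = [q.split(".")[0] for _, q in rows]  # leftmost label carries tunnelled data
        checks = {"many unique subdomains": len({q for _, q in rows}) / n >= unique,
                  "high-entropy labels": sum(map(shannon_entropy, firsts)) / n >= entropy,
                  "long leftmost labels": sum(map(len, firsts)) / n >= label_len,
                  "TXT-heavy": sum(t == "TXT" for t, _ in rows) / n >= txt}
        reasons = [why for why, hit in checks.items() if hit]
        findings[dom] = {"queries": n, "reasons": reasons, "flagged": len(reasons) >= 2}
    return findings
```

Run against the sample, `example.com` raises no reasons while `evil-tunnel.test` trips all four; a real pipeline would add a public-suffix list and per-client baselines before acting on the flag.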

That’s the kind of best practice threat detection and response organisations need as they battle to contain evolving cyber risk and stay ahead of the competition. To find out more, download our whitepaper.

Driving Value Through Support for NIST Best Practices
