Why DNS is important for a Zero Trust strategy

Zero Trust strategy discussions are all the rage these days among enterprise security teams. The problem is that every enterprise is implementing ZT differently, and many CISOs are struggling to find the ideal approach for their business.

Most security executives agree that authentication and role management are where a ZT strategy must start. With a massive number of amorphous front doors, identifying who is knocking with a high degree of confidence is essential. After all, if authentication doesn’t work well, an argument can be made that the rest of the cybersecurity defenses mean relatively little.

But the second step should be hardening the ability to detect and track an attack in real time, regardless of how the attackers got in and what they are initially attacking. To do that, few technologies work better than DNS. In an enterprise multi-cloud environment, DNS is one of the few technologies that can see all activity: from on-prem to one or many clouds, from remote locations to headquarters, from road warriors to overseas supply chain partners.

Everything on your networks will need to use DNS services. That includes on-prem, cloud, IoT/IIoT, mobile, remote sites, partner networks and contractors. If you have multiple cloud environments (and what enterprise today doesn’t?), it is critical to have a cybersecurity element that can seamlessly track them all, along with everything else. IoT is particularly problematic, but DNS handles it well.

Visibility is critical

DNS delivers better centralized visibility and control of all computing resources, including users and servers in a micro-segment, all the way down to an individual IP address. Because most traffic goes through DNS resolution first, DNS is an important source of telemetry: it provides detailed client information, helps detect anomalous behavior, and protects east-west traffic between micro-segments. DNS security can also continuously check for, detect, and block command and control (C&C) connections and attempts to access websites that host malware. For all of these reasons, DNS security is a core enabler of a robust Zero Trust strategy.

Most importantly, DNS is an absolute Zero Trust control point, where every internet address can be checked for potentially malicious behavior as identified by integrated threat intelligence. DNS security provides a single point of control to administer and manage all of your environments: one DNS security administration point for all of your security stacks, which can easily be integrated with SOAR and other critical cybersecurity ecosystem controls.
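To make the telemetry point above concrete, here is an added example (not code from the article or from Infoblox) of the check a security-aware resolver performs: DNS query telemetry is matched against a threat-intelligence list, with parent-domain matching so that a beacon under a listed C&C domain is caught, and the result is summarized per client for an analyst. The log-line format, the threat-intel feed, the sample lines and all function names are constructed assumptions for this example.

```python
"""Added example (not from the article): DNS query telemetry checked against a
threat-intelligence block list.

Assumptions: query-log lines shaped like "<timestamp> <client_ip> <qname> <qtype>",
a constructed threat-intel feed, and constructed sample lines. Function and
variable names are this example's own.
"""
from collections import Counter, defaultdict

# Constructed threat-intelligence feed (example.* names are reserved documentation
# domains; nothing here is a real indicator).
THREAT_INTEL = {
    "c2.example.net": "command-and-control",
    "malware-host.example.org": "malware-hosting",
}

# Constructed sample telemetry as an internal recursive resolver might log it.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.20.30.11 www.example.com A
2024-05-01T10:00:02Z 10.20.30.11 beacon.c2.example.net A
2024-05-01T10:00:03Z 10.20.30.12 mail.example.com MX
2024-05-01T10:00:04Z 10.20.30.13 malware-host.example.org. A
2024-05-01T10:00:05Z 10.20.30.11 c2.example.net TXT
2024-05-01T10:00:06Z 10.20.30.14 updates.example.com AAAA
malformed line that the parser must skip
"""


def parse_line(line):
    """Split one log line into a record, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    # Normalise: drop the trailing root dot and compare names case-insensitively.
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "qtype": qtype.upper()}


def match_threat_intel(qname, intel=THREAT_INTEL):
    """Return (listed_domain, category) if qname or any parent domain is listed.

    Walking up the label chain catches beacon.c2.example.net when only
    c2.example.net is on the feed, without matching look-alikes such as
    notc2.example.net.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in intel:
            return candidate, intel[candidate]
    return None


def analyse_dns_log(text, intel=THREAT_INTEL):
    """Turn raw query telemetry into alerts plus per-client context for an analyst."""
    alerts = []
    queries_per_client = Counter()
    clients_by_indicator = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        queries_per_client[rec["client"]] += 1
        hit = match_threat_intel(rec["qname"], intel)
        if hit is None:
            continue
        listed, category = hit
        clients_by_indicator[listed].add(rec["client"])
        alerts.append({
            "ts": rec["ts"], "client": rec["client"], "qname": rec["qname"],
            "qtype": rec["qtype"], "indicator": listed, "category": category,
            "action": "block",  # a security-aware resolver refuses to answer
        })
    return {
        "alerts": alerts,
        "queries_per_client": dict(queries_per_client),
        "clients_by_indicator": {k: sorted(v) for k, v in clients_by_indicator.items()},
    }


if __name__ == "__main__":
    report = analyse_dns_log(SAMPLE_LOG)
    for a in report["alerts"]:
        print(f'{a["ts"]} {a["client"]} -> {a["qname"]} [{a["category"]}] {a["action"]}')
    print("clients per indicator:", report["clients_by_indicator"])
```

The per-client counts and the clients-per-indicator map are what make this a single pane of glass rather than a list of blocked names: an analyst sees at once which hosts touched a listed domain and how chatty each one is, which is the context needed in the minutes the article says an active attack allows.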

That is what makes the following fact so mystifying: most CISOs and CIOs don’t include DNS controls. In and of itself, that omission makes achieving a true Zero Trust environment far more difficult, if not impossible. It’s sad that so many enterprises have not yet brought DNS, DHCP, and IPAM (DDI) controls, data, administration, and management into their cybersecurity strategy, and yet here we are. These capabilities have typically defaulted to a mix of ISPs, on- and off-premises local hardware, and multiple disparate cloud-based services. These separate DNS capabilities generally have no integration with cybersecurity threat intelligence, web filtering, or other important defensive capabilities. Most have no integrated protection against the most common cyberthreats, including distributed denial of service (DDoS) attacks, nor do they provide the necessary visibility.

Visibility (aka the single pane of glass) is crucial today, as well-equipped SOCs deliver a massive range of intelligence to their analysts. And during an active attack, those analysts have a handful of minutes, sometimes seconds, to understand what is going on, to figure out the best way to defend the enterprise, and then to act on that strategy. The analyst simply doesn’t have the time to review multiple screens to try to piece together what is happening. Many attackers today are superb at breaking in, doing their damage, and getting out quickly. That’s true regardless of whether the attacker is planting malware (ransomware, anyone?) or copying and exfiltrating specific files.

Organizations must always be in control of, and have complete visibility into, DNS traffic. DNS traffic must be resolved by servers controlled by the organization, not by external resolvers over which the IT team has no control.

Factor In DoT and DoH

DNS over TLS (DoT) and DNS over HTTPS (DoH) are two newer DNS transports designed to encrypt the communication between DNS clients and recursive DNS servers. They close a longstanding gap: DNS queries were traditionally transmitted unencrypted.

If an organization’s DNS servers support DoH/DoT, that is the best practice: all DNS traffic, including DoH/DoT, should be routed to those servers. If an organization lets DoH/DoT traffic go to external, unauthorized DNS resolvers, bypassing internal DNS servers, its security team loses visibility and control of the DNS traffic, leaving many security gaps exposed.

As a best-practice rule, organizations should not allow individual applications and devices to bypass internal DNS infrastructure. Access to unauthorized external DoH/DoT resolvers should be blocked at firewalls and gateways, forcing DNS resolution onto internal resolvers. Looking forward, every organization should plan on implementing internal DNS infrastructure that supports DoT/DoH.
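The two recommendations above (resolve only on internal servers; block external DoH/DoT at the gateway) can be checked and enforced from one policy. The following is an added example, not code from the article or from Infoblox: it classifies gateway flow records as plain-DNS, DoT or DoH bypass of the internal resolvers, and renders the same policy as nftables drop rules. The flow-record format, the resolver and DoH-endpoint addresses (all from RFC 5737 documentation ranges), the sample flows and the nftables table and chain names are constructed assumptions.

```python
"""Added example (not from the article): spotting DNS traffic that bypasses the
internal resolvers, and rendering the same policy as firewall rules.

Assumptions: flow records shaped like "<src_ip> <dst_ip> <proto> <dst_port>",
constructed internal-resolver addresses, a constructed list of known public DoH
endpoints (RFC 5737 documentation ranges), and an nftables table/chain named
"inet filter forward". Names are this example's own.
"""

# Constructed policy: the only resolvers clients may talk to (plain DNS, DoT or DoH).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Constructed list of public DoH endpoints; a real deployment would feed this from
# threat intelligence or a maintained list of public resolvers.
KNOWN_DOH_ENDPOINTS = {"203.0.113.10", "203.0.113.11"}

# Constructed flow records as a gateway or firewall might log them.
SAMPLE_FLOWS = """\
10.20.30.11 10.0.0.53 udp 53
10.20.30.12 198.51.100.5 udp 53
10.20.30.12 198.51.100.5 tcp 853
10.20.30.13 203.0.113.10 tcp 443
10.20.30.14 192.0.2.80 tcp 443
10.20.30.15 10.0.1.53 tcp 53
10.20.30.16 10.0.0.53 tcp 853
"""


def classify_flow(src, dst, proto, dport,
                  resolvers=INTERNAL_RESOLVERS, doh_endpoints=KNOWN_DOH_ENDPOINTS):
    """Return a bypass reason for one flow, or None if it complies with policy."""
    if dport == 53 and dst not in resolvers:
        return "plain-dns-to-external-resolver"
    if dport == 853 and proto == "tcp" and dst not in resolvers:
        return "dot-to-external-resolver"
    if dport == 443 and dst in doh_endpoints:
        return "doh-to-known-public-endpoint"
    return None


def find_bypass(text, **policy):
    """Parse flow lines and return the ones that bypass internal DNS."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed records rather than abort the run
        src, dst, proto, dport = parts[0], parts[1], parts[2].lower(), int(parts[3])
        reason = classify_flow(src, dst, proto, dport, **policy)
        if reason:
            findings.append({"src": src, "dst": dst, "proto": proto,
                             "dport": dport, "reason": reason})
    return findings


def nft_rules(resolvers=INTERNAL_RESOLVERS, doh_endpoints=KNOWN_DOH_ENDPOINTS,
              chain="inet filter forward"):
    """Render the same policy as nftables rules (table/chain names are assumed)."""
    allowed = ", ".join(sorted(resolvers))
    doh = ", ".join(sorted(doh_endpoints))
    return [
        f"nft add rule {chain} ip daddr != {{ {allowed} }} udp dport 53 drop",
        f"nft add rule {chain} ip daddr != {{ {allowed} }} tcp dport {{ 53, 853 }} drop",
        f"nft add rule {chain} ip daddr {{ {doh} }} tcp dport 443 drop",
    ]


if __name__ == "__main__":
    for f in find_bypass(SAMPLE_FLOWS):
        print(f'{f["src"]} -> {f["dst"]}:{f["dport"]}/{f["proto"]}  {f["reason"]}')
    print("\n".join(nft_rules()))
```

Two caveats a practitioner should keep in mind. DoH to an endpoint that is not on the known list looks like any other HTTPS session at the address level, so this flow-side check can only ever be partial; that is exactly why the article insists on steering resolution to internal resolvers, where the query log gives complete coverage. And the rules above apply to forwarded traffic only: the internal resolvers themselves still need to reach their upstreams, so they get their own allow rule rather than being matched by these drops.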

Unprotected DNS enables MITRE ATT&CK techniques

There are a multitude of ways that cyberattackers can leverage unprotected DNS services. The following MITRE ATT&CK techniques and sub-techniques explicitly define how cyberattackers target and use DNS services. The tactic represents the goal the attacker is trying to achieve; the techniques and sub-techniques represent the different ways cyberattackers can achieve the objectives of that tactic. Mitigating these techniques requires comprehensive DNS security solutions.

Zero Trust is going to require Security and IT to entirely rethink every element of every one of their environments. That is likely to take years and an avalanche of resources, but it is absolutely necessary. When was the last time your network was entirely examined and new, appropriate security measures put in place?

Yes, certain security defenses have been added to many of those environments, but that merely leaves old, outdated mechanisms in place. That’s the most frustrating cybersecurity reality: old security defenses, including those that were state-of-the-art when they were installed, can today become a security hole. That happens when an attacker leverages an app that none of your current team even knew was there.

As long as you are rebuilding all of your defenses, it’s critical to include DNS tracking. Any tracking that is not comprehensive and consistent across all of your environments is just asking for trouble.

(Source: Infoblox.com)
