
Almost 80% of cyber security incidents involve a DNS query

(This is a translation produced by FIC from the original interview in French)

As the central element of the Internet and the first thing a device contacts when it connects, the Domain Name System (DNS) must be robust. Yet attackers keep finding more ingenious ways to abuse it in order to infiltrate corporate networks. This is why Infoblox, a leader in DNS management, reinvented itself as a cybersecurity specialist. Its ‘BloxOne’ SaaS platform offers a complete toolset to protect a business against these attacks and to orchestrate its other cybersecurity solutions.


“It’s always DNS!” A sentence that should sound familiar to network security experts. Now, it has even become a meme, reflecting the unfortunate reality that the Domain Name System (DNS) is often involved in cyber incidents. 79% of organisations have experienced a cyberattack involving a DNS query, according to the 2020 Global DNS Threat Report from International Data Corporation (IDC).

And with good reason: DNS is “at the very heart of the Internet network,” says Philippe Elie, Director for Southern Europe at Infoblox, today one of the major players in DNS security. “DNS is the first component of the IP network to be contacted when a piece of equipment connects,” he explains. “Whether it’s a phone, a computer, an IP camera, or any other terminal, the first thing a device does to connect to the Internet is to send a request to DNS.”

Because DNS is the first thing a device contacts and its traffic is “considered reliable”, DNS queries are rarely inspected or blocked at the perimeter. Many cyberattacks exploit this: the attacker encodes data inside queries and responses exchanged with an authoritative name server under their control, which gives them a covert channel into and out of the whole network for command and control and data exfiltration. This is known as “DNS tunneling”, a common infiltration method for the past twenty years.
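To make the mechanism concrete, the following is an added example, not Infoblox code and not part of the original interview. It shows both ends of a minimal DNS tunnel (data split into base32 labels under an attacker's domain, then reassembled from the received query names) and the kind of resolver-side check that catches it: a domain is flagged only when it receives several queries whose subdomain part is both long and high-entropy, since one odd-looking name alone is normal for CDNs and cloud services. The domain exfil-c2.example, the payload and the query log are constructed for the example, and the registrable-domain helper (last two labels) is a deliberate simplification of what the Public Suffix List provides.

```python
"""DNS tunneling in miniature: how data leaves a network inside ordinary
looking DNS queries, and the per-query and per-domain features a
resolver-side detector can use to spot it.

Added example, not Infoblox code. All domains are under the reserved
.example TLD and the "log" is a constructed list of query names."""
from __future__ import annotations

import base64
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035: a single label is at most 63 octets
MAX_NAME = 253   # practical limit for a full presentation-format name


def encode_chunks(data: bytes, tunnel_domain: str, chunk_len: int = 30) -> list[str]:
    """Tunnel client side: split `data` into chunks, base32-encode each one
    (letters and digits only, so it is a valid hostname label), prefix a
    sequence number and hang it under the attacker's domain. Each name is
    one query that the corporate resolver forwards, unwittingly, to the
    attacker's authoritative server."""
    names = []
    for seq, offset in enumerate(range(0, len(data), chunk_len)):
        chunk = data[offset:offset + chunk_len]
        label = base64.b32encode(chunk).decode().rstrip("=").lower()
        name = f"{seq}.{label}.{tunnel_domain}"
        assert len(label) <= MAX_LABEL and len(name) <= MAX_NAME
        names.append(name)
    return names


def decode_queries(names: list[str], tunnel_domain: str) -> bytes:
    """Tunnel server side: reassemble the payload from the received names."""
    suffix = "." + tunnel_domain
    parts: dict[int, bytes] = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, label = name[:-len(suffix)].split(".", 1)
        padded = label.upper() + "=" * (-len(label) % 8)  # restore base32 padding
        parts[int(seq)] = base64.b32decode(padded)
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s: str) -> float:
    """Bits per character: encoded data scores high, human-chosen names low."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable(name: str) -> str:
    """Last two labels stand in for the registrable domain (assumption for
    this example; production code uses the Public Suffix List)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def flag_tunneling(queries: list[str], min_label: int = 32,
                   min_entropy: float = 3.0, min_hits: int = 3) -> set[str]:
    """Return registrable domains that look like tunnel endpoints: several
    queries each carrying a long, high-entropy subdomain. Thresholds are
    illustrative and must be tuned against the resolver's own baseline."""
    hits: dict[str, int] = defaultdict(int)
    for q in queries:
        labels = q.rstrip(".").split(".")
        sub_labels = labels[:-2]
        if not sub_labels:
            continue
        longest = max(len(label) for label in sub_labels)
        if longest >= min_label and shannon_entropy("".join(sub_labels)) >= min_entropy:
            hits[registrable(q)] += 1
    return {dom for dom, n in hits.items() if n >= min_hits}


# Constructed data: a "secret" the attacker wants out, and a benign baseline.
SECRET = (b"Confidential: Q3 revenue 12.4M EUR, churn 3.1%, merger code name BLUEFIN-7; "
          b"contact cfo@corp.example; VPN pre-shared key: 9fK2!vQz#7Lp; expires 2021-12-31.")
TUNNEL_DOMAIN = "exfil-c2.example"
TUNNEL_QUERIES = encode_chunks(SECRET, TUNNEL_DOMAIN)
BENIGN_QUERIES = [
    "www.corp.example", "mail.corp.example", "intranet.corp.example",
    "api.saas-vendor.example", "cdn.saas-vendor.example",
    # one long, machine-looking but ordinary name: a single hit is not enough
    "a-very-long-but-perfectly-ordinary-cdn-node-hostname.static.example",
]
SAMPLE_LOG = BENIGN_QUERIES + TUNNEL_QUERIES

if __name__ == "__main__":
    for q in TUNNEL_QUERIES:
        print(q)
    assert decode_queries(TUNNEL_QUERIES, TUNNEL_DOMAIN) == SECRET
    print("flagged as tunnel endpoints:", flag_tunneling(SAMPLE_LOG))
```

Run as-is, the script prints the six queries the 155-byte secret becomes and flags only exfil-c2.example. Real tunnels also use TXT or NULL records for the downstream direction and throttle their query rate to stay under per-domain volume thresholds, which is why production detectors combine these per-query features with query-rate and response-size statistics rather than relying on entropy alone.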


Digital transformation, Covid-19, and the “uberisation of attacks”

But two new factors are changing the situation: the digital transformation of companies, further accelerated by the Covid-19 pandemic, and what Philippe Elie calls “the uberisation of attacks.”

“Increasingly, companies’ data and applications are being stored in various clouds,” he explains. “With Covid-19, this digital transformation has accelerated. Not just because of remote working —which has certainly put enormous pressure on companies to open up the network perimeter—but also because companies have realised that this was a further opportunity to accelerate digital transformation plans to be more ready to seize the economic recovery.” And with this fragmentation, companies’ networks are more exposed.

Things are also changing on the attack side. “For a few hundred euros on the dark web, it is now possible to buy all the tools needed to attack companies, particularly with ransomware.” DNS tunneling is no exception to this trend: tutorials and even complete toolkits for this infiltration method circulate on hacker forums, including tooling that originated with malicious groups such as OilRig and has since been made public. With this democratisation, mid-cap companies and SMEs are no longer safe from attack either.


Securing DNS, and much more

This is why Infoblox had to reinvent itself, and did. Soon after its creation in 2000, the American company established itself as the market leader in DDI management, i.e. DNS, DHCP and IP address management (IPAM). The latter two, combined, act as a fingerprint: they tie an IP address to a specific device, its location on the network and the characteristics of its connection. Infoblox holds “a market share of 53%,” says Philippe Elie. Over the past five years, it has also become a cybersecurity company.

“First of all, Infoblox maintains feeds, i.e. lists of potentially dangerous domain names,” continues Philippe Elie. “Our job is to find out whether the domain name that this traffic is trying to contact is legitimate or not. If it is not in this list, we are also able to analyse, with machine learning mechanisms, the behaviour of the traffic generated, in order to know if the traffic is legitimate or not.” These are the basic cybersecurity features of Infoblox ‘New Generation’. But the American company’s solution has also become a real orchestration platform, as its Director for Southern Europe explains: “Our programming interfaces (APIs) allow our solution to connect and interact with all solutions installed at the customer’s site (firewalls, incident management tools, SIEM, etc.).”

As an expert in the field, Infoblox knows better than anyone that DNS attacks are no longer limited to tunneling: they are becoming increasingly complex, especially since the start of the pandemic. For example, attackers increasingly use throwaway domain names generated en masse by domain generation algorithms (DGAs) in a matter of seconds. Such a domain is registered and first queried only shortly before it is used, so it has no reputation yet and is invisible to traditional list-based filtering; the main signal is that it is a newly observed domain (NOD). For four years now, Infoblox has integrated into BloxOne, its platform sold as a subscription (Software-as-a-Service, or SaaS), the Farsight Security solution, which “can identify NODs in just a few minutes when other solutions on the market need about 34 hours, according to our calculations,” proudly says Philippe Elie.
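The two layers described above, a feed of known-bad domains checked first and a newly-observed-domain check for everything the feed does not know, can be sketched in a few dozen lines. This is an added example and not Infoblox, BloxOne or Farsight code: the feed entries, the passive-DNS history, the clock and the toy DGA are all constructed, and the registrable-domain helper is a simplification (real code uses the Public Suffix List). It also shows why list-based filtering fails against a DGA: the bot and its operator derive the same names from a shared seed and the date, so there is no list to block in advance.

```python
"""Resolver-side policy in miniature: exact-match threat-feed lookup first,
then a newly-observed-domain (NOD) check for names the feed has never seen.

Added example; not Infoblox, BloxOne or Farsight code. Feed, history,
timestamps and the DGA are constructed for the example."""
from __future__ import annotations

import hashlib
from datetime import datetime, timedelta, timezone


def toy_dga(seed: str, day: datetime, count: int, tld: str = "example") -> list[str]:
    """Generate `count` rendezvous domains for `day`. Hypothetical algorithm,
    not any real malware family's: a bot and its operator sharing `seed`
    derive identical names each day, so nothing exists to block beforehand."""
    return [
        hashlib.sha256(f"{seed}:{day.date()}:{i}".encode()).hexdigest()[:12] + "." + tld
        for i in range(count)
    ]


def registrable(name: str) -> str:
    """Last two labels stand in for the registrable domain (assumption)."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


class DnsPolicy:
    """Per-query verdicts in the order a resolver would apply them:
    cheap exact-match feed lookup first, time-based NOD check second."""

    def __init__(self, feed: set[str], nod_window: timedelta = timedelta(hours=24)):
        self.feed = {registrable(d) for d in feed}
        self.nod_window = nod_window
        self.first_seen: dict[str, datetime] = {}  # stands in for passive-DNS history

    def backfill(self, domain: str, first_seen: datetime) -> None:
        """Seed history for already-known domains, as a passive-DNS feed would."""
        self.first_seen[registrable(domain)] = first_seen

    def verdict(self, qname: str, now: datetime) -> str:
        dom = registrable(qname)
        if dom in self.feed:
            return "block:feed"
        first = self.first_seen.setdefault(dom, now)
        if now - first < self.nod_window:
            # Newly observed: no reputation yet. Operators usually log or
            # sinkhole here rather than hard-block, because legitimate
            # brand-new domains raise exactly the same signal.
            return "nod"
        return "allow"


# Constructed scenario: a clock, a two-entry feed and some known history.
T0 = datetime(2021, 9, 7, 8, 0, tzinfo=timezone.utc)
FEED = {"update.bad-feed.example", "cnc.bad-feed.example"}
DGA_TODAY = toy_dga("bluefin", T0, 5)


def build_policy() -> DnsPolicy:
    policy = DnsPolicy(FEED)
    for known in ("www.corp.example", "mail.saas-vendor.example"):
        policy.backfill(known, T0 - timedelta(days=400))
    return policy


def run_scenario(policy: DnsPolicy, now: datetime) -> dict[str, str]:
    """Verdict per query for a small mixed stream of lookups."""
    stream = ["www.corp.example", "login.saas-vendor.example",
              "update.bad-feed.example", *DGA_TODAY]
    return {q: policy.verdict(q, now) for q in stream}


if __name__ == "__main__":
    policy = build_policy()
    for q, v in run_scenario(policy, T0).items():
        print(f"{v:11} {q}")
    later = T0 + timedelta(hours=25)
    print("same DGA name a day later:", policy.verdict(DGA_TODAY[0], later))
```

The first run flags the five DGA names as NODs and blocks the feed hit, while the long-known domains pass. The same DGA name queried again a day later is allowed, which is the honest limit of a pure first-seen check: a domain the attacker registered well in advance, or one kept alive past the window, needs the behavioural signals from the previous example as well. Real NOD products build first-seen times from global passive DNS, so a domain is "new" relative to the whole Internet, not just to one resolver.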

“Historically, our main customers were large groups in various sectors (finance, manufacturing, services, retail, etc.),” says the Director. “But for the past 18 months, mid-market companies and large SMEs, which are increasingly under attack and whose network infrastructure is increasingly in the cloud, have also been very interested. We therefore intend to develop BloxOne to support customers who will want cloud platforms that they can place at the edge of their network, for example when deploying SD-WAN.”


In partnership with

Infoblox Formations - Exclusive Networks - France