Threat intelligence information provides details on the tactics, techniques, and procedures used by attackers. Often, threat intelligence includes lists of known malicious executables, domain names, and IP addresses. As this information comes out, enterprises can update block lists, but this is a reactive approach; attackers quickly and continuously switch domain names to avoid such simple filtering.
Taking advantage of the deeper visibility provided by the DNS system can support more proactive security practices, leading to improvements in three critical security metrics:
- Time to detect
- Time to respond
- Time to restore
The goal is to move as much as possible from incident response to damage minimization. All too often, businesses are not even aware of attacks until customers or law enforcement highlights them. More proactive precautions are necessary to prevent attacks and more quickly detect the start of unpreventable attacks.
Because DNS requests are generally first seen quite early in the attack chain, DNS-based threat intelligence can be effective in shaping proactive precautions, reducing time to detect, and reducing the load on follow-on security controls. This also applies to appliances, IoT, ICS, and other devices without client-side visibility because they have to participate in DNS.
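As an added illustration of the point above (this is example code, not part of the original paper), the script below runs a threat-intelligence domain list over resolver query logs and reports the first flagged query per client. The log format, the indicator domains and the client addresses are all constructed for the example; the match walks label boundaries so that a subdomain of a listed domain is caught while a look-alike name that merely ends in the same characters is not. One of the constructed clients stands in for a device with no agent of its own, since it still shows up here simply by resolving names.

```python
"""Match DNS resolver query logs against a threat-intelligence domain list.

Added example, not from the original paper. The log line format
('<timestamp> <client_ip> <qname> <qtype>') is assumed for the example,
not taken from any particular resolver; indicators and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed indicator list, as a threat-intelligence feed might supply it.
INDICATOR_DOMAINS = {
    "bad-updates.example",
    "c2.beacon.example",
}

# Constructed resolver log lines: timestamp, client IP, queried name, record type.
# 10.1.7.200 stands in for an appliance/IoT device with no endpoint agent.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.1.1.25 www.corp.example A
2024-05-01T10:00:03Z 10.1.1.25 cdn.bad-updates.example A
2024-05-01T10:00:04Z 10.1.7.200 c2.beacon.example A
2024-05-01T10:00:09Z 10.1.7.200 c2.beacon.example A
2024-05-01T10:00:10Z 10.1.1.30 mail.corp.example MX
2024-05-01T10:00:12Z 10.1.1.25 notbad-updates.example A
"""


@dataclass(frozen=True)
class Match:
    timestamp: datetime
    client_ip: str
    qname: str
    indicator: str


def parse_line(line):
    """Split one log line into (timestamp, client_ip, normalised qname, qtype)."""
    ts, client, qname, qtype = line.split()
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return stamp, client, qname.rstrip(".").lower(), qtype


def matching_indicator(qname, indicators):
    """Return the indicator that covers qname, or None.

    A subdomain of a listed domain matches (cdn.bad-updates.example matches
    bad-updates.example). A name that only shares a suffix string
    (notbad-updates.example) does not, because candidates are cut at label
    boundaries rather than compared with endswith().
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_log(log_text, indicators):
    """Return every query in the log that resolves to a listed domain."""
    matches = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = parse_line(line)
        hit = matching_indicator(qname, indicators)
        if hit:
            matches.append(Match(ts, client, qname, hit))
    return matches


def first_seen_by_client(matches):
    """Earliest flagged query per client: the moment detection could have started."""
    first = {}
    for m in sorted(matches, key=lambda m: m.timestamp):
        first.setdefault(m.client_ip, m)
    return first


if __name__ == "__main__":
    for ip, m in first_seen_by_client(scan_log(SAMPLE_LOG, INDICATOR_DOMAINS)).items():
        print(f"{m.timestamp.isoformat()} {ip} first flagged query: "
              f"{m.qname} (indicator {m.indicator})")
```

The per-client "first seen" timestamp is the value to compare against when the alert actually reached an analyst; the gap between the two is the time-to-detect figure this section is about.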
Best Practices for an Effective DNS Security Architecture
An effective DNS security architecture starts by ensuring the performance, availability, and integrity of DNS services by protecting the DNS host platform (server operating system, file system, administrative apps and tools), the DNS software (name server, resolver), and the DNS data (zone file, configuration file). Essential security hygiene such as the CIS Critical Security Controls Implementation Group 1 (configuration management, patching, privilege management, etc.) is required for IT and security operations functions. Industry secure-configuration standards (such as Center for Internet Security [CIS] benchmarks and Department of Defense Security Technical Implementation Guides [DoD STIGs]) should be applied and audited for operating systems, databases, and DNS software. Widely accepted, broader frameworks such as the NIST Cybersecurity Framework and the MITRE ATT&CK knowledge base provide the higher-level requirements and justifications for ensuring that a quality DNS security architecture is in use.
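The integrity of DNS data named above (zone file, configuration file) is something that can be checked mechanically. The following is an added example, not code from the paper or from any DNS product: it records a SHA-256 baseline for a set of DNS data files and later reports which files were modified or removed. The file names and contents are constructed in a temporary directory for the example; in practice the baseline would be kept on a system the DNS host's own administrators cannot edit, so that an attacker who alters a zone cannot also adjust the record it is compared against.

```python
"""Integrity baseline for DNS data files (zone files, server configuration).

Added example, not from the original paper. The file names (named.conf,
db.corp.example) and their contents are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large zone files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(directory, names):
    """Map each named file to its current digest; this is what gets stored off-host."""
    return {name: file_digest(os.path.join(directory, name)) for name in names}


def check_baseline(directory, baseline):
    """Compare the directory's current state with a stored baseline."""
    findings = {"modified": [], "missing": [], "unchanged": []}
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            findings["missing"].append(name)
        elif file_digest(path) != expected:
            findings["modified"].append(name)
        else:
            findings["unchanged"].append(name)
    return findings


def demo():
    """Build a baseline, simulate unauthorised changes, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed DNS data files.
        files = {
            "named.conf": "options { recursion no; };\n",
            "db.corp.example": (
                "$ORIGIN corp.example.\n"
                "@ IN SOA ns1 admin 2024050101 3600 900 604800 300\n"
                "www IN A 192.0.2.10\n"
            ),
        }
        for name, content in files.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(content)

        # The baseline is serialised exactly as it would be written to the
        # separate store; reloading it from JSON mirrors a later check run.
        stored = json.dumps(build_baseline(d, files), indent=2)

        # Simulate what the check is meant to catch: an extra record appended
        # to the zone and the server configuration removed.
        with open(os.path.join(d, "db.corp.example"), "a") as f:
            f.write("www IN A 198.51.100.66\n")
        os.remove(os.path.join(d, "named.conf"))

        return check_baseline(d, json.loads(stored))


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status}: {', '.join(names) or '-'}")
```

A "modified" finding on a zone file that no change ticket accounts for is the kind of early, low-noise signal the next paragraph refers to; the same comparison can be scheduled and its results fed to whatever tooling the SecOps and network-ops teams share.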
These best practices should also include using the DNS architecture for broader overall security benefits. When DNS services are secure and reliable, they can provide the key data for the threat intelligence and attack detection/prevention/response capabilities discussed in the previous sections. DNS threat intelligence can provide early, accurate, and actionable information that supports thwarting attacks without causing inadvertent self-inflicted disruption. To gain these benefits, DNS should be an integral part of security operations, which often requires the SecOps staff (including both defenders and incident responders/investigators) to work closely and be cross-trained with the IT or network ops groups that may have functional responsibility for DNS services. Where possible, common tools should be used across both groups.
A secure DNS architecture benefits business by ensuring the reliable and trustable DNS services needed for digital business. It also minimizes the risk of attacks compromising those same services, disrupting business and attacking customers. A well-designed and managed DNS architecture, combined with DNS threat intelligence, can reduce the “noise” produced by false-positive indications, reducing the load on security operations staff.