The role of DNS-layer security in preventing phishing scams and other malware attacks
Discover why implementing DNS-layer security is a quick win that every organisation, large or small, can benefit from
How DNS works
When you type a web address such as "www.oxspring.com" into your browser, your computer sends a request to a DNS resolver to translate the domain name into an IP address.
The resolver first checks its own cache to see if it already knows the IP address for that domain name. If it does, it returns the IP address to your computer and the request is complete. If it doesn't, the resolver then sends a request to a root server, which returns the IP address of the top-level domain server for the domain name, such as ".com".
The resolver then sends a request to the top-level domain server, which returns the IP address of the authoritative name server for the domain name. The authoritative name server is responsible for providing the IP address for the specific domain name.
Finally, the resolver sends a request to the authoritative name server, which returns the IP address for the domain name. The resolver caches this IP address so that it can be quickly retrieved the next time the domain name is requested.
This process happens quickly and seamlessly in the background, allowing users to access websites using human-readable domain names instead of having to remember a series of numbers.
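The root, top-level domain and authoritative steps above, modelled as an added example with an in-memory cache; this is illustrative code written for this article, not a real resolver, and every server address and zone entry is a constructed sample using documentation IP ranges.

```python
# Added example: a toy model of the root -> TLD -> authoritative walk, with a cache.
# All referral data below is constructed; addresses come from documentation ranges.
ROOT_REFERRALS = {"com": "192.0.2.1", "uk": "192.0.2.2"}               # root: "ask this TLD server"
TLD_REFERRALS = {                                                       # TLD: "ask this authoritative server"
    "oxspring.com": "198.51.100.1",
    "mybank.co.uk": "198.51.100.2",
}
AUTHORITATIVE = {                                                       # authoritative: the final answer
    "www.oxspring.com": "203.0.113.10",
    "www.mybank.co.uk": "203.0.113.20",
}


class Resolver:
    def __init__(self):
        self.cache = {}          # name -> IP address, populated after a full walk
        self.queries_sent = []   # (server role, question) log, to show how many hops a lookup cost

    def resolve(self, name):
        """Return the address for `name`, walking the hierarchy only on a cache miss."""
        name = name.lower().rstrip(".")
        if name in self.cache:
            return self.cache[name]                    # cache hit: no round trips at all
        labels = name.split(".")

        # Step 1: ask a root server which server handles the top-level domain (e.g. "com").
        self.queries_sent.append(("root", labels[-1]))
        if labels[-1] not in ROOT_REFERRALS:
            return None

        # Step 2: ask the TLD server for the authoritative server of the registered zone.
        # Try the longest suffix first so "mybank.co.uk" wins over "co.uk".
        zone = next((".".join(labels[i:]) for i in range(len(labels))
                     if ".".join(labels[i:]) in TLD_REFERRALS), None)
        self.queries_sent.append(("tld", zone))
        if zone is None:
            return None

        # Step 3: ask the authoritative server for the record itself, then cache it.
        self.queries_sent.append(("authoritative", name))
        address = AUTHORITATIVE.get(name)
        if address is not None:
            self.cache[name] = address
        return address
```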
Often computers are configured to use a default DNS server provided by the internet service provider (ISP). While that may be convenient, it may not always be the best choice in terms of performance or security. Some ISPs may have slow or unreliable DNS servers, which can slow down your internet connection or cause websites to load slowly. And most free DNS servers do not provide security features, leaving your computer and network vulnerable to cyber threats.
Changing default DNS settings for an organisation is usually a relatively straightforward process. Most operating systems allow administrators to configure DNS settings centrally, either through group policy or other management tools. This makes it easy to change DNS settings for all devices on a network at once, rather than having to manually configure each device individually.
This is relevant because implementing DNS-layer security simply involves switching to a more advanced DNS service.
DNS-layer security is a method of protecting against threats by analysing DNS requests, comparing them against a database of known threats, and filtering out any requests that are deemed to be suspicious or malicious. If a request matches a known threat, it is blocked before it can reach the user's device.
DNS-layer security operates at the network level, meaning that it can protect all devices on a network, including mobile devices and IoT devices. This makes it a powerful tool for organisations looking to protect their networks from cyber threats.
In addition to blocking known threats, DNS-layer security can also help protect against zero-day attacks, which are attacks that exploit vulnerabilities that are not yet known or patched. Since DNS requests are often the first step in a cyber attack, DNS-layer security can identify and block requests to malicious domains or domains that have been recently registered or have unusual DNS configurations. By blocking these requests, DNS-layer security can help to prevent attackers from establishing a foothold in the network.
Phishing scams are a common method used by hackers to steal passwords and other sensitive information. In a phishing scam, the hacker sends an email or message that appears to be from a legitimate source, such as a bank or social media site, but is actually a fake. The message typically asks the user to click on a link or download an attachment, which then installs malware or directs the user to a fake login page where they enter their username and password.
Phishing scams can be difficult to detect, as the messages often look very convincing. In HTML, a hyperlink has two elements: the actual link and the text that is displayed to the user. Phishing scams take advantage of this by displaying a legitimate-looking URL as the text, but actually linking to a malicious website. In any case, the URLs in the email are often a close match to the real thing, for example www.mybank.uk.com instead of www.mybank.co.uk.
The displayed "from" address in emails can also be misleading because it can be easily spoofed. This means that the sender can make it appear as if the email is coming from someone else's address. Hackers can exploit this weakness to make the email appear more legitimate and increase the chances that the recipient will click on a link or download an attachment. Email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) can be used to verify that email messages are actually coming from the domain they claim to be from, and that they have not been tampered with in transit.
Phishing scams often try to create a false sense of urgency to panic the user into not looking too closely at such details. For example, “some money has been taken from your account and we just need you to verify that it’s ok”.
DNS-layer security is very effective against phishing attacks. It’s not fooled by such tricks, because it examines the domain that is actually being resolved rather than whatever the link purports to be.
URL filtering is another reason why an organisation might wish to implement DNS-layer security. There are many URLs that are not malicious as such, but neither are they desirable. One of the key benefits of URL filtering is the ability to block access to bandwidth-hungry and NSFW (Not Safe For Work) websites.
Bandwidth-hungry websites, such as streaming video or music services, can consume a significant amount of network bandwidth, slowing down other internet-connected services and applications. By blocking access to these websites, organisations can help to ensure that network bandwidth is used efficiently and effectively.
Similarly, NSFW websites can pose a risk to organisations in a number of ways. These websites may contain inappropriate or offensive content that can create a hostile work environment, or they may be used to distribute malware or engage in other malicious activities. By blocking access to NSFW websites, organisations can reduce the risk of these types of threats and help to maintain a safe and productive work environment.
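The checks described above (known-bad domains, recently registered domains, lookalike phishing domains such as www.mybank.uk.com, and bandwidth or NSFW categories) brought together as an added example of a simplified DNS-layer policy. This is illustrative code written for this article, not Cisco Umbrella's implementation; every list, date and domain is a constructed sample, and the public-suffix handling is deliberately reduced to a two-entry table.

```python
# Added example: a simplified DNS-layer policy. All data below is constructed.
from datetime import date
from urllib.parse import urlsplit

KNOWN_BAD = {"evil-updates.example"}                                   # threat-intelligence blocklist
CATEGORY = {"videostream.example": "bandwidth", "adult-site.example": "nsfw"}  # URL-filter categories
REGISTERED_ON = {"fresh-login.example": date(2024, 5, 2)}             # domain creation dates
PROTECTED_BRANDS = {"mybank.co.uk"}                                   # genuine domains to defend
BLOCKED_CATEGORIES = {"bandwidth", "nsfw"}
NEW_DOMAIN_DAYS = 30
MULTI_LABEL_SUFFIXES = {"co.uk", "uk.com"}   # suffixes under which the registrable domain has 3 labels


def registrable_domain(host):
    """Reduce a query name to the domain someone actually registered (www.mybank.co.uk -> mybank.co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def lookalike_of(domain):
    """Return the protected brand whose name this domain reuses under a different suffix, if any."""
    for brand in PROTECTED_BRANDS:
        if domain != brand and domain.split(".")[0] == brand.split(".")[0]:
            return brand
    return None


def evaluate(qname, today):
    """Decide whether a DNS query for `qname` is allowed; returns (action, reason)."""
    domain = registrable_domain(qname)
    if domain in KNOWN_BAD:
        return ("block", "known malicious domain")
    brand = lookalike_of(domain)
    if brand:
        return ("block", f"lookalike of {brand}")
    created = REGISTERED_ON.get(domain)
    if created and (today - created).days < NEW_DOMAIN_DAYS:
        return ("block", "recently registered domain")
    cat = CATEGORY.get(domain)
    if cat in BLOCKED_CATEGORIES:
        return ("block", f"category {cat}")
    return ("allow", "no policy match")


def check_link(href, today):
    """A phishing link is judged by the host the browser would resolve, never by its display text."""
    return evaluate(urlsplit(href).hostname, today)
```

Note that the display text of an email hyperlink never reaches this function: only the host in the real `href` is resolved, which is why the lookalike check fires on www.mybank.uk.com whatever the link claimed to be.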
Cisco Umbrella is a subscription-based DNS service that incorporates DNS-layer security and internet-wide visibility to protect against threats such as malware, ransomware, and phishing.
By using the Domain Name System (DNS), Cisco Umbrella is able to block requests to malicious or inappropriate websites before they even reach a user's device. This is done by using a global network of servers that analyse DNS requests and filter out any requests that are deemed to be suspicious or malicious.
Like other Cisco security products, Umbrella benefits from the latest threat intelligence from Cisco Talos, one of the largest commercial threat intelligence teams in the world.
Cisco Talos is a threat intelligence and research group that is dedicated to providing advanced threat intelligence and research. They use a combination of machine learning, statistical modelling, and human expertise to identify and analyse threats, and to develop effective countermeasures.
The group is made up of security researchers, analysts, and engineers from around the world, and they work closely with other threat intelligence organisations and law enforcement agencies to provide comprehensive coverage of the threat landscape.
Cisco Talos provides a wide range of threat intelligence and research services, including malware and vulnerability research, threat analysis and investigation, and incident response. They also publish a variety of reports and advisories, providing up-to-date information on the latest threats and vulnerabilities.
Cisco Umbrella extends protection to remote workers by providing a cloud-based security service that can be accessed from anywhere with an internet connection. This means that even if an employee is working from home or another remote location, they can still benefit from the same DNS-layer security and internet-wide visibility provided by Cisco Umbrella.
Remote workers can access the service by connecting to the internet through a VPN or by using a Cisco Umbrella roaming client. The roaming client is a lightweight software agent that can be installed on a user's device, providing DNS-layer security and internet-wide visibility without requiring the user to connect to a VPN.
Cisco AMP for Endpoints
Cisco Umbrella is particularly effective when used in conjunction with Cisco AMP for Endpoints, because they work at different yet complementary layers. Umbrella prevents connections to malicious destinations and command-and-control call-backs at the DNS layer, while AMP works at the file level to prevent the initial malware execution and track file behaviour over time. Together, these solutions help organisations protect users against blended threats that use email, web, and other more sophisticated techniques.
In summary, if you’re still using a bog-standard DNS service you’re missing out on a security quick-win that can protect your network against phishing scams and other malware attacks.
We can offer a 14-day free trial of Cisco Umbrella.
For more information please call +44 1226 761188 or email firstname.lastname@example.org
Cisco, Cisco Umbrella, Cisco AMP for Endpoints and Cisco Talos are registered trade names of Cisco Systems, Inc.