[ed. note – this post was authored jointly by John Stuppi and Dan Hubbard]

The Domain Name Service (DNS) provides the IP addresses of intended domain names in response to queries from requesting end hosts. Because many threat actors today are leveraging DNS to compromise end hosts monitoring DNS is often a critical step in identifying and containing malware infections and investigating attacks. Yet our research found that few organizations actually monitor DNS for security purposes—or at all—which makes DNS a security “blind spot.”

We explore this issue in more detail in the Cisco 2016 Annual Security Report. But here’s one statistic from the report that helps underscore why security teams need to start, or step up, their monitoring of DNS: Our recent analysis of malware validated as “known bad” found that the majority (91.3 percent) of that malware uses DNS in one of three ways:

  1. to gain command and control
  2. to exfiltrate data
  3. to redirect traffic

Cisco regularly conducts retrospective investigation into DNS queries and subsequent TCP and UDP traffic to identify malware sources such as command-and-control servers, websites, and distribution points. Through our research, we have discovered and identified “rogue” DNS resolvers in use on customer networks; unmonitored and unmanaged use of these resolvers by employees leaves companies vulnerable to malicious behavior such as DNS cache poisoning and DNS redirection.

We have also uncovered a range of other DNS-related security issues in our customers’ networks, including DNS “typosquatting” (i.e. the act of registering a domain name similar to an existing domain name, in order to target users who may have inadvertently mistyped the intended domain) and pervasive DNS tunneling to Chinese-registered domains.

To drill down into the DNS issue even further, we recently examined the networks of a select sample of Cisco Custom Threat Intelligence (CTI) customers across multiple verticals. We found that a significant majority of these organizations had malware infections due to the Angler exploit kit, Bedep Trojan, Dyre, Cutwail spam botnet, and many other threats that rely on DNS to help execute their campaigns.

Our research underscores why vigilant monitoring of DNS should be part of an organization’s ongoing security strategy. DNS monitoring is so important for security investigations, as well, because it allows researchers to map out components that can help determine everything from the type of infrastructure supporting the attack to finding its source.

One reason organizations fail to monitor DNS—or simply do a poor job of it—is because their security teams and DNS experts typically work in different IT groups within the company and therefore don’t have an opportunity to interact often. Improving communication and collaboration between these two groups is something that must be addressed—but it’s only part of the solution. The security technology and correlation analysis are also essential to undermining adversaries that use DNS.

Please download Cisco 2016 Annual Security Report to read more on the DNS blindspot and other important security topics as we move into 2016.


John Stuppi

Technical Leader

Cisco Security Research & Operations