Securing DNS: Interrupting Attacks as Early as Possible

Author: Lewis Pope, head security nerd, N-able

The sooner you can stop a cyberattack, the less damage will be done to your customer’s network. As N-able's Lewis Pope explains, DNS filtering can help you get ahead of attackers in key areas.

While MSPs have been making significant investments in security and offering services, it is a challenge to keep up with the frequency and evolving sophistication of today’s cybersecurity threats. Defense in Depth (DiD) is the foundation on which most MSPs have built a layered security approach for dealing with them. DNS filtering is one of the strongest and earliest lines of defense you can implement as part of a layered security offering to reduce your clients’ exposure to malicious threats and, in turn, help reduce your operational overhead.

The sooner you can stop an attack, the less damage will be done. Fewer hours will be spent on remediation, and client operations will suffer less. These are goals every MSP strives for, but how does DNS filtering help you achieve them?

What is a kill chain?

Understanding what a kill chain is makes it easier to understand how DNS filtering works to protect against cybersecurity threats. A kill chain is a phase-based model that describes the stages a cyberattack goes through for the attacker to achieve their final objective. There are many different frameworks, and some are more detailed than others. The MITRE ATT&CK matrix is perhaps the most robust and current framework and one you should be familiar with. The MITRE ATT&CK framework covers separate attack phases through 14 stages with over 200 sub-techniques.

While DNS filtering doesn’t protect against all the techniques defined in the MITRE ATT&CK framework, it does interrupt the earliest and some of the most important steps, which is perhaps its most powerful feature.

How DNS filtering interrupts a kill chain

DNS filtering interrupts a kill chain in five key areas:

1. Reconnaissance

The first stage of a kill chain is Reconnaissance. Sometimes this is as simple as an attacker checking LinkedIn for employees of a company and then sending phishing emails. Nothing can stop an attacker from developing a list of valid emails for a domain and then sending phishing emails in hopes a user will click on a link or divulge information. A mail filtering solution, cybersecurity awareness training for end users to not answer “what was the name of your first dog” social posts, and a DNS filtering solution are great bets for combating reconnaissance.

If the mail filter doesn’t catch the email, or if the end user overrides it and opens the correspondence anyway to click on a link inside, then a DNS filtering solution has the opportunity to block the connection to the website hosting the phishing attack. The end user is taken to a block page instead of the actual malicious website, which can interrupt an attacker’s information gathering, meaning the attacker will have to begin again with other methods.

2. Resource Development

These are the techniques an attacker may use to set up resources to support other parts of the kill chain. The MITRE ATT&CK framework defines these as Acquire Infrastructure, Compromise Accounts, Compromise Infrastructure, Develop Capabilities, Establish Accounts, Obtain Capabilities, and Stage Capabilities. While you can’t stop an attacker from performing any of these steps, the later use of all five of the sub-steps of Stage Capabilities (uploading malware, uploading malicious tools, installing a digital certificate, drive-by targeting, and link targeting) can be defended against by having DNS filtering in place. If an attacker uses compromised systems, or uploads malware or other ingress tools to known malicious servers, then DNS filtering can block an endpoint’s access to that resource.

3. Initial Access

Similar to the phishing in the Reconnaissance phase, during the Initial Access phase an attacker may be sending highly targeted spear phishing emails—but instead of information gathering, these are delivering a payload. The phishing emails can contain links that might evade a mail filtering solution and once clicked may download a malicious payload file from known malicious servers. Again, email filtering, cybersecurity awareness training for end users, and DNS filtering are some of your strongest defenses here.

Drive-by Compromise is also a technique used for initial access. Attackers may compromise existing, legitimate websites to redirect information to the attacker’s infrastructure or attempt to deliver malicious payloads via the compromised site. A DNS filter can block access to the compromised website if it has known malicious activity.

4. Execution

The Execution stage consists of running attacker-controlled code on a system. This is often paired with other techniques to achieve broader compromise of an environment or the delivery of a payload. Within the MITRE ATT&CK framework there are 12 sub-techniques listed under Execution. Of these, Command and Scripting Interpreter and User Execution are probably the most used.

If a threat actor manages to get their code to run on an endpoint, say via a macro embedded in a Word document that calls and executes a PowerShell script to download and run a malicious payload, then a DNS filter has the opportunity to stop this attack technique by preventing the download of the payload from the known malicious site where it’s hosted.

5. Command and Control

Command and Control covers the techniques attackers use to control and communicate with compromised systems. This is where DNS filtering perhaps gives you the most bang for your buck. By filtering all DNS traffic through a trusted service, you can prevent compromised endpoints from communicating with an attacker’s command and control infrastructure. This can prevent endpoints from receiving malicious commands, reducing the likelihood of data exfiltration and preventing a device’s enrollment as part of a botnet.
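The filtering decision described in the steps above, as an added example that is not part of the original article or any N-able product: each queried name is checked against a blocklist, including its parent domains, blocked names are answered with a block-page address, and clients that repeatedly look up blocked command-and-control names are listed for investigation. The blocklist entries, client addresses, sinkhole IP, and the threshold of three lookups are constructed assumptions.

```python
from collections import Counter

# Constructed sample data: blocklist entries, client addresses and queried
# names are made up for illustration and do not come from the article.
BLOCKLIST = {"c2.example.net": "command-and-control",
             "login-portal.example.org": "phishing"}
SINKHOLE_IP = "192.0.2.10"  # hypothetical block-page address (TEST-NET-1)

QUERY_LOG = [  # "<client> <queried name>", one constructed line per lookup
    "10.0.0.5 www.example.com",
    "10.0.0.7 login-portal.example.org",
    "10.0.0.9 beacon.c2.example.net",
    "10.0.0.9 BEACON.C2.EXAMPLE.NET.",
    "10.0.0.9 update.c2.example.net",
    "10.0.0.5 notc2.example.net",
]

def normalize(name):
    """Lower-case and drop the trailing root dot so lookups are consistent."""
    return name.strip().lower().rstrip(".")

def classify(name):
    """Return the blocklist category for name or any parent domain, else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        # Match on whole labels only, so notc2.example.net is not caught.
        category = BLOCKLIST.get(".".join(labels[i:]))
        if category:
            return category
    return None

def filter_queries(log_lines):
    """Decide each query; return (decisions, blocked count per client/category)."""
    decisions, blocked = [], Counter()
    for line in log_lines:
        client, name = line.split()
        category = classify(name)
        if category:
            decisions.append((client, normalize(name), "BLOCK", SINKHOLE_IP))
            blocked[(client, category)] += 1
        else:
            decisions.append((client, normalize(name), "ALLOW", None))
    return decisions, blocked

def suspected_beacons(blocked, threshold=3):
    """Clients with repeated blocked C2 lookups (threshold is an assumption)."""
    return sorted(client for (client, category), count in blocked.items()
                  if category == "command-and-control" and count >= threshold)
```

A blocked lookup stops the connection, but the endpoint that keeps asking for a command-and-control name is still compromised, so the blocked-query log doubles as a detection source.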

DNS filtering as part of layered security

There are plenty of other opportunities that DNS filtering has for interrupting kill chains. Since DNS is such a fundamental part of how navigation around the internet works, being able to stop attacks at such an early stage can help you avoid many hours of troubleshooting, remediation, and client downtime.

Reducing an endpoint’s exposure to threats through DNS filtering, combined with the high efficacy in detecting threats provided by N-able Endpoint Detection and Response (EDR), can allow you to quickly implement a solid cybersecurity foundation on which to build. During MITRE’s ATT&CK Carbanak+FIN7 Evaluations that were completed in April 2021, N-able EDR achieved full visibility of all 174 sub-steps tested with zero misses. With this one-two punch of reducing exposure to threats and being able to identify and remediate them when they occur, MSPs can change the story around their cybersecurity services.

This guest blog is courtesy of N-able. Author Lewis Pope is the head security nerd at N-able. You can follow him on Twitter (@cybersec_nerd), LinkedIn (thesecuritypope) or Twitch (cybersec_nerd). Read more N-able guest blogs here. Regularly contributed guest blogs are part of ChannelE2E’s sponsorship program.