Cisco’s annual security report released this week, covering everything from threat intelligence, aging infrastructure, geopolitical Internet governance, outsourcing security, and many other topics. The comprehensive report is a view of the security landscape, including results from a large survey that aims to take the pulse of infosec organizations and how they are spending budget and tackling their security challenges. A portion of the report is dedicated to how important it is for organizations to monitor DNS for attack indicators, though a good majority do not do so.
In July 2014, OpenDNS Security Labs conducted an informal survey to find out how many companies were monitoring recursive DNS, and the results were not positive. Nearly 67 percent of responders indicated they do not monitor recursive DNS for malicious traffic. The same year, the Verizon Data Breach Investigations report called DNS one of the most valuable sources of data within an organization, recommending that it be mined regularly and cross-referenced against threat intelligence.

Cisco Cloud Security Research Lead Dan Hubbard said security teams that are not monitoring DNS for indications of compromise are missing an opportunity. “Aside from routing protocols, DNS is the lowest layer of the Internet,” Hubbard said. “And because it’s so robust and reliable, criminals use it too.”
According to the Cisco report, more than 91 percent of attacks use DNS in some way, either to communicate with a control servers, exfiltrate data from targets, or receive new commands to infiltrate networks further.
Hubbard said to get that figure for the report, his research team analyzed six months’ worth of known malware signatures from Threat Grid’s intelligence data, detonated the attacks in a sandbox, and observed which attacks used DNS to communicate.
“Most organizations have systems that sit above the DNS layer, like secure web gateways and firewalls,” he said. “But soon, your car, your heart rate monitor, your refrigerator, are all going to use DNS. It’s the most pervasive protocol.”
The Cisco security report notes that many organizations may not monitor DNS because security and DNS are often managed by two different teams. And while that may be true, Hubbard thinks it’s also a matter of prioritization. The dependability and simplicity of DNS can turn it into an organization’s security blind spot.
To read the rest of the report, visit Cisco’s security portal. For more discussion about the DNS security blind spot, see the webcast with Dan Hubbard here.