Targeting of the Domain Name System (DNS) by cybercriminals is on the rise, yet it’s also one of the most overlooked areas when IT teams build their defenses. As a result, organizations are increasingly susceptible to becoming the victims of malware payloads and the exfiltration of sensitive information.
To better understand the attack patterns hitting company networks, we decided to create The Infoblox DNS Threat Index to measure the creation of malicious domains. In other words, we’re looking at the formation of cyberattack infrastructure, understanding that as infrastructure is built, an increase in attacks is likely to soon follow. According to our latest report for the second quarter of 2015 (our research, powered by IID, analyzes three years of data), DNS threats are up year over year by 58 percent, while infrastructure for phishing attacks, one of the most common types of DNS attack, rose 78 percent year over year.
Phishing on the rise
Phishing is a time-tested weapon of cyber criminals that involves sending emails pointing users to fake web sites—mimicking a bank’s home page, for example, or a company’s employee portal—to collect confidential information such as account names and passwords or credit-card numbers.
Criminals tend to stick with phishing because it works, and because it’s often easier to trick humans into giving up sensitive information than to overcome increasingly sophisticated cybersecurity systems. Teaching internal users to be diligent and aware of the links they are clicking on is one level of protection. In addition, because important information is at risk once a user has been exploited, organizations should also deploy technology that leverages current threat data to block traffic to and from malicious sites.
“Seasons” of attack activity
Another observation from studying the data is that activity tends to group into two trends, or “seasons.” Attackers and malicious agents are waging a constant cat-and-mouse game with threat researchers. Malicious actors rapidly create infrastructure and set up domains as a base for launching attacks. During this “planting” phase, there is a significant rise in the number of malicious domains associated with malware and exploit kits. Currently, we’re in the planting phase of phishing attacks.
Once this phase ends, the attackers begin to “harvest” the extensive infrastructure they have built to launch attacks, steal data and generally cause harm to their victims. We don’t know for sure, but it appears possible such a harvesting cycle could begin later this year.
Seasons of planting and harvesting will continue indefinitely. Knowing and differentiating between different attacks and the different threat levels of DNS-based malware can enable organizations to prepare by investing not only in perimeter protection but also in technologies that provide visibility into infections, protection and post-breach response.
By Craig Sanderson, senior director of security products at Infoblox.