
Data Center and Hybrid Cloud for Dummies

Issue link: https://insights.oneneck.com/i/1458399


CHAPTER 2 Security Challenges in Hybrid Clouds 29

These materials are © 2020 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

All this happens in the background within a few milliseconds. Sites like google.com or paloaltonetworks.com may resolve to multiple IP addresses, so the millions of people who look up the same name at the same time, often from different countries, are directed to different servers distributed worldwide. DNS information is also cached on your computer and on the servers used by your Internet service provider. Once the IP address for a particular name is cached, your computer no longer needs to ask a DNS resolver to resolve that name until the cached record's time-to-live (TTL) expires.

DNS is an open service, and by default it has no way to detect DNS-based threats. As a result, malicious activity within DNS can be used to propagate an attack, causing costly damage and downtime. DNS is a massive and often overlooked attack surface, present in every organization, that can be used for malware delivery, C2 communications, and data exfiltration. Adversaries take advantage of the open and widespread nature of DNS to abuse it at different communication points during the back-and-forth resolution process described in the preceding steps.

According to the Palo Alto Networks Unit 42 threat research team, almost 80 percent of malware uses DNS to initiate C2 communications (see the "DNS-based attacks: OilRig" sidebar in this chapter). Attackers establish command channels that are hard to identify or take down, because DNS queries are allowed out of almost every network and are rarely inspected, so DNS is a dependable way to keep a connection to attacker-controlled servers alive. Once a connection is established, attackers can use DNS traffic to deliver malware into a network or tunnel data out.

Unfortunately, security teams often lack basic visibility into how threats use DNS to establish and maintain control of infected devices. Adversaries take advantage of the ubiquitous nature of DNS to abuse it at multiple points of an attack, including reliable C2. Security teams also struggle to keep up with new malicious domains and enforce consistent protections for millions of emerging domains at once. Attackers develop domain generation algorithms (DGAs), which automatically create thousands of malicious domains that can be used for C2. As adversaries
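The two abuses described above, data tunneled out in long encoded subdomain labels and DGA-generated C2 domains that mostly resolve to NXDOMAIN, both leave measurable traces in ordinary resolver logs. The script below is an added example, not code from the book or from Palo Alto Networks; it scores constructed query records for both patterns and then aggregates per client and per parent zone, which is what turns single noisy hits into a defensible alert. The log format (client, query name, type, response code), the threshold values, and the sample hostnames are assumptions made for the illustration, and the registered-domain logic ignores multi-part public suffixes such as co.uk.

```python
"""Flag DNS-tunneling and DGA-like queries in resolver logs.

Added example, not part of the original text. The log format below
(client, qname, qtype, rcode) and all hostnames are constructed.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: three normal queries, three long hex-encoded
# labels under one zone (tunnel-like), three random-looking NXDOMAINs
# from one client (DGA-like).
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com A NOERROR
10.0.0.7 cdn.example.net A NOERROR
10.0.0.9 4d61726b2d46696c652d53656372657473.data.evil-example.test TXT NOERROR
10.0.0.9 2e5041595f726f6c6c5f7374617274.data.evil-example.test TXT NOERROR
10.0.0.9 4e6f7468696e67546f536565486572652e.data.evil-example.test TXT NOERROR
10.0.0.11 xkq7pz3vwa9lm.com A NXDOMAIN
10.0.0.11 bq9t2yxv8wcnf.net A NXDOMAIN
10.0.0.11 zr4kphw6dmq3j.org A NXDOMAIN
"""

# Assumed thresholds; tune against your own baseline traffic.
TUNNEL_LABEL_LEN = 24     # legitimate labels are rarely this long
TUNNEL_DIGIT_RATIO = 0.3  # hex/base32 payloads are digit-heavy
TUNNEL_ENTROPY = 3.5      # bits/char; catches base64-style payloads
DGA_SLD_LEN = 10
DGA_ENTROPY = 3.0
MIN_HITS_FOR_ALERT = 3


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol input."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> dict:
    """Parse one whitespace-separated record of the assumed log format."""
    client, qname, qtype, rcode = line.split()
    return {"client": client, "qname": qname.rstrip(".").lower(),
            "qtype": qtype, "rcode": rcode}


def score_query(rec: dict) -> list:
    """Return the list of indicators ('dga-like', 'tunnel-like') for one query."""
    labels = rec["qname"].split(".")
    reasons = []
    # DGA heuristic: a random-looking registered label that does not resolve.
    if len(labels) >= 2:
        sld = labels[-2]  # simplification: ignores suffixes like co.uk
        if (rec["rcode"] == "NXDOMAIN" and len(sld) >= DGA_SLD_LEN
                and shannon_entropy(sld) >= DGA_ENTROPY):
            reasons.append("dga-like")
    # Tunnel heuristic: any non-TLD label long enough to carry a payload
    # and looking like encoded data rather than a word.
    for label in labels[:-1]:
        digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
        if len(label) >= TUNNEL_LABEL_LEN and (
                digit_ratio >= TUNNEL_DIGIT_RATIO
                or shannon_entropy(label) >= TUNNEL_ENTROPY):
            reasons.append("tunnel-like")
            break
    return reasons


def analyze(log_text: str):
    """Score every query, then aggregate per client and per parent zone."""
    per_query = []
    nx_domains_by_client = defaultdict(set)
    payload_labels_by_zone = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        reasons = score_query(rec)
        per_query.append((rec["qname"], reasons))
        labels = rec["qname"].split(".")
        zone = ".".join(labels[-2:])
        if "dga-like" in reasons:
            nx_domains_by_client[rec["client"]].add(zone)
        if "tunnel-like" in reasons:
            payload_labels_by_zone[zone].add(labels[0])
    alerts = []
    for client, domains in nx_domains_by_client.items():
        if len(domains) >= MIN_HITS_FOR_ALERT:
            alerts.append(f"{client}: {len(domains)} NXDOMAIN replies for "
                          "random-looking domains (possible DGA beaconing)")
    for zone, subs in payload_labels_by_zone.items():
        if len(subs) >= MIN_HITS_FOR_ALERT:
            alerts.append(f"{zone}: {len(subs)} distinct long encoded labels "
                          "(possible DNS tunnel)")
    return per_query, alerts


if __name__ == "__main__":
    scored, alerts = analyze(SAMPLE_LOG)
    for qname, reasons in scored:
        if reasons:
            print(f"{qname}: {', '.join(reasons)}")
    for alert in alerts:
        print("ALERT", alert)
```

The per-query scores are deliberately noisy (a CDN hostname with a long token can trip the tunnel rule), which is why the alert is raised only when one client or one zone accumulates several hits; in practice you would also exclude an allowlist of known long-label services and feed the NXDOMAIN counts into the same time window the malware's beacon interval uses.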
