{"id":7923,"date":"2022-08-17T12:24:50","date_gmt":"2022-08-17T19:24:50","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=7923"},"modified":"2023-10-12T09:09:20","modified_gmt":"2023-10-12T16:09:20","slug":"the-u-k-s-ncsc-recommends-protective-dns-for-government-and-industry","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/the-u-k-s-ncsc-recommends-protective-dns-for-government-and-industry\/","title":{"rendered":"The U.K.\u2019s NCSC Recommends Protective DNS for Government and Industry"},"content":{"rendered":"

The UK’s prestigious National Cyber Security Centre (NCSC) has issued <\/span>important recommendations<\/span><\/a> for private companies and government agencies to use Protective DNS (PDNS) to secure and protect information technology assets and networks. PDNS provides key defense against malicious cyber threats and can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking access to known malicious domains. PDNS also provides very substantial utility for organizations which can use DNS query logs as an authoritative source of data for incident response and threat hunting activities. While NCSC provides their own <\/span>PDNS service<\/span><\/a> for government organizations and emergency services in the UK, they also recommend private companies to select a <\/span>PDNS provider<\/span><\/a> that has experience in cybersecurity and DNS.\u00a0\u00a0\u00a0<\/span><\/p>\n

The NCSC is the UK\u2019s technical authority for cyber threats. The NCSC was formed in 2016 to provide a unified national response to cyber threats. The NCSC monitors incidents, provides early warnings, disseminates information, conducts cyber threat assessments and provides general technical support to competent authorities. The NCSC also acts as a bridge between the UK\u2019s industry and government, providing a unified source of advice, guidance, and support on cybersecurity, including the management of cybersecurity incidents.\u00a0<\/span><\/p>\n

NCSC\u2019s role in responding to cyber threats is substantial and often involves coordination with the cybersecurity and intelligence agencies in the United States, New Zealand, Australia, Canada, and many countries within Europe. In Europe, the NCSC remains in close coordination and information sharing with the European Union Agency for Network and Information Security (ENISA), the EU CSIRTs Network, the European Government CERTs (EGC) group, and the TF-CSIRT task force. The NCSC has strong technical expertise and can leverage the brightest and best cyber defense minds within the UK and partner organizations.<\/span><\/p>\n

During the same time period, The National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) released a Joint Cybersecurity Information (CSI) brief which contained similar strong guidance on the importance of selecting a protective Domain Name System (PDNS). The NCSC\u2019s most recent guidance is in complete alignment with the NSA\/CISA CSI technical recommendations, both of which stress the criticality and urgency of implementing a PDNS solution.\u00a0<\/span><\/p>\n

NCSC Guidance\u2014Why Use Protective DNS<\/span><\/h3>\n

Protective DNS was designed to stop the use of DNS by threat actors in support of malware distribution and operation. Protective DNS works by making your networks use a given DNS resolver, or set of resolvers. These resolvers, run by the protective DNS provider, base their responses to queries on a set of policies which determine which queries will be allowed and which will be blocked.<\/span><\/p>\n

Typically, both the domain name being requested, and the IP address returned from a query will be checked against a Block List and access is prevented if there is a match. Additionally, some protective DNS providers will attempt to block visits to websites with programmatically generated domain names, which are used by malware to circumvent Block Lists.<\/span><\/p>\n

Protective DNS prevents access to a range of malicious sites including domains distributing malware, command, and control domains used to control malware, and domains used in phishing attacks, including those used for fraud.<\/span><\/p>\n

Preventing access to these domains should protect your organization against malicious actors, making it harder for them to compromise your networks, and harder to exploit any compromises.<\/span><\/p>\n

A secondary benefit from protective DNS is the ability to analyze, and potentially be alerted to, DNS requests made to blocked domains. This information should be incorporated into a Security Information and Event Management (SIEM) model, allowing for effective investigation of incidents. Organizations should have DNS logging in place\u2014this is an important and integral part of the monitoring process.<\/span><\/p>\n

In the UK, the NCSC has arranged for a PDNS to be available for use immediately by central government, local authorities, devolved administrations, emergency services, NHS organizations, and the Ministry of Defense. The NCSC has provided private enterprise with recommendations and technical guidance to acquire the necessary PDNS functionality from vendor sources.\u00a0<\/span><\/p>\n

Selecting a PDNS Provider<\/span><\/h3>\n

The NCSC recommends the acquisition of services from trusted providers. Per the NCSC\u2019s recommendations, trusted providers demonstrate experience and technical expertise in cybersecurity and DNS. Trusted providers should show that they can protect against threats that can, in turn, be blocked by protective DNS. Trust providers should keep their technical expertise up to date. Most importantly, trusted providers should ensure that their policies and block lists are regularly updated by effective intelligence feeds. These intelligence feeds should be regularly reviewed to ensure that they are most effective.\u00a0<\/span><\/p>\n

Agencies within other countries are issuing similar recommendations, such as the US’ NSA who published the previously referenced <\/span>guidance on selecting a Protective DNS service<\/span><\/a>, including a comparison of the capabilities of different providers.<\/span><\/p>\n

No Surprise \u2013 Most Malware Leverages DNS in the Attack Chain<\/span><\/h3>\n

The recommendations for the implementation of a PDNS follow in the wake of a common thread used by many threat actors to exploit and leverage DNS. DNS is continually used to set up and execute attack chains. Sooner or later malware must reach back to command & control, and DNS is used as a covert communication channel for this purpose. The attack may involve DNS queries when the victim\u2019s system is compromised and infected. DNS is almost always used when an infected system communicates with the command and control (C&C) servers.\u00a0<\/span><\/p>\n

PDNS can help reduce the risk of the successful exploitation of your DNS infrastructure. A review of MITRE ATT&CK shows that threat actors leverage a multitude of techniques to directly exploit and utilize DNS.\u00a0<\/span><\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
MITRE ATT&CK TACTICS USED BY ATTACKERS TO LEVERAGE DNS<\/b><\/td>\n<\/tr>\n
TACTIC<\/b><\/td>\nTECHNIQUES<\/b><\/td>\nSUB-TECHNIQUES<\/b><\/td>\n<\/tr>\n
Reconnaissance<\/span><\/td>\nT1590 Gather Victim Network Information<\/span><\/td>\n.001 Domain Properties<\/span><\/p>\n

.002 DNS<\/span><\/p>\n

.004 Network Topology<\/span><\/p>\n

.005 IP Addresses<\/span><\/td>\n<\/tr>\n

<\/td>\nT1598 Phishing for Information<\/span><\/td>\n.003 Spearphishing Link<\/span><\/td>\n<\/tr>\n
Resource Development<\/span><\/td>\nT1583 Acquire Infrastructure<\/span><\/td>\n.001 Domains<\/span><\/p>\n

.002 DNS Server<\/span><\/td>\n<\/tr>\n

<\/td>\nT1584 State Capabilities<\/span><\/td>\n.002 Upload Tool<\/span><\/td>\n<\/tr>\n
Initial Access<\/span><\/td>\nT1189 Drive-by Compromise<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1190 Exploit Public-Facing Application<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1566 Phishing<\/span><\/td>\n.002 Spearphishing Link<\/span><\/td>\n<\/tr>\n
Execution<\/span><\/td>\nT1204 User Execution<\/span><\/td>\n.001 Malicious Link<\/span><\/td>\n<\/tr>\n
Credential Access<\/span><\/td>\nT1557 Adversary-in-the-Middle<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1040 Network Sniffing<\/span><\/td>\n<\/td>\n<\/tr>\n
Command & Control<\/span><\/td>\nT1071 Application Layer Protocol<\/span><\/td>\n.004 DNS<\/span><\/td>\n<\/tr>\n
<\/td>\nT1132 Data Encoding<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1568 Dynamic Resolution<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1573 Encrypted Channel<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1008 Fallback Channels<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1105 Ingress Tool Transfer<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1572 Protocol Tunneling<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1090 Proxy<\/span><\/td>\n.001 Internal Proxy<\/span><\/p>\n

.002 External Proxy<\/span><\/td>\n<\/tr>\n

Exfiltration<\/span><\/td>\nT1030 Data Transfer Size Limit<\/span><\/td>\n<\/td>\n<\/tr>\n
<\/td>\nT1048 Exfiltration Over Alternative Protocol<\/span><\/td>\n.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol<\/span><\/p>\n

.002 Exfiltration Over Asymmetric Non-C2 Protocol<\/span><\/p>\n

.003 Exfiltration Over Unencrypted Obfuscated Non-C2 Protocol<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

<\/h3>\n

Infoblox Support for PDNS Solutions<\/span><\/h3>\n

Infoblox BloxOne\u2122 Threat Defense provides protective DNS capabilities to defend against today’s sophisticated threats, and brings extensive threat intelligence from multiple sources. BloxOne provides the most current, comprehensive, and accurate set of malicious hostnames, domains, IP addresses, and other relevant threat indicators. This enables DNS servers to detect and block activity such as command and control (C&C) communications to malicious destinations. Advanced behavioral analytics, machine learning and other advanced techniques applied to real-time DNS queries can rapidly detect and stop zero-day DNS tunneling, DGA, data exfiltration, Fast Flux, lookalike domains, and more.\u00a0<\/span><\/p>\n

Infoblox’s DDI (DNS, DHCP, IPAM database) data can further provide invaluable information about related devices and actionable network context (like what type of device it is, where it is in the network, who it is assigned to, lease history). This information can provide essential visibility into ongoing attacks and for remediation strategy.\u00a0<\/span><\/p>\n

Also, critically important is that the integration of data with SIEM and SOAR infrastructure can provide significant reductions in time for the detection of threats and the automation of incident response. When Infoblox detects something malicious, a new device, or virtual workload on the network, it automatically shares that event information and context with existing security infrastructures like endpoint EDR, SIEM, SOAR, and other solutions. This data can trigger the security tools to prevent access to the network or scan for vulnerabilities until it is deemed compliant with policy.<\/span><\/p>\n

For more information:<\/span><\/p>\n