The overwhelming threat of DNS attacks on the finance industry

By Ronan David, Chief of Strategy at EfficientIP

The financial service industry has always been an attractive target for cybercriminals because of the volume of sensitive customer and financial data such organisations manage. The rapid digitisation of the industry and increased reliance on cloud services have expanded the digital threat landscape. Moreover, the continuous transition to distributed and remote workforces has made financial networks and IT ecosystems more complex to manage.

This growing complexity in financial networks is creating scope for attackers to take advantage of DNS (Domain Name System) vulnerabilities, which ultimately paves the way for attacks such as ransomware, DDoS, cache poisoning, and zero-day exploits. In fact, our 2022 Global DNS Threat Report found the finance sector is the most targeted industry by DNS attacks. Over 90% of the financial institutions suffered from at least one DNS attack in the past year. On average, companies in this industry fell victim to 9.5 attacks in the past 12 months.

The high cost and frequency of DNS attacks can significantly impact a business’s continuity plan in the market, and even hinder their ability to sustain in the market for a long time. Therefore, as financial organisations continue to expand their digital landscape and continue to develop more complex network architecture, how can the industry become resilient to the advanced persistent threats and ensure more efficient DNS security?

Understanding DNS attacks

DNS is one of the most critical components of any business with a digital presence. It is the foundation of any internet-enabled business and the base on which the rest of the network should be built upon. DNS servers translate human-readable domain names such as xyz.com to machine-readable IP addresses such as 192.0. 2.44, allowing users to seamlessly access the resources they are looking for. So, if any element of these servers are compromised, consumers or employees can no longer reach vital applications or services. In simple terms, no DNS means no business.

It’s important to understand that DNS is the fundamental gateway through which almost all communication is initiated, making the link between users and both internal or external applications. That’s why they are often the prime target for exfiltrating or stealing such critical data. As DNS servers directly steer a network’s traffic, exploiting its vulnerabilities can allow threat actors to breach a network, redirect traffic to illicit web pages and steal user credentials, or even flood the server with malicious traffic to disrupt critical services and business operations.

Such threats are critical for financial services organisations, as they often have thousands of employees and users accessing their digital resources. For example, in a banking organisation there are multiple departments such as accounts, loans, and investments, and users of these different departments require access to different resources at the same time from varying locations. Therefore, it is impossible for financial firms to directly analyse in real-time the flow of traffic between remote clients and DNS servers. This allows threat actors to exploit DNS vulnerabilities and initiate a breach without triggering any alarm bells.

Understanding the impact of DNS attacks

From the threat of losing sensitive data to extended downtime in critical business operations, DNS attacks can have severe consequences on financial firms.

Firstly, such attacks can initiate a larger chain of future threats that can potentially compromise several different organisational networks and affect a large population of users. If threat actors can exploit DNS vulnerabilities, they can redirect traffic to illicit web pages and launch phishing campaigns to compromise credentials. These credentials can later be used for more sophisticated strikes such as supply chain attacks and targeted ransomware.

There’s also the critical threat of business downtime. Our research found that 70% of the organisations that suffered a DNS attack experienced severe application downtime. In fact, 36% of organisations had to entirely shut down a part of their network due to such attacks, before finding an effective resolution. On average, it took over six hours for businesses to mitigate the impact of a DNS attack.

Application or network downtime can be crippling for financial services firms. The services of these organisations are accessed 24/7 by hundreds of thousands of people. Imagine if a banking app was disrupted by such threats, it would mean millions of transactions would be affected and individual users and businesses won’t be able to access important financial services.

The growing adoption of remote work practices and cloud migration has also increased the potential impact of such attacks. As most organisations are now greatly dependent on cloud applications, the downtime caused by DNS attacks can have a large-scale impact on business operations, as well as their consumers, partners, and third parties.

In addition to the financial consequences, when all of these impacts are combined, these attacks could cause significant damage to a business’s reputation and cause their credibility to be questioned.

This also leads to several legal repercussions. If financial services firms do not have proactive measures in place to protect sensitive customer data and information, this could lead to severe lawsuits and regulatory penalties. Regulatory bodies such as the Financial Conduct Authority (FCA) can sanction fines between £15-£200 million for insecure practices and security mismanagement leading to a breach.

To overcome these significant threats, financial firms must emphasise DNS security. Traditionally businesses have relied on standard network security solutions such as anti-DDoS, IPS, and firewalls. However, such solutions don’t provide complete coverage of the modern and evolving DNS threat landscape – as they lack capabilities of managing high-volume network traffic and detecting behavioural anomalies within the network.

In order to achieve effective DNS security, financial firms must invest in proactive solutions that provide a holistic approach to protect public and private DNS infrastructures.

How to implement effective DNS security through proactive strategies?

A feasible approach to achieving proactive DNS security is the adoption of Zero Trust principles. Financial organisations should invest in solutions that can monitor network traffic in real-time at the user level and implement DNS filtering policies to ensure that only specific users can access specific apps and services. The network activities and behaviour of malicious traffic are different from legitimate users. However, these differences cannot be easily identified or flagged by standard security systems, as businesses will have a large volume of incoming and outgoing traffic traversing through the servers.

Automation should also be a key consideration when investing in any DNS security solution. Such solutions are not resource-intensive, as they can automate adapted security responses to DNS incidents without requiring human intervention.

We found that currently, 25% of businesses are not collecting data or analysing their DNS traffic, while 62% are still not using any kind of auto-remediation tool for DNS threats. So, evidently, there needs to be a greater push towards investing in such solutions across industries.

A modern automated DNS security solution can analyse all network traffic data in real-time and identify the different parameters of user behaviour within the network. If the activities of any network traffic are not recognised as standard behaviour, such solutions can launch an immediate response, therefore containing the damage and stopping sophisticated attacks such as zero-day malicious domains.

Moreover, automated DNS management solutions can streamline the IP provisioning and de-provisioning processes, thus eliminating the risks of network misconfiguration, shadow IT, and increasing visibility, especially in multi-cloud and hybrid environments. Security teams equipped with these capabilities can achieve a greater understanding of how their employees behave, allowing them to monitor machine-to-machine interactions and detect unmanaged programmes or devices across the IT estate.

In addition to implementing automated solutions, organisations must also enhance their internal network and security operations to build a robust DNS security infrastructure. For financial firms, an effective way of doing this is by integrating and converging the workflows of NetOps and SecOps teams – establishing a consolidated NetSecOps division.

Establishing a NetSecOps team allows both network operations and security teams to collaborate more efficiently across infrastructure design, incident handling, monitoring, and response. Such collaboration accelerates threat remediation efforts by automatically sharing actionable data and events coming from DNS traffic analysis with security teams to simplify SOC investigation and response.

In conclusion, the best approach to achieving a robust DNS security infrastructure is through the implementation of an automated 360-degree DNS security solution, the adoption of Zero Trust principles, and the establishment of a NetSecOps division. As our digital threat landscape is continuously expanding, financial firms must adopt these strategies to ensure that any vulnerabilities in network infrastructure don’t lead to a crippling cyberattack.