
The Insecure Connection With Partners—How DNS Can Affect All Online Communications

Part of IID's DNS Dojo Series

We’ve already discussed that the Domain Name System or DNS is like an address book for the Internet, connecting domain names with the IP addresses that tell your computer where to find a website online. We’ve also talked about how the DNS might pose some risks to your enterprise if your extended enterprise partners aren’t secure. But how exactly is the DNS involved in communications between your company and a partner?

Because the Domain Name System translates between what we type (the domain name) and where our computer actually has to go (the IP address), the DNS is involved at every step in getting an Internet user to their desired location. And those “desired locations” aren’t just the web addresses a user types into the browser’s address bar. The DNS is working behind the scenes when a customer makes a purchase online with a credit card, or when an employee views a paystub on the company’s online human resources site, because each of those actions involves looking up and traveling to another Internet location.

Detailing DNS Connections

In order for a user’s browser to take them to their desired location, the DNS must translate between the domain name and the IP address. When extended enterprise partners rely on each other’s online tools and resources to bring services or information to an end customer, the DNS is making those connections in the background too. When a banking customer signs on to their bank’s website to pay a bill electronically, they are accessing not only their own account information via the bank’s website; they are ultimately connected through that website to the payment processing company handling the transaction, and the resolution of the processor’s domain name is what decides where that connection really goes. If your organization is that bank, you want to know that the connection you’ve just created between your customer and your extended enterprise partner is secure and acting as intended. Once your customer has confirmed that payment, you don’t want to find out that the “payment processor” was actually a cyber criminal redirecting the transaction to his own bank account.

Blind Trust Doesn’t Work

But if this is all happening in the background, how can companies know where they’re sending their customers and their valuable information? By monitoring their own DNS and that of their extended enterprise partners, companies can learn of any change to the DNS records of the Internet properties they own and of those they connect to.

While the majority of changes made to a domain’s DNS settings are innocuous, those that aren’t pose a significant threat to the affected organization and its partners. When IID detects a DNS change, we investigate to determine whether the change was made intentionally by the domain owner or whether a cyber criminal made it. Intentional changes by the domain owner might include moving from one nameserver to another legitimate nameserver in their control. Conversely, a malicious change to DNS could point a domain to an IP address that is not controlled by the domain’s owner but by a criminal who intends to intercept traffic and potentially sensitive data. The record change itself looks the same in both cases; what separates them is whether the new nameserver or address belongs to infrastructure the owner actually controls. If a DNS change is deemed malicious, communication with that domain can be suspended until the issue is resolved, limiting the potential damage. Severing that connection to an enterprise partner whose DNS has been maliciously altered can save your company, employees and customers from inadvertently visiting a compromised site or sharing sensitive information with an unknown cyber criminal.
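The classification described above, as an added example that is not IID’s code or part of the original post: a baseline of a partner domain’s NS and A records is diffed against a fresh observation, and each change is rated benign (the new nameserver or address is still inside what the owner controls), suspect (it is not), or review (records vanished with nothing new appearing). The domain, nameservers, netblocks and observed answers are all constructed for the example; a production monitor would fill the observations from live resolver queries instead.

```python
import ipaddress

# Constructed baseline for one partner domain: the record sets the domain
# owner has told us are legitimate. Names and addresses are hypothetical.
BASELINE = {
    "payments.example.net": {
        "NS": {"ns1.example.net.", "ns2.example.net."},
        "A": {"198.51.100.10", "198.51.100.11"},
    }
}

# Constructed allow-lists, as they would come from the partner's change-control records.
OWNER_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]
OWNER_NAMESERVERS = {"ns1.example.net.", "ns2.example.net.", "ns3.example.net."}


def _in_owner_space(ip, owner_nets):
    """True if the address falls inside a netblock the domain owner controls."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in owner_nets)


def classify_changes(domain, observed, baseline=BASELINE,
                     owner_nets=OWNER_NETBLOCKS, owner_ns=OWNER_NAMESERVERS):
    """Diff observed NS/A record sets against the baseline.

    Returns one finding per record type that changed:
    {"rrtype", "added", "removed", "severity"}, where severity is
      "benign"  - every new record stays within infrastructure the owner controls
      "review"  - records disappeared but nothing new appeared (outage or typo)
      "suspect" - a new nameserver or address outside the owner's control
    """
    findings = []
    expected = baseline.get(domain, {})
    for rrtype in ("NS", "A"):
        old = set(expected.get(rrtype, ()))
        new = set(observed.get(rrtype, ()))
        if old == new:
            continue
        added, removed = new - old, old - new
        if not added:
            severity = "review"
        elif rrtype == "NS":
            severity = "benign" if added <= owner_ns else "suspect"
        else:
            severity = ("benign"
                        if all(_in_owner_space(ip, owner_nets) for ip in added)
                        else "suspect")
        findings.append({"rrtype": rrtype, "added": sorted(added),
                         "removed": sorted(removed), "severity": severity})
    return findings


def should_suspend(findings):
    """The post's policy: cut communication with the domain if any change looks malicious."""
    return any(f["severity"] == "suspect" for f in findings)


# Constructed observations standing in for live resolver answers.
OBS_UNCHANGED = {"NS": {"ns1.example.net.", "ns2.example.net."},
                 "A": {"198.51.100.10", "198.51.100.11"}}
OBS_NS_MIGRATION = {"NS": {"ns1.example.net.", "ns3.example.net."},
                    "A": {"198.51.100.10", "198.51.100.11"}}
OBS_HIJACK = {"NS": {"ns1.example.net.", "ns2.example.net."},
              "A": {"203.0.113.77"}}

if __name__ == "__main__":
    for label, obs in (("unchanged", OBS_UNCHANGED),
                       ("ns migration", OBS_NS_MIGRATION),
                       ("hijack", OBS_HIJACK)):
        f = classify_changes("payments.example.net", obs)
        print(f"{label}: suspend={should_suspend(f)} findings={f}")
```

The nameserver migration is rated benign only because ns3.example.net. is on the owner’s list; an NS change to a host the owner never registered with you is treated exactly like an A record pointing outside their netblocks. Keeping those allow-lists current with the partner is what makes the diff meaningful; without them every change is just a change.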

Now that we’ve pointed out the dangers of an altered DNS, we need to delve into the specifics of how the DNS gets hijacked. This can occur via a variety of methods. One of them, often without anyone knowing it’s happening, is malicious software that burrows its way onto individuals’ computers and changes the DNS settings there, with the potential to eventually infect a large network of machines. We’ll talk more in a future post about how this occurs, discuss a recent large-scale instance that infected millions of computers and routers, and reveal what can be done to mitigate such attacks. See you then!
