Over the last few years, there has been an increase in cyberattacks targeting vulnerable subdomains so that criminals can set up fraudulent web pages and emails used in phishing, malware, and ransomware schemes. A hijacked subdomain inherits the trust of the brand's parent domain, which is exactly why it is attractive to an attacker. This increase in subdomain hijacking has created the need for stronger Domain Name System (DNS) security and active management of every DNS record.
Digital records accumulate over time, and administrators who do not know each domain's history are reluctant to delete legacy records for fear that they are tied to critical infrastructure. The resulting buildup of stale DNS records whose targets no longer exist (for example, a CNAME still pointing at a cloud host or vendor service that has since been decommissioned) is known as "dangling DNS." Such records are exposed to subdomain hijacking, in which an attacker claims or registers the abandoned target and thereby gains control of a legitimate, still-delegated subdomain to host fraudulent or malicious content.
Traditionally, domain security was an overlooked aspect in broader cybersecurity planning and budgeting, particularly because of confusion on who would own and manage it among marketing, IT, and cybersecurity departments. As a result, there are several challenges today for teams aiming to make improvements to the monitoring and security of their DNS landscapes.
Unlike physical business assets that take up physical space, the digital nature of DNS records makes these assets harder to keep track of. As businesses grow with new initiatives and campaigns, and employees come and go, their record bases only multiply. Eventually, most companies end up with 20-plus years of history within their DNS records, holding information on owners, policies, vendors and more.
Administrators scanning DNS records are usually hesitant to delete any records they are unfamiliar with, for fear of accidentally removing something necessary to the company's critical infrastructure and operations. Though understandable, the problem with stockpiling DNS records is that their sheer number makes it difficult to ensure they are all accounted for when conducting proper housekeeping. Organizations therefore run the risk of leaving dangling records in place, where a target that no longer resolves or is no longer under the company's control invites subdomain hijacks that can then lead to phishing, malware, data theft, stolen credentials and financial loss.
Ultimately, security teams need to develop a mindset shift in treating domain security and DNS abuse as an ongoing risk management process instead of an infrequent checkup. Only then will companies have more complete cyber hygiene across their entire digital ecosystem.
Best practices for mitigating subdomain attacks
Similar to other security and protection programs, implementing effective domain security and DNS management requires a defined strategy. Teams need to establish a consistent process for collecting and documenting DNS record activity as well as justifying how they are handled. Here are four ways to make DNS upkeep more efficient:
- Evaluate the business value and criticality of all DNS records: When digital records accumulate without proper oversight, the organization's records landscape fills with noise from unnecessary assets and information. This makes it harder to secure what is necessary and creates gaps that criminals can exploit. Security teams should ask the following questions about each DNS record to determine the most appropriate course of action:
  - Does the record resolve, and is the target it points to still owned or controlled by the company?
  - What is the record's function today, and who requested it?
  - What is the long-term value of the record if the company keeps it?
- Implement daily DNS record monitoring: Many organizations audit and clean up their subdomains manually on a quarterly or twice-yearly basis, but that is not frequent enough for how often zone files change, leaving dangling records that criminals can hijack. Security teams should set up alerts that fire when a record's target stops resolving or otherwise changes state, so they can decide whether to purge the record or fix a hosting issue before an attacker notices the gap.
- Set aside budget for domain security: Large corporations typically have the budget they would need for stronger DNS security. Security teams should consider how to bring this topic into budgeting conversations and focus on the following areas: selecting a trusted enterprise-class provider, securing portal access, controlling user permissions, and employing advanced security features for business-critical domains.
- Evaluate and consolidate the company’s partners: Most organizations have multiple DNS providers and need to pull all their data together to do necessary security queries. As such, these organizations should prioritize finding security-minded partners that offer the tools and services that help address emerging critical threat vectors, such as the ability to compile all DNS records and mine the data for how they are/are not working for the company’s business goals.
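The daily monitoring item above can be turned into a small scheduled job. The following is an added example, not code from the article or from CSC: it parses a BIND-style zone export, checks whether each CNAME target still resolves, and compares the result with the previous run's state so that it alerts only on records that have newly gone dangling. The zone snippet, the vendor hostnames, the previous-run state and the `demo_resolver` function are all constructed for the demonstration; `target_resolves` is the live resolver a real job would use.

```python
"""Daily dangling-CNAME check over a BIND-style zone export.

Added example (not the article's or CSC's code). The zone text, hostnames,
previous state and demo_resolver are constructed for the demo.
"""
import socket
from typing import Callable, Dict, List, Tuple

# Constructed sample zone export in BIND presentation format; not a real zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@            IN  SOA   ns1.example.com. hostmaster.example.com. (2024010101 7200 900 1209600 3600)
@            IN  NS    ns1.example.com.
www          IN  A     192.0.2.10
shop         IN  CNAME shop-prod.cloudvendor.example.net.   ; live storefront
promo2019    IN  CNAME campaign-2019.cdnvendor.example.net. ; campaign site, vendor decommissioned it
legacy-api   IN  CNAME old-api.example.com.
old-api      IN  A     192.0.2.20
"""


def qualify(name: str, origin: str) -> str:
    """Turn a relative owner or target into an absolute name under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_cnames(zone_text: str) -> List[Tuple[str, str]]:
    """Return (owner_fqdn, target_fqdn) pairs for every CNAME in the export."""
    origin = "."
    pairs = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip zone-file comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        owner, target = fields[0], fields[-1]
        pairs.append((qualify(owner, origin), qualify(target, origin)))
    return pairs


def target_resolves(name: str) -> bool:
    """Live check: does the CNAME target still resolve to an address?

    A target that no longer resolves is the classic dangling case: the owner
    name is still delegated in our zone but hands traffic to nothing.
    """
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def check_zone(zone_text: str, previous_state: Dict[str, bool],
               resolve: Callable[[str], bool] = target_resolves) -> Tuple[Dict[str, bool], List[str]]:
    """Classify every CNAME and return (current_state, alerts).

    previous_state maps owner -> True (resolved) / False (dangling) from the
    last run, so a daily job pages only on transitions rather than every day.
    """
    current: Dict[str, bool] = {}
    alerts: List[str] = []
    for owner, target in parse_cnames(zone_text):
        ok = resolve(target)
        current[owner] = ok
        if not ok and previous_state.get(owner, True):
            alerts.append(f"DANGLING: {owner} -> {target} no longer resolves; purge or re-point it")
    return current, alerts


def demo_resolver(name: str) -> bool:
    """Constructed stand-in for target_resolves: pretend the vendor removed the 2019 campaign host."""
    return name != "campaign-2019.cdnvendor.example.net."


if __name__ == "__main__":
    # First run: nothing recorded yet, so every newly dangling record alerts.
    state, alerts = check_zone(SAMPLE_ZONE, {}, demo_resolver)
    for line in alerts:
        print(line)
    # Second run with yesterday's state: same situation, no new alert.
    _, again = check_zone(SAMPLE_ZONE, state, demo_resolver)
    print("new alerts on second run:", len(again))
```

Run it from cron against a fresh zone export each day and persist `current_state` between runs. One caveat a practitioner should keep in mind: a non-resolving target is only the most obvious signal. A CNAME whose target still resolves to a shared cloud or CDN endpoint can also be hijackable if the underlying tenant resource has been released, so this check should be paired with the ownership question from the evaluation step above rather than used as the sole test.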
With more organizations prioritizing internet-based communications along with customer engagements and interactions, it’s critical for companies to maximize the security of their DNS infrastructure to prevent security issues, disruptions and other threat actor activities that could cause harm to the brand and its reputation.
While attacks on vulnerable subdomains continue to rise, companies can no longer afford to overlook the state of their domain and DNS security. Executive and security teams need to consider a more proactive strategy for ongoing DNS maintenance and how they can incorporate this strategy as their business grows and new DNS records are created.
Mark Flegg, global director, security services, CSC Digital Brand Services