Ensuring GDPR Compliance by Preventing DNS Exfiltration

The implementation of the EU’s new General Data Protection Regulation (GDPR) is now a bit more than a year away. It’s a wide-reaching set of rules which you must comply with if you’re holding data about European citizens. Compliance doesn’t need to be difficult though, as much of GDPR is focused on how you handle data loss and network breaches. To avoid catastrophic fines after breaches, the easiest way to become compliant is simple: you need to enhance your security.

However, it’s important not to take this advice lightly: data breaches have significant effects on those whose data is stolen; and with GDPR that data loss will now reflect on companies that have breached. The result is the possibility of large fines – from 2% to 4% of global revenue; as well as sanctions that can force organizations to stop processing user data.

There are many ways to protect data, but the one that is often neglected is data exfiltration via the DNS. A new IDC report looks at how DNS-based attacks have become a significant risk that must be considered as part of your GDPR preparation.

The mechanisms of DNS exfiltration

DNS exfiltration is often part of an advanced persistent threat-based attack. Attackers inside your network spend time finding valuable data, but then have to remove it. While most security systems in use block obvious data transfer mechanisms like FTP, common internet protocol like DNS are often left unsecured. That gives attackers a loophole; one where connections to arbitrary servers aren’t blocked.

There are two ways data can be extracted over your network using DNS. Both rely on the attacker having software that can encode your data, and then use various DNS techniques to transmit data to remote servers. The first option is purely focused on extraction, and embeds blocks of encoded data within requests to an attacker’s own DNS server. It’s a slow way of extracting data, but when it comes to valuable details like credit card information, it’s certainly effective. The second approach, DNS tunneling, uses DNS as not just a way of extracting data, but by encoding data in alternate names for servers. This way, it’s able to offer attackers a command and control channel for their tools. Tunneling is also a relatively fast way of extracting data, with one known attack delivering 18,000 credit card numbers a minute to an attacker’s server.

Why is DNS a risk?

So why are attackers using DNS? There are two main reasons.

The first, and most obvious, is that we’ve actually got quite good tools at detecting exfiltration via HTTP and FTP, the two most common protocols. Data loss prevention tools and next generation firewalls focus on those technologies, locking down the easiest routes out of your network. That forces attackers to explore and experiment with other protocols, and take advantage of those, like DNS, that aren’t blocked by traditional security tooling.

The second, and perhaps more important, is that it’s easy to hide exfiltrated data in amongst the normal operation of a DNS service. Many common internet services use DNS; which means that most DNS servers are constantly busy. Then there’s the additional problem of living in a world where BYOD and customer Wi-Fi are prolific, making access to DNS by devices that we don’t know and don’t manage an everyday occurrence. The sheer volume of traffic makes it hard to see the requests used for DNS exfiltration, especially when they can be spaced out over time using statistical techniques to look like normal traffic.

Preventing exfiltration with DNS protection

So how can you protect your networks? Traditional monitoring techniques have a risk of blocking legitimate traffic. After all, just because a DNS request is going to an unknown server doesn’t mean it’s malicious; the decentralized architecture of the global DNS service makes it impossible to know every server in use.

To understand what’s happening in your DNS services, you need to embed security tools into your DNS servers, the heart of DNS. That’s where you can analyze packet contents to see just what is happening in your networks. The result is deep inspection of DNS traffic, analyzing payloads and analyzing traffic.

Once you’ve identified malicious DNS traffic in your network, you can start to apply mitigations. One option is to block malicious domains as soon as they’re identified; and use DNS reputation tools to reduce the risks of both false positives and false negatives. You can also examine the traffic from specific suspicious devices on your network to further target suspicious activities.

Keeping on top of DNS security can help with GDPR compliance, as it’s not purely a matter of avoiding breaches – it’s also a matter of timely reporting if data has been stolen. If you report breaches to the appropriate data protection bodies (for example, in the UK, to the Information Commissioner’s Office) within 72 hours, you remain compliant. If new techniques and zero-day attacks have been used to exfiltrate data, you will need tools to log all your DNS data. Once logged, you will also need to explore those logs regularly to find previously undiscovered advanced persistent threats in your network (with large DNS logs, this can be like finding a needle in a haystack).

Log file analysis at this scale with a traditional DNS server can be a significant issue: you’re either having to work with batch data well after the event, allowing data to be stolen without you knowing, or you’re going to have to either statistically sample or slow down DNS traffic to allow log file search tools to work. Either way you’re risking user data, which increases the odds of being out of compliance with the GDPR.

Alternatively, you can use a modern DNS server that’s able to identify attacks quickly or in real-time, using real-time transaction analysis – which gives you the option of blocking data exfiltration as soon as it is spotted by the DNS server analysis tools.

A call to DNS action!

You may well have deployed a hefty set of security tools, with a focus on data loss prevention. But DNS exfiltration is being used by attackers to get around your security perimeter, so what can you do to ensure your DNS doesn’t risk your GDPR compliance?

You’re going to need tools that operate inside your DNS servers, tools that can analyze your DNS traffic and spot outliers, helping you locate suspicious clients that are tunneling data out your network over DNS. Once you’ve identified malicious DNS traffic, you can use countermeasures to block exfiltration – and protect your network from other attacks that can take advantage of this critical protocol.

We are in an increasingly dangerous world; and one where data is valuable to companies – and to attackers. GDPR puts an onus on companies to be as secure as possible, with significant penalties for failure. That requires doing much more than protecting your databases, but protecting every part of your IP networks as well.