The Key Role of Protective DNS for Phishing Protection

Phishing attacks have been around for almost three decades. Awareness of them is wide with phishing protection measures to detect and block them included in almost every security solution. Nevertheless, they remain one of the most commonly used attack vectors. According to the IDC 2023 DNS threat report, 54% of organizations were victims of phishing attacks in 2023, a 3% increase from 2022. It is not surprising that regulatory bodies across the world are shining a spotlight on this attack vector. The Singapore government took this a step further and introduced a Shared Responsibility Framework (SRF) dedicated to combating scam and phishing attacks and putting financial and telcos organizations responsible for phishing scam losses ahead of victims.

DNS Security is key in phishing protection, with 85% of malware actors leveraging domain name systems (DNS) to orchestrate their attacks.  Moreover, domain names serve as a linchpin across all attack tactics. From reconnaissance, and initial access, where phishing is frequently employed, to lateral movement, where attackers may resort to internal spearphishing to infiltrate other users or devices within the same organization, and extending to command & control and data exfiltration, where attackers commonly utilize the DNS protocol for communication or transferring stolen data. Evolving DNS to Protective DNS Security (PDNS) empowers organizations  to cut the very first link in the kill chain, which is pivotal for thwarting attackers.

Understanding Phishing Attacks

Phishing is a widespread cyber threat where malicious actors use deceitful tactics to perform harmful actions such as stealing money, downloading malware or obtaining sensitive information such as passwords and credit card details. It often manifests through deceptive emails, text messages, or phone calls, wherein attackers impersonate trusted entities to trick individuals into disclosing confidential information or clicking on malicious links leading to phishing websites.

Various types of phishing attacks exploit different communication channels and techniques to deceive targets. Phishing emails, the most common type, utilizes fake or look-alike domains resembling legitimate organizations to send mass requests for personal information. Spear phishing, a more targeted approach, tailors emails to specific individuals, leveraging personal details to enhance credibility. Whaling attacks specifically target senior executives, often masquerading as urgent requests from high-ranking officials. 
Smishing and vishing attacks leverage text messages or phone calls to trick recipients into divulging sensitive information, while angler phishing exploits social media platforms to deceive users through fake URLs or cloned websites. 

In the following example, attackers sent a message to Bank of America customers, pretending to be an unemployment insurance claim text message. The attackers take advantage of people in vulnerable situations, who are more likely to click that link. Later in the blog, we will show a fake Bank of America login page as observed in our customers’ traffic.

Phishing attacks have a profound impact on individuals and organizations worldwide. According to the IBM Cost of Data Breaches report, phishing was the most prevalent attack vector in 2023 and the second most expensive at USD 4.76 million. Beyond financial losses, victims suffer operations disruption, legal repercussions, regulatory fines, reputational damage, and loss of trust. Personal consequences include identity theft, financial fraud, and emotional distress. The pervasive nature of phishing underscores the need for robust phishing protection measures and heightened awareness to mitigate its detrimental effects.

Phishing attacks regulatory imperatives

Recognizing the severity of phishing threats, regulatory bodies urge organizations to take proactive measures to combat phishing attacks. Such directives and regulations include the European Commission’s NIS 2 Directive, the NIST Landmark Cybersecurity Framework, GDPR, PCI DSS, HIPAA, and Singapore’s government’s most recent phishing-focused initiative, the Shared Responsibility Framework (SRF). These standards impose legal obligations on businesses to safeguard sensitive data and mitigate risks associated with phishing attacks. Here are several examples of organizations and governmental bodies that have introduced specific strategies and tools to tackle phishing effectively:

• The National Institute of Standards and Technology (NIST) has recently published the NIST Phish Scale user guide, a method designed to rate an email’s human phishing detection difficulty. NIST provides essential tips for phishing protection, emphasizing vigilance and caution across all communication channels to prevent falling victim to phishing attacks.
• GDPR mandates organizations to stringent measures to protect personal data from unauthorized access, including phishing attacks. This involves encryption, access controls, and regular security assessments and training. The Irish Data Protection Commission published a guideline on phishing protection to help entities meet GDPR data protection requirements.
• The Shared Responsibility Framework (SRF) was introduced by the Singaporean government to address the escalating challenge of scams and phishing attacks. The SRF aims to combat scammers, secure government and banking channels, and strengthen enforcement through initiatives like the ScamShield app and the Singapore SMS Sender ID Registry. Additionally, it emphasizes the responsibility of Financial Institutions (FIs) and telcos to safeguard consumers, setting clear anti-scam duties and accountability standards. The SRF focuses primarily on phishing scams with a digital nexus, aiming to preserve confidence in digital payments and banking while excluding certain scam variants not related to phish

Elevating DNS Security: The Importance of Protective DNS for phishing protection

Countering phishing attacks demands a holistic strategy integrating both technological and human-centric measures. Employee awareness training and regular phishing simulation tests enhance the organization’s readiness for phishing attacks on the human aspect. Traditional phishing protection technologies such as anti-phishing, DNS filtering, spam filters, firewalls, and antivirus software play an important role in minimizing the phishing risk. However, they are not impervious to the sophisticated tactics employed by modern attackers as they lack visibility to the internal DNS traffic and DNS-centric threat intelligence. To effectively combat today’s advanced phishing attacks, organizations must employ advanced techniques such as user behavioral analysis (UBA), advanced AI-based phishing detection algorithms, and dynamic threat intelligence for real-time domain insights.

Protective DNS (PDNS) emerges as a powerful security measure to combat evolving cyber attacks including malware,  ransomware, DDoS attacks, and phishing threats. Unlike traditional methods, PDNS operates as a real-time security service, analyzing DNS queries to identify and block potential risks using DNS-centric threat intelligence. By identifying and blocking malicious domains based on threat data, PDNS effectively prevents access to known malicious or suspicious sites, providing phishing protection at the earliest stage of defense. 

Strengthening phishing protection with EfficientIP’s DNS Security Solution

EfficientIP’s Protective DNS solution was recognized by NSA as a top Protective DNS Vendor for its phishing protection capabilities along with its Domain Generation Algorithm (DGA) and malware protection algorithms. EfficientIP goes beyond a PDNS and employs a holistic cybersecurity approach that protects the organization with proactive zero-trust risk management measures, advanced engines to detect and block attacks, automated mitigation and adaptive countermeasures.

DNS-centric threat intelligence

Dynamic and accurate threat intelligence feed plays a crucial role in defending against phishing attacks, by blocking the access to malicious websites commonly used in such attacks.

EfficientIP’s threat intelligence database continuously gathers rich, voluminous DNS data and statistics from diverse devices, applications, and networks, encompassing on-premise, cloud, or multi-cloud infrastructures on a global scale and multi-source intelligence.

This comprehensive and up-to-date  data is then processed and analyzed leveraging patented AI/ML-powered technology and pioneering algorithms to increase its accuracy and relevance. These advanced algorithms automatically  assess the suspicious or malicious nature of a domain and classify it accordingly into relevant attack categories such as phishing and more. 

In particular, using ML-driven image recognition and Natural Language Processing (NLP) enable it to identify and flag potential threats based on visual attributes associated with malicious online content. For instance, the image recognition model can identify websites that closely resemble known, trusted sites, a technique often used to deceive users into disclosing their credentials or engaging in malicious actions. 

Subsequently, a risk score is calculated to aid in prioritizing incidents and determining the most appropriate course of action. The screenshot below demonstrates a domain classified as phishing and scored at the highest risk level F.

EfficientIP’s DNS Threat Pulse (DTP) is a proprietary threat intelligence feed generated from the consolidated threat intelligence database.

One such example is a phishing attack targeting Bank of America customers. In March 2024, among numerous detections, EfficientIP identified several phishing attempts aimed at mimicking Bank of America’s user login area, with the intent to steal victims’ account credentials. Upon detection, the domains were automatically marked as malicious in the DTP feed, subsequently updating EfficientIP’s detection engines. This ensured that all EfficientIP DNS Security customers received immediate protection against the threat.

EfficientIP’s DNS Intelligence Center (DNS IC) aggregates the data collected by the threat intelligence database to  provide comprehensive threat insights and analytics on the organization’s DNS traffic, including real-time threat matches, as seen in the screenshot below.

Advanced technologies to combat phishing attacks proactively

Introducing advanced technologies to proactively combat phishing attacks is crucial in today’s cyber landscape. DNS Guardian, a leading Protective DNS solution, offers multi-tier threat detection algorithms. Leveraging the DNS IC, DNS Guardian  provides an end-to-end, integrated DNS security solution for optimal protection throughout the threat lifecycle.

DNS Guardian introduces an innovative Client Query Filtering (CQF) algorithm that elevates application access control. By combining client and destination information with dynamic domain lists, rather than filtering only based on the domain name, CQF enables application zoning, restricting users and devices to access only applications they need for their work. This reduces the risk of phishing attacks, as the domains that clients can access are limited by design. CQF also leverages the DTP feed to allow granular policy configuration based on domain category. Since DTP includes a continuously updated list of phishing domains, it allows real-time prevention of phishing attacks at the core of DNS. 

Another core capability of DNS Guardian is the patented DNS Transaction Inspection (DTI), providing real-time analysis of DNS server transactions, including DNS requests, responses, fragments, recursions, and latency. DNS Guardian analyzes the DNS client requests to the DNS cache, identifying suspicious behaviors. Furthermore, it monitors the response time from an authoritative DNS server to its recursive service, detecting suspicious activity. This in-depth understanding of the DNS traffic enhances threat detection well beyond known attack patterns. 

Recovery & Response 

In 2023, the average time to identify and contain an attack initiated was ~300 days. It expresses the urge to put in place automatic measures that will ensure business continuity and reduce the impact of phishing attacks.

DNS Guardian maintains service continuity and minimizes false positives while protecting against phishing attacks through its adaptive countermeasures technology. These methods include blocking or limiting suspicious DNS traffic for specific clients and quarantining suspicious sources such as DNS clients, while preserving cache services. 

As mentioned before, DNS IC offers rich and granular DNS-centric insights. In addition to its critical role in detecting threats, it serves as a powerful threat investigation tool that provides detailed contextual information about domains. The information includes whois and certificate data, classification, indicators of compromise (IoCs), location, and more. The security analyst or incident response manager can leverage the comprehensive data to deeply understand the incident and prepare a response plan. This is especially powerful in phishing attacks, as the malicious domains can be blocked immediately, completely thwarting the attack. 

DNS IC also empowers the SOC team to enrich the DTP feed with domains identified as suspicious in their organization’s DNS traffic. Once reviewed and confirmed by the SOC team as malicious,  the domains can be added to the global DTP feed, enabling all EfficientIP customers to benefit from a unified defense against phishing.

Conclusions

Advanced DNS security is instrumental in reducing the risk of phishing attacks and proactively blocking them as the first line of defense. Selecting a solution that provides advanced, comprehensive measures to detect and block phishing attacks is crucial, given the evolving nature and increasing sophistication of these attacks. Schedule a demo today to explore EfficientIP’s DNS Security solution further and discover how it can help in combating phishing attacks while ensuring compliance with recent regulations and government requirements.