Problem to Solve: How can we use APM and NPM tools to help protect our Company’s Brand?
So many companies are spending millions of dollars “To Protect Their Brand”, which includes creating multiple layers of security in their network, and protecting their doors with physical locks and guards. Just look at the recent breaches and what they have done to the customer loyalty. According to an article on SecurityIntelligence.com, the AVERAGE cost of a security data breach is up to 3.79 Million dollars per company.
DNS and Brand Protection 101
Take a look at your own “Brand”. How much of that information exists on the Internet? If you answered a lot or all, then DNS is extremely important to you. Domain Name Server(DNS) is one of the glues that holds the Internet together. I remember when I was younger, I had to memorize every phone number of my friends and family just to call them, and if I didn’t I then had to look it up in the phone book. Well if you had to remember the phone number for every website that you wanted to go to, you would probably be like me and have few friends. For example, 184.108.40.206 is the Internet Protocol Address(IP) of a very popular website: google.com. For the most part humans seem to remember names and words much better than numbers. It just seems to be part of our DNA make up.
DNS is the protocol that is the address book for the Internet. When you type in google.com, your computer immediately starts asking around, “Does anyone know this guy? I am not sure where he is?” The DNS server that is located in your data center or your ISP provider either knows the answer or knows who to ask. Then the process is started. Once you get the answer back, your machine now knows that google.com=220.127.116.11 and where the server is that hosts that IP. You can think of it as the White Pages for the Internet. You now know the street address of the Google. One of the other advantages is that Google may have multiple servers and addresses hiding behind that one single name, but they all will do the same thing. This process helps Google by allowing them to add and remove servers, change IP’s and all you need to know is www.google.com.
Now to the point of Brand Protection there are many ways the bad guys are going to try to steal your main Internet customer facing name. Below I have mentioned a few that can be proactively fought off. Thank you to Network World for this article, which I will reference in the rest of my blog. Here is the link http://www.networkworld.com/article/2886283
Brand Attack 1 – Distributed Reflection DoS Attack
Who, What, Where, When? All of these questions become critical points of triage when a DrDoS attack happens. How can you mitigate or fight the bad guys if you do not know if the attacks are coming from the outside or from the inside on a compromised system? It is going to be pretty hard to resolve those numbers if the server can’t keep up with all the requests.
Why Should You Care? “Time is Money” as they always say. Companies fight for the (5) 9’s which is 99.999% uptime. So how much does 1 hour of downtime cost your Business? How much in the high paid salaries trying to resolve the issue?
Brand Attack 2 – Cache Poisoning
What happens if you click on www.mybank.com and it takes you to www.badguys.com. It looks exactly like mybank, but when I enter my personal information and login, for some reason it does not work? Well guess what, now they have your login and are on the real mybank.com and are stealing your money. At that point, as a customer, I am going to be pretty upset with mybank and move to yourbank. Ensuring that your DNS server is providing the proper answers can assist in resolving this issue.
Why Should You Care? Trust is everything to a brand. So if your company name is splashed on the Front Page of the newspaper, you are going to have a hard time keeping that customer trust and loyalty.
Brand Attack 3 – TCP SYN Floods
When it rains, it pours. Similar to attack 1, SYN Floods can cause chaos by attempting to open a connection to the server an immense amount of times. This causes the server to basically stop responding to everyone who is trying to communicate to it. Alerting to rising levels of TCP SYN traffic can help mitigate the problem before it gets to a Flood Stage.
Why Should You Care? Tick Tock, there goes another hour of revenue.
Brand Attack 4 – DNS Tunneling
This is a case for deeper analysis. On the outside, the attacker looks like a normal SSH, HTTP conversation, but on the inside, they are masking their intentions. They can use this method to keep the normal screening methods at bay. Deep Packet Inspection can be required to determine the actual intentions. This process combined with a baseline of that traffic, is usually required to understand when there is an abnormal amount of SSH traffic being generated.
Why Should You Care? Your brand has a large “Bullseye” on it if you have been breached for months without knowledge.
Brand Attack 5 – DNS Hijacking
Like the Cache Poisoning attack, you can lose control of your most important asset. Understanding what servers are responding to DNS requests and the DNS Messages that are contained within are a critical step in being the eyes and ears of the corporation.
Why Should You Care? Litigation, lawyers and PR teams are expensive to use after your customers have had their personal information stolen.
Brand Attack 6 & 7 – Basic NXDOMAIN Attack and Phantom Domain Attack
A lot of the different attacks revolve around overwhelming the server with requests. When the server is “down on the mat” trying to catch a breath, step in and do the resolving for it. This is an attack where watching the network traffic to and from the DNS server can give you a clue to the issue. Many times the server will be start responding slower and the general DNS response times will increase.
Why Should You Care? Everyone knows there are bad people on the Internet. Do you want to be viewed as a company that can handle themselves or as a victim?
Brand Attack 8 & 9 – Random Subdomain Attack and Domain Lock-up Attack
The attacker creates multiple different entries that are going to fail, such as g00gle.com or gogle.com. The attacker then asks for the server to resolve these domains over and over. The ability to recognize and alert on the increasing “Name Error” responses, and who the inquiries are coming from can help in preparing to block these attacks.
Why Should You Care? Once again, it is pretty hard to sell your services if the customer can’t open your web page.
Brand Attack 10 – BotNet-based attack
As much as you tell your employees, “..NO you cannot get free money from Nigeria” they continue to click on the Emails and infect devices with Malware. This malware can be in the form of Botnet that can attack your DNS servers from within your walls. Establishing your defense only on the outside of your walls can be a drastic failure. Make sure you know what is going on outside as well as within your own walls.
Why Should You Care? With crippling speed, malware can spread like a nasty rumor. It is pretty hard to maintain trust if you have to call your customers and instruct them to NOT open that email from your business email address.
With the proper eyes and ears on your DNS traffic you can successfully respond to the different levels of attacks above. Visibility provides the business a level of confidence that the Brand you have worked so hard to build will be defended and not compromised.