
Coffee Chat with Cricket and Krupa: All the Ways Threat Actors Abuse DNS

Presented by

Cricket Liu, Krupa Srivatsan and Tom Grimes

About this talk

Cybercriminals use the Domain Name System (DNS) to execute a range of malicious campaigns at various stages of the kill chain. This exploitation is often successful because organizations frequently don't consider DNS from a security context, creating a gap that attackers readily exploit. For instance, cybercriminals:

- Use C2 (Command and Control) to communicate with external servers and receive malicious commands to execute
- Utilize DNS tunneling to exfiltrate data from within networks as part of campaigns like ransomware
- Set up Traffic Distribution Systems (TDS) to more efficiently deliver malware to victims
- Leverage various DNS record types to avoid detection by security tools that only monitor some of the record types
- Create lookalike domains that could impersonate organizations, deceiving customers, partners and suppliers
- Register zero-day DNS domains to launch targeted spear phishing attacks within minutes

Many of these activities go unnoticed by traditional security approaches, resulting in prolonged dwell times, lateral spread of malicious activity and costly data breaches. In this Coffee Chat, we will explore the myriad ways DNS is abused by threat actors and discuss proactive measures that organizations can implement to protect their users and data.
Infoblox
