Enabling DNS over HTTPS (DoH): Advantages and Best Practices

A new internet protocol is making headlines in the world of enterprise security: DNS over HTTPS. Even though this is of major interest especially for businesses and organizations, regular users will be impacted by it as well. Are you ready for this cybersecurity revolution yourself?

Here’s what all the fuss around the new DoH protocol is about. If done right, the hype around it is well-deserved. Once it’s implemented well, DoH can make network communications much more secure.

The DNS over HTTPS protocol is still relatively new in the world of network connections. Having first emerged about two years ago, it is mostly not implemented yet.

When it comes to browsers, Google seems to be the first to get there. They recently announced they plan to roll out DNS over HTTPS in the near future.

This guide will tell you what this means and how you can implement DNS over HTTPS yourself, the changes to expect and so on.

What Is DNS over HTTPS (DoH) and How Does This Protocol Work?

First things first, let’s clear up the basics. Not everyone understands exactly what DNS is and how it works, let alone the new DNS over HTTPS.

DNS definition:

DNS stands for Domain Name Server and it helps computer networks attach various information to each web domain. To put it simply, all Domain Name Servers are basically the fundamental internet address book.

But while people can remember a domain name easily, computers need numbers to understand it. That’s why the DNS system ‘translates’ each domain name into an IP number and assigns this info, together with other details.

A DNS traffic filtering solution is a crucial security layer for businesses and consumers alike. We discussed elsewhere the importance of DNS traffic filtering and what cybercriminals can hope to get from infiltrating it.

Now that we defined DNS and DNS filtering, let’s move on to the new buzzword in cybersecurity news: DNS over HTTPS (DoH).

DNS over HTTPS (DoH) definition:

The new standard released by the IETF allows the DNS protocol to run over HTTPS connections (the more secure form of HTTP).

DNS over HTTPS (abbreviated as DoH) is an internet security protocol which communicates domain name server information in an encrypted way over HTTPS connections.

DNS over HTTPS vs. DNS over HTTP vs. DNS over TLS

A. DNS over HTTP vs DNS over HTTPS

Most networks are now still using DNS over HTTP communications, which makes them vulnerable to man-in-the-middle attacks if they are not protected by a traffic filtering solution. This is because this communication is sent in plain text.

The innovation brought on by the DNS over HTTPS protocol is that the communication is encrypted using built-in application HTTPS standards. This helps achieve an unprecedented default level of privacy and data protection since the encryption is (or should be) the gold standard.

Man-in-the-middle attacks (a common cybersecurity concern) are more or less useless if DNS over HTTPS is enabled. Since all DNS requests are encrypted, a 3rd party observer cannot make sense of the data they would glean.

If that data is not encrypted (such as in the DNS over HTTP protocol), it is easy for a 3rd party malicious observer to see what domains you are trying to access. In contrast, when DoH is active, this data is encrypted and hidden within the enormous amount of HTTPS data which passes through the network.

Therefore, there is no comparison to be drawn between DNS over HTTPS (DoH) and DNS over HTTP. DoH is clearly the superior protocol. It’s only a matter of time until everyone adopts it one way or another, and the road may indeed be difficult for a time.

B. DNS over HTTPS vs. DNS over TLS

I think we’ve cleared up by now what DNS over HTTPS (DoH) is.

DNS over TLS (or DoT) is regarded by some as being more or less the same thing as DoH, but this is not accurate. It’s true that both types of protocols achieve the same result: encrypting your DNS communications.

But the two protocols use different ports for their encryption, and each has a different focus. The DoH encryption allows, theoretically, network admins to view the encrypted DNS traffic should an issue arise, while the DoT encryption can protect data even from admins.

The fans of DoT protocols state that this DNS over TLS standard is a better fit for human rights concerns in problematic countries. At the same time, in countries where freedom of speech may be limited, the only effect of enabling DoT encryption may be that it draws attention. In other words, authoritarian regimes may look unfavorably upon those who adopt DoT instead of the more mainstream DoH.

Other than that, there is also the technical difference of the port used. DNS over TLS has its own dedicated TLS port, Port 853. DNS over HTTPS uses a different one, Port 443. This internet port (Port 443) is the current standard for all HTTPS communications, so it makes sense that DoH uses it too.

How Chrome and Mozilla Are Going to Implement DNS over HTTPS (DoH)

Both Google Chrome and Mozilla have announced that they plan to include DNS over HTTPS by default in future builds.

A. How Chrome will include DNS over HTTPS:

For now, the Chrome team is experimenting with the new DoH protocol only for a limited number of users. This trial period will help them fix any potential issues and figure out how to then deploy DoH for everyone.

The DNS over HTTPS protocol will be tested starting with the new Chrome 78 version of the browser, which is not launched yet. You can also opt into this experiment if you’d like to be among the users who get DoH in advance.

You can access the Chrome flag chrome://flags/#dns-over-https in order to activate or deactivate the DNS over HTTPS experiment, once Chrome 78 is live.

The only downside to this is that DoH is still relatively hard to configure manually in Chrome, for inexperienced users at least.

B. How Mozilla will include DNS over HTTPS:

To their credit, Mozilla has been working on DNS over HTTPS implementation for a longer time than Chrome, and it shows. As of now, opting to implement DoH in your browser is easy even for non-technical users, and the protocol settings have a much more developed interface.

For now, it’s an opt-in, as mentioned above, but Mozilla has announced that they plan to make DoH a default in future browser versions as well.

How DNS Traffic Filtering Solutions Need to Adapt to HTTPS

As most organizations are already aware, a DNS traffic filtering solution is a crucial layer of their cybersecurity environment. But while most organizations are already using a DNS traffic filter, the dilemma brought on by DoH is that compatibility issues may arise once browsers start using DoH by default.

In layman’s terms, here’s what can be problematic. DNS traffic filtering solutions use the DNS settings built into the operating system in order to perform DNS queries. But if the browser (whether it be Chrome or Mozilla) no longer uses the standard DNS port (53) for queries and instead switches to the DoH one (443), the traffic filtering solution will lose sight of those queries.

Basically, this has an upside and a downside. On the upside, the built-in DNS over HTTPS protocol from browsers will take over some parts of the functionality held until now by DNS traffic filtering solutions. This is good news for those who did not yet adopt a DNS traffic filter, but they should still be warned that DoH is not enough for security.

On the downside, when the DNS queries from the browser are wrong (or intentionally misled by malicious 3rd parties), the DNS traffic filter might have trouble catching on.
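The visibility gap described above can be checked against flow logs. The following is an added example (not part of the original article or of any Heimdal product): it separates DNS that a port-53 filter can see from encrypted DNS it cannot. The flow records are constructed, and the resolver list is a small illustrative assumption.

```python
from collections import Counter

# Assumption: a short sample of public resolver IPs that serve DoH on 443.
KNOWN_DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

# Constructed flow records: "src_ip dst_ip dst_port proto".
# 10.0.0.2 plays the internal, filtered resolver; 203.0.113.10 is a web site.
SAMPLE_FLOWS = """\
10.0.0.15 10.0.0.2 53 udp
10.0.0.15 203.0.113.10 443 tcp
10.0.0.22 1.1.1.1 443 tcp
10.0.0.22 203.0.113.10 443 tcp
10.0.0.31 8.8.8.8 853 tcp
10.0.0.31 10.0.0.2 53 udp
"""

def classify_flow(dst_ip: str, dst_port: int) -> str:
    """Label one flow by how DNS would travel over it."""
    if dst_port == 53:
        return "plain-dns"      # visible to a port-53 DNS filter
    if dst_port == 853:
        return "dot"            # DNS over TLS, dedicated port
    if dst_port == 443 and dst_ip in KNOWN_DOH_RESOLVER_IPS:
        return "possible-doh"   # HTTPS to a known DoH resolver
    return "other"              # includes DoH to resolvers not on the list

def summarize(flow_text: str):
    """Return (label counts, sorted hosts whose DNS may bypass the filter)."""
    counts, bypass_hosts = Counter(), set()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip malformed records
        src, dst, port, _proto = parts
        label = classify_flow(dst, int(port))
        counts[label] += 1
        if label in ("dot", "possible-doh"):
            bypass_hosts.add(src)
    return dict(counts), sorted(bypass_hosts)

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

Matching on resolver IPs is only a heuristic: DoH sent to a resolver that is not on the list is indistinguishable here from ordinary HTTPS, which is exactly the blind spot the article describes.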

This is why when choosing a DNS traffic filter provider, you need to make sure that they support DNS over HTTPS correctly. Our Thor Foresight Enterprise solution is currently developing a solid integration of DoH.

How to Implement DNS over HTTPS Correctly in Your Organization

Because the DNS over HTTPS protocol encrypts DNS traffic communications for the first time, it can bring about more privacy and better security for users and organizations.

But because the DoH protocol is still new, some organizations are anxious about adopting it, due to compatibility and implementation issues. Here’s what you need to know in order to ensure a smooth transition to DNS over HTTPS.

Pros to Early Adoption of DNS over HTTPS (DoH):

  • You get to test out how DoH will integrate with your networks ahead of time and fix any potential issues before the DoH protocol becomes default;
  • If implemented right, you can gain more data security and better privacy across your organization;
  • You get to test out the compatibility of DNS over HTTPS with your DNS traffic filter;
  • Your feedback may help all software parties involved better their products, to your benefit.

Cons to Early Adoption of DNS over HTTPS:

  • If your system admin(s) are not experienced with DoH and similar security protocols, this can end up in blocked queries, false-positive security flags and so on;
  • If your DNS traffic filtering solution has not worked to integrate with DoH, this can render it ineffective.

How We Cover DoH within Thor Foresight Enterprise

For the moment, our Thor Foresight Enterprise product (which includes DarkLayer Guard, a market-leading DNS traffic filtering solution) circumvents the DNS over HTTPS which will be implemented by browsers.

While we still use the DNS settings from the operating system, we supplement the queries from the browser. Since the DoH protocol is still being tested in browsers, whenever DNS servers have a fallback, their system will proceed to query the OS settings, which is where our solution comes in.

In the long(er) run, we are working to fully integrate the DoH protocol with DarkLayer Guard in a way which will help every party involved develop stronger cybersecurity and cyber resilience.

Wrapping up

Like any IT innovation, DNS over HTTPS can pose a few challenges at first, until everyone gets aligned with it. But once DoH becomes the standard, the benefits of it will greatly outweigh the difficulties it poses in the beginning.

The post Enabling DNS over HTTPS (DoH): Advantages and Best Practices appeared first on Heimdal Security Blog.

Heimdal™ Security Launches MailSentry™, the Solution against Business Email Compromise (BEC)

When cybersecurity advances made hacking a more expensive illegal pursuit, would-be digital thieves switched to social engineering more and more. As long as they could get insiders to trust them, they could make off with company assets in an easier way than fighting the built-in cyber-defenses. That’s why Business Email Compromise (BEC) attacks have risen so much over the past few years.

Almost every month brings yet more news of successful BEC scams. It’s usually public institutions, like city administrations or hospitals, who get targeted by these scams the most. But businesses also make ripe targets for scammers. On average, a successful BEC scam can cost companies around $59,000 per incident, and from July 2016 to July 2019, the total losses caused by BEC scams surpassed $26 billion, according to FBI’s data.

To answer the need for extra defenses against BEC attacks, Heimdal™ Security launches MailSentry™. MailSentry™ is a cybersecurity module designed to identify and prevent email fraud. Beyond the simple protection you can get from a spam filter, this new product will allow businesses everywhere to elude the paralysis of multiple person approvals and double-checks.

Morten Kjaersgaard, CEO Heimdal Security details:

“MailSentry™ will, at last, be able to secure the final frontier of cyberattacks: fraud which relies on human trust. Businesses can now no longer be preyed on by ruthless imposters or waste valuable time in double-checking and questioning every seemingly legitimate request. With our new MailSentry™ product, we expect to lead the market for all mail fraud technologies. From now on, you can prevent CEO fraud and business email compromise in a single blow dealt to hackers.”

How Will MailSentry™ Work?

MailSentry™ is a specialized add-on to any spam filter already in place. It will pair over 125 vectors to detect fraud attempts and properly flag them. Because it combines email signature scans with word scans in order to detect changed IBAN codes and so on, no suspicious detail will pass unnoticed.

The new MailSentry™ product will be available as part of a personalized Enterprise suite, or as a stand-alone module. With its complex network of vectors, the BEC protection cybersecurity product will automatically detect:

  • Business Email Compromise (BEC)
  • Email-deployed Malware
  • Phishing and Spear Phishing
  • Imposter Threats (Modified Invoices)
  • CEO Fraud and Criminal Impersonation
  • Man-in-the-email and Spoofing Attacks
  • Malicious content in historical emails

With MailSentry™ your business will also receive live monitoring 24/7 by a team specialized in BEC fraud defense. This way, you can detect malicious intent in due time and prevent any costly mistakes.

Raising employee awareness about scams and Business Email Compromise (BEC) is always a good idea, but businesses shouldn’t rely on it. MailSentry™ and its automatic scan vectors will help where human vigilance fails so that scammers won’t stand a chance.

At the same time, its intelligence will be aided by the expertise of the 24/7 specialist team on-call for analyzing suspicious emails. With MailSentry™, you can stand out from your competition by harnessing the capability of innovative technology, coupled with human ingeniousness.

You can read more about MailSentry™ and schedule a free demo HERE.

Note: MailSentry™ will be live and ready to deploy on 31st October 2019.

About Heimdal Security: Heimdal Security is an emerging cybersecurity company, founded in 2014 in Copenhagen by winners of the world ethical hacking competition Defcon CTF. Since then, the company has grown spectacularly, earning awards for both its proactive security suite (Anti-Malware Solution of the Year in 2018) and for its blog, providing intelligence to security outlets worldwide (Most Educational Security Blog in 2016).

The post Heimdal™ Security Launches MailSentry™, the Solution against Business Email Compromise (BEC) appeared first on Heimdal Security Blog.