DNS Security: A Must-Have Under NIS2

Written by Craig Sanderson, Principal Cyber Security Strategist at Infoblox
On 14 December 2022, the European Commission published “Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union,” otherwise known as the NIS2 Directive. This directive is the EU’s update to the Network and Information Systems Directive (NIS), aimed at strengthening cybersecurity across the EU by setting higher standards for security in essential and important sectors.
The NIS2 Directive focuses on enhancing the resilience of critical infrastructure and improving the ability of EU member states to respond to cybersecurity incidents. It has a broad reach and significant impact on both EU and non-EU entities, applying to a wider range of sectors, including digital infrastructure, healthcare, energy, transportation, and critical public services. Additionally, it expands coverage to include not just essential services but also medium and large entities in critical sectors, including digital services and suppliers of key technologies.
17 October 2024 marked the deadline for EU Member States to implement NIS2 into national law. The European Commission has adopted the NIS2 Implementing Regulation, which sets out in further detail some of the technological requirements that entities subject to NIS2 are expected to comply with. The requirements of the Implementing Regulation form the baseline of compliance across the EU, and we expect them to be supplemented with further technical details and guidance in the coming months.
Of particular relevance to legal, compliance and cybersecurity practitioners working for entities subject to NIS2 are the requirements of the Implementing Regulation on DNS security. Article 6(7) of the Implementing Regulation requires that “the relevant entities shall . . . apply best practices for the security of the DNS”. The European Union Agency for Cybersecurity (ENISA) will help define what constitutes “best practice for the security of the DNS” and we look forward to collaborating with them in that endeavour.
Infoblox has been providing DNS and DNS security solutions for over 25 years and has performed countless DNS health and security assessments in organisations across the globe. Based on our experience, we expect the best practices to focus on three key areas:
- Securing the DNS Platform
- Securing the DNS Protocol and
- Implementing DNS as a Cyber Security Control
Cybersecurity regulations are increasingly focused on operational risk and digital resiliency. This includes the resiliency and availability of critical infrastructure. DNS is a foundational networking service which users and applications rely on. Any loss of service due to denial-of-service attacks or even misconfiguration can have devastating consequences. It is expected that NIS2, like other regulations, will focus heavily on ensuring that regulated entities have a robust and resilient DNS architecture that is accounted for in business continuity plans and processes.
In Infoblox’s experience, many organisations have not proactively assessed the robustness of their DNS deployments, leaving them exposed to significant operational and cybersecurity risks. Regulated entities are likely to need to undertake a DNS architecture assessment to address risks such as insufficient patch management or architecture resiliency before instituting processes to proactively maintain the DNS infrastructure.
As highlighted by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), DNS is widely abused by threat actors to facilitate a broad range of attacks, from ransomware to phishing. DNS deployed without appropriate security protections has proven to be an effective channel for exfiltrating data out of networks, as most cyber security infrastructure allows DNS traffic through in order to facilitate web browsing.
Similarly, threat actors know that phishing campaigns targeting an organisation’s employees, or even its consumers, have a far greater success rate when they use “lookalike” domains that impersonate the brand. As a result, failing to secure public-facing domains, or to register those that users expect the organisation to own, can have devastating consequences. Infoblox research suggests that organisations of all sizes are being targeted, with Infoblox detecting 25,000 new lookalike domains every week.
Given the prevalence of threat actor abuse of the DNS protocol and domains, it is widely expected that NIS2 and other regulations will drive regulated entities to formalise a strategy and process to secure their external-facing, authoritative domains.
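As an added illustration of monitoring for the lookalike domains described above (example code, not from Infoblox or the original article), the sketch below classifies newly observed domains against a protected brand label. The brand, the owned zone, the small substitution table and the observed domains are all constructed assumptions.

```python
# Added example: brand, owned zones and observed domains are constructed.
BRAND = "examplebank"
OWNED = {"examplebank.com"}

DIGIT_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
PAIR_FOLD = (("rn", "m"), ("vv", "w"))


def skeleton(label):
    """Fold common look-alike substitutions and hyphens to a canonical form."""
    folded = label.lower().translate(DIGIT_FOLD)
    for src, dst in PAIR_FOLD:
        folded = folded.replace(src, dst)
    return folded.replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand=BRAND, owned=OWNED):
    """Return 'owned', 'lookalike' or 'unrelated' for one observed domain."""
    domain = domain.lower().rstrip(".")
    # Match owned zones on a label boundary so their subdomains are not flagged.
    if any(domain == zone or domain.endswith("." + zone) for zone in owned):
        return "owned"
    target = skeleton(brand)
    for label in domain.split(".")[:-1]:  # every label except the TLD
        folded = skeleton(label)
        # Brand embedded in a longer label, or within one edit of the brand.
        if target in folded or edit_distance(folded, target) <= 1:
            return "lookalike"
    return "unrelated"


def flagged(domains):
    """Return only the domains classified as lookalikes, in input order."""
    return [d for d in domains if classify(d) == "lookalike"]


OBSERVED = ["www.examplebank.com", "examp1ebank.com", "exarnplebank.net",
            "examplebank-login.org", "exanplebank.com",
            "examplebank.com.attacker.example", "weather.example"]
```

The substring test suits a long brand label like this one; a short brand would need a stricter rule to avoid false positives, and internationalised (punycode) names are not handled here.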
According to U.S. cybersecurity official Anne Neuberger, “using secure DNS would reduce the ability for 92% of malware attacks … from a command-and-control perspective, deploying malware on a given network.” Given that DNS platforms have, in effect, a front-row seat to what malware is operating on a network it seems logical to integrate DNS into any cybersecurity defence strategy.
Protective DNS refers to a DNS service that intercepts requests from clients to resolve malicious DNS domains. By using threat intelligence optimised for DNS platforms, it provides a highly scalable and pervasive security control that is simple to deploy and based on the industry-recognised DNS standard.
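The per-query decision a protective DNS resolver makes can be sketched as follows. This is an added example, not code from Infoblox or any PDNS service: the feed zones, the local allow override, the log format and the choice of NXDOMAIN as the block response are assumptions, and the sample log lines are constructed.

```python
# Added example: feed entries, client IPs and query log lines are constructed.
BLOCKED_ZONES = {"malware-c2.example", "phish-login.example"}
ALLOW_OVERRIDES = {"safe.phish-login.example"}  # assumed local exception list


def normalise(qname):
    """Lower-case and strip the trailing root dot so comparisons are canonical."""
    return qname.strip().lower().rstrip(".")


def matched_zone(qname, zones):
    """Return the listed zone that equals qname or is a parent of it, else None."""
    labels = normalise(qname).split(".")
    # Walk from the full name towards the TLD, always cutting on a label boundary.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def decide(qname):
    """Return (action, zone); 'block' is modelled here as answering NXDOMAIN."""
    if matched_zone(qname, ALLOW_OVERRIDES):
        return ("allow", None)
    zone = matched_zone(qname, BLOCKED_ZONES)
    return ("block", zone) if zone else ("allow", None)


def triage(log_lines):
    """Map each client IP to the blocked zones it tried to resolve."""
    hits = {}
    for line in log_lines:
        client, qname, _qtype = line.split()
        action, zone = decide(qname)
        if action == "block":
            hits.setdefault(client, set()).add(zone)
    return hits


SAMPLE_LOG = [  # constructed lines: "<client-ip> <qname> <qtype>"
    "10.0.4.17 www.example.org. A",
    "10.0.4.17 beacon.Malware-C2.example. TXT",
    "10.0.9.3 notmalware-c2.example A",
    "10.0.9.3 safe.phish-login.example AAAA",
    "10.0.9.3 portal.phish-login.example A",
]
```

Matching on label boundaries keeps `notmalware-c2.example` from being blocked by a naive suffix comparison, and the per-client summary from `triage` is what turns the block list into a detection signal for incident response.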
The UK National Cyber Security Centre’s service, much like the US government’s PDNS version operated by CISA, has become a core pillar in government cyber security strategy. With the DNS4EU initiative in the European Union, the use of Protective DNS has become an accepted DNS best practice, already adopted not only by governments but also by public and private sector organisations.