HYAS Blog

Achieving Cyber Resiliency With Protective DNS

Written by Dan White | December 2, 2024
  • DNS (Domain Name System) is the basis for how devices find and communicate with each other over the internet. Any cyberattack requires a connection from the targeted system to the hacker’s command-and-control domain.
  • A protective DNS (PDNS) system blocks malicious and suspicious domain names and IP addresses. Traditionally, blocking required a static list, but modern PDNS solutions can identify malicious domains dynamically.
  • HYAS Protect delivers cyber resiliency by analyzing device telemetry, comparing it against the unique infrastructure intelligence in the HYAS Adversary Infrastructure Platform, and blocking malicious connections. Businesses also gain insights into their network’s specific vulnerabilities and anomalies that may present future threats, as well as key intelligence into how their business operates.

Most burglars inspect and observe their targets before executing a heist. They check for security systems, guard dogs, and the best points of access. Perhaps not surprisingly, hackers and cyber criminals often operate the same way.

While Hollywood depicts cyber attackers breaching an organization and causing damage with just a few taps on a keyboard, in reality hackers usually want to stay undetected for several days or longer once they’ve breached a network — as opposed to immediately hijacking the system with ransomware. This quiet period is called “dwell time,” and it allows the hackers to assess the target environment’s structure, databases, and vulnerabilities, explore the organization, and identify valuable troves of data.

It’s also an ideal time to detect an intrusion and prevent it from causing real damage. If a criminal really wants to break into your network, usually they will succeed. But that doesn't mean that their attack needs to be effective, or cause you financial or other pain.

The primary way of mitigating these cyberattacks-in-waiting is through protective DNS, because the attacker needs to be communicating with their command-and-control during this time. When the security system detects a request to malicious infrastructure outside the network, it can block the communication before the breach turns into damage. Here’s how it works.

The Internet’s Phone Book

The domain name system (DNS) dates back to the early 1980s, in the pioneering days of personal computers. Similar to a phone book, the DNS is a directory of how to contact every device, website or service on the internet through its IP address.

Unfortunately, DNS wasn’t designed with cybersecurity in mind. Over the last two decades, bad actors have developed ways to exploit DNS traffic — including through domain spoofing techniques that include sophisticated phishing scams — to illegitimately gain access to a system. 

But the use of DNS goes both ways. While bad actors can infiltrate a network through manipulation of DNS records, security systems can use DNS traffic to locate an attacker.

The Need for Real-Time Analysis

Security firms routinely flag known malicious domains, but the updates can’t come fast enough. While threat actors used to sit comfortably inside a network for months before triggering an attack, the median ransomware dwell time is now less than a week. That’s not enough time for systems to keep their lists current – relying on list updates is a cat-and-mouse game that cannot be won, as the attackers will always be one step ahead.

If you’re relying on different feeds from different vendors to identify malicious domains, then you’re going to miss all of those that nobody submitted yet, or worse, that no one else knows about yet. Of course, no one wants to discover a new malicious domain by experience. The point of DNS monitoring is to spot communication with adversary infrastructure before an attack progresses. Maintaining this advantage requires an advanced telemetry analysis.

How? HYAS relies on its unique infrastructure intelligence, captured and continually updated in the HYAS Adversary Infrastructure Platform, combined with pattern recognition. By looking at IP addresses, registered users, name services, malware hashes and other identifying characteristics, HYAS can dynamically block domains whose profiles resemble known malicious infrastructure, or that are otherwise related to known malicious IOCs encapsulated in the graph database that underpins the HYAS Adversary Infrastructure Platform. In many ways, this is the better-safe-than-sorry approach: if telemetry flags a domain that may be weaponized in the future, it’s safest to stop traffic to it now, so that not even the initial command-and-control communications succeed once the bad actors deploy their attack.
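As an added illustration of the difference between a static blocklist and the dynamic, infrastructure-based blocking described in this section and in "Here's how it works" above, the following Python sketch is not HYAS's code and does not reproduce HYAS Protect's algorithm; the IOC graph, domain names, IPs, nameservers, registrant names, weights and threshold are all invented placeholders. It keeps a static list, but also scores a never-seen domain by how much of its infrastructure it shares with known-bad IOCs and blocks it when the overlap is strong enough:

```python
"""Toy protective-DNS decision logic: a static blocklist plus a dynamic score
built from infrastructure overlap with known-bad IOCs.
Constructed example: every domain, IP, nameserver, registrant and weight below
is an invented placeholder, not HYAS data or HYAS Protect's algorithm."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class DomainProfile:
    """Attributes a resolver could look up for a domain (constructed shape)."""
    name: str
    ips: FrozenSet[str]
    nameservers: FrozenSet[str]
    registrant: Optional[str] = None


# Constructed IOCs: domains already confirmed malicious, with their infrastructure.
KNOWN_BAD: List[DomainProfile] = [
    DomainProfile("c2-alpha.example", frozenset({"203.0.113.10"}),
                  frozenset({"ns1.bad-host.example"}), "actor-x"),
    DomainProfile("c2-beta.example", frozenset({"203.0.113.11"}),
                  frozenset({"ns1.bad-host.example"}), "actor-x"),
]
# The traditional static list is just the confirmed names.
STATIC_BLOCKLIST: Set[str] = {p.name for p in KNOWN_BAD}

# How much each kind of shared attribute contributes to the score (constructed).
WEIGHTS = {"ip": 0.5, "ns": 0.3, "registrant": 0.4}


def _attributes(p: DomainProfile) -> List[Tuple[str, str]]:
    """Flatten a profile into (kind, value) pairs used as graph nodes."""
    attrs = [("ip", ip) for ip in p.ips] + [("ns", ns) for ns in p.nameservers]
    if p.registrant:
        attrs.append(("registrant", p.registrant))
    return attrs


def build_ioc_graph(known_bad: List[DomainProfile]) -> Dict[Tuple[str, str], Set[str]]:
    """Index attribute node -> known-bad domains attached to it.
    Pivoting from a node to its neighbours is the graph lookup the text describes."""
    graph: Dict[Tuple[str, str], Set[str]] = {}
    for p in known_bad:
        for node in _attributes(p):
            graph.setdefault(node, set()).add(p.name)
    return graph


def similarity_score(profile: DomainProfile, graph) -> Tuple[float, List[str]]:
    """Add a weight for every attribute the candidate shares with known-bad
    infrastructure; cap at 1.0 and return the supporting evidence."""
    score, reasons = 0.0, []
    for kind, value in _attributes(profile):
        linked = graph.get((kind, value))
        if linked:
            score += WEIGHTS[kind]
            reasons.append(f"{kind}={value} shared with {sorted(linked)}")
    return min(score, 1.0), reasons


def decide(profile: DomainProfile, graph, threshold: float = 0.6) -> Tuple[str, List[str]]:
    """'block' on a static hit, otherwise when the dynamic score reaches the threshold."""
    if profile.name in STATIC_BLOCKLIST:
        return "block", ["static blocklist hit"]
    score, reasons = similarity_score(profile, graph)
    verdict = "block" if score >= threshold else "allow"
    return verdict, reasons + [f"score={score:.2f}"]


if __name__ == "__main__":
    g = build_ioc_graph(KNOWN_BAD)
    # Never-seen domain on a fresh IP, but same nameserver and registrant as the IOCs.
    suspect = DomainProfile("c2-gamma.example", frozenset({"203.0.113.12"}),
                            frozenset({"ns1.bad-host.example"}), "actor-x")
    print(decide(suspect, g))
```

The point of the sketch is the `c2-gamma.example` case: it is on no list and has its own IP, so a static blocklist passes it, yet it shares a nameserver and registrant with confirmed IOCs and is blocked on that basis. The weights and threshold are where the better-safe-than-sorry trade-off lives; a lower threshold blocks earlier at the cost of more false positives, so the reasons list is kept so an analyst can review each verdict.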

Current PDNS Solutions

Foundationally, protective DNS is a proactive cybersecurity approach. It assesses the risk profile of a domain outside of an organization’s network and uses multiple detection mechanisms and rule sets to correlate vast amounts of data for dynamic and accurate results.

But effective PDNS tools don’t just block malicious infrastructure and communications. They also give a picture of security health across the network. For example, reporting tools can show an organization’s riskiest users in terms of domain requests, or identify third-party platforms that were correctly or even falsely flagged. Additionally, top PDNS services offer integrations with other security controls, including endpoint detection and response platforms.

When talking about endpoint DNS requests, most people think of user-driven traffic such as clicking a link or entering a URL into a web browser. But applications also drive DNS traffic, and in the age of the Internet of Things (IoT) and operational technology, it’s increasingly necessary to monitor device beaconing. Attackers may infiltrate your network through the printer, internet-connected coffee pot, or the next brand-new smart device that gets access to the corporate network.

Modern PDNS solutions, such as HYAS Protect, provide visibility into where all devices, including IoT and smart devices, are trying to communicate. Reviewing this data can detect any anomalies or potential network vulnerabilities before bad actors can exploit them, and can provide key insights into overall organizational risk.
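To make concrete the kind of review the preceding paragraphs describe (riskiest devices by blocked requests, and device beaconing that user-driven traffic would never show), here is an added Python example. It is not HYAS Protect's code or log schema; the log format, device names, domains and thresholds are constructed for the example. It reads resolver telemetry, ranks devices by blocked queries, and flags device/domain pairs that query at a near-constant interval, the rhythm an implant or a misbehaving IoT device tends to produce:

```python
"""Mine DNS resolver telemetry for two report items: the devices with the most
blocked requests, and beacon-like query rhythms from devices such as printers
and IoT gadgets.
Constructed example: the log format, hostnames and thresholds are invented
placeholders, not HYAS Protect's log schema or reporting logic."""
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed resolver log: "<ISO timestamp> <source device> <queried name> <verdict>".
SAMPLE_LOG = """\
2024-12-02T08:00:00Z printer-3f beacon.bad-host.example allow
2024-12-02T08:01:00Z printer-3f beacon.bad-host.example allow
2024-12-02T08:02:00Z printer-3f beacon.bad-host.example allow
2024-12-02T08:03:00Z printer-3f beacon.bad-host.example allow
2024-12-02T08:04:00Z printer-3f beacon.bad-host.example allow
2024-12-02T08:00:12Z laptop-a www.example.com allow
2024-12-02T08:03:40Z laptop-a mail.example.com allow
2024-12-02T08:05:02Z laptop-a c2-alpha.example block
2024-12-02T08:00:30Z coffee-iot c2-beta.example block
2024-12-02T08:07:30Z coffee-iot c2-beta.example block
2024-12-02T08:21:30Z coffee-iot c2-beta.example block
2024-12-02T08:10:00Z laptop-b www.example.com allow
"""

Record = Tuple[datetime, str, str, str]  # (when, device, qname, verdict)


def parse_log(text: str) -> List[Record]:
    """Parse whitespace-separated lines; skip blank or malformed ones."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        records.append((when, parts[1], parts[2], parts[3]))
    return records


def riskiest_devices(records: List[Record], top: int = 3) -> List[Tuple[str, int]]:
    """Rank devices by number of blocked queries, most first."""
    counts = Counter(dev for _, dev, _, verdict in records if verdict == "block")
    return counts.most_common(top)


def detect_beacons(records: List[Record], min_queries: int = 4,
                   max_jitter_s: float = 5.0) -> List[Tuple[str, str, float, float]]:
    """Flag (device, qname) pairs queried at a near-constant interval.
    Returns (device, qname, mean_interval_s, jitter_s) regardless of verdict, so a
    domain no list has caught yet still surfaces through its rhythm."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for when, dev, qname, _ in records:
        by_pair[(dev, qname)].append(when)
    hits = []
    for (dev, qname), times in by_pair.items():
        if len(times) < min_queries:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = statistics.pstdev(gaps)  # 0.0 means a perfectly regular clock
        if jitter <= max_jitter_s:
            hits.append((dev, qname, statistics.mean(gaps), jitter))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("riskiest devices:", riskiest_devices(recs))
    print("beacon-like pairs:", detect_beacons(recs))
```

In the constructed log, `coffee-iot` tops the blocked-request ranking, but the more interesting finding is `printer-3f`: every one of its queries was allowed because the domain was on no list, and it surfaces only because it asks for the same name every 60 seconds. Legitimate update checkers beacon too, so a hit like this is a lead for an analyst to confirm against the domain's infrastructure rather than an automatic block.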

Evolving Threats and the Future of PDNS

No matter how well a network is protected, there are always cracks in the armor. Cyber resiliency requires security-in-depth and the ability to detect and respond to threats at various layers. Criminals may evade the first or even a second line of defense, so we need to detect successful breaches and stop them before they explore the organization, exfiltrate data, and become a major attack.

Large language models (LLMs) will inevitably take center stage in the future of cybersecurity. Already, bad actors can use artificial intelligence to deliver dramatically improved phishing emails or, worse, help write code that bypasses security system safeguards. LLMs are capable of generating polymorphic malware — basically, code that changes its appearance and “signature” while keeping the same outcome. It’s the computerized equivalent of ordering “six of one, half a dozen of the other” — the expressions look different but yield the same result.

Fully autonomous polymorphic malware is difficult to detect and defend against. We know because we built a proof of concept to test against our counteractive measures. LLMs open the door to intelligent, creative, and self-repairing malware that can adapt strategically and evade traditional detection mechanisms.

Even as this technology evolves, one thing hasn’t changed since the invention of the internet: malware still has to make DNS requests to communicate with the attacker’s infrastructure. By inspecting requests and traffic flows, and by monitoring for unusual connections or data transfers, PDNS systems can use telemetry to flag malware indicators, even if the code and the attack itself are constantly changing.

Cyber criminals will continuously find new ways to infiltrate networks, but those breaches can be rendered ineffective when identified early. Assuming you can stop all attacks at the organization’s boundary is a recipe for disaster, and there’s never been a better time to deploy a PDNS solution like HYAS Protect.

Are you ready to protect your growing business from cyber threats? Get in touch with HYAS today.