The Domain Name System (DNS) is a fundamental building block of our online lives. Think of it as the phonebook of the internet, translating human-friendly domain names (like www.example.com) into IP addresses that computers use to communicate with each other.
Protective DNS (PDNS) services intercept DNS queries and apply security policies to them, protecting users from malicious activities. PDNS can block a domain linked in a phishing email, even if the message looks legitimate and tricks someone into clicking the link. This security tactic can also detect compromised devices by identifying unusual communications (such as a device trying to connect to a suspicious domain) and blocking them.
“The attacks are getting better and better,” says David Ratner, the CEO of cybersecurity firm HYAS, a leader in PDNS solutions.
“They’re getting harder and harder to stop, either visually or with user training. And as they’re getting better at getting past Endpoint Detection and Response (EDR) and traditional defenses, it really highlights just how important proactive cyber resiliency and advanced protective DNS solutions are.”
On an “RSAC Fireside Chat” episode of “The Last Watchdog” podcast, Pulitzer Prize-winning business journalist Byron V. Acohido talks to David about how PDNS works and why it’s so fundamental to cybersecurity.
In cybersecurity, “command and control” (C2 or C&C) refers to the communication channels that cybercriminals use to control compromised devices within a network. These channels allow attackers to issue commands, exfiltrate data and coordinate malicious activities.
David estimates that over 93% of all malware uses DNS as its mechanism to establish and leverage a C2 channel. “If you think about how an attack works — it doesn’t matter if it’s a supply chain attack or insider risk, or if they crack a password or whatever,” David explains, “once the bad actors gain a foothold inside the organization, the first step in that attack is generally beaconing out to command and control for instructions: I’m alive, what do you want me to do? Where do you want me to go?”
Most cybersecurity companies gather lists of malicious domains and use them to manage traffic. However, HYAS solutions can recognize the patterns that suggest a command and control infrastructure and block the domains from which they originated before bad actors can cause any damage.
“As attacks evolve, they are going to get more sophisticated, but they still all rely on being able to communicate with a piece of infrastructure the organization should not be communicating with. They all still use DNS."
HYAS gathers data directly from authoritative sources on the Internet. Some of our IP is in exclusive or private data sources, which are combined with commercial and open-source data. But HYAS’ secret sauce is “how that’s assembled into a graph database,” says David. “And how we build the connections between the nodes in that graph database — and how we map what has happened, to what is happening, to what will happen.”
HYAS can do that partly because the company has access to data others don’t have, “which allows us to build connections in that graph database that other people can’t build,” David explains.
That’s because HYAS has a set of proprietary algorithms that map any new piece of infrastructure and put it into the graph database so analysts can understand everything it touches.
“That’s the way you build connections and linkages between nodes,” David explains. “The game is to understand every single piece of infrastructure on the internet, and what’s going to be used as command and control in the future so that you can block it now.”
Check out the Award-Winning HYAS Protect Protective DNS for more details!
More than ever (and more easily than ever), cybercriminals can use generative AI to improve their targeting and hone their phishing emails.
“Oftentimes the bad actor is in a foreign country, and maybe English isn’t their first language,” David notes. “Two years ago, in a phishing email, or in a submission on your mobile device, you’d be able to recognize that it was not proper English.”
But the use of large language models (LLMs) has allowed non-native English speakers, and those who know no English at all, to create messages in perfect English — in record time — that target victims in the U.S. and beyond.
However, no matter how well-written or well-targeted a phishing email may be, the sender is still trying to get the recipient to click on a link that takes them to an unsafe domain.
“As attacks evolve, they are going to get more sophisticated, but they still all rely on being able to communicate with a piece of infrastructure the organization should not be communicating with. They all still use DNS,” David says.
Today, they might use Microsoft Teams or Azure (which support remote work and virtual machines, respectively — but still rely on DNS queries) rather than traditional domains, and that’s just the tip of the iceberg.
“Every single device we have still uses DNS — whether it’s the smart coffee pot an employee brings into the office or the printer. They all use DNS,” David explains. “It’s the common protocol every single device uses for communication. That’s why it’s so popular. If 10 years from now, there’s a set of different protocols, protective DNS will simply expand to be looking at those other protocols as well.”
Four years ago, protective DNS was already a key cybersecurity measure, “but it wasn’t front and center,” David says.
But after the pandemic sparked a remote-work revolution, PDNS “was almost viewed as a requirement in the 2021 CISA [report on routinely exploited vulnerabilities,” he notes. “And the NSA published its memo on selecting a protective DNS service, that concluded, ‘You should go get protective DNS’ — and then later made it part of their Shields Up initiative.”
Now, cyber insurance carriers ask organizations they cover whether they have PDNS. Even the White House has publicized the importance of designing our systems to be resilient. Advanced PDNS is now coming into its own.
People are realizing that it’s a critical part of how to get proactive against threats they don’t yet even understand,” David says.
“As attacks evolve, they’re going to get more sophisticated, but they still all rely on being able to communicate with a piece of infrastructure that an organization should not be communicating with.”
By integrating advanced PDNS, organizations can not only fortify their defenses but also enhance their resilience against emerging threats. Proactive defense is crucial to stay ahead of attackers and enable security teams to identify and mitigate risks before they escalate.
Emphasizing these strategies ensures a robust, adaptive security posture in unpredictable times. That’s as close to future-proofing we can get.
Try HYAS Insight Intel Threat Intelligence Feed - Organizations can get actionable intelligence on adversary infrastructure FREE!
Register here
Try HYAS Protect At Home - FREE enterprise-grade protective DNS for your home network.
Register here
Are you ready to protect your growing business from cyber threats? Get in touch with HYAS today.