HYAS Blog

Using Proactive Intelligence Against Adversary Infrastructure

Written by David Ratner | February 7, 2024
  • Organizations cannot keep every bad actor from breaching their perimeter: attackers will always find a way in. But that doesn’t mean that organizations can’t still make themselves resilient against cyber attacks and address their digital risk.
  • Germany-based independent security evaluators AV-TEST found that HYAS Protect Protective DNS is the most effective operational resiliency solution on the market today to drive business continuity and continued operations.
  • Only with a pioneering and proven approach to cybersecurity will organizations be able to get proactive and defend themselves against both today’s and tomorrow’s attacks: Protective DNS — combined with an understanding of adversary infrastructure — integrated into the overall security-in-depth approach.

There’s a simple answer as to why the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) recommend protective DNS (PDNS) solutions as part of their Shields Up initiative and the Department of Defense (DoD) requires it as a prerequisite for Maturity Level 3 in the Cybersecurity Maturity Model Certification (CMMC) standard (SC.3.192).

There will always be breaches, but they needn’t lead to the fallout that continues to impact major corporations and governments across the globe. To effectively combat the inevitable, businesses need a paradigmatic shift in how cyberthreats are viewed and treated. Understanding adversary infrastructure and combining it with protective DNS is the key to ensuring that organizations do everything they can to get proactive against threat actors and drive true business and operational resiliency. In line with this, the German security evaluator AV-TEST independently established HYAS as the most effective DNS protection on the market.

They Won’t Be Kept Out: Look for Digital Exhaust Instead

To proactively drive operational and business resiliency, organizations shouldn’t be asking if they will be able to keep bad actors from breaching their defenses. While businesses’ entire security stacks do matter, it’s impossible to stop all nefarious activity beforehand. Cybercriminals will always be looking for (and will find) ways inside.

But that doesn’t mean game over. Protective DNS (PDNS) solutions arm companies with the tools they need to identify “digital exhaust”: the telltale signs and traces of activity signaling the first signs of an active breach. These are the signs that threat actors have breached the network and are beaconing out to adversary infrastructure for instructions, data exfiltration, or other attack advancement.

Combining PDNS with a deep understanding of how threat actors communicate and execute cyber attacks is the key to effectively combating them. Without this understanding, businesses remain one step behind, relying on outdated allow-and-deny lists of where to go yesterday — not today.

Consider:

    • The log4j attack was difficult to detect and stop based on traditional log-file analysis. But in the wake of the attack, many chief information security officers (CISOs) realized that PDNS was the answer to early detection and resiliency against similar attacks simply because log4j was surprisingly easy to detect at a DNS level.
    • The SolarWinds Sunburst attack involved a dormancy period of 15 days before the “digital spy” woke up to communicate with the command and control (C2) to take instructions. A PDNS system which knew in advance that the infrastructure it beaconed out to was nefarious would have rendered the attack inert and stopped it in its tracks before it ever got started.
    • How many times have you heard “the bad actor was inside the network for 100+ days undetected?” During all that time, there was communication between the bad actor inside the network and their adversary infrastructure – this is exactly the digital exhaust that a well-tuned and highly effective PDNS system will detect, alert on, and stop.

The only way to stay safe is to know what communication is occurring, to what destination and how often, and to compare that activity against a complete understanding of adversary infrastructure. Threat intelligence isn’t just a reactive post-incident response. Proactivity means knowing what will be used as C2 before the attack is ever launched, so even a net-new technique and attack can be stopped before it causes damage.
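The two checks described above, knowing which destinations are being resolved and how often, and comparing them against known adversary infrastructure, as an added Python illustration. This is not HYAS code or product logic: the feed entries, the resolver log lines, the `.test` names and the jitter threshold are all constructed for the example. It shows the listed-destination block alongside the cadence heuristic that catches a beacon to a name no list has seen yet.

```python
"""Constructed protective-DNS triage over resolver query logs.

Added illustration, not HYAS code: the feed, the log lines and the
thresholds below are all made up. It answers the two questions the text
raises about outbound DNS: is the destination known adversary
infrastructure (block it), and does the query cadence look like a
beacon even when the name is not yet on any list (alert on it).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed adversary-infrastructure feed. A feed entry covers the
# listed name and everything beneath it. Placeholder names, not real IoCs.
KNOWN_C2 = {"update-check.example-c2.test", "evil-apex.test"}

# Constructed resolver log: "<ISO timestamp> <client> <qname> <qtype>".
# 10.0.0.23 resolves the same unlisted name every five minutes.
SAMPLE_LOG = """\
2024-02-07T09:00:00 10.0.0.15 www.example.com A
2024-02-07T09:00:00 10.0.0.23 beacon.example-c2.test A
2024-02-07T09:02:11 10.0.0.15 mail.example.com A
2024-02-07T09:03:40 10.0.0.15 www.example.com A
2024-02-07T09:05:00 10.0.0.23 beacon.example-c2.test A
2024-02-07T09:10:01 10.0.0.23 beacon.example-c2.test A
2024-02-07T09:15:00 10.0.0.23 beacon.example-c2.test A
2024-02-07T09:20:00 10.0.0.23 beacon.example-c2.test A
2024-02-07T09:31:09 10.0.0.15 update-check.example-c2.test A
2024-02-07T09:33:50 10.0.0.42 files.evil-apex.test. A
2024-02-07T09:45:12 10.0.0.15 docs.example.com A
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _qtype = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip(".")))
    return records


def matches_feed(qname, feed):
    """True if qname or any of its parent domains is in the feed."""
    labels = qname.split(".")
    # Check every suffix with at least two labels (host, zone, ... down to apex).
    return any(".".join(labels[i:]) in feed for i in range(len(labels) - 1))


def beaconing_candidates(records, min_queries=4, max_jitter=0.1):
    """Flag (client, qname) pairs whose queries arrive at near-constant
    intervals: repeated lookups of one name with tiny spread in the gaps."""
    series = defaultdict(list)
    for ts, client, qname in records:
        series[(client, qname)].append(ts)
    found = []
    for (client, qname), stamps in sorted(series.items()):
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Coefficient of variation of the inter-arrival gaps; an implant
        # with a fixed sleep produces a value near zero.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            found.append((client, qname, round(period)))
    return found


def evaluate(records, feed):
    """Return per-query verdicts ('block' for feed hits, else 'allow')
    and the list of beaconing alerts that need analyst attention."""
    verdicts = []
    for ts, client, qname in records:
        action = "block" if matches_feed(qname, feed) else "allow"
        verdicts.append((ts.isoformat(), client, qname, action))
    return verdicts, beaconing_candidates(records)


if __name__ == "__main__":
    verdicts, alerts = evaluate(parse_log(SAMPLE_LOG), KNOWN_C2)
    for v in verdicts:
        if v[3] == "block":
            print("BLOCK", *v[:3])
    for client, qname, period in alerts:
        print(f"ALERT beacon-like: {client} -> {qname} every ~{period}s")
```

On the constructed log this blocks the two feed hits and raises one alert for `10.0.0.23`, which resolves `beacon.example-c2.test` every 300 seconds although that name is on no list. The cadence check is deliberately simple (coefficient of variation of the gaps); a production resolver would also weight by query volume, name age and resolution results, and the threshold shown here is a made-up starting point, not a tuned value.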

Enter AV-TEST: Independently Proven Results for PDNS Efficacy

Understanding threats alone isn’t enough. We need to prove that solutions can actually be effective. Germany-based independent security evaluator AV-TEST began by testing antivirus software (hence the name) and grew to test the various and ever more sophisticated security solutions seen on the market today.

AV-TEST has proprietary mechanisms for understanding and scoring security solution efficacy. Cybersecurity vendors themselves may construct test frameworks that artificially bolster their results, which is why independent third-party testing is crucial in demonstrating accurate results.

The organization has tested multiple PDNS solutions, including HYAS Protect. Prior to the HYAS test, the top solution was around 50% effective as a standalone option and technologists could boost it up to 70% when layered on top of other products.

But this was before AV-TEST had tested a security solution based on understanding adversary infrastructure. The test focused on the detection rate of links pointing to portable executables (PEs) such as malware .exe files, non-PE (including HTML and JavaScript) malicious files and phishing URLs. In all cases, the score was over 80% and in some cases, closer to 90%. The false positive rate hovered around 2.5%.

This independent test conclusively proves HYAS Protect is the most effective form of protection and resilience against cyber threats today. It’s also quickly deployable within a matter of minutes and, depending on the organization’s architecture, can be integrated into existing endpoint detection and response (EDR) solutions, extended detection and response (XDR) solutions, firewalls, and other components.

Pioneering a New Approach to Cybersecurity

Existing protection solutions are not a bad thing — they are actually necessary components of the overall stack. The same goes for EDR, XDR and managed detection and response (MDR). The critical thing to remember is that a security stack without the right kind of PDNS isn’t sufficient to drive true operational resiliency, especially as the likelihood of breaches will always be high.

Effective PDNS needs not just to work independently but also to integrate easily into pre-existing stacks and components, both to ensure it works as part of a “security in depth” strategy and to ensure it is future-proof as the architecture changes. Combined with adversary infrastructure understanding, enterprises finally have a powerful intelligence-based weapon to help them get proactive against cyber threats.

The future isn’t about blocking every single attack. It’s about taking a completely different approach of understanding and utilizing an adversary infrastructure platform to change cybersecurity paradigms that aren’t working into those that do. Only in this way can organizations realize their operational and business resiliency goals against all forms of digital risk.

Rethink cybersecurity: Understand adversary infrastructure and counter DNS as a tried-and-true attack vector for threat actors. Contact us today to learn how HYAS can help your organization transition from reactive and defensive to proactive and offensive.