Cybersecurity professionals have always needed to keep up with cyber attackers. Bad actors constantly change their tactics, techniques, and procedures (TTPs) to stay one step ahead of being caught. Trying to understand each new one means that professionals are always one step behind the criminals. Simply put, we cannot rely on the same old protection methodology to deal with modern, experienced, and well-financed cyber criminals.
At HYAS, we believe we need to level the playing field. Having a fundamental expertise in adversary infrastructure better enables organizations to protect themselves against cyber threats.
If the Domain Name System (DNS) is the internet’s phonebook, protective DNS redefines the problem of how to stop an increasing number of threats by stopping the communication that facilitates them.
However bad actors break into enterprises, they can and should be stopped long before the damage is done. This is the basic tenet of operational and business resiliency. Protective DNS is the answer for all comprehensive modern cybersecurity solutions, regardless of organizational size, that are looking for the confidence to move their organization forward and address all forms of digital risk.
Regardless of how bad actors break into enterprises — be it spear-phishing employees, supply chain attacks, via insiders or password cracking — malware needs instructions. Malware communicates with C2 to receive instructions, perform privilege escalation, move laterally around the organization, exfiltrate or even encrypt data.
DNS is the system that translates the domain names we type into browsers into IP addresses. The internet as we know it wouldn’t be possible without allowing the distributed creation of new domains, and thus DNS addresses.
But DNS is a double-edged sword: Anyone can freely create new domains, including those who do so for malicious reasons. When a bad actor creates or deploys malware in a network, there’s significant infrastructure (command-and-control, or C2) behind the intrusion.
Malware must communicate with command-and-control (C2) for instructions; phishing communicates with the illegitimate domain that is impersonating the legitimate one. Even a man-in-the-middle attack requires adversary infrastructure. That means whoever is behind the attack had to create a domain in advance. This domain needs a DNS record to be routable on the Internet and ensure that wherever in the world the bad actor gains a foothold, communication can be established back to it.
Threat actors never stop evolving. The last five years alone have exposed the breadth of techniques hackers deploy and we’re constantly seeing new ones develop. But fundamentally, cyber attacks still rely on DNS and communication with C2 to feed instructions to and receive information from malware roaming freely inside systems.
Regardless of how bad actors break into enterprises — be it spear-phishing employees, supply chain attacks, via insiders or password cracking — malware needs instructions. Malware communicates with C2 to receive instructions, perform privilege escalation, move laterally around the organization, exfiltrate or even encrypt data.
The aim is to see this communication early, gaining a significant advantage over threat actors, and stopping the attack before it gets started. It’s not about the content of the communications — it’s simply that these communications are going on. You don’t need to know the conversation topic if you know the communication is with a nefarious destination. You just need to know how to stop it, and render the attack inert.
Distinguishing nefarious communications from benign ones is no easy feat. It means striving to understand C2 and adversary infrastructure across the entire internet so organizations know where they shouldn’t go and who they shouldn’t talk to. It also means ingesting billions of data points a day.
HYAS created an unique Adversary Infrastructure Platform. It’s a graph database of interconnecting nodes with data from authoritative (including exclusive, private, and open-source and commercial) datasets, which fundamentally captures and exposes the intelligence of what is good and bad on the Internet. This automated creation happens in real time, 24x7x365, with no human involvement required. Bad actors create new C2 structures constantly; the Adversary Infrastructure Platform updates in real-time.
The legacy “allow and deny list” approach is too static for an internet that’s constantly changing. Understanding one C2 is not enough. When bad actors realize their malware can’t talk to domains on a deny list, they can simply create another one. The graph database builds connections between the data points, generates connections between the nodes, to fundamentally map what has happened to what is happening and what will happen.
In this way, HYAS Protect Protective DNS powered by this Adversary Infrastructure Platform understands what is and isn’t adversary infrastructure even before the malware tries to communicate with it.
A true operational and business resiliency strategy is not just about keeping bad actors out: it’s also about protecting organizations where bad actors already might be inside. Because, unfortunately, everyone will be breached at some point.
This is a top-priority concern for many CISOs in the onslaught of modern attacks in which threat actors sit inside enterprises undetected for weeks or months.
If you can spot anomalous communications early enough in the cyber kill chain, you can render the attack inert, well before data exfiltration and encryption and thus minimize and control any damage. Early warning signals allow you to investigate anomalies before they escalate.
Instead of notifying bosses, boards, and customers (with all the ensuing fallout of negative PR and adverse financial impact), organizations can get ahead of attackers.
Having the best Protective DNS solution is necessary but not complete. It’s like getting a brand new car engine – if it doesn’t work with the rest of the car, it isn’t that valuable. Protective DNS needs to integrate into the rest of an organization’s security stack. It needs to complement and extend existing defenses, adding intelligence and increasing the efficacy of these defenses. It needs to be integrated into SIEM and SOAR for one-stop-shop on data enrichment and event analysis.
The right Protective DNS solution isn’t just easy to deploy and manage. It harmonizes with and adapts to the existing stack and organizational architecture.
And whatever those existing solutions may be, protective DNS can and should act as an early warning signal and, in the worst-case scenario, a last line of defense.
Given the growing need for protective DNS solutions that government bodies advocate for, enterprises should expect more cyber insurance companies to ask whether they have protective DNS solutions in place. Protective DNS is making its way into standards like CMMC, and by 2025, protective DNS may even be a broad compliance framework requirement.
The perfect protective DNS solution tells a better, stronger story. It helps drive a business resiliency strategy by applying the proactive knowledge and power gathered from a keen understanding of adversary infrastructure. And ultimately, allows you to confidently get a little more sleep at night.
Rethink cybersecurity. Understand adversary infrastructure and counter DNS as a tried-and-true attack vector for threat actors. Contact us today to learn how HYAS can help your organization transition from reactive and defensive to proactive and offensive.