DNS: The High Fidelity but Underutilized Threat Signal

Malware in general, and ransomware in particular, is the scourge of enterprises today. You can look at the headlines around incidents at Maersk, Capcom, regional hospitals, and you will see a trend. The organizations involved probably have good IT security teams, but the malware slipped through their protective layers, the damage was done, and news headlines resulted. 

Today’s malware (which frequently installs ransomware) can be quite sophisticated and is leveraged by a cybercriminal ecosystem. While the MITRE ATT&CK framework provides a comprehensive overview of tactics, techniques and procedures (TTPs), the diagram below, derived from the Lockheed Martin Cyber Kill Chain framework, summarizes things succinctly.

Threat actors need to slip through protective layers like next-generation firewalls, secure web gateways, segmented networks, and endpoint protection platforms. For an attack to be effective, it has to navigate through a thicket of security controls. 

Among the many steps to a successful attack, adversaries may need to:

  • Gain access (avoiding secure web gateways, network IDS/IPS, next-gen firewalls and endpoint protection platforms)
  • Execute the initial compromise (avoiding endpoint protection platforms)
  • Evade defenses (again avoiding next-gen firewalls and EPPs)
  • Move laterally (bypassing internal firewalls)
  • Communicate with command and control (avoiding firewalls, secure web gateways, etc)
  • Exfiltrate information (bypassing secure web gateways, firewalls, etc)

Each of these stages represents a potential point where a security control could have blocked the attack, but all too frequently that does not happen, and a breach occurs. The miss could be due to a flood of false positives that inundated the SOC (remember the Target breach?), an endpoint protection platform that was not updated with the latest engine or signatures, or a misconfigured firewall. Defense in depth is a best practice, but the layers can have cracks.

One commonality across most of these attack stages is external communication that uses the domain name system (DNS) to look up and resolve the destination. Malware needs to communicate with its command and control (C2) domain, and a user clicking on a bad link ends up at a phishing website. All of this traffic utilizes DNS, and for most enterprises that DNS traffic is an under-appreciated and under-utilized source of threat intelligence. DNS traffic provides a high-fidelity threat signal that can cut through alert noise to surface incidents before they become catastrophic compromises.

“Compromised machines receive instructions through command and control channels. DNS security, [secure web gateways], and other network detection and response (NDR) solutions can detect and block these channels.”

“How to Prepare for Ransomware Attacks”, Gartner (16 November 2020)

HYAS Protect enables you to leverage your existing DNS traffic to deliver that high fidelity threat signal. HYAS has the largest data lake detailing adversary infrastructure in the industry. We have accumulated petabytes of DNS data and knowledge since our founding in 2015. HYAS detonates ~200K+ malware samples on a daily basis to extract the C2 domain information so we can block new, emerging attacks. The data lake, combined with the unrivaled DNS expertise that is part of the HYAS DNA, provides essential security to catch threats slipping through your protective layers.

HYAS Protect can surface simple and sophisticated attacks, from common phishing to complex “low-and-slow” attacks. HYAS Protect delivers verdicts and analysis of your DNS traffic to provide a precise threat signal. It can inform existing security systems via API integration into your SIEM, SOAR, Firewall, or other component in your security stack so you can take action to avoid damage. 

HYAS Protect supports a number of deployment scenarios, along with flexible API integrations, including:

  • Real-Time Threat Signal: HYAS Protect can sit in front of or behind the firewall and leverage a mirror/tap of the DNS traffic to surface threats that slip through your protective layers (what was detailed above)
  • DNS Resolver: HYAS Protect operates as a next-generation DNS resolver to block bad domains, IPs, and nameservers with superior security, reliability, and performance 
  • Investigation and Static Analysis: Enable security operations center (SOC) teams investigating incidents to evaluate suspect domains or perform a static analysis of DNS egress traffic 
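To make the "static analysis of DNS egress traffic" idea concrete, here is an added example (not HYAS code and not its data feed) that parses a mirrored resolver's query log and reports which internal hosts resolved domains on a blocklist. It assumes BIND-style query log lines and uses a constructed blocklist; matching is done on label boundaries so a parent-domain entry catches subdomains without catching look-alike names.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log lines for this example (not real traffic).
SAMPLE_LOG = """\
12-Mar-2024 09:14:02.113 client 10.0.1.25#51234: query: www.example.com IN A + (10.0.0.53)
12-Mar-2024 09:14:05.220 client 10.0.1.25#51240: query: update.evil-c2.example IN A + (10.0.0.53)
12-Mar-2024 09:14:09.002 client 10.0.1.40#50012: query: cdn.evil-c2.example. IN TXT + (10.0.0.53)
12-Mar-2024 09:14:11.511 client 10.0.1.25#51250: query: mail.example.org IN MX + (10.0.0.53)
12-Mar-2024 09:14:15.730 client 10.0.1.40#50020: query: notevil-c2.example IN A + (10.0.0.53)
"""

# Constructed blocklist of known-bad domains (placeholder, not a vendor feed).
BLOCKED_DOMAINS = {"evil-c2.example"}

LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text):
    """Yield (client_ip, qname, qtype) for each query line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            # Normalise: drop the trailing root dot and lower-case the name.
            yield m.group("client"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def is_blocked(qname, blocklist):
    """True if qname itself or any parent domain is on the blocklist.
    Checking whole labels means 'notevil-c2.example' is not matched by 'evil-c2.example'."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def find_c2_lookups(text, blocklist=BLOCKED_DOMAINS):
    """Group blocked lookups by client IP so the SOC sees which hosts need triage."""
    hits = defaultdict(list)
    for client, qname, qtype in parse_query_log(text):
        if is_blocked(qname, blocklist):
            hits[client].append((qname, qtype))
    return dict(hits)


if __name__ == "__main__":
    for client, queries in find_c2_lookups(SAMPLE_LOG).items():
        print(client, queries)
```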

To understand how you can leverage your organization’s existing DNS threat intelligence with help from HYAS Protect, give us a shout.