Protect Your Network With DNS Data

Protect Your Network With DNS Data was originally featured in the TAG Cyber Security Annual (Q3 2021), which also named HYAS as a Distinguished Vendor for 2021. Join HYAS CEO, David Ratner for an exclusive interview where he shares his thoughts on why the NSA and CISA recently issued guidance on the importance of DNS data.

Download the full report here.

SOC analysts are overburdened with data. This “noise” makes it difficult for them to decipher which indicators of compromise (IoCs) are actionable and which are priority. Without the data, however, understanding what bad actors are doing, where they are, what domains and infrastructure and domains they’re using, etc., is impossible.

While SOC tools may spin out terabytes of data per day, DNS data remains one of the lesser used categories of data for threat intelligence, investigations, incident response, or contextualization. However, DNS data is a rich source of information that allows companies to identify bad actors and the domains they are using to execute attacks. It allows defenders to monitor adversary campaigns and prevent attacks. As such, PDNS — protective DNS — is becoming a key capability that even the U.S. government is getting behind. HYAS, a PDNS provider based in Victoria, Canada is helping companies identify adversary infrastructure and communications. We spoke with David Ratner, CEO at HYAS about this growing space.

TAG Cyber: The NSA and CISA just put out guidance about incorporating DNS data into security operations. Why did this happen now?

HYAS: 2020 was an interesting year for a variety of reasons, but one thing that happened was the rapidly changing work models created a dramatically expanded attack surface for bad actors. This, combined with a set of high-profile supply-chain and ransomware attacks, really made people realize that, despite all of the investment in cyber security, organizations were not as protected as they needed to be. Organizations needed to be more proactive and focus on prevention vs incident response, and change the game from traditional defense. Looking at the DNS egress of an organization is a key part of interrupting the kill chain and stopping attacks before they start. Detecting communication with command-and-control structures, and acting on changes to an organization’s “DNS fingerprint”, are exactly the kind of early warning signals that should be immediately integrated into a modern security architecture for advanced security, clearing a safe path for the organization to follow.

TAG Cyber: Why don’t companies use DNS more readily as a data source for identifying IoCs?

HYAS: DNS is often a part of the infrastructure that “just works” and people may be either unwilling to touch it, lest they accidentally break something critical, or else may not fully understand it, and therefore be unsure about how to properly effect change. Nevertheless, it’s vital to understand the role it plays in modern attacks, from ransomware to malware and supply-chain attacks, and even phishing. Most all attacks, regardless of how the bad actor establishes their initial foothold inside the network, utilize communication between some program or malware inside the organization and the bad actor’s command-and-control (C2) infrastructure outside the enterprise. For instance ,in a ransomware attack, often Cobalt Strike or other sophisticated software is deployed to navigate the enterprise and identify the best location in which to deploy the ransomware. It’s exactly this kind of communication which shows up loud and clear when looking at DNS egress and specifically at “what changed, why did it change, and what does this mean”. This is exactly the point of protective DNS and HYAS Protect implements this automatically without human involvement.

TAG Cyber: What are the top use cases for incorporating PDNS into an enterprise security program?

HYAS: A key use case for Protective DNS is visibility – one of my mentors used to tell me that you can’t expect the right thing to happen for anything that you don’t inspect, and if you aren’t inspecting where your outbound traffic is going, you therefore lack the visibility to understand what’s happening on your network. Visibility could include knowledge about active infections, suspicious or unwanted network traffic, or even other network events that are leading indicators of something nefarious – for example, if the number of lookups for “no-such-domain” skyrockets one day, or the number of direct-to-IP communication is suddenly a lot larger, that points at something new in the organization that at least needs to be investigated, if not something nefarious occurring.

A second key use case is compliance. For example, NIST recently released NIST SP 1800-30B “Securing Telehealth Remote Patient Monitoring Ecosystem” where they recommend the use of a Protective DNS solution. Additionally, having the proper Protective DNS solution in place is also a requirement for CMMC Compliance, specifically under standard SC.3.192.

TAG Cyber: Tell us a little about HYAS Insight and HYAS Protect.

HYAS: HYAS, the expert in adversary infrastructure and the communication with it, focuses on using our unique knowledge to not only disrupt and detect attacks but help our customers change the game, avoid playing traditional defense, and stop attacks before they happen by being proactive. HYAS Insight is used by Fortune 100 organizations around the world not just to rapidly understand “what happened” but identify everything needed to know to counter fraud or understand an attack and either involve law enforcement or adapt one’s defenses to proactively get in front of future attacks by the organization – the first step in an active defense is knowing one’s enemy. HYAS Protect is an automatic Protective DNS solution that uses all the same data to proactively extend a “protective shield” around an organization by analyzing the DNS traffic in real time and being able to block and/or alert on untrusted or nefarious communication. It can run as an organizations’ external DNS resolver, be integrated with third-party agents on devices to address hybrid work-models, and is flexible enough to be easily integrated into a security architecture without having to act as the external DNS resolver. Both HYAS Insight and HYAS Protect are SaaS solutions that can be API-integrated into commercial and proprietary solutions and are deployable in minutes with minimal if any configuration and maintenance required.

TAG Cyber: What some of the things that DNS data can tell analysts that other security data cannot?

HYAS: First and foremost, DNS data can tell analysts what conversations are happening between their organization and the outside world – understanding where devices in the network are communicating is a critical first step to understanding what may need additional inspection and analysis. While Protective DNS is not a zero-trust solution, evaluating the validity and trustworthiness of any network connection is clearly an important part of an overall zero-trust approach.

Second, DNS data can also tell analysts what network traffic is being attempted, which even if not successful can often identify suspicious or nefarious internal activity – great examples are sudden increases in lookups on invalid domain names or direct-to-IP traffic (which will often appear as a DNS lookup on an in-addr.arpa address).

In general, analyzing the DNS data provides an analyst with high-fidelity leading indicators before bad things happen, and often provide advanced data points on where to more deeply inspect inside the organization. One of the more difficult things an analyst has to do is prioritize their work in an environment with competing priorities. Protective DNS provides high-confidence data that won’t waste their time. The use of DNS data from a Protective DNS solution like HYAS Protect provides a strong signal with a low false-positive rate that allow analysts to optimize their time and focus on the real issues for next-generation protection.