In a digital landscape where cyber threats evolve faster than the defenses built to stop them, proactive security is the cybersecurity Holy Grail: the elusive state of pre-empting malicious activity rather than reacting to it. One emerging proactive control is Next-Generation Protective DNS (Domain Name System). It stands as a sentinel at the gateway to the internet and has the potential to change how we approach and fortify our digital perimeters. This blog looks at why this advance matters and how it is implemented to guard against the threats that dwell in the darker corners of the web.
What is proactive threat detection?
Early computer viruses and other malicious software, commonly referred to as malware, used removable media like floppy disks to spread from computer to computer. As computers were connected to Local Area Networks (LANs) and then to the Internet, malware exploited those networks to spread, to download additional tools, and to be controlled remotely. This connectivity enabled swift malware distribution across systems, presenting significant risks and challenges for network security experts. As a result of this shift, a series of network-borne malware outbreaks occurred in the late 1990s and early 2000s with names like ILOVEYOU, Melissa, and Nimda. Networking added insecurity to computer systems, but it also provided the means to defeat that insecurity. The security industry developed a set of protective measures for the connected world that included:
- Online updates for anti-virus definitions
- Policy enforcement via Group Policy Objects
- DNS blocklists of FQDNs and domains
- IP and network blocklists
Security Operations Centers (SOCs) and Computer Emergency Response Teams (CERTs) also started to build their own blocklists as part of incident response. When they clean up an infected computer, one of the follow-up activities is to collect Indicators of Compromise (IoCs) that can be added to the several types of blocklists they maintain. Over time, they started to share their blocklists with other organizations, and the concept of Cyber Threat Intelligence (CTI) was born as a sort of “herd immunity” against large-scale infections. As collecting and exchanging IoCs became commonplace as a proactive defense, the concept of Protective DNS emerged: a filtering DNS resolver that consults a comprehensive set of blocklists on every query. When a client asks for a listed domain, the resolver does not return the real answer; it answers with the address of a sinkhole page (or with an empty or error response) so the connection to the malicious host never happens, and the blocked query itself becomes a detection signal for the SOC.
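To make the filtering-resolver idea concrete, here is an added example (not code from the original page or from Vercara) of the decision logic such a resolver applies to each query: exact-match FQDN entries, domain entries that cover every subdomain, and IP netblocks checked against the upstream answer, with a sinkhole address substituted on a hit. The blocklist format, the entries, the sinkhole addresses and the sample queries are all constructed for illustration:

```python
"""Minimal Protective DNS policy engine: decides whether to sinkhole a query using
FQDN, domain (suffix) and IP-netblock blocklists.

Added example, not code from the original page or from Vercara. Blocklist entries,
sinkhole addresses and sample queries are constructed (documentation IP ranges,
reserved .example names).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

SINKHOLE = {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]}  # assumed sinkhole addresses


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so 'Evil.Example.' equals 'evil.example'."""
    return name.strip().lower().rstrip(".")


@dataclass
class Policy:
    fqdns: set = field(default_factory=set)        # exact-match entries
    domains: set = field(default_factory=set)      # the domain and every subdomain
    netblocks: list = field(default_factory=list)  # ip_network objects

    @classmethod
    def from_lines(cls, lines) -> Policy:
        """Parse a blocklist with 'fqdn:', 'domain:' or 'net:' prefixed lines."""
        policy = cls()
        for raw in lines:
            line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
            if not line:
                continue
            kind, _, value = line.partition(":")
            if kind == "fqdn":
                policy.fqdns.add(normalize(value))
            elif kind == "domain":
                policy.domains.add(normalize(value))
            elif kind == "net":
                policy.netblocks.append(ipaddress.ip_network(value.strip(), strict=False))
            else:
                raise ValueError(f"unknown blocklist entry type: {kind!r}")
        return policy

    def name_blocked(self, qname: str) -> str | None:
        """Return the matching entry if qname or any parent domain is listed."""
        name = normalize(qname)
        if name in self.fqdns:
            return name
        labels = name.split(".")
        # Walk up the tree: a.b.evil.example -> b.evil.example -> evil.example -> example
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.domains:
                return ".".join(labels[i:])
        return None

    def answer_blocked(self, addresses) -> str | None:
        """Return the first answer address that falls inside a blocked netblock."""
        for addr in addresses:
            if any(ipaddress.ip_address(addr) in net for net in self.netblocks):
                return addr
        return None


def resolve(policy: Policy, qname: str, qtype: str, upstream_answer: list) -> dict:
    """Apply the policy to one query plus the upstream answer; the reason is kept
    so every block can be logged and fed back into threat intelligence as an IoC."""
    reason = policy.name_blocked(qname)
    if reason is None:
        # Only address records carry IPs to check; TXT and friends pass straight through.
        bad = policy.answer_blocked(upstream_answer) if qtype in ("A", "AAAA") else None
        if bad is None:
            return {"action": "allow", "answer": upstream_answer, "reason": None}
        reason = f"answer {bad} in blocked netblock"
    # A sinkhole address only makes sense for address queries; other types get no data
    return {"action": "sinkhole", "answer": SINKHOLE.get(qtype, []), "reason": reason}


# Constructed blocklist for the demonstration
SAMPLE_BLOCKLIST = """
fqdn: login.update-secure.example   # one malicious host
domain: c2-panel.example            # the domain and all of its subdomains
net: 198.51.100.0/24                # netblock seen hosting phishing kits
""".splitlines()
POLICY = Policy.from_lines(SAMPLE_BLOCKLIST)


def demo() -> list:
    cases = [
        ("LOGIN.update-secure.example.", "A", ["203.0.113.10"]),  # exact FQDN hit
        ("mail.update-secure.example", "A", ["203.0.113.11"]),    # sibling host, not listed
        ("x.y.c2-panel.example", "AAAA", ["2001:db8:1::5"]),      # under a blocked domain
        ("cdn.benign.example", "A", ["198.51.100.77"]),           # clean name, bad answer
        ("www.benign.example", "TXT", ["v=spf1 -all"]),           # allowed
    ]
    return [resolve(POLICY, q, t, a) for q, t, a in cases]
```

Two details matter in practice: the domain list is matched by walking up the label tree, so one `domain:` entry covers every host the attacker creates beneath it, and the answer check runs on what the upstream resolver returned, which is how an IP blocklist catches a freshly registered name that points at already-known bad hosting.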
Attackers Also Innovate
As SOC and Blue Team capabilities evolved and their detection and blocking became more effective, attackers and their tools also evolved and adapted. Several of these innovations concerned how they used DNS for malware delivery and command and control (C2):
- Malware distribution networks use DNS to direct traffic, chaining CNAME records so that the domain in the lure redirects through one or more intermediaries before reaching the hosting server
- Domain aging was another scheme: dormant or “parked” domains were registered well in advance and woken up later to deliver malicious traffic, defeating basic Protective DNS solutions that used domain age as a blocking criterion
- Domain Generation Algorithms (DGAs) let malware compute a stream of candidate domain names on the fly; the attacker registers only a few of them, so the malware finds its C2 by trying names that no static blocklist has seen yet
- The Fast-Flux technique rapidly rotates the A records for a name across many compromised hosts with very short TTLs, obscuring the attackers’ real infrastructure, hiding behind the clean IP reputation of the hosts it abuses, and raising the bar for discovery
- DNS Tunneling encodes other kinds of malicious traffic inside DNS queries and responses (for example in long subdomain labels and TXT records), often bypassing network firewalls entirely because outbound DNS is almost always allowed
By changing their IoCs faster than SOCs and CERTs could identify them through malware and incident analysis, cybercriminals stayed one step ahead of defenders who were stuck in a reactive cycle. For a while, these innovations swung the advantage back to the attackers.
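The techniques above leave traces in resolver logs, and the following added example (not code from the original page or from Vercara) shows simple heuristics for three of them run over a constructed query log: DGA activity as a burst of NXDOMAIN answers for random-looking names from one client, tunneling as many unique, long, high-entropy labels under one parent domain, and fast-flux as one name answering with several short-TTL addresses. The log format, every log line and the thresholds are assumptions; they illustrate the signals rather than tuned production rules:

```python
"""Heuristic detectors for three attacker DNS techniques: DGA names (NXDOMAIN
bursts for random-looking domains), DNS tunneling (many unique, long,
high-entropy subdomains under one parent) and fast-flux (one name answering
with many short-TTL addresses).

Added example, not code from the original page or from Vercara. The log format,
every log line and the thresholds are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed resolver log: "<epoch> <client> <qname> <qtype> <rcode> <answer> <ttl>"
SAMPLE_LOG = """
1700000000 10.0.0.5 www.benign.example A NOERROR 203.0.113.10 3600
1700000001 10.0.0.5 mail.benign.example A NOERROR 203.0.113.11 3600
1700000002 10.0.0.9 xk3qz9vt2pm.example A NXDOMAIN - 0
1700000002 10.0.0.9 q8zjw1nvb7xc.example A NXDOMAIN - 0
1700000003 10.0.0.9 mt7pq2zxkv.example A NXDOMAIN - 0
1700000003 10.0.0.9 zp9xvq3lkw4t.example A NXDOMAIN - 0
1700000004 10.0.0.9 hq7vzx2pmk9w.example A NOERROR 198.51.100.20 60
1700000010 10.0.0.7 nbswy3dpeb3w64tmmqqhk3tomvwaudysv4hxq.t.exfil.example TXT NOERROR ack 0
1700000011 10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho.t.exfil.example TXT NOERROR ack 0
1700000012 10.0.0.7 krugkidrovuwg2zamjzg653oebqwyzltozxgs.t.exfil.example TXT NOERROR ack 0
1700000020 10.0.0.3 cdn.flux.example A NOERROR 203.0.113.50 30
1700000050 10.0.0.3 cdn.flux.example A NOERROR 198.51.100.60 30
1700000080 10.0.0.3 cdn.flux.example A NOERROR 192.0.2.70 30
""".strip().splitlines()


def shannon_entropy(text):
    """Bits per character; random-looking labels score high, dictionary words low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(lines):
    records = []
    for line in lines:
        ts, client, qname, qtype, rcode, answer, ttl = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower().rstrip("."),
                        "qtype": qtype, "rcode": rcode, "answer": answer, "ttl": int(ttl)})
    return records


def registrable(qname):
    """Assumption: the registrable domain is the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])


def dga_candidates(records, min_domains=3, min_entropy=3.0, max_vowel_ratio=0.25):
    """Clients whose NXDOMAIN answers cover several distinct random-looking domains."""
    by_client = defaultdict(set)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        label = registrable(r["qname"]).split(".")[0]
        vowels = sum(ch in "aeiou" for ch in label) / len(label)
        if shannon_entropy(label) >= min_entropy and vowels <= max_vowel_ratio:
            by_client[r["client"]].add(registrable(r["qname"]))
    return {c: sorted(d) for c, d in by_client.items() if len(d) >= min_domains}


def tunneling_candidates(records, min_label_len=30, min_entropy=3.5, min_unique=3):
    """Parent domains receiving many unique, long, high-entropy leftmost labels."""
    per_parent = defaultdict(set)
    for r in records:
        first = r["qname"].split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            per_parent[registrable(r["qname"])].add(first)
    return {p: len(s) for p, s in per_parent.items() if len(s) >= min_unique}


def fast_flux_candidates(records, max_ttl=300, min_addresses=3):
    """Names that answered with several distinct addresses, all with short TTLs."""
    addresses, ttls = defaultdict(set), defaultdict(list)
    for r in records:
        if r["qtype"] in ("A", "AAAA") and r["rcode"] == "NOERROR":
            addresses[r["qname"]].add(r["answer"])
            ttls[r["qname"]].append(r["ttl"])
    return {q: sorted(a) for q, a in addresses.items()
            if len(a) >= min_addresses and max(ttls[q]) <= max_ttl}


def analyze(lines):
    """Run all three detectors over raw log lines."""
    records = parse_log(lines)
    return {"dga": dga_candidates(records),
            "tunneling": tunneling_candidates(records),
            "fast_flux": fast_flux_candidates(records)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Each detector keys on a different dimension of the log (the client, the parent domain, the queried name), which is the point: none of these signals is a static IoC, so a blocklist built from yesterday's incidents would miss all three.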
Next-Generation Protective DNS and Proactive Security
The constant escalation of the arms race between attackers and defenders led to proactive cybersecurity measures in the form of Next-Generation Protective DNS solutions. These systems transform the traditional DNS and IP blocklists into a dynamic, real-time tool for proactive security. With Next-Generation Protective DNS, organizations can detect adversarial infrastructure as it is provisioned and deployed, before it can be used against a target.
IoCs become seed data
Next-Generation Protective DNS has a far broader view of the DNS system than the IoC-blocklist approach of traditional Protective DNS. These systems are designed to process trillions of DNS requests and use advanced analysis to identify malicious infrastructure (servers, network blocks, domains, and routing) proactively, before it is used in an attack. By using IoCs as seed data and enriching them with active data collection, Next-Generation Protective DNS can measure how similar a new domain is to previously malicious ones. It incorporates predictive analytics and machine learning models that can identify a pending campaign: the quiet preparatory steps that precede a major cyber offensive. These proactive measures transform the defensive mindset, and the implications are vast.
Proactive Security Examples
Let us look at domain aging as an example. Domain aging is a technique used by attackers who know that most Protective DNS solutions block newly registered domains. To age a domain for use in a phishing campaign, attackers do the following:
- Buy a domain and park it with the registrar
- Wait, typically around 12 months, for the domain to age past the “newly registered” threshold
- Change nameservers and start making the domain active
- Set up their hosting infrastructure on servers
- Create A and AAAA records for the domain
- Provision TLS certificates for their servers
- Send the outgoing emails of the phishing campaign
Inside this process, there are numerous indicators that a Next-Generation Protective DNS can use to provide proactive cyber defense, all of them visible before the first email is sent:
- The registrar is one known to be used by phishing gangs
- The domain registration details match those of previous phishing campaigns
- The nameservers change away from well-known parking nameservers
- The new nameservers were previously used in a phishing campaign
- A and AAAA records are added
- The A and AAAA records answer with the IP addresses of compromised servers with phishing toolkits installed
- The IP addresses of the A and AAAA records sit in a netblock serviced by a bulletproof hosting provider
- TLS certificate issuance is visible in the Certificate Transparency logs that the certificate authority publishes to
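The indicator list above can be read as a scoring timeline, and the following added example (not code from the original page or from Vercara) walks a constructed provisioning history for a hypothetical domain through such rules, reporting the day the score crosses a block threshold relative to the day the first phishing email would go out; a second, benign timeline shows a legitimately aged domain staying below threshold. The reference sets, weights, threshold, domain names and events are all assumptions:

```python
"""Scores a domain's provisioning timeline against the indicators listed above so a
block decision can be reached before the first phishing email goes out.

Added example, not code from the original page or from Vercara. The reference
sets, weights, threshold, domains and event timelines are constructed; a real
system would draw them from registration data, passive DNS, hosting reputation
and Certificate Transparency logs.
"""
import ipaddress

# Constructed reference data standing in for a threat-intelligence backend
RISKY_REGISTRARS = {"cheapnames-registrar.example"}
KNOWN_REGISTRANT_HASHES = {"sha256:7f3a9c0e"}      # hashed registrant contact details
PARKING_NS_SUFFIXES = ("parkingcrew.example", "sedoparking.example")
PHISHING_NS_SUFFIXES = ("ns.bulletdns.example",)
BULLETPROOF_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]
COMPROMISED_HOSTS = {"203.0.113.77"}               # servers seen serving phishing kits

WEIGHTS = {  # constructed weights: strong indicators 4, circumstantial ones 1-3
    "risky_registrar": 2, "known_registrant": 4, "left_parking_ns": 2,
    "phishing_ns": 4, "compromised_host": 4, "bulletproof_netblock": 3,
    "ct_cert_issued": 1,
}
BLOCK_THRESHOLD = 8   # two strong indicators, or one strong plus two weak ones


def score_event(event):
    """Return (points, indicator names) for one provisioning event."""
    hits = []
    kind = event["kind"]
    if kind == "registered":
        if event["registrar"] in RISKY_REGISTRARS:
            hits.append("risky_registrar")
        if event["registrant"] in KNOWN_REGISTRANT_HASHES:
            hits.append("known_registrant")
    elif kind == "ns_change":
        if event["old"].endswith(PARKING_NS_SUFFIXES):
            hits.append("left_parking_ns")
        if event["new"].endswith(PHISHING_NS_SUFFIXES):
            hits.append("phishing_ns")
    elif kind in ("a_record", "aaaa_record"):
        ip = ipaddress.ip_address(event["address"])
        if event["address"] in COMPROMISED_HOSTS:
            hits.append("compromised_host")
        if any(ip in net for net in BULLETPROOF_NETBLOCKS):
            hits.append("bulletproof_netblock")
    elif kind == "ct_cert":
        hits.append("ct_cert_issued")   # weak on its own, but it times the launch
    return sum(WEIGHTS[h] for h in hits), hits


def assess(domain, events):
    """Walk the timeline in order and report when the score first crosses the threshold."""
    score, reasons, blocked_on_day = 0, [], None
    for event in sorted(events, key=lambda e: e["day"]):
        points, hits = score_event(event)
        score += points
        reasons.extend(f"day {event['day']}: {h}" for h in hits)
        if blocked_on_day is None and score >= BLOCK_THRESHOLD:
            blocked_on_day = event["day"]
    first_use = next((e["day"] for e in events if e["kind"] == "phish_sent"), None)
    lead_days = None
    if blocked_on_day is not None and first_use is not None:
        lead_days = first_use - blocked_on_day   # how far ahead of the attack the block lands
    return {"domain": domain, "score": score, "block": blocked_on_day is not None,
            "blocked_on_day": blocked_on_day, "lead_days": lead_days, "reasons": reasons}


# Constructed timeline following the aging steps above (day 0 = registration)
AGED_PHISHING_DOMAIN = "secure-account-verify.example"
PHISHING_TIMELINE = [
    {"day": 0, "kind": "registered", "registrar": "cheapnames-registrar.example",
     "registrant": "sha256:7f3a9c0e"},
    {"day": 365, "kind": "ns_change", "old": "ns1.parkingcrew.example",
     "new": "ns1.ns.bulletdns.example"},
    {"day": 366, "kind": "a_record", "address": "203.0.113.77"},
    {"day": 366, "kind": "aaaa_record", "address": "2001:db8:ffff::77"},
    {"day": 367, "kind": "ct_cert", "issuer": "constructed-free-ca.example"},
    {"day": 370, "kind": "phish_sent"},   # the first victim-facing step
]

# A legitimately aged domain: leaves parking for ordinary hosting and gets a certificate
BENIGN_DOMAIN = "family-bakery.example"
BENIGN_TIMELINE = [
    {"day": 0, "kind": "registered", "registrar": "mainstream-registrar.example",
     "registrant": "sha256:0badc0de"},
    {"day": 400, "kind": "ns_change", "old": "ns2.sedoparking.example",
     "new": "ns1.hosting-provider.example"},
    {"day": 401, "kind": "a_record", "address": "192.0.2.40"},
    {"day": 402, "kind": "ct_cert", "issuer": "constructed-free-ca.example"},
]
```

In the phishing timeline the threshold is crossed on the day the nameservers change, five days before the first email in this constructed history, and every later step only adds confidence; the benign domain also leaves a parking nameserver and obtains a certificate, which is why those two indicators carry low weight on their own.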
The Benefits of Proactive Cybersecurity
Proactive security is more than a buzzword; it is a shift in effectiveness and economics that benefits security teams and reduces or eliminates some of the problems that SOCs and CSIRTs face.
Reduced number of cybersecurity incidents.
By catching threats earlier, Next-Generation Protective DNS can significantly reduce the number of cybersecurity incidents and attacks an organization faces. This saves money and helps maintain trust with customers and stakeholders.
Real-time adaptations to new threats.
Malware and its capabilities evolve over time. The proactive controls of a Next-Generation Protective DNS track this evolution at the infrastructure level rather than waiting for a new signature, which provides a degree of “futureproofing” against the next innovation malware adopts.
Does not require a “Patient Zero”.
Initially, threat intelligence feeds gathered Indicators of Compromise (IoCs) in response to malware infections, meaning that somewhere an incident had to happen before the IoCs could be blocked. With malware increasingly spreading across the Local Area Network (LAN) and through file shares, the presence of a “patient zero” exposes additional systems to infection before the block ever arrives.
Reduced time-to-detect.
Waiting for IoCs to be harvested from incidents and disseminated to SOCs, as in traditional CTI models, means that detection and blocking always lag behind malware innovations. The proactive defenses inside Next-Generation Protective DNS can detect malicious infrastructure before it is used.
Early threat detection means reduced impact.
When a system is compromised, early detection means the attacker has less “dwell time” on it, and their actions can be neutralized sooner. This limits the damage they can cause to the infected system.
Reduced SOC and CERT burnout.
A reduced incident load can reduce staff burnout and churn, because SOC and CERT staff spend less time on repetitive, laborious response work. These teams can be redirected to more interesting work like threat hunting or detection engineering.
Reduced employee downtime.
Fewer incidents mean less lost employee productivity from IT systems being unavailable, or from data lost to a system reset or reimaging.
Proactive blocking means cost savings.
Early threat detection translates to blocking threats before they can be used to exploit a system. The resources preserved, both human and capital, are hard to measure, but they include the avoided loss or compromise of critical assets.
Compatible with anti-virus solutions.
Because it provides protection in the network, Protective DNS complements endpoint anti-malware clients rather than replacing them, and it takes on part of the load of dynamic updates and real-time monitoring. It also protects devices such as Internet of Things (IoT) equipment that cannot run an endpoint client.
Proactive cybersecurity makes incident response easier.
A critical aspect of proactive security is how quickly an organization can identify and respond to a threat. Protective DNS not only detects threats; the query logs behind each block show which device asked for which malicious name and when, giving responders actionable insight and a clear starting point for the response.
Enhanced network visibility and control.
Protective DNS sees the DNS queries of every device that uses it, for both East-West (internal) and North-South (internet-bound) lookups, a vantage point that makes it much more likely that an irregularity such as an unexpected lookup from a server is noticed. The caveat is that it only sees traffic that uses the resolver: connections to hard-coded IP addresses, or DNS sent to a third-party resolver over DNS-over-HTTPS, bypass it, so egress filtering should force all DNS through the protective resolver.
Vercara UltraDDR Enables Proactive Defense
Vercara’s UltraDNS Detection and Response (UltraDDR) is a proactive, next-generation Protective DNS solution. Our cutting-edge solution uses:
- A multi-petabyte data lake with 10 years of DNS data to identify and block malicious domains, servers, and other infrastructure before it is used in an attack
- Blocklists and allowlists that enable blocking based on Vercara-provided domain categories, to enforce Acceptable Use Policies (AUPs) and to block known malicious domains
- A ruleset engine that allows administrators to set advanced policies.
A proactive cyber defense is a better defense.
In an age where a malware incident can paralyze a business, the importance of maintaining a hardened, proactive security stance cannot be overstated. Next-Generation Protective DNS is a major stride toward a more effective defense: an approach to cybersecurity that is not merely reactive but pre-emptively vigilant. Businesses and organizations of all stripes now stand at a juncture. Will they keep relying on the old methodologies, perpetually playing catch-up with their adversaries? Or will they turn the tide with proactive measures that thwart threats before they manifest? The writing on the wall is clear: those who arm themselves with proactive security measures and Next-Generation Protective DNS are prepared for the challenges ahead. Ready to enhance your protection with a Next-Generation Protective DNS solution? Visit our UltraDDR page or contact our sales team to learn more.