Cybersecurity has garnered plenty of mainstream attention lately—but for all the wrong reasons. The past year has been marked by a seemingly unending stream of major companies and organizations coming forward to admit they were the victim of a data breach or malware attack. When cybersecurity measures are working well, the end users are never even aware of them. So when ransomware suddenly becomes a household term, you know something is seriously broken with our approach to cybersecurity.
The extent of the problem is borne out in the statistics. The total number of companies that suffered data breaches in 2020 was 1,108, a high that was already exceeded by the end of September, when the total rose to 1,529 (a 17-percent increase)—and the year isn’t even over! Supply chain attacks are also on the rise, but are often a woefully overlooked attack vector in an organization’s security stack. A recent survey revealed that 83 percent of organizations suffered an operational technology breach during the previous three years.
The uptick in major breaches and ransomware incidents has already affected spending priorities, prompting 91 percent of organizations to increase their security budget in 2021. While this is a positive development overall, it underscores the futility of simply throwing more money at a broken system. If a fundamental change isn’t made to their existing security stack, these companies will continue to fall victim to the same threats they always have. It’s a cat-and-mouse game that they will always lose.
So that’s the bad news. The good news is that by augmenting our cybersecurity focus on a fundamental feature of internet architecture, we can start protecting ourselves in a proactive manner. Organizations often view cybersecurity as a wall around their organization’s network, keeping all of the nasty bits of the internet at bay while their critical data stays safely protected within. Unfortunately, in the modern landscape, a determined threat actor will eventually find a way to bypass their target’s defenses—whether by taking advantage of an unpatched exploit, successfully carrying out a phishing scam, or exploiting a compromised device on the network (an avenue that is gaining momentum as more devices join the Internet of Things). Cyber criminals are now organized to an unprecedented degree, allowing them to launch coordinated attacks tailored to their target.
To properly address the new breed of cyber threats, we must approach network protection from a more foundational level. Protective DNS (PDNS) solutions use the Domain Name System to alert and/or block communication with domains associated with bad actors. At some point during every attack, whether the threat is external or coming from within your own network, the malware, ransomware, or other intrusion needs to communicate with an external domain for instructions and attack progression, often referred to as “command and control.” These communications use DNS to identify the external domains. That’s what makes protection at the DNS level so versatile and effective.
There are a plethora of PDNS solutions available on the market, but not all are created equal. The most basic PDNS solutions rely on block-and-allow lists compiled from publicly available security sources. Essentially, malware is distributed, someone gets hit, and then everyone else races to block the domains involved. These legacy and basic solutions revolve around a “hope-and-pray” strategy that the organization isn’t one of the unlucky ones impacted by an attack before a block list is updated.
More sophisticated solutions use advanced threat intelligence to proactively identify and block suspicious domains, and actually perform automated analysis in real-time. DNS is a fundamental necessity for Internet communication, so simply blocking all DNS traffic is clearly not a viable option—your employees, devices, and systems need to use DNS constantly during the course of normal business. That’s why a PDNS’s ability to intelligently monitor DNS traffic, alerting or blocking automatically as required, is such a critical consideration.
In fact, this is an especially vulnerable phase of the cyber kill chain that goes woefully overlooked. Once malicious code infects a network, it initiates a reconnaissance phase before causing real damage by stealing and/or encrypting data. This reconnaissance phase is necessary for it to worm its way through the network, identify critical assets, and impact as many devices as possible while targeting specific devices, like backup infrastructure. During this phase, the malware needs to communicate with its command and control (C2) system to report information and be issued commands. If these DNS calls are detected, they can be cut off, rendering the intrusion inert and unable to carry out its work. Essentially, it becomes like a bomb whose trigger has been disarmed. By dismissing the “security wall” mentality and analyzing outgoing traffic at the DNS layer, organizations can proactively protect themselves by noticing, alerting upon, and blocking DNS calls from infected devices, catching the malware during its reconnaissance phase before it can do real damage.
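The decision logic the preceding paragraphs describe (a block list for known command-and-control domains, an allow list for trusted zones, and automated analysis of the remaining queries to catch suspicious lookups from infected hosts) can be sketched in a few dozen lines. The following Python is an added example written for this page, not code from the article or from any PDNS vendor. Everything in it is assumed: the log line layout, the block and allow lists (placeholder names under reserved TLDs), the entropy and length thresholds, and the two-label approximation of a registrable domain.

```python
import math
import re
from collections import Counter

# Constructed block list of domains this example treats as known command-and-control
# infrastructure (placeholder names under reserved TLDs, not real indicators).
BLOCK_LIST = {"c2-example.invalid", "update-checker.test"}

# Hypothetical trusted zones; queries under them skip the heuristic check but never
# bypass the block list, so a compromised host cannot hide behind the allow list.
ALLOW_LIST = {"corp.example"}

# Heuristic thresholds (assumed values for this example; tune per environment).
MIN_LABEL_LEN = 12        # short labels are too noisy to judge by entropy alone
ENTROPY_THRESHOLD = 3.5   # bits per character; random-looking labels score above this

# Constructed log lines in the shape "<timestamp> <client-ip> <qtype> <qname>".
SAMPLE_LOG = """\
2021-10-01T09:00:00Z 10.0.0.5 A intranet.corp.example
2021-10-01T09:00:01Z 10.0.0.5 A www.example.com
2021-10-01T09:00:02Z 10.0.0.7 A beacon.c2-example.invalid
2021-10-01T09:00:03Z 10.0.0.7 A kq3x9zv7lm2p8wd.example.net
2021-10-01T09:00:04Z 10.0.0.7 A 4f8a1c0e9b7d2a3c.example.net
2021-10-01T09:00:05Z 10.0.0.7 TXT zz91ab.example.net
2021-10-01T09:00:06Z 10.0.0.9 A mail.corp.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qtype, qname = m.groups()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.
    Simplification: a production resolver would consult the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Shannon entropy of a string, in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_generated(qname):
    """Flag DGA-like hostnames: a long, high-entropy leftmost label."""
    label = qname.split(".")[0]
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD


def classify(query):
    """Return (verdict, reason). A block-list match wins over everything else."""
    qname = query["qname"]
    parent = registered_domain(qname)
    if qname in BLOCK_LIST or parent in BLOCK_LIST:
        return "block", f"block-list match on {parent}"
    if parent in ALLOW_LIST:
        return "allow", "allow-listed zone"
    if looks_generated(qname):
        return "alert", "high-entropy label (possible DGA)"
    return "allow", "no indicator"


def analyze_log(text):
    """Classify every well-formed query in the log; skip lines that do not parse."""
    results = []
    for line in text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        verdict, reason = classify(q)
        results.append({**q, "verdict": verdict, "reason": reason})
    return results


def flagged_clients(results, threshold=2):
    """Clients with at least `threshold` blocked or alerted queries, sorted by IP."""
    hits = Counter(r["client"] for r in results if r["verdict"] != "allow")
    return sorted(c for c, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    rows = analyze_log(SAMPLE_LOG)
    for r in rows:
        print(f'{r["verdict"]:5} {r["client"]:9} {r["qname"]:30} {r["reason"]}')
    print("clients to investigate:", flagged_clients(rows))
```

Two design choices matter here. The block list is checked before the allow list, so an allow-listed zone only suppresses the heuristic and never overrides a known-bad indicator. And the per-client roll-up in `flagged_clients` is what turns individual alerts into the "infected device" view the article describes: one random-looking lookup is noise, but a host that produces several in a short window is the one to isolate and investigate.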
This paradigm shift may get a little nudge from the federal government as it rushes to implement new security standards in the wake of recent high-profile breaches. In fact, just this March, the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement explaining protective DNS and the valuable role it can play in preventing cyber attacks. As new requirements are put into place, PDNS is likely to become a necessity for government contractors and industries that fall under its regulatory scope, as well as a critical factor in various compliance standards.
Ultimately, however, the operational risks that a security breach exposes your company to are reason enough to explore enhancing your security stack with a PDNS solution. The security industry may be broken, but thankfully, we have the tools at our disposal to fix it.