A foundational approach to cybersecurity empowers CISOs to see abnormalities and block threats before they do damage.
by David Ratner, CEO, HYAS (www.hyas.com)
Constantly playing catch-up seems to have become the unfortunate norm in the cybersecurity industry. In the aftermath of a new emerging threat, CISOs rush to protect their assets from whatever vulnerability is being exploited and hope that they won’t be one of the first targets when a fresh exploit is discovered and the next inevitable round of attacks occur.
This reactive approach simply isn’t sufficient. New major exploits are being revealed with almost clockwork regularity. In 2020, the SolarWinds supply chain attack opened backdoors into thousands of organizations (including government agencies) that used its services, while late last year, the far-reaching Log4J exploit exploded onto the scene. However, even with these sophisticated new methods available to bad actors, sometimes the simplest approaches remain the most fruitful. Not long ago, it was revealed that T-Mobile had been breached by bad actors who convinced employees to switch their SIM cards to let them bypass two-factor identification — reminding us how effective social engineering can still be.
Add to this the mounting international tensions following the invasion of Ukraine, and you have a cybersecurity perfect storm. You know things are dire when the President of the United States uses his bully pulpit to warn American organizations they are likely to be the target of increased cyber threat activity and therefore have a responsibility to protect their infrastructure.
But what are your options for proactive protection when the notion of a walled-in network has been shattered by the proliferation of new IoT devices, growth of cloud services, and new hybrid work from home models? These developments have made the perimeter so porous that the old approach of simply hiding behind a firewall and keeping the rest of the world at bay is no longer feasible. So where do we go from here? As networks become less centralized and include more devices, we need to take a step back and start approaching security from a more foundational approach if we’re going to be able to actively adapt to new threats.
Bad actors are well aware of how to cover their tracks, but ultimately, they need to communicate back to the outside world once they are inside. By increasing visibility into DNS traffic, CISOs can detect, block, and respond to incidents more quickly as well as use this data to institute new controls and increase overall resiliency. This also meshes well with zero-trust policies by extending the concept of “who do I trust” to domains and infrastructure, both outside the enterprise as well as within. Abnormal communication patterns can indicate a breach while it is still in its reconnaissance phase — before it has done any damage. When malware first breaches a network, it doesn’t make its presence known right away. Instead, it gathers information about the network and attempts to infect key specific locations — current malware can even target backup data to hamper recovery after the attack. In fact, according to Microsoft, 99 days is the median amount of time between when a breach occurs and when it is detected.
However, this reconnaissance or dwell period also presents an opportunity to stop the malware before it has activated. In order to execute any commands or extract any data, malware needs to be able to communicate with its command & control (C2) architecture, which almost always involves DNS transactions at some point. Once this communication is blocked, the malicious software essentially becomes inert. It’s important to keep in mind, however, that average dwell time for ransomware is actually decreasing, making it even more imperative for organizations to notice and neutralize threats as early as possible.
So why aren’t more organizations taking advantage of protective DNS? After all, the common seven-layer model for cybersecurity places the endpoint protection (layer three) offered by protective DNS much higher than perimeter protection (layer six) and network security (layer five). The issue likely comes down to awareness. DNS is often thought of as an internet utility, something that just works, rather than an opportunity to enhance security posture. There is also sometimes confusion about the difference between protective DNS and IP filtering, with customers assuming they fulfill interchangeable roles. Security vendors haven’t helped the situation either, offering complicated, esoteric solutions (often focusing on specific processes) that promise to be a security panacea, while distracting them from foundational security and the value of visibility.
However, given the current threat landscape, protective DNS is getting vastly more attention, especially with the United States government being so vocal about the need to enhance our cybersecurity posture. In fact, the NSA and CISA have released a joint statement on the value of protective DNS solutions in fighting modern cybercrime.
CISOs will be glad to hear that these solutions layer into a company’s existing security infrastructure quickly, enhancing the value of previous security investments. But more importantly, they present visibility into network traffic like never before, giving you the ability to notice abnormalities and address them — providing enhanced risk management and ensuring you can keep business moving forward at full speed.