If your SOC team’s focus is on detecting anomalies in intrusion prevention system (IPS) and endpoint traffic, you’ve got a security problem. Malware and exploit kits have become sophisticated enough to avoid IPS detection, infiltrating your perimeter and stealthily inflicting damage over time, under the radar.
The threats keep increasing and changing, but many companies’ security levels aren’t keeping pace. Enterprises are up against a variety of bad actors, from disgruntled “free agent” hackers to organized crime syndicates to state-backed attacks. No matter the “face” on the other side, you need to be prepared for them all.
A simple, cost-effective security fix
Being better prepared doesn’t necessarily mean purchasing an expensive new security system. What if you could greatly improve your SOC’s powers of detection by integrating data you already have? Think about this: more than 90% of malware attacks involve a domain name lookup to connect back to bad actors’ command and control infrastructure. By integrating your DNS data with your broader security ecosystem, including endpoint technologies and vulnerability scanners, your system becomes smarter and the SOC team can better detect and prevent cyber attacks of many different types. This is something that’s relatively simple to do and can have a big impact on detection, prevention, analysis and investigation, as I’ve outlined in a previous blog. Why not move DNS data integration to the top of the to-do list?
DNS-level detection of malicious activities
Detecting anomalies and gleaning network context from DNS data can help your SOC protect against a variety of APT and malware activity. For example, Operation Cloud Hopper is a large-scale, long-term, state-backed cyber attack likely based in China. It’s targeting managed IT service providers (MSPs) and using them to infiltrate customers’ networks and steal intellectual property and other sensitive data. Operation Cloud Hopper has involved multiple attacks in the last two to three years and more than 70 varieties of malware. Operation Cloud Hopper’s C&C infrastructure primarily uses dynamic DNS domains, which are interconnected in a complex web.
Ransomware has proven to be a profitable business for cyber criminals, growing by 400% from 2015 to 2016. How profitable is it? Security news site CSO reported that ransomware raked in $1 billion in 2016. By integrating DNS data into your broader security ecosystem, you can detect and prevent APT and malware activity at the DNS level, and prevent attacks such as phishing, malware and ransomware, exploit kits and others.
Even teenagers today can pose a threat to major corporations that have sophisticated cyber security. In one example, five young adults (ages 14-21) with something to prove successfully took down one of the Netherlands’ largest internet providers with a DDoS attack, leaving 1.8 million customers without internet access for two days. Beyond providing the intelligence to detect and identify a DDoS attack faster, a hybrid DNS security solution with self-protecting DNS servers covers IoT devices and on- and off-premises users to protect against DNS DDoS attacks like reflection, amplification, protocol exploits and cache poisoning, and can maintain service availability even when under attack.
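The reflection and amplification attacks mentioned above leave a recognisable signature in a resolver’s own response logs: one client address receives a burst of large responses to small queries in a short window. The script below is an added example, not code from the original post or from any vendor product; it applies a simplified response-rate-limiting (RRL) style check over constructed log lines. The log format, addresses, domain names and thresholds are all assumptions chosen for illustration.

```python
"""Flag DNS reflection/amplification patterns in resolver response logs.

Constructed example: the log format, IP addresses, names and thresholds are
placeholders. A client that receives many large responses to small queries
within a short window is either the spoofed victim of a reflection attack or
a client probing for amplification; in both cases the defensive action is to
rate-limit responses to that address rather than to serve the full burst.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log: "<timestamp> <client_ip> <qtype> <qname> <req_bytes> <resp_bytes>"
# Twelve ANY queries for a large record in twelve seconds, all "from" one client.
FLOOD = "\n".join(
    f"2017-05-10T12:00:{s:02d}Z 198.51.100.7 ANY big.example.test 64 3200"
    for s in range(12)
)
RESPONSE_LOG = FLOOD + """
2017-05-10T12:00:01Z 10.0.0.12 A www.example.com 58 74
2017-05-10T12:00:02Z 10.0.0.45 MX example.org 55 180
2017-05-10T12:00:09Z 10.0.0.12 AAAA www.example.com 58 86
"""

WINDOW = timedelta(seconds=60)   # sliding window per client (assumption)
MIN_RESPONSES = 10               # responses within the window before we care
MIN_AMPLIFICATION = 10.0         # response bytes / request bytes


@dataclass
class Response:
    ts: datetime
    client: str
    qtype: str
    qname: str
    req_bytes: int
    resp_bytes: int


def parse_response_log(text):
    """Parse the constructed format into Response records, skipping bad lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        out.append(Response(ts, parts[1], parts[2], parts[3].lower(),
                            int(parts[4]), int(parts[5])))
    return out


def detect_amplification(records, window=WINDOW):
    """Return one finding per client whose response burst looks like amplification.

    A sliding window over each client's responses is evaluated as soon as it
    holds MIN_RESPONSES entries; if the byte amplification factor over that
    window reaches MIN_AMPLIFICATION the client is flagged once.
    """
    by_client = defaultdict(list)
    for r in records:
        by_client[r.client].append(r)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r.ts)
        start = 0
        for end in range(len(recs)):
            while recs[end].ts - recs[start].ts > window:
                start += 1
            burst = recs[start:end + 1]
            if len(burst) < MIN_RESPONSES:
                continue
            req = sum(r.req_bytes for r in burst)
            resp = sum(r.resp_bytes for r in burst)
            amp = resp / req
            if amp >= MIN_AMPLIFICATION:
                findings.append({
                    "client": client,
                    "responses": len(burst),
                    "amplification": round(amp, 1),
                    "any_fraction": sum(r.qtype == "ANY" for r in burst) / len(burst),
                    "action": "rate-limit responses to client",
                })
                break   # one finding per client is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect_amplification(parse_response_log(RESPONSE_LOG)):
        print(f)
```

The two normal clients never accumulate ten responses in a minute and are left alone; the flooded address is flagged on its tenth response with a 50x amplification factor, which is the point at which a self-protecting resolver would start dropping or truncating responses to it.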
Actionable Threat Intelligence in the DDI environment
Each of the three types of cyber attacks profiled above could probably have been detected by integrating DDI (DNS, DHCP, IPAM) services, which contain rich data, into the broader security ecosystem. Using a at the DNS level provides a critical additional layer of security and real-time threat intelligence that can be leveraged to help assess risk, prioritize alerts and perform forensic research. Do you know if or how your SOC team is integrating DNS data for data correlations and threat analyses? Only by digging in at the DNS level can you know what’s going on inside your network in real time and better protect your enterprise from malicious attacks.
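The integration this post argues for (DNS data joined with DHCP/IPAM and a threat feed, as described in the sections on C&C lookups, dynamic DNS domains and DDI) can be prototyped with very little code. The script below is an added example written for this page, not code from the original post or from any product; it parses constructed resolver log lines, enriches each flagged query with the DHCP lease that ties the client IP to an asset and owner, and scores the result so the SOC can prioritise. The log format, lease table, watchlist entries and dynamic DNS suffixes are all placeholders, and the scoring weights are assumptions.

```python
"""Correlate DNS query logs with DHCP/IPAM lease data and a domain watchlist.

Everything here is constructed for illustration: the log format, the lease
table, the watchlist entries and the dynamic DNS suffixes are placeholders,
not real indicators. Scores are assumptions meant to show prioritisation.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed resolver log lines: "<timestamp> <client_ip> <qtype> <qname>"
DNS_LOG = """\
2017-05-10T10:01:02Z 10.0.0.12 A www.example.com
2017-05-10T10:01:05Z 10.0.0.12 A update.beacon.example-dyn.test
2017-05-10T10:01:07Z 10.0.0.45 A www.example.org
2017-05-10T10:02:10Z 10.0.0.12 A update.beacon.example-dyn.test
2017-05-10T10:03:10Z 10.0.0.12 A update.beacon.example-dyn.test
2017-05-10T10:03:12Z 10.0.0.45 TXT c2.placeholder-bad.test
2017-05-10T10:04:00Z 10.0.0.99 A www.example.com
2017-05-10T10:04:30Z 10.0.0.77 A files.example-dyn.test
"""

# Constructed DHCP/IPAM lease table: client IP -> (hostname, owner)
LEASES = {
    "10.0.0.12": ("LAPTOP-FIN-03", "finance"),
    "10.0.0.45": ("SRV-BUILD-01", "engineering"),
    "10.0.0.99": ("LAPTOP-HR-07", "hr"),
}

# Constructed watchlist standing in for a threat-feed export
WATCHLIST = {"c2.placeholder-bad.test"}
# Constructed suffixes standing in for dynamic DNS providers
DYNDNS_SUFFIXES = (".example-dyn.test",)
# Repeated lookups of one dynamic DNS name by one client look like beaconing
BEACON_THRESHOLD = 3


@dataclass
class Query:
    ts: datetime
    client: str
    qtype: str
    qname: str


def parse_dns_log(text):
    """Parse the constructed log format into Query records, skipping bad lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        out.append(Query(ts, parts[1], parts[2], parts[3].lower().rstrip(".")))
    return out


def is_dyndns(qname):
    return qname.endswith(DYNDNS_SUFFIXES)


def correlate(queries, leases=LEASES, watchlist=WATCHLIST):
    """Return one alert per (client, domain), enriched from leases, highest score first.

    Assumed scoring: watchlist hit 90, repeated dynamic DNS lookups 60, single
    dynamic DNS lookup 30; +10 when the client has no lease, because it cannot
    be tied to a managed asset and needs a human to identify it.
    """
    dyn_counts = Counter((q.client, q.qname) for q in queries if is_dyndns(q.qname))
    alerts = {}
    for q in queries:
        if q.qname in watchlist:
            reason, score = "watchlist domain", 90
        elif is_dyndns(q.qname):
            if dyn_counts[(q.client, q.qname)] >= BEACON_THRESHOLD:
                reason, score = "repeated dynamic DNS lookups", 60
            else:
                reason, score = "dynamic DNS lookup", 30
        else:
            continue
        key = (q.client, q.qname)
        if key in alerts:
            alerts[key]["count"] += 1
            continue
        host, owner = leases.get(q.client, ("UNKNOWN-ASSET", "unknown"))
        if q.client not in leases:
            score += 10
        alerts[key] = {
            "client": q.client, "host": host, "owner": owner,
            "qname": q.qname, "reason": reason, "score": score,
            "first_seen": q.ts.isoformat(), "count": 1,
        }
    return sorted(alerts.values(), key=lambda a: -a["score"])


if __name__ == "__main__":
    for alert in correlate(parse_dns_log(DNS_LOG)):
        print(alert)
```

Run against the constructed log it produces three alerts in priority order: the watchlist hit from the build server, the three-in-three-minutes dynamic DNS lookups from a finance laptop, and a single dynamic DNS lookup from an address with no lease. The lease join is what turns “10.0.0.12 asked for a suspicious name” into “LAPTOP-FIN-03, owned by finance, is beaconing”, which is the context an analyst needs before triage.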