On September 22, 2021, five top InfoSec experts joined Hack, No! for a panel discussion titled Reducing Your Ransomware Risk—an Intelligent Approach. The hour-long event probed the latest onslaught of ransomware attacks and how organizations can best protect themselves. Panelists included cybersecurity veterans Chris Usserman and Craig Sanderson from Infoblox, Ben April, Chief Technology Officer of Farsight Security and John Pescatore, Director of Emerging Security Trends from SANS. Cricket Liu, Executive Vice President and Chief Evangelist at Infoblox moderated the discussion.
Cricket got things rolling by having panelists characterize ransomware compared to malware. All agreed that ransomware is essentially a distinct class of malware, though it relies on many of the same tactics, such as command and control and exfiltration. Chris Usserman noted that ransomware is now being offered up as a service and, as a threat category, has grown much more structured.
The discussion shifted to the central role that DNS plays in ransomware attacks. The panelists agreed that the openness of DNS from a security standpoint, together with its ubiquity, is what makes it so useful to ransomware operators. On the flip side, the panelists noted that DNS architecture, because of that same ubiquity, is ideally suited to protect against ransomware exploits. Through DNS, organizations can not only detect suspicious domains—along with the devices that attempt to access them—but they can also glean additional network and operational context to respond to threats.
As Craig Sanderson observed, in a world where users are accessing on-premises and cloud infrastructure from any location, DNS provides a unique view across environments. “The beauty is quite often in the simplicity,” he stated. “So having that kind of global visibility and control, that’s what you need to do now, because you don’t know where your users are going to be. The assets are constantly moving around. The data’s moving around. You need something which you know is going to be any time, any place, anywhere. And DNS is essentially that.”
The conversation moved to a discussion of how DNS architecture is used to bridge the silos between networking and security teams. John Pescatore related how in the wake of work-from-home scenarios with COVID, organizations had to make changes to their VPN remote access architectures. In the process, networking and security organizations had to work together to solve access issues, using DNS as a common framework for doing so.
The discussion then shifted to the use of DNS in Response Policy Zones (RPZs). Cricket noted that typically, domains listed in an RPZ are reputational in nature. Ben April countered that in his company’s experience, there is also an observational component to RPZ, where domains whose reputations are not yet known see sudden unexplainable spikes in activity that warrant further caution and exploration.
Cricket then transitioned to a comparison of the efficacy of next-generation firewalls versus DNS architecture. The consensus was that DNS architecture offers additional advantages. For starters, it incorporates threat intelligence at levels that next-generation firewalls do not. In addition, a DNS security architecture can use machine learning algorithms to screen for malicious domain traffic, allowing legitimate traffic to move unimpeded while blocking access to dangerous destinations.
Viewers of the webinar were invited to send along questions. One that the panel discussed had to do with which tools to use to spot secondary targets after a compromise has taken place. Ben said that his top recommendation was to track metrics, such as total traffic volume by host, as a way to spot potential exfiltration activity. Chris seconded the idea of monitoring, saying, “The best way to get that visibility is to have off-box visibility. You need to have instrumentation around what’s happening on your network. Behavioral analytics, both from the user perspective and the system.”
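To make the two ideas above concrete, here is an added example (not code from the webinar, Infoblox or Farsight) that reads constructed, simplified query-log lines, tracks per-host query volume as Ben suggested, flags domains whose query count has spiked against a baseline (the observational RPZ signal he described), and renders those domains as RPZ records. The log format, the baseline counts and the `unknown-rep.example` domain are all assumptions made up for the demonstration.

```python
import re
from collections import Counter

# Constructed, simplified query-log lines (not real traffic, not BIND's full format).
SAMPLE_LOG = [
    "client 10.0.0.5#5123: query: www.example.com IN A",
    "client 10.0.0.5#5124: query: mail.example.com IN A",
    "client 10.0.0.6#5200: query: www.example.com IN A",
    "client 10.0.0.7#4001: query: a1.unknown-rep.example IN TXT",
    "client 10.0.0.7#4002: query: a2.unknown-rep.example IN TXT",
    "client 10.0.0.7#4003: query: a3.unknown-rep.example IN TXT",
    "client 10.0.0.7#4004: query: a4.unknown-rep.example IN TXT",
    "client 10.0.0.7#4005: query: a5.unknown-rep.example IN TXT",
    "client 10.0.0.7#4006: query: a6.unknown-rep.example IN TXT",
]

# Constructed baseline: queries per base domain observed on a normal day.
BASELINE = {"example.com": 3, "unknown-rep.example": 1}

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<rtype>\S+)")

def base_domain(name, labels=2):
    """Collapse a hostname to its last `labels` labels (naive; no public-suffix list)."""
    return ".".join(name.rstrip(".").split(".")[-labels:])

def parse(lines):
    """Yield (client_ip, base_domain) for every line that matches the assumed log format."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), base_domain(m.group("name"))

def volume_by_host(lines):
    """Total queries per client: the per-host volume metric used to spot exfiltration."""
    return Counter(ip for ip, _ in parse(lines))

def spiking_domains(lines, baseline, factor=3):
    """Domains whose count is at least `factor` times their baseline (unknown domains default to 1)."""
    today = Counter(dom for _, dom in parse(lines))
    return sorted(d for d, n in today.items() if n >= factor * baseline.get(d, 1))

def rpz_records(domains, action="CNAME ."):
    """Render RPZ records applying `action` (default NXDOMAIN) to each domain and its subdomains."""
    out = []
    for d in domains:
        out.append(f"{d} {action}")
        out.append(f"*.{d} {action}")
    return out

if __name__ == "__main__":
    print(dict(volume_by_host(SAMPLE_LOG)))
    print("\n".join(rpz_records(spiking_domains(SAMPLE_LOG, BASELINE))))
```

In practice the spiking domains would go to an analyst for the "further caution and exploration" Ben mentioned before being published in a policy zone, since a spike alone does not prove malice.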
Cricket brought the discussion back to the topic of ransomware specifically with another viewer question, this one on the tactics that are most successful in thwarting attacks. After a brief back and forth on the value of rigorous backup and recovery, panelists talked about the necessity of bridging gaps between networking and security using common data (e.g., DNS and DHCP) that enables organizations to proactively examine their environments for anomalous activity.
The event wrapped up with some closing thoughts on protecting organizations from the scourge of ransomware. Craig Sanderson summed things up best, saying “You need to use all the tools available to you and DNS is already there. I mean it’s not like you have to come and find new infrastructure. You already have DNS, just consider repurposing it to add an extra layer of defense.”
Interested in listening to the complete discussion? You can tune in here.