Why do you need to use a trust-based defense technology for DNS? No matter what vendors claim about their AI and machine learning, they do not have the time, intelligence and context to protect your organization from asymmetric threat actors who can change or decoy their tactics, techniques and procedures (TTPs) at will.
Attacks are very targeted and don’t last long
For example, a recent malware and phishing study conducted by Google and Stanford University found the following.
- 91% of phishing campaigns distributed less than 1,000 emails.
- 99% of malware campaigns distributed less than 1,000 emails.
- 89% of malware campaigns last just one day.
- 80% of phishing campaigns last less than one week.
- Traffic to phishing pages has been found to disappear within a few hours after detection.
Research shows many sources of IoCs are grossly behind
Another study highlights how latent threat intelligence usually is. In the Quality Evaluation of Cyber Threat Intelligence Feeds study (May 2020), security researchers found it takes up to 21 days for Indicators of Compromise (IoCs) to make their way into feeds.
Source: International Conference on Applied Cryptography and Network Security (ACNS), May 2020
“Based on this analysis, we find that the first examples of successful indication in figure 2 are the exception rather than the norm; surprisingly, we find that it takes on average 21 days before indicators are included in a list.”
Compared to the Google study data, this is an untenable reality when trying to defend against potentially destructive threats such as ransomware.
Industry security performance reports highlight the problem
The industry data on security efficacy shows there’s a serious problem with the traditional approach to DNS-level security. In the example published by AV-TEST in February 2020 (figure below), the “top” DNS security vendors have serious detection rate challenges. With the best DNS-level performance at 72.6% detection of “known” IoCs, one can imagine what the actual rate of detection is against zero-day or rarely observed attacks. When you put 72.6% in the context of a spear phishing or ransomware attack, it doesn’t take many cycles for threat actors to be successful once. Unfortunately, these detection rates align with recent events like the SolarWinds supply chain attack, where very benign-looking, “low utility” domains were exploited and evaded traditional defenses.
These are just a few of the reasons why Securd took a completely different approach to classifying domains. Assuming every domain is a threat changes the perspective, manner and methods used to determine whether a domain should be resolved or blocked.
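The difference between the two approaches can be seen in a small simulation. The Python below is an added illustration, not Securd’s code and not a description of its classifier: it compares a traditional blocklist policy (resolve everything unless an IoC feed already lists it) with a default-deny trust policy (resolve only explicitly trusted domains) on a constructed query log. The 21-day feed lag is taken from the ACNS study quoted above; the allowlist entries, domain names and dates are constructed assumptions.

```python
"""Blocklist vs. default-deny ("assume every domain is a threat") DNS policy.

Added example; not Securd's code. The IoC feed is modelled with the 21-day
publication lag the ACNS 2020 study reports. All domains and dates below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

IOC_FEED_LAG = timedelta(days=21)  # average feed lag from the ACNS 2020 study


@dataclass(frozen=True)
class Domain:
    name: str
    first_seen: date                     # day the resolver first saw this name
    ioc_detected: Optional[date] = None  # day a vendor flagged it (None = never)


def in_allowlist(name: str, allowlist: frozenset) -> bool:
    """True if the name or any parent domain is explicitly trusted.
    Bare TLDs are never matched, so 'example' alone grants nothing."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def ioc_published(domain: Domain, today: date) -> bool:
    """The IoC only helps once detection plus feed lag has elapsed."""
    return domain.ioc_detected is not None and today >= domain.ioc_detected + IOC_FEED_LAG


def blocklist_policy(domain: Domain, today: date, allowlist: frozenset) -> str:
    """Traditional approach: everything resolves unless a feed already lists it."""
    return "BLOCK" if ioc_published(domain, today) else "RESOLVE"


def trust_policy(domain: Domain, today: date, allowlist: frozenset) -> str:
    """Default-deny: only trusted domains resolve; a feed hit revokes trust."""
    if ioc_published(domain, today):
        return "BLOCK"
    return "RESOLVE" if in_allowlist(domain.name, allowlist) else "BLOCK"


def simulate(policy, queries, allowlist: frozenset) -> dict:
    """Map (domain, ISO day) -> verdict for every query in the log."""
    return {(d.name, day.isoformat()): policy(d, day, allowlist) for d, day in queries}


# Constructed sample data: a one-day phishing campaign on a fresh domain,
# detected the same day it appears, and a long-lived corporate mail host.
ALLOWLIST = frozenset({"example.com", "saas.example"})
DAY0 = date(2020, 2, 1)
PHISH = Domain("login-update.example", first_seen=DAY0, ioc_detected=DAY0)
CORP = Domain("mail.example.com", first_seen=DAY0 - timedelta(days=400))
QUERIES = [(PHISH, DAY0), (PHISH, DAY0 + IOC_FEED_LAG), (CORP, DAY0)]


def compare() -> dict:
    """Run both policies over the same constructed query log."""
    return {
        "blocklist": simulate(blocklist_policy, QUERIES, ALLOWLIST),
        "trust": simulate(trust_policy, QUERIES, ALLOWLIST),
    }


if __name__ == "__main__":
    for policy_name, verdicts in compare().items():
        print(policy_name)
        for (name, day), verdict in verdicts.items():
            print(f"  {day}  {name:<24} {verdict}")
```

Under the blocklist policy the phishing domain resolves on the day the campaign runs and is only blocked on day 21, after the campaign has long ended; under the trust policy it is blocked on day 0 while the known corporate host still resolves. The cost of the trust policy is that every legitimate new domain needs an explicit trust decision, which is the operational trade-off a default-deny design has to manage.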