What is Protective DNS?

Protective DNS is a cybersecurity defense that uses the DNS protocol to prevent endpoints (laptops, workstations, servers, IoT devices, etc.) from acquiring an IP address (A record) to connect to a malicious or untrusted destination. Protective DNS is also known as DNS filtering or a DNS firewall.

Open DNS Resolution is a Security Vulnerability

Open and uncontrolled DNS resolution is a security vulnerability. Attackers relentlessly use cheap, disposable, and compromised Internet resources to stand up domains and websites to attack your employees and organization at will. If your endpoints, servers, and devices can resolve and connect to any random domain on the Internet, this should be considered a serious cybersecurity vulnerability. Cybercriminals are doing the following with DNS before they attack your organization.

  • Before compromising a victim, attackers may purchase or otherwise acquire new and existing domains to use for targeting. Domains can be bought or acquired for free. In some cases, domains are compromised and used as a vehicle to download, spread or command malware.
  • Attackers may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. These links point to websites and domains the attackers acquire or build. In some cases, “trusted” and “established” websites are used.
  • Attackers often develop techniques, tactics, and procedures (TTPs) to prevent the detection of their communication to Command and Control (C2) domains. Attackers’ pre-attack activities include grooming domains to make them appear legitimate. Attackers leveraged this tactic in the SolarWinds attack.
  • Overall, protective DNS services such as Securd enable defense against 15+ security categories of cyber threats.

Features of a Protective DNS Service

While there are some common PDNS security features in the industry, new capabilities and strategies are needed to defend against modern threats. Bad actors have too much agility on the Internet. They can stand up new domains, websites, and infrastructure with little or no effort. Advanced persistent threat groups have the resources, patience, and methods to bypass reactive defenses. Without a zero-trust approach (assume everything is hostile first), a defense will fail to mitigate unknown and emerging threats.

A protective DNS solution must be able to:

  • Block new domains in real-time from the second of registration or creation.
  • Delay the resolution of domains with certain characteristics.
  • Control the number of potential domains allowed to attack your organization.
  • Collapse and harden all outbound DNS resolution at the time of a malware or ransomware incident.
  • Provide real-time and historical visibility into all outbound DNS traffic for incident response and analysis.
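The capabilities listed above map onto a small policy engine. The following is an added example, not Securd's code: it shows how a protective DNS resolver can decide whether to answer a query using a default-deny (zero-trust) posture, explicit allow and block lists, a timed "grey wall" that withholds newly registered domains for a grace period, a lockdown mode that collapses all egress to the allow list during an incident, and a decision log that feeds incident response. The registration dates, policy lists, 30-day grace period and the `.example` domain names are constructed sample data and assumptions, not real indicators or Securd settings.

```python
"""Added example of a protective DNS policy engine (not Securd's code).

Decision order per query: block list -> allow list -> lockdown -> grey wall
(newly registered) -> default deny. Every decision is logged so an incident
responder can reconstruct outbound DNS activity.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK_LIST = "block:listed"          # explicit block list hit
    BLOCK_NEW = "block:grey-wall"        # domain younger than the grace period
    BLOCK_LOCKDOWN = "block:lockdown"    # incident mode, not on allow list
    BLOCK_DEFAULT = "block:default-deny" # unknown domain under zero trust


def registrable_domain(qname: str) -> str:
    """Crude eTLD+1 reduction (assumes single-label public suffixes).
    A real deployment would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


@dataclass
class Policy:
    allow: set[str] = field(default_factory=set)
    block: set[str] = field(default_factory=set)
    grey_wall_days: int = 30    # assumed grace period for new registrations
    default_deny: bool = True   # zero trust: unknown domains are blocked
    lockdown: bool = False      # incident mode: allow list only


@dataclass
class Resolver:
    policy: Policy
    # Constructed stand-in for a WHOIS/RDAP registration-date cache.
    registration: dict[str, datetime]
    log: list[dict] = field(default_factory=list)

    def decide(self, qname: str, now: datetime) -> Verdict:
        domain = registrable_domain(qname)
        if domain in self.policy.block:
            verdict = Verdict.BLOCK_LIST
        elif domain in self.policy.allow:
            verdict = Verdict.ALLOW
        elif self.policy.lockdown:
            verdict = Verdict.BLOCK_LOCKDOWN
        else:
            created = self.registration.get(domain)
            too_new = created is not None and (
                now - created < timedelta(days=self.policy.grey_wall_days)
            )
            if too_new:
                verdict = Verdict.BLOCK_NEW
            elif self.policy.default_deny:
                verdict = Verdict.BLOCK_DEFAULT
            else:
                verdict = Verdict.ALLOW
        # Passive DNS style record for real-time and historical analysis.
        self.log.append({"ts": now.isoformat(), "qname": qname,
                         "domain": domain, "verdict": verdict.value})
        return verdict


# Constructed sample data; .example is a reserved TLD, these are not real IoCs.
NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)
SAMPLE_REGISTRATIONS = {
    "vendor-allowed.example": NOW - timedelta(days=3000),
    "known-bad.example": NOW - timedelta(days=10),
    "brand-new.example": NOW - timedelta(days=2),   # inside the grey wall
    "unknown.example": NOW - timedelta(days=900),   # old, but never vetted
}


def sample_resolver(default_deny: bool = True, lockdown: bool = False) -> Resolver:
    policy = Policy(allow={"vendor-allowed.example"},
                    block={"known-bad.example"},
                    default_deny=default_deny, lockdown=lockdown)
    return Resolver(policy=policy, registration=dict(SAMPLE_REGISTRATIONS))


if __name__ == "__main__":
    r = sample_resolver(default_deny=False)
    for name in ("www.vendor-allowed.example", "cdn.known-bad.example",
                 "brand-new.example", "unknown.example"):
        print(name, "->", r.decide(name, NOW).value)
```

With `default_deny=False` the grey wall is the only thing standing between an endpoint and a two-day-old domain; with the default zero-trust setting an unvetted domain is blocked whether it is new or not, and the log records which rule fired. Flipping `lockdown=True` is the "collapse and harden" step: everything except the allow list stops resolving immediately.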

Why Protective DNS must be Trust-Based and Highly Restrictive

Why do you need to use a trust-based defense technology for DNS? No matter what vendors claim about their AI and machine learning, they do not have the time, intelligence and context to protect your organization from asymmetric threat actors that can change or decoy their techniques, tactics and procedures (TTPs) at will.

Attacks are very targeted and don’t last long

For example, a recent malware and phishing study conducted by Google and Stanford University found the following.

  • 91% of phishing campaigns distributed less than 1,000 emails.
  • 99% of malware campaigns distributed less than 1,000 emails.
  • 89% of malware campaigns last just one day.
  • 80% of phishing campaigns last less than one week.
  • Traffic to phishing pages has been found to disappear within a few hours after detection.

Research shows many sources of IoCs are grossly behind

Another study highlights how threat intelligence is usually very latent. In the Quality Evaluation of Cyber Threat Intelligence Feeds study, May 2020, security researchers found it takes up to 21 days for Indicators of Compromise (IoCs) to make their way into feeds.

Source: International Conference on Applied Cryptography and Network Security (ACNS), May 2020, https://www.researchgate.net/publication/341385656_Quality_Evaluation_of_Cyber_Threat_Intelligence_Feeds

“Based on this analysis, we find that the first examples of successful indication in figure 2 are the exception rather than the norm, surprisingly we find that it takes on average 21 days before indicators are included in a list.”

Compared to the Google study data, this is an untenable reality when trying to defend against potentially destructive threats such as ransomware.

Industry security performance reports highlight the problem

The industry data on security efficacy shows there’s a serious problem with the traditional approach to DNS-level security. In the example published by AV-TEST in February 2020 (linked below), the “top” DNS security vendors show serious detection rate challenges. With the best DNS-level performance at 72.6% detection of “known” IoCs, one can imagine what the actual rate of detection is against zero-day or rarely observed attacks. When you put 72.6% in the context of a spear phishing or ransomware attack, it doesn’t take many cycles for threat actors to be successful once. These detection rates unfortunately align with recent events like the SolarWinds supply chain attack, where seemingly benign and “low utility” domains were exploited and evaded traditional defenses.


Source: https://www.av-test.org/fileadmin/pdf/reports/AV-TEST_DNS_Protection_and_Secure_Web_Gateway_Test_Feb_2020.pdf

These are just a few of the reasons why Securd took a completely different approach to classifying domains. Assuming every domain is a threat changes the perspective, manner and methods used to determine whether a domain should be resolved or blocked.

Protective DNS Features for Any Organization

Securd can be used by any business, regardless of size or location. It takes most administrators less than 5 minutes to get started. Securd offers the following features:

Security Features

  • Zero Trust Protection
  • Timed Grey Wall for New Domains
  • 15+ Security Categories
  • URL Level Blocking
  • DNSSEC Enforcement
  • Implicit Deny/Allow Egress
  • Custom Allow Lists
  • Custom Block List
  • Domain/Hostname Blocking
  • IP/CIDR Blocking
  • Real-time Analytics & Logs
  • Historical Passive DNS Logs
  • SIEM/Log Analysis Integration
  • Incident Response Tool Integration

Deployment Features

  • Cloud-Based SaaS
  • Simple Web-Based UI
  • Multi-Tenant/Multi-Site Support
  • 100% Uptime Global Anycast DNS
  • 10ms Query Response Times
  • Real-time Policy Changes
  • IPv4/IPv6 Support
  • DoH & DoT Support
  • Custom TTLs
  • Multiple Policies Per IP
  • Custom DoH URLs
  • Agent/Agentless Deployment Options

Comply with CMMC SC.4.199

In January 2020, the US Department of Defense (DoD) released the first version of its Cybersecurity Maturity Model Certification (CMMC) standard. Starting December 2020, DoD contractors will be required to be accredited to the standard. Protective DNS filtering from Securd will enable your organization to comply with CMMC DNS filtering requirements for different cyber maturity levels.

Reduce the Threat of Phishing and Malware

Whatever you call it (Protective DNS, DNS firewall, or DNS filtering), DNS-level security from Securd protects your endpoints and end users from malicious sites and the hostile Internet. Powered by patent-pending DNS & URL defense, zero-trust DNS filtering controls access to the Internet and keeps your end users and endpoints safe. Start protecting your end users wherever they are in less than 5 minutes. Start your free trial today.