What is a DNS Greywall?

A DNS Greywall is a proprietary DigitalStakeout Securd feature that uses zero trust DNS security analytics to block security threats.

Why is a DNS Greywall Needed to Combat Security Threats?

The DigitalStakeout Securd grey wall is designed and tuned to mitigate real-time cyber-attacks in which end-users and endpoints attempt to connect to phishing sites, ransomware downloads, and malware command-and-control infrastructure. Greywalls reduce cyber risk by temporarily preventing unwitting end-users from interacting with domains, host names, and URLs that have no history, no reputation, or were generated by an algorithm (DGA).

How Does the DigitalStakeout Securd DNS Greywall Work?

The DigitalStakeout Securd grey wall feature must know which hosts and domains are acceptable to connect to. It must also recognize new and untrusted host names that should not be connected to.

First, the security administrator trains the grey wall in “learn” mode to baseline the frequently used, trustworthy domains that are acceptable. Second, the security administrator determines the temporary block time for a connection to a grey-walled host name or domain. A temporary block can be as short or as long as the security administrator sets in the security policy; in most cases it falls in the range of 1 hour to 90 days. Third, the security administrator switches the security policy from “learn” to “enforce.”

This temporary block gives security tools, providers, and the information security community time to discover, assess, and distribute protection or intelligence that mitigates the threat.

DigitalStakeout Securd Grey Wall Blocks New Cyber Threats

This is a simple example of how the DigitalStakeout Securd grey wall blocks new and novel cyber attacks hosted on malicious or compromised domains. After training the grey wall, security and network administrators have full control over when “new” domains can be resolved by endpoints.

1. End-user Clicks on Phishing Link

A threat actor registers a domain and, within 15 minutes, launches a phishing campaign. An unwitting end-user is tricked into clicking a phishing link and attempts to visit https://some-evil-phishing-site.example.com/phishing-attack/login.html

2. Endpoint Initiates A DNS Lookup

The end-user’s system attempts to resolve the host name some-evil-phishing-site.example.com. Before the endpoint can connect, it needs an A (or AAAA) record with an IP address for that name.

3. The Greywall Blocks Untrusted Domains

Before the grey wall feature in the DNS firewall allows the DNS server to resolve the query, it runs checks to decide whether to allow or deny it. For example, it determines whether a query for some-evil-phishing-site.example.com has been observed before, and whether the name was dormant for some time or was only just registered. If the query matches any block criteria, it is denied: the user is redirected to a block page stating the reason, and the blocked query is logged for a security administrator to review.

4. DigitalStakeout Securd Admins Decide When to Release Untrusted Domains

Once the grey wall hold on some-evil-phishing-site.example.com expires, the grey wall allows DNS queries for it to continue. With Securd, this leads to additional checks to assure that some-evil-phishing-site.example.com is not an active threat. If the query does not match any criteria in the security policy, Securd global recursive DNS servers process and resolve the request, and the accept is recorded in passive DNS logs available for review and analysis in the DigitalStakeout Securd Portal.
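The following is an added, simplified simulation of the learn/enforce procedure described above and of the four-step walkthrough. It is illustrative code written for this page, not DigitalStakeout Securd's implementation: the names `DnsGreywall`, `query`, `set_mode`, and the `dormant_seconds` setting are assumptions, the keying on the full lower-cased host name is a simplification (a production greywall would also key on the public-suffix-aware registrable domain so a fresh subdomain label cannot bypass the hold), and the "dormant" rule (a baselined name unseen for longer than `dormant_seconds` is greywalled again) is one reasonable reading of the page's "dormant for some time" check.

```python
"""Toy DNS greywall: baseline names in learn mode, then temporarily block
never-seen or long-dormant host names in enforce mode.  Added illustration;
not vendor code.  Timestamps are plain integers (seconds) so it runs offline."""

from dataclasses import dataclass, field


@dataclass
class GreywallDecision:
    action: str   # "allow" or "block"
    reason: str   # shown on the block page / written to the log


@dataclass
class DnsGreywall:
    block_seconds: int            # temporary hold for a new name (page: 1 h .. 90 d)
    dormant_seconds: int          # assumption: baseline name unseen this long is "new" again
    mode: str = "learn"           # "learn" or "enforce"
    last_seen: dict = field(default_factory=dict)    # baselined host -> last query time
    first_seen: dict = field(default_factory=dict)   # greywalled host -> first query time
    block_log: list = field(default_factory=list)    # (time, host, reason) for admin review

    @staticmethod
    def normalize(qname: str) -> str:
        # Case- and trailing-dot-insensitive key.  Assumption/simplification:
        # key on the full host name rather than the registrable domain.
        return qname.rstrip(".").lower()

    def set_mode(self, mode: str) -> None:
        if mode not in ("learn", "enforce"):
            raise ValueError("mode must be 'learn' or 'enforce'")
        self.mode = mode

    def query(self, qname: str, now: int) -> GreywallDecision:
        host = self.normalize(qname)

        # Step 1 of the procedure: in learn mode every observed name is baselined.
        if self.mode == "learn":
            self.last_seen[host] = now
            return GreywallDecision("allow", "learn mode: added to baseline")

        # Baselined and recently active: resolve normally.
        if host in self.last_seen:
            if now - self.last_seen[host] <= self.dormant_seconds:
                self.last_seen[host] = now
                return GreywallDecision("allow", "baseline host")
            # Dormant too long: drop from baseline and treat as newly observed.
            del self.last_seen[host]
            self.first_seen[host] = now

        # New or untrusted name: hold it for block_seconds from first sighting.
        first = self.first_seen.setdefault(host, now)
        remaining = self.block_seconds - (now - first)
        if remaining > 0:
            reason = f"new/untrusted host, greywalled for {remaining}s more"
            self.block_log.append((now, host, reason))
            return GreywallDecision("block", reason)

        # Hold expired: release the name and record it as seen (passive DNS).
        del self.first_seen[host]
        self.last_seen[host] = now
        return GreywallDecision("allow", "greywall hold expired")


HOUR, DAY = 3600, 86400


def walkthrough() -> list:
    """Replays the page's phishing scenario; returns the list of decisions."""
    gw = DnsGreywall(block_seconds=HOUR, dormant_seconds=30 * DAY)
    t0 = 1_700_000_000                      # constructed epoch timestamp
    out = [gw.query("www.corp-portal.example", t0)]          # learned baseline
    gw.set_mode("enforce")
    evil = "some-evil-phishing-site.example.com"
    out.append(gw.query(evil, t0 + 15 * 60))                 # step 3: blocked
    out.append(gw.query("WWW.corp-portal.example.", t0 + 20 * 60))   # baseline, allowed
    out.append(gw.query(evil, t0 + 15 * 60 + HOUR - 1))      # still inside hold
    out.append(gw.query(evil, t0 + 15 * 60 + HOUR))          # step 4: released
    return out


if __name__ == "__main__":
    for d in walkthrough():
        print(d.action.upper(), "-", d.reason)
```

The `block_log` entries are what an administrator would review, and `last_seen` stands in for the passive DNS record written on an accept. Raising `block_seconds` toward the 90-day end of the page's range does not change the logic, only how long the community has to catch up before the name is released.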

Start taking opportunities away from cyber adversaries.
