A Different Approach to Security

Michael Hunsucker

IT personnel charged with protecting an organization from cyber security attacks today face a daunting and seemingly impossible task. The constantly evolving attack landscape of malware, phishing, APTs, viruses, ransomware, botnets, C2 callbacks, malvertising, etc. pushes most companies into a state of being continually compromised at multiple levels, whether they realize it yet or not. The traditional approach to security, which relies on protection at the perimeter layer with multiple stacked security solutions such as firewalls, proxies, anti-malware, anti-virus and VPN, is mostly reactive and simply not capable of handling the variety and sophistication of attacks that evolve daily. To make matters worse, the proliferation of cloud-based SaaS, PaaS, BYOD and mobile endpoints throughout enterprises has pushed much of an organization's data, and the corresponding attack vectors, outside of the enterprise's perimeter security solutions and control.

A different approach is needed, one that pushes the protection layer higher up the stack and across a broader spectrum. The reality is that the majority of cyber attacks originate in the DNS layer of the Internet, well before they approach your perimeter. The stages, or “kill chain”, of a typical attack are summarized below.

  1. Reconnaissance: Social media, trolling, harvesting email addresses, online behavior, etc.
  2. Staging/Weaponization: Payloads are built and prepared. Networks and hosts are utilized to stage initial payloads, malware drop hosts, and botnet controllers.
  3. Delivery: Various web and email techniques are used to launch the attack.
  4. Exploitation: Known vulnerabilities, zero-day exploits, or user-initiated actions are triggered.
  5. Installation: The weapon installs an access point usable by the intruder.
  6. Command and Control (C2): The compromised system(s) call back to the originator via a botnet, etc., to establish remote control.
  7. Action on Objective/Persistence: The intended action is taken, such as data exfiltration, data destruction, ransomware encryption, etc.

Most perimeter security products are reactive and will not even be aware of an attack until after it has been launched and the exploit attempt begins (stages 3-4). A DNS layer approach that can detect redirections, exploit/phishing domains, bogus mappings, callback domains, staging/malware/botnet infrastructure, command & control callbacks, etc. is much more proactive, identifying and stopping attacks before they get to your perimeter.
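As an added illustration (not OpenDNS code, and not from the original post) of the kind of policy a DNS-layer filter applies, the Python below blocks queries to domains on a constructed threat list, tags each block with the kill-chain stage from the list above, and flags a bogus mapping when a pinned domain resolves outside its known address ranges. All domain names, addresses and log lines are constructed sample data.

```python
import ipaddress
from collections import Counter

# Constructed sample threat list (hypothetical .test names): domain -> category.
THREAT_CATEGORIES = {
    "update-check.example-c2.test": "c2_callback",
    "cdn-drop.example-malware.test": "malware_drop_host",
    "secure-login.example-phish.test": "phishing",
}

# Kill-chain stage (numbering from the list above) that each category belongs to.
STAGE_OF = {"malware_drop_host": 2, "phishing": 3, "c2_callback": 6}
# Constructed: domains whose legitimate address ranges are pinned, so an answer
# outside them is treated as a bogus mapping / redirection.
PINNED_RANGES = {"portal.example-corp.test": [ipaddress.ip_network("203.0.113.0/24")]}

def evaluate(qname, answer=None):
    """Decide on one DNS query and optional answer IP -> (action, reason, stage)."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    # Match the exact name or any parent domain on the threat list.
    for i in range(len(labels)):
        category = THREAT_CATEGORIES.get(".".join(labels[i:]))
        if category:
            return ("block", category, STAGE_OF[category])
    # Check the response: a pinned domain resolving outside its known ranges.
    if answer is not None and name in PINNED_RANGES:
        ip = ipaddress.ip_address(answer)
        if not any(ip in net for net in PINNED_RANGES[name]):
            return ("block", "bogus_mapping", None)
    return ("allow", None, None)

def process_log(lines):
    """Run evaluate() over 'qname answer_ip' log lines; return block counts by reason."""
    counts = Counter()
    for line in lines:
        qname, *rest = line.split()
        action, reason, _ = evaluate(qname, rest[0] if rest else None)
        if action == "block":
            counts[reason] += 1
    return counts

# Constructed sample resolver log: query name and the IP it resolved to.
SAMPLE_LOG = [
    "www.update-check.example-c2.test 198.51.100.5",
    "cdn-drop.example-malware.test 198.51.100.9",
    "portal.example-corp.test 203.0.113.10",
    "portal.example-corp.test 198.51.100.7",
    "intranet.example-corp.test 10.0.0.5",
]
```

Running `process_log(SAMPLE_LOG)` on the sample yields one block each for the C2 callback, the malware drop host and the bogus mapping, while the legitimate portal and intranet lookups are allowed.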

Additionally, because DNS solutions are cloud based and managed at the DNS layer, they can provide protection both on and off the corporate network, which perimeter solutions typically struggle with. A few DNS-focused solutions have emerged recently in the security market and should be given a strong look to complement your existing perimeter security solutions. Cisco recently purchased the market leader in this space, OpenDNS, which I will describe in a bit more detail.

On a daily basis, OpenDNS processes over 80 billion requests, blocks 7+ million malicious requests, and identifies 60K+ new attack models. OpenDNS requires no hardware of any type and can be deployed across your entire enterprise in a few hours. It is non-invasive and non-disruptive, requiring only a couple of DNS changes to your internal network.

We deployed OpenDNS internally at Sovereign Systems in an afternoon and within the first day stopped 1401 botnet/command & control attacks and 11 malware/drive-by attacks across our relatively small footprint; all before they reached our perimeter. This type of DNS-level solution requires no client agents and protects every device on your network over every port and protocol. Cisco performs advanced statistical modeling, analyzing terabytes of data in real time to learn activity and threat patterns and identify new attack infrastructure before threats are launched. This analysis is all performed in the cloud, transparently and non-invasively.

Another pretty cool feature is the ability to provide protection to endpoints outside of our internal network. Like many organizations, Sovereign has a fairly mobile workforce, with sales and engineering resources scattered all over the country in remote sites, which typically means that they are outside of our corporate perimeter security defenses (even with VPN connectivity).

OpenDNS has an optional Roaming Client that redirects endpoint DNS traffic through Cisco’s OpenDNS servers, providing the same level of protection users get when they are on the corporate network. Note this is not a heavy anti-virus agent but a very small-footprint client that redirects DNS traffic and also automatically detects the DHCP changes that are typical on endpoints.

This combination provides “always on” protection for virtually all of your infrastructure, whether it is on or off your network. It should be noted that solutions like OpenDNS do not replace the need for firewalls, anti-virus, etc., but are one piece of what should be a layered security approach that covers more attack vectors and can better react to the constantly evolving attack strategies in use today.