MEMBER NEWS: CUJO AI’s Kestas Malakauskas on next gen cyber security
Author: Kestas Malakauskas, SVP Cyber Security, CUJO AI
Broadband customers are bringing millions of new smart devices into their homes. The number of connected devices might reach 30 billion by 2020, and this is just one of the conservative estimates. However, it’s difficult to secure all of these devices using traditional signature-based and blacklisting methods.
DNS traffic is getting encrypted
The Domain Name System (DNS) is the protocol that dictates how computers on the Internet find one another by name: it turns a user-friendly domain name into the IP address that computers use to identify each other. When a person types in a domain name (or URL), a DNS query is sent to a DNS server, which looks up the IP address of the domain they are trying to reach. The DNS protocol is unencrypted by default.
Most security vendors still rely heavily on techniques such as DNS firewalls and DNS blacklisting, which check DNS queries against lists of known bad domains. In 2-3 years, all DNS traffic will be encrypted, and analysis of DNS traffic will no longer help to spot and stop malicious activity on the network.
Apple has recently made encrypted DNS available for devices that are managed by Mobile Device Management (MDM) platforms and plans to roll it out to the general iPhone (iOS 11 and up) population shortly. Google has also announced that it will add DNS over TLS to Android.
While encryption brings more security and privacy to broadband homes and the consumer space, this trend also has a downside. It becomes harder for network operators to protect communication channels and to identify compromised devices and attacks: once DNS traffic is encrypted, monitoring ingress/egress network flows becomes challenging.
Traffic will become more prone to various exfiltration attempts. Network operators and companies that use DNS blacklisting services as their key security controls will struggle to identify potential attacks and data exfiltration attempts. In addition, Next Generation Firewalls (NGFs) that perform deep packet inspection (DPI) on traffic to look for malicious behavior will be prone to evasion.
Finally, the DNS PRIVate Exchange (DPRIVE) initiative and related efforts are gaining traction, and DNS encryption may soon become an Internet standard.
New types of threats are emerging
The DNS blacklisting approach is inherently reactive, relying on human analysts to respond to and validate millions of security events weekly. Between 200,000 and 300,000 new malware samples are released every day, and keeping track of them gets increasingly complex.
DNS firewalls are used mostly within the Delivery or Command & Control attack phases. Their focus is solely on blocking known bad destinations, rather than on proactively detecting possible threats and anomalies.
Cyberattack patterns and malicious infrastructure evolve rapidly. Techniques such as fast flux and domain generation algorithms (DGA) are used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts. This creates attack infrastructure that is more resistant to discovery and counter-measures, and it makes DNS blacklisting a very expensive security control to maintain.
Another growing technique is to hide the threat inside encrypted traffic. Encryption has grown as a way of protecting payloads, but it can also conceal bad traffic from security systems. Threat actors are also using popular cloud services for command and control, which makes malware very difficult to find with traditional security tools because its traffic looks normal.
As a result, DNS firewalls will become ineffective as a security inspection data point.
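To make the two preceding points concrete (a blacklist only matches names a feed already lists, while DGA-style names look different from human-chosen ones and typically produce bursts of NXDOMAIN answers), here is a small detection heuristic added for this article; it is not CUJO AI's code. The log line format, the thresholds, the blacklist entries and the two random-looking labels are all constructed assumptions for the example.

```python
import math
import re
from collections import Counter

# Constructed sample: a static feed of known bad domains plus DNS query log lines in an
# assumed "timestamp client qtype qname rcode" format; the 14-char labels are invented.
BLACKLIST = {"known-bad.example", "old-c2.example"}
SAMPLE_LOG = """\
2018-04-02T10:00:01 192.0.2.10 A www.example.com NOERROR
2018-04-02T10:00:02 192.0.2.10 A known-bad.example NOERROR
2018-04-02T10:00:03 192.0.2.11 A xk3q9v7tz2mlp8.example NXDOMAIN
2018-04-02T10:00:04 192.0.2.11 A q8wz41kd0yhs6b.example NXDOMAIN
2018-04-02T10:00:05 192.0.2.12 A mail.example.org NOERROR
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def shannon_entropy(label):
    """Bits per character; random-looking labels score close to log2(len(label))."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_generated(qname, min_len=12, min_entropy=3.3, min_digit_ratio=0.3):
    """Heuristic (thresholds assumed): a long label that is high-entropy or digit-heavy."""
    # label left of the suffix (a single-label public suffix is assumed here)
    label = qname.rstrip(".").lower().split(".")[-2:][0]
    digit_ratio = sum(ch.isdigit() for ch in label) / max(len(label), 1)
    return len(label) >= min_len and (
        shannon_entropy(label) >= min_entropy or digit_ratio >= min_digit_ratio)

def classify(log_text, blacklist):
    """Return (client, qname, verdict) for each well-formed log line."""
    verdicts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing the pipeline
        _ts, client, _qtype, qname, rcode = m.groups()
        if qname in blacklist:
            verdict = "blacklist"    # reactive control: matches only listed names
        elif rcode == "NXDOMAIN" and looks_generated(qname):
            verdict = "dga-suspect"  # behavioural signal: no feed entry needed
        else:
            verdict = "allow"
        verdicts.append((client, qname, verdict))
    return verdicts

def suspicious_clients(verdicts, min_hits=2):
    """Clients with repeated DGA-like NXDOMAIN lookups, the trail a DGA leaves."""
    hits = Counter(c for c, _q, v in verdicts if v == "dga-suspect")
    return {c for c, n in hits.items() if n >= min_hits}
```

Run over the sample, the blacklist catches only the one listed name, while the entropy and NXDOMAIN heuristic flags the two unlisted lookups and the client that made them.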
Privacy is becoming a priority
Continued privacy concerns and regulations will drive the growth of encrypted channels and protocols across the Internet. On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect. It will protect the data of the citizens of European Union member states, and it also applies to non-EU organizations that use the data of EU citizens.
Under the regulation, all organizations will have to improve their security measures, including data assessment, security standards, and privacy policies. The regulation will reshape the overall cybersecurity landscape and introduce comprehensive security controls.
DNS blacklisting is also unable to protect against Internet of Things (IoT) hacking. The latest shifts in technology make encryption easy to implement; it will become the norm for providing data confidentiality and integrity across interconnected IoT ecosystems, and DNS blacklisting will not protect smart devices against this attack vector.
The next generation of cybersecurity is powered by artificial intelligence
CUJO AI takes an innovative approach: our security controls are driven by machine learning algorithms and artificial intelligence. These methods allow us to detect fresh zero-day exploits and spear-phishing attacks that have not yet appeared in any blacklist feed, and to detect anomalies in the behavior profiles of IoT devices.
Instead of relying on blocking known malicious domains, CUJO AI security focuses on behavioral analysis. This way, we ensure network security for both browser-enabled and Internet of Things (IoT) devices.
Contact us to learn more about how network operators can benefit from our solutions: