DNS Protection
DNS Protection is an important measure for securing the use of webapplications, which is more and more common today. DNS Protection blocks access to malicious DNS servers as a user. Within the supply chain, cybercrime is often setup with the use of malicious DNS Servers. On this page you will learn, why DNS Protection is an important asset for your organization.
Ask for a demo
Protect the gray zone of unkown domains with Whalebone DNS Protection
DNS protection has become an essential security measure for protection users from malicious and unknown DNS domains or in short the “gray zone”.
These are the uncharted territories of the internet where potential threats lurk, unrecognized by conventional security systems until it’s too late. Enter Whalebone Immunity – a groundbreaking solution designed to fortify your defenses against these unseen perils.
Whalebone Immunity leverages advanced AI-driven threat intelligence and real-time domain analysis to provide robust protection against the myriad dangers that populate the gray zone. Unlike traditional antivirus and firewall solutions that rely heavily on known signatures and pre-defined threat databases, Whalebone Immunity operates on the cutting edge, identifying and neutralizing threats from unknown domains before they can cause harm.
90% of cyberattacks happens via DNS
You might think that firewalls can be enough for protecting users accessing malicious domains on the internet, but unfortunately they aren’t.
Traditional security tools are often reactive, depending on updates and patches to recognize and mitigate threats. They rely heavily on a database of known threats, which means new or evolving threats can slip through the cracks until they are identified and added to the database. This lag time can be exploited by cybercriminals to cause significant damage.
Cybercriminals often use Domain Generating Algorithms (DGA) that generate a large number of Domains in seconds, in order to frequently change the domains they use to launch malware attacks.
Domain Generating Algorithms (DGA)
The domains act as a meeting point for malware C&C servers. The generators have to deliver domains that are predictable for the two communicating entities. But for security researchers, these domains should be as unpredictable as possible.
The domain generation algorithms follow the three element structure:
- A base element called a seed. It can be a phrase or a number that hackers can change when they need it. The seed must be
known to both sides of communication: client and source. It is important because the threat actors need to know in advance which domain name the malware will use. - An element that changes with time. It will be combined with the seed in an algorithm. The word „time” does not refer to a date or hour, but rather to a certain event of the moment.
- Top Level Domains (TLDs). The ”body” constituted from the seed and the time element is combined with available TLDs.
Homograph spoofing
Domains can be registered in multiple alphabets and character sets. Homograph Spoofing is when a bad actor registers a domain which will look similar to a known domain by using a different alphabet or replacing a letter with a similar one.
Try copy and paste: www.gооgle.com
How it works?
- The bad actor has a server running malware and he points a domain to it.
- The bad actor infects a host malware to query for the attacker-controlled domain.
- When the DNS resolver routes the query, it creates a tunnel from the attacker to their target, allowing them to get data, remotely control the host, or otherwise take the next step in the attack chain.
Assets out of Network Attacks
Company owned and managed devices now move between many networks. Hybrid workers, workers in field, travelling workers, point their DNS traffic to their ISP or public wifi. Companies lose control over the security of the DNS traffic on these devices
How it affects you?
- Public wifi networks are ideal for dropping malware and man-in-the-middle attacks.
- Employees working from home rely on their ISP. ISPs have typically don’t filter DNS traffic because it results in customer call in.
- These devices come back into your network and infect your network
Compromised Credentials
Companies often don’t have credential policies in place. Users reuse the same password across multiple sites. The dark web is full of sites offering login details and personal data.
How it affects you?
-
A bad actor can gain access to your network via a stolen login and password.
-
Leaked personal data of your customers, employees, patients, etc., naturally results in financial and reputational damages
Protective DNS Protection
Protective DNS (PDNS) is a security service that analyzes DNS queries to stop threats, using the existing DNS system. It blocks access to malware, ransomware, phishing attacks, viruses, harmful websites, and spyware at the source, making your network more secure.
PDNS uses Response Policy Zone (RPZ) functionality, a policy-driven DNS resolver that responds based on set criteria. It checks both domain name queries and returned IP addresses against threat intelligence, using real-time data from public and private sources to compile a list of sites with known malicious content. The DNS resolver then blocks connections to these dangerous sites.
When PDNS encounters a malicious or suspicious query, it can respond in various ways. It may block access to the requested domain by returning an NXDOMAIN response, indicating no IP address for the domain. It can also redirect the request to an alternative page that informs the user that the original domain has been blocked. Additionally, PDNS can “sinkhole” the domain, providing a custom response and preventing or delaying further cyber threats like ransomware or command-and-control protocols. This approach allows cybersecurity teams to investigate and respond to threats while they are still active.
DNS Spoofing
DNS Spoofing refers to any type of malicious activity that alters DNS records returned to the user and thus point him/her to a malicious domain. These typically include DNS hijacking, cache poisoning, and man in the middle attacks.
DNS hijacking happens when a user’s query is improperly resolved and sends the user to a malicious domain instead of the domain they wanted.
Cache Poisoning is when a bad actor alters the DNS record to send the user to a malicious site that resembles the legitimate site. This is used a lot for login pages and stealing login credentials.
Man-in-the-middle is when a bad actor inserts himself into communication between two parties, impersonates both of them, and gains access to the information the two parties are sharing.
How it works?
Typically, there are 3 steps:
- Recon – MAC address, software version and know vulnerabilities, communication protocols, encryption algorithms, DNSSEC being used.
- Access – Bad actor accesses DNS recursive server and adds fake DNS entries to reroute DNS queries to his server.
- Attack – clients now start going to the fake login page for their bank and the bad actor has just stolen your login credentials and starts emptying your account.
IoT based attacks
Printers, cameras, servers, medical equipment, industrial machines — anything connected to the internet is both vulnerable and a vulnerability for the network.
How it works?
In vast majority of cases, you can’t install an end-point protection to them, which is often abused by hackers, adding the devices to C&C network for DDoS attacks or using their embedded legacy software for a supply-chain attack.
Malware in General
Malware is any malicious software
How it works?
Malware is any malicious software. It needs to infiltrate the network, gain a foothold, spread, and then take some action — no attack is a simple process and a successful attack means that network’s security measures failed on multiple occasions.
Adding a DNS layer to the security perimeter means that if malware falls through the standard security stack, there still a chance to stop it from spreading and causing damage.
Phishing
Using fake messages, websites, banners, etc. to scam users, often to make them disclose their credentials or to download malware.
How it works?
To launch a phishing attack, the attackers need a domain — and if it pops up in any of Whalebone databases, if any user tries to access it for example through an e-mail which looks like it came from HR, they are stopped immediately.
Supply Chain Attacks
Using a vulnerability of a trusted 3rd-party software to sneak behind the security perimeter to gain foothold in the target network, spread malware, etc.
How it works?
The attackers find a vulnerability in a software which is widely used and use it to smuggle malicious payload into the network. Unfortunately, given that the trusted software is trusted by security measures, there is little anyone can do to prevent the drop. Nevertheless, it is possible to stop the consequence via severing the communication of the payload with the attacker.
Whalebone Immunity Solution as DNS Protection
DNS Protection with Sophos Firewalls
Since beginning of this year, Sophos launched DNS protection as part in their Xstream protection license of their XGS Firewalls.
Sophos DNS Protection adds an important value for existing or renewing firewall customers who get this added protection at no extra charge. It enables them to potentially consolidate and save from using another 3rd party DNS provider or start using a great DNS Protection solution without having to pay extra.
What adds DNS Protection to XGS Firewalls?
Sophos DNS Protection adds an extra layer of security to your network by blocking access to dangerous and unwanted domains across all ports, protocols, and applications instantly, whether from managed or unmanaged devices. It seamlessly complements and enhances your current network security measures and policy enforcement tools, and can be set up in just a few minutes.
Sophos DNS Protection offers a globally accessible domain name resolution service with integrated policy controls and reporting within Sophos Central. It leverages AI-powered threat intelligence from SophosLabs, providing real-time protection from high-risk domains worldwide. When a malicious domain is detected, it is immediately shared across all users, ensuring instant protection for everyone. By using Sophos DNS Protection instead of your existing public DNS resolver, you can prevent any device on your network from accessing domains associated with security threats and unwanted websites, all managed through policy controls.
Protection networks with Sophos DNS Protection
Access to the Sophos DNS Resolver is based on the originating public IPv4 address of the DNS queries. Hence, protecting individual devices for remote workers that move from network to network (or site to site) is not viable at this time.
Dynamic IP addresses are supported when used with a DynamicDNS provider.
Integrated Dashboarding and Reporting
Sophos DNS Protection also provides in-depth visibility into the domains visited from your network with comprehensive dashboarding and reporting.
Cross product integration
Sophos DNS Protection’s log data and intelligence are also shared with the Sophos data lake for Sophos XDR and MDR threat-hunting analysts to help detect active adversaries and threats operating on the network.
Frequently asked questions
Check our FAQ section where you can find the first questions that have been asked to us during the last months.
Contact usComment une solution de protection DNS telle que Whalebone Immunity peut-elle renforcer la cybersécurité globale ?
Les solutions de protection DNS renforcent la cybersécurité globale en :
- Empêchant l’accès aux sites malveillants : le blocage des domaines nuisibles au niveau DNS stoppe les menaces avant qu’elles n’atteignent le réseau.
- Réduisant le risque d’infections : en interceptant et en bloquant les domaines malveillants et les ransomwares, la protection DNS réduit le risque d’infections des terminaux.
- Protégeant contre les attaques par hameçonnage : le blocage de l’accès aux sites de hameçonnage empêche les utilisateurs de divulguer par inadvertance des informations sensibles.
- Amélioration de la visibilité : la fourniture de rapports détaillés sur les requêtes DNS aide les entreprises à identifier les activités suspectes et à y répondre.
- Simplification de la gestion : la gestion centralisée et l’application des politiques facilitent le maintien d’une sécurité cohérente dans toute l’entreprise.
Comment Whalebone Immunity améliore-t-il la sécurité du réseau ?
Whalebone Immunity renforce la sécurité du réseau en surveillant et en filtrant en permanence le trafic DNS afin de bloquer l’accès aux domaines malveillants connus. Il utilise des informations sur les menaces et une analyse des données en temps réel pour identifier et prévenir les cybermenaces, garantissant ainsi que les utilisateurs ne puissent pas accéder par inadvertance à des sites Web dangereux.
Pourquoi la protection DNS est-elle importante pour la cybersécurité ?
La protection DNS est essentielle pour la cybersécurité, car elle constitue la première ligne de défense contre les menaces provenant d’Internet. En filtrant les requêtes DNS et en bloquant l’accès aux domaines malveillants, la protection DNS empêche les menaces d’atteindre le réseau, réduisant ainsi le risque d’infections et de violations de données.
Pourquoi une organisation devrait-elle envisager de mettre en œuvre Whalebone Immunity ?
Une organisation devrait envisager de mettre en œuvre Whalebone Immunity pour :
- Renforcer la prévention des menaces : bloquez les menaces avant qu’elles n’atteignent le réseau et ne compromettent les systèmes.
- Améliorer la posture de sécurité : renforcez l’ensemble des défenses de cybersécurité en ajoutant une couche de protection essentielle.
- Simplifier la gestion de la sécurité : les politiques et les rapports centralisés rationalisent les opérations de sécurité.
- Réduire l’impact des cyberattaques : le blocage proactif des menaces minimise les dommages potentiels liés aux incidents cybernétiques.
- Garantir la conformité : respectez les exigences réglementaires en matière de protection des données sensibles et de sécurité des opérations réseau.
Qu’est-ce que l’immunité Whalebone ?
Whalebone Immunity est une solution de cybersécurité basée sur le DNS conçue pour protéger les réseaux contre les cybermenaces en bloquant les domaines malveillants et en empêchant les utilisateurs d’accéder à des sites Web dangereux. Elle fonctionne au niveau du DNS pour filtrer le trafic et protéger contre le phishing, les logiciels malveillants, les ransomwares et autres cybermenaces.
Quelles sont les principales caractéristiques de Whalebone Immunity ?
Les principales fonctionnalités de Whalebone Immunity sont les suivantes :
- Informations en temps réel sur les menaces : utilise des données actualisées sur les menaces pour bloquer les domaines malveillants.
- Filtrage DNS complet : surveille et filtre tout le trafic DNS afin de protéger contre les cybermenaces.
- Politiques personnalisables : permet aux organisations de définir des politiques pour différents groupes d’utilisateurs et de personnaliser les règles de blocage.
- Rapports détaillés : fournit des informations sur les menaces bloquées et les modèles de trafic DNS.
- Intégration facile : s’intègre facilement à l’infrastructure réseau existante sans nécessiter de modifications importantes.
Quels types d’organisations tireraient le plus grand bénéfice de l’utilisation de solutions de protection DNS telles que Whalebone Immunity ?
Les organisations de toutes tailles et de tous secteurs peuvent bénéficier des solutions de protection DNS, en particulier celles qui :
- Traitent des données sensibles : telles que les institutions financières, les prestataires de soins de santé et les agences gouvernementales.
- Disposent d’une main-d’œuvre dispersée : y compris les environnements de travail à distance et hybrides.
- Doivent se conformer à des réglementations strictes : les organisations qui doivent se conformer à des normes telles que le RGPD, l’HIPAA et la norme PCI DSS.
- Sont confrontées à un trafic web important : le commerce électronique, les établissements d’enseignement et les grandes entreprises.
Contact us for a demo
Are you curious to learn how Whalebone and Sophos can help you in having an extra security layer in the Supply Chain? Contact us for a demo via the below button.
