Threat Identity…The First Line of Defense

Last quarter, we discussed zero trust and identity in regard to remote application access. That discussion focused primarily on enterprise users seeking to gain access to applications on a network where there are no boundaries: the internet. In the concept of zero trust, the internet is considered hostile, and users are accessing resources from multiple devices and from many different locations. With this in mind, it is critical for organizations to be able to identify:



Again, we are trying to gain a better understanding of "supposedly trusted" users of applications based on who the user is, what they are authorized to access, and what the score of the device/user is, all of which runs through a policy database to make an authorization determination. By asking ourselves these questions (as well as many more) and applying policy controls, enterprises can lower the risk exposure that comes with granting access to these applications and resources.

However, this questioning exercise is not only useful for understanding the users we are extending some degree of trust to for resource access; it can and should also be used to understand and strengthen the security posture protecting your corporate IT users and the resources they access. The threats here are advanced ones such as phishing, malware, command and control (C&C) and data exfiltration strategies aimed at reaching deep into corporate IT resources through one of the most common means: the endpoint.

There are many security philosophies, technologies and solutions in the market that provide endpoint protection. A quick Google search on endpoint protection will yield many companies. Gartner publishes its Magic Quadrant (MQ) report annually, looking at companies that are leading in various spaces, and endpoint protection is one of those categories.

While there is no silver bullet that addresses all security concerns, IT and security groups within enterprise organizations must take a zero trust approach to identifying these threats in order to address and mitigate them.

Taking a deeper look at the process a threat actor uses in surveying what’s available, we can refer to the security kill chain.

The malicious user first starts off with some reconnaissance. They study user behavior, common weaknesses in corporate resources and protections, whether organizations are slow to deploy newly released patches, etc. Then the malicious packages are created and developed. Next, a mechanism or vehicle is needed to deliver the malicious software to the target. The open internet is the most common and most available vehicle, so this is the preferred method. Once the package has made it to the endpoint, the code looks for open or weak resources (doors) through which to install itself. This is done as covertly as possible, often without the user being aware that malicious software is being installed on their machine. This is not a quick process. Threat actors stay under corporate security's radar as long as possible, seeking not to alert monitoring systems to their activity while they discover vulnerable devices on the network. Once the machine is compromised, or at least compromised enough that the malicious software can execute remote commands, the software can attempt to call out (call back) to the threat actor's servers on the internet.

There are a host of endpoint protection companies who provide software such as antivirus protection to continue to update and look for signatures matching known threats, and this is a good line of defense. However, there is another line, or better yet, first line of defense that is often overlooked. And that is… DNS. 

As we know, DNS is a protocol that has been around since the early days of the internet and is used to translate hostnames into IP addresses so that computers, routers/switches, phones and any other IP-connected device can reach a destination. The reason it is overlooked is that DNS is typically the first thing that occurs when a device wants to connect to another destination: a DNS lookup is performed, or a previous lookup is served from cache (to speed performance), to convert the hostname into an IP address. Going back to the illustration of the kill chain, once malware is on the endpoint (and that endpoint is not only a computer but could also be an Internet of Things (IoT) device), advanced threats such as phishing attacks and malware attempt to make their call-home commands over DNS.

DNS protection should be corporate IT's first line of defense in any network, e.g. corporate offices, branch offices, IoT and remote users/workers. IT should have optics into this angle, not only to understand the performance of DNS for "good" users, but also to be aware of malicious users/software that could be using the same vehicle to inflict something less desirable.

Looking back at the kill chain, IT and security must partner in looking at each of these parts of the kill chain and take appropriate actions to protect their users and data.

Through research, Akamai has invested heavily in looking at this kill chain, as well as the underlying threats that look for weakness in this flow. Considering malware, phishing, C&C and data exfiltration, DNS is a common vehicle used in the kill chain. DNS is used in sophisticated email phishing attacks that create false email campaigns including an http(s) link that still evades corporate anti-phishing training: users are still convinced that the email they received is valid and from a valid sender. On C&C-infected devices, malware may already have established back-door communications using a sophisticated domain generation algorithm (DGA). This is a technique where the attacker uses an algorithm to generate (and register) pseudo-random domains, cycling through them until one yields a successful DNS request and connection.

In each of these attack examples, DNS is used to make the connection. Therefore, DNS must be the first line of defense in evaluating requests leaving the enterprise. That requires intelligence for identifying hostnames across a database maintained by a team of security analysts in a constantly changing environment. No matter what stage the threat is at in the kill chain, early or late, applying DNS protection as the first line of defense can identify threats and protect the corporation's valuable data.
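As an added example (not code from the Akamai post or any Akamai product), the following Python script applies the kind of evaluation described above to outbound DNS queries. It parses a constructed resolver log, flags lookups whose registered label looks algorithmically generated (high character entropy, few vowels, and a cluster of NXDOMAIN answers from one client, which is the trail a DGA leaves while cycling through candidate domains), and checks each name against a constructed blocklist standing in for a threat-intelligence feed. The log format, the thresholds, the blocklist contents and the client addresses are all assumptions made for the example.

```python
"""Score outbound DNS queries from a resolver log for DGA-like behaviour and
known-bad names. Added example; the log lines, thresholds and blocklist are
constructed for illustration and are not from the original post."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log, one query per line: "timestamp client qname rcode"
SAMPLE_LOG = """\
2022-06-01T10:00:01 10.1.2.3 www.example.com NOERROR
2022-06-01T10:00:02 10.1.2.3 mail.example.com NOERROR
2022-06-01T10:00:03 10.1.2.7 qx7f9a2kd0wz.net NXDOMAIN
2022-06-01T10:00:03 10.1.2.7 p3m8r1zz0kq.com NXDOMAIN
2022-06-01T10:00:04 10.1.2.7 v9t2lk4ssd1h.org NXDOMAIN
2022-06-01T10:00:04 10.1.2.7 ytr5wq0m1b2n.info NXDOMAIN
2022-06-01T10:00:05 10.1.2.7 h4gk2p9xzz7e.net NOERROR
2022-06-01T10:00:06 10.1.2.9 phish-login.example.invalid NOERROR
2022-06-01T10:00:07 10.1.2.3 docs.example.com NOERROR
"""

# Constructed blocklist; in practice this is a threat-intelligence feed.
BLOCKLIST = {"phish-login.example.invalid"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Assumed heuristic thresholds; tune against your own resolver traffic.
DGA_ENTROPY = 3.2            # bits per character of the registered label
DGA_MAX_VOWEL_RATIO = 0.3    # pronounceable words have more vowels than this
DGA_ALERT_THRESHOLD = 3      # DGA-like lookups from one client before alerting


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score higher."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_label(qname: str) -> str:
    """Label immediately left of the TLD. Simplification: no public-suffix
    list is consulted, so 'example.co.uk' would yield 'co'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(qname: str) -> bool:
    """Heuristic: long, high-entropy, vowel-poor registered label."""
    label = registered_label(qname)
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= DGA_ENTROPY and vowel_ratio < DGA_MAX_VOWEL_RATIO


def parse_log(text: str) -> list:
    """Turn the constructed log format into a list of query records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.lower(), "rcode": rcode})
    return records


def analyze(log_text: str) -> dict:
    """Return blocklist hits and clients whose DGA-like lookup count crosses
    the alert threshold, with their NXDOMAIN counts (failed DGA candidates)."""
    blocklist_hits = []
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0})
    for r in parse_log(log_text):
        if r["qname"] in BLOCKLIST:
            blocklist_hits.append((r["client"], r["qname"]))
        if is_dga_like(r["qname"]):
            stats = per_client[r["client"]]
            stats["queries"] += 1
            if r["rcode"] == "NXDOMAIN":
                stats["nxdomain"] += 1
    dga_suspects = {c: s for c, s in per_client.items()
                    if s["queries"] >= DGA_ALERT_THRESHOLD}
    return {"blocklist_hits": blocklist_hits, "dga_suspects": dga_suspects}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for client, qname in result["blocklist_hits"]:
        print(f"BLOCKLIST  client={client} qname={qname}")
    for client, stats in result["dga_suspects"].items():
        print(f"DGA-LIKE   client={client} lookups={stats['queries']} "
              f"nxdomain={stats['nxdomain']}")
```

On the constructed log, client 10.1.2.7 produces five random-looking lookups, four of which return NXDOMAIN, which is the burst of failed candidates a DGA produces before it finds a registered domain; client 10.1.2.9 trips the blocklist. The entropy and vowel heuristics are deliberately simple and will misjudge some legitimate CDN or tracking hostnames, so in a real deployment they are a triage signal feeding the analyst-maintained intelligence the post describes, not a blocking decision on their own.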

Therefore, a defense-in-depth security posture is achievable with a multi-layered approach combining DNS protection, endpoint protection, and threat intelligence that continually adjusts to newly formed attacks.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Tommy Cormier. Read the original post at: