Dark Reading is part of the Informa Tech Division of Informa PLC
This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.
Everything You Need to Know About DNS AttacksIt's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask.
Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted.
Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Incident Readiness and Building Response Playbook
In this special report, learn the Xs and Os of any good security incident readiness and response playbook.
Tweet This
1 Comments
User Rank: Ninja
7/24/2019 | 2:58:10 AM
When the actor tried to access the network, their session was moved to a honeypot or an area on the network that was external to the production environment. The application would pull information from varying switches, IDS, routers and firewalls; it would make a determination if the packets were suspect; the system would isolate that traffic from other parts of the network even if the switches were different (not all functionality but enabled certain protection mechanisms). The solution was light-years ahead of its time. They used all aspects of flow, network, log data; the system would create a baseline and identify anomalies based on traffic patterns, use and application characteristics. The system would effectively block or move individual ports like SMTP (25, 110), Web (80, 443), RPC (111), SMB/CIFS (135-139) to honeypots if the policies identified the session as being problematic. It would record, report and notify of any changes before the individual came into the office.
So I agree that this can done, but one of the concerns is based on target movement (the bullseye is constantly adjusting). So there needs to be intelligence built in the application because the different attacks can be manipulated or changed on the fly; also by tying together similar attacks, based on region and type, faster processing mechanisms can be employed to address similar problems (i.e. Polymorphic APTs or different methods used by nation states).
Algorithms are good in certain regards but since the variants or attacks are morphing using varying techniques, does the algorithm allow for a sliding scales (adjustment), that is why machine learning will be essential in evaluating attack vectors and their level of penetration (the next level of cybersecurity evolution).
As a result, the tools should be able to unravel traffic flows (learn), user access (normal behavior), remote penetration techniques (scanning) and varying interrelated traffic patterns (correlational analysis, similar to big data), this will be a game changer. This is a major task, not to say that is cannot be done, but there are considerations outside of the algorithm that should be evaluated and improved as attacks improve.
Todd