Current security practices rely on a reactive approach to counter malware, ransomware, phishing, and supply chain attacks. After a successful attack or infection, security experts and systems research the circumstances and methods, and utilize the resulting intelligence to prevent the same attack vector from having an impact in the future.
The obvious drawback is that a successful attack or infection has to come first.
UltraDDR (for UltraDNS Detection and Response) uses a next-generation approach that is proactive instead of reactive. Rather than shifting through evidence of an already-impactful cyber-attack to counter additional attacks, this solution focuses on what happens before an attack to identify and mitigate risks.
How UltraDDR works. Like all DNS protections, UltraDDR relies on analysis of DNS traffic. DNS is the basic system that translates a human-readable domain name (“google.com”) to an IP address (“64.233.160.121”) that a computer – and any other connected device, from a mobile phone to a smart appliance – uses to establish communication with a remote domain.
Bad actors also rely on DNS – heavily. More than 91% of malware and ransomware uses DNS to communicate with C2 (command and control) resources that deliver instructions on what actions to take. Nearly every phishing attack uses DNS to trick the victim into visiting a nefarious website.
Before cybercriminals can launch these attacks, they need to pre-stage what we call “adversary infrastructure” – the C2 infrastructure for malware and ransomware, and the websites and other online resources that convincingly imitate a legitimate website for phishing fraudsters. This infrastructure has to be in place before the first attack is launched, before the first beacon is sent, before the first phish is delivered – and before the criminals can exploit any intrusion.
UltraDDR leverages this necessary pre-staging by continuously discovering and mapping adversary infrastructure as it is created. It then populates the results into a proprietary data lake, a massive and sophisticated resource comprising data that spans multiple years. It is continually updated with billions of data items every day, including the daily detonation of hundreds of thousands of pieces of malware to extract the C2 infrastructure.
UltraDDR watches the Domain Name System (DNS) for outbound queries, and therefore understands what domains and infrastructure devices inside the enterprise are trying to communicate with. For each DNS query, UltraDDR performs a real-time decision process that leverages both machine learning and a large number of intricate logic gates based on the knowledge in the data lake, the communication patterns, and associated elements. This process drives stoplight classifications for outbound DNS queries — green (permitted), yellow (suspicious), or red (malicious).
For any communication that is deemed suspicious (yellow), UltraDDR utilizes its “Watch Engine”, a unique capability that queues up and performs further advanced analysis on the queried destination and ultimately determines whether to move to red (block) or green (permitted).
Together, these capabilities result in a focus on attacker infrastructure instead of on each discrete exploit, which enables a fundamentally new and next-generation approach to proactively identifying, countering, and mitigating attacks.
UltraDNR in action. Like other protective DNS services and DNS firewall solutions, UltraDDR watches outbound DNS queries, and denies access to sites that violate company internet usage standards and domains that are deemed to be malicious.
The difference lies in how domains are identified as malicious. Conventional solutions update a single data point on the allow/deny list after an infection has been witnessed or an incident is included on an FBI Flash report. But that can only happen after successful attacks have taken place. In the interim, more damage can be done.
Recent analysis of phishing campaigns, for example, concluded that it takes an average of 16 hours after the first victim visit to a malicious site for intelligence about the domain to be widely disseminated. That lapse allows for many more victims to reach the site, and many more networks to be compromised.
By contrast, UltraDDR is continuously discovering and mapping adversary infrastructure and populating the results into UltraDDR’s proprietary adversary infrastructure data lake, continuously updating the relationship graph as new knowledge is ingested. That includes potential adversary infrastructure that has not yet been made active by the cybercriminal.
As UltraDDR watches the Domain Name System (DNS) for outbound queries from protected devices, it leverages the knowledge in the data lake combined with communication pattern analysis to determine if a domain should be blocked or allowed.
This determination occurs in real-time. This proactive approach to identifying and blocking malicious domains provides a fundamental advantage in preventing an unfolding attack from penetrating your network and causing damages or data loss.
UltraDDR shifts your security defenses from reactive to proactive – getting your enterprise ahead of attackers and significantly improving your IT security posture. Contact us today to learn more and set up an UltraDDR demo for your enterprise.
