UltraDNS Detection and Response (UltraDDR)

UltraDDR is a cloud-based DNS-layer cyber threat detection and response service that identifies and mitigates attacks, such as malware and ransomware, before they proliferate, independent of protocol, for devices inside and outside your network.

Most solutions address malware, ransomware, phishing, and supply chain attacks using reactive approaches: an infection occurs, the circumstances are researched, and the resulting intelligence is applied to prevent the attack vector from having a future impact. UltraDDR’s approach is fundamentally different – it focuses on what happens before the attack occurs. Before an attack can be launched, bad actors need to pre-stage “adversary infrastructure”: the command and control infrastructure that provides malware with instructions on what actions to take, and the sites that phishing fraudsters build to look convincingly like legitimate target websites.

This staging must occur before the adversary can launch the first attack, send the first beacon, or deliver the first phish, and before any intrusion can be exploited. Vercara focuses on discovering and mapping this adversary infrastructure and then leverages this knowledge, combined with real-time communication pattern analysis, to identify and prevent attacks before they happen, thus shifting to a proactive security paradigm.

UltraDDR fundamentally determines maliciousness differently than Umbrella does by using three core components:

  1. A proprietary adversary infrastructure data lake
  2. The real-time decision process
  3. The “Watch Engine”

UltraDDR is continuously discovering and mapping adversary infrastructure and populating the results into UltraDDR’s proprietary adversary infrastructure data lake. Utilizing machine learning, UltraDDR continuously updates the relationship graph as billions of data items are ingested daily.

UltraDDR watches the Domain Name System (DNS) for outbound queries and therefore understands what domains and infrastructure devices inside the enterprise are trying to communicate with.

For each DNS query, UltraDDR performs a real-time decision process that results in a stoplight classification — green (permitted), yellow (suspicious), or red (malicious) — based on the knowledge in the data lake, the communication patterns, and associated elements. During this real-time decision process, for any communication deemed suspicious (yellow), UltraDDR utilizes its “Watch Engine”, a unique capability that performs further advanced analysis on suspicious communications that ultimately determines whether to move to block or greenlight.
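To make the three-state decision process concrete, here is an added illustrative model of a DNS-layer stoplight classifier with a second-stage watch step for "yellow" queries. It is example code written for this page, not UltraDDR or Vercara code: the contents of the data lake, the "too new" threshold, the brand list, the beaconing heuristic used by the watch step, and the query log are all constructed for the demonstration and are not the product's real logic.

```python
"""
Toy model of a protective-DNS stoplight decision process (added example,
not UltraDDR code). Every data source, threshold and log line below is
constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev

# Constructed stand-in for an adversary-infrastructure data lake: domains
# already mapped to attacker infrastructure and the hosting IPs seen behind
# them (a fresh domain answering with a known-bad IP inherits the verdict).
KNOWN_BAD_DOMAINS = {"update-checker.example"}
KNOWN_BAD_IPS = {"203.0.113.10"}
PROTECTED_BRANDS = {"examplebank"}   # assumed: brands to check for lookalikes
NEW_DOMAIN_DAYS = 30                 # assumed: younger than this is suspicious


@dataclass
class Query:
    ts: int            # seconds since start of capture (constructed)
    client: str        # internal client address
    qname: str         # queried domain
    answer_ip: str     # address the domain resolved to
    first_seen: date   # date the domain was first observed (assumed field)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch typo-squatted brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(qname: str) -> bool:
    """True if the leftmost label embeds or closely resembles a protected brand."""
    label = qname.split(".")[0]
    return any(b != label and (b in label or edit_distance(b, label) <= 2)
               for b in PROTECTED_BRANDS)


def first_pass(q: Query, today: date) -> str:
    """Stoplight verdict from data-lake knowledge alone: red/yellow/green."""
    if q.qname in KNOWN_BAD_DOMAINS or q.answer_ip in KNOWN_BAD_IPS:
        return "red"
    if (today - q.first_seen).days < NEW_DOMAIN_DAYS or lookalike(q.qname):
        return "yellow"
    return "green"


def watch_engine(times: list[int], clients: set[str]) -> str:
    """Second stage for yellow domains (assumed heuristic): queries repeating
    at a near-constant interval look like C2 beaconing and go red; a domain
    queried irregularly by several clients is greenlit; otherwise keep watching."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    if len(times) >= 4:
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m < 0.1:   # coefficient of variation < 10%
            return "red"
        if len(clients) >= 3:
            return "green"
    return "yellow"


def decide(log: list[Query], today: date) -> dict[str, str]:
    """Final per-domain verdict over a whole query log."""
    by_domain: dict[str, list[Query]] = defaultdict(list)
    for q in log:
        by_domain[q.qname].append(q)
    verdicts = {}
    for qname, qs in by_domain.items():
        passes = {first_pass(q, today) for q in qs}
        if "red" in passes:
            verdicts[qname] = "red"
        elif "yellow" in passes:
            verdicts[qname] = watch_engine(sorted(q.ts for q in qs), {q.client for q in qs})
        else:
            verdicts[qname] = "green"
    return verdicts


# Constructed query log for the demonstration.
TODAY = date(2024, 6, 1)
SAMPLE_LOG = [
    Query(0, "10.0.0.5", "www.example.com", "198.51.100.7", date(2010, 1, 1)),
    Query(5, "10.0.0.5", "update-checker.example", "203.0.113.10", date(2024, 5, 20)),
    # one client, every 60 s, domain one week old: beacon-like
    *[Query(60 * i, "10.0.0.8", "cdn-sync.example", "198.51.100.9", date(2024, 5, 25))
      for i in range(1, 6)],
    # brand lookalike seen once: not enough evidence either way yet
    Query(300, "10.0.0.9", "examplebank-login.example", "198.51.100.11", date(2024, 5, 28)),
    # new but used irregularly by three clients: greenlit
    Query(10, "10.0.0.11", "new-tool.example", "198.51.100.12", date(2024, 5, 15)),
    Query(47, "10.0.0.12", "new-tool.example", "198.51.100.12", date(2024, 5, 15)),
    Query(130, "10.0.0.13", "new-tool.example", "198.51.100.12", date(2024, 5, 15)),
    Query(260, "10.0.0.11", "new-tool.example", "198.51.100.12", date(2024, 5, 15)),
]

if __name__ == "__main__":
    for domain, verdict in decide(SAMPLE_LOG, TODAY).items():
        print(f"{verdict:6} {domain}")
```

Running the block prints one verdict per domain: the data-lake hit and the regularly beaconing new domain come out red, the irregularly used new domain is greenlit, and the single-visit brand lookalike stays yellow because the watch step has not yet seen enough traffic to decide.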

No, you do not need to turn your EDR solution off. UltraDDR is complementary to any EDR solution you use, providing proactive protection when a user makes a DNS request out to the public internet. UltraDDR complements your existing security solutions with authoritative knowledge of attacker infrastructure and unrivaled domain-based intelligence.

To implement the UltraDDR solution, first speak with your Vercara account team and obtain a portal login by providing the email address of the account’s main user. Then you will need to provide a list of netblocks that Vercara should expect recursive queries from, your company name, a user account name, and whether you need API access.

UltraDDR provides portal and API reporting for your locations and/or deployed clients to determine where malicious DNS requests come from.

if (test.isValidation()) {
    // Pause for 2 seconds in validation
    test.pause(2000);
} else {
    // Pause for 20 seconds during load test
    test.pause(20000);
}

If, even after using “isValidation()” to reduce pause time, you’re still running past the two-minute limit, you will need to use the local-validation service. As with a load test, there is no time limit for script execution when using the local validator. Once you have verified the script works as expected on your local machine, upload the script and check the “Bypass Validation” option in the script editor. Finally, it’s advisable that you run a small load test to ensure the script behaves as expected.

Yes. UltraDDR can be used to customize and easily enforce corporate internet usage policies at the user level to improve productivity and ensure global workforces aren’t distracted by non-compliant sites. Administrators may choose from 17 categories to block: Malware and Ransomware, Phishing, Spyware, Hacking/Warez, Anonymous Proxies, Gambling, Adult, Pornography, Violence, Social Media, Dating, Drugs, Alcohol, Sports, Bots (C2), Gaming, Discrimination/Hate.

Users that are on your premises are automatically protected when UltraDDR is used as your organization’s recursive DNS solution. For users that are off your premises, or for hybrid scenarios in which users can be on-premises or off-premises at will, your administrators can deploy UltraDDR agents onto your users’ devices to ensure UltraDDR policy is enforced. The UltraDDR Agent will soon be available for Windows, macOS, iOS, and Android platforms.

The most common error is the converted script expecting 3xx response codes, but seeing 200 instead. This is usually caused by ads, which were originally redirected to register a unique impression. When the converted script attempts to replay the same request, it is caught by the ad server as a duplicate, and the response is altered to prevent additional (false) ad impressions. The fix is as simple as removing the faulty requests or changing the expected response code to what was actually returned. For example:

c.get("http://example.com/ad?req=12345", 301);

Change to:

c.get("http://example.com/ad?req=12345", 200);

The second most common issue is content from third-party domains. The blacklist requests directive from the original RBU script will not be maintained in the Basic script. Our recommendation is to remove any third-party requests from the script. Here is an example of requests that would be removed:

c.get("https://connect.facebook.net/en_US/all.js", 200);

c.get("https://ssl.google-analytics.com/ga.js", 200);

An SWG provides multiple functions that your enterprise may or may not need, with protective DNS being just one component. In a Secure Web Gateway, all the traffic from your users goes through a web proxy and is evaluated, which can lead to performance issues. With UltraDDR, your organization finds malicious activity more quickly and accurately at the first step in the kill chain. The decision-making is based on the DNS queries made by company users or equipment, eliminating the network traffic bottleneck that an SWG creates.

Yes. Your on-premises recursive nameservers will continue to resolve queries for internal resources. UltraDDR will resolve queries for internet-based traffic.

Yes, though please check with your Vercara Sales Engineer to ensure your VPN has been tested with UltraDDR.

Yes, when a site is blocked, UltraDDR can be configured to ensure that a “block page” is shown to the user.