Black Hat 2023: The DNSFilter Recap with David Elkind & Nick Saunders

I sat down with David Elkind, Chief Data Scientist, and Nick Saunders, Product Manager, to talk about how Black Hat went for the DNSFilter team. The three of us attended numerous briefings, trekked through the business hall, and put a few miles on our DNSFilter Nikes.

“What was your favorite talk?”

David already published his thoughts on the LLM and generative AI talks in particular (and the inability to escape them), and his favorite was a talk by CyCraft Technology.

In our chat, David had this to say on the CyCraft talk: “As the chief data scientist, I spend all day every day thinking about different kinds of AI machine learning models and how they can fit into the DNSFilter product and just the broader security landscape… [CyCraft is a] company that does incident response and their approach, I thought, was very clever. They wanted to find a better way to find malicious command lines on Windows…And what they realized was that a large language model, since it's designed to parse natural languages—human languages—it might also be very effective at parsing command lines and understanding and interpreting the command line and therefore making inferences about risk…and all sorts of other questions that you really want to answer in a security setting.”

As for Nick’s favorite talk, he was a fan of a slightly different AI talk that focused on phishing: Devising and Detecting Phishing: Large Language Models (GPT3, GPT4) vs. Smaller Human Models (V-Triad, Generic Emails). “Well, speaking of the main topic du jour, I did a track on LLMs in phishing, which I thought was a pretty interesting application. A lot of the ones were focusing on how to identify malware with an LLM, but this one is actually putting it to use to create pretty convincing-looking emails.”


And that’s what a lot of talks at Black Hat centered around: AI is moving quickly, and we need to be aware of the malicious applications that are already in use so that we can combat them.

In a way, this was highlighted in the keynote by Azeria (AKA Maria Markstedter), where she discussed how reactive companies have been with regard to AI. It mirrors how companies reacted to the proliferation of the iPhone: security wasn’t necessarily taken into account, but companies moved quickly to make sure they were at the bleeding edge.

Threat actors have always moved the same way. They are among the earliest adopters of any new technology.

Despite the overwhelming number of AI talks, David was happy to have more to choose from. “It used to be that finding the AI or machine learning talks—which are my area of interest—would mean I would find, you know, three or four [talks], and then I'd have to figure out what I would do. But this year…they were all stacked up, and I had to pick which machine learning talk I wanted to go to at a particular time slot, which is a little bit stressful, but I was glad to get more content.”

Where in the world is protective DNS?

One thing I noticed in attending numerous briefings (some related to DNS, others around general security precautions to take) is that protective DNS was sometimes left out of the conversation where it probably should have been included. 

I asked David and Nick why they think protective DNS doesn’t get mentioned in these security conversations when we’re talking about how to block these threats.

David: “Well, there's definitely an attitude that because DNS is so old and so fundamental that there's no real need to think about security because all the security stuff has already been thought about, right? ‘There's no new terrain to be covered’, I think. And that's probably a bit of a simplification because it's so fundamental. That means that it's going to be everywhere, it's going to be omnipresent, and it's going to be a very powerful tool if you can find a way to misuse it. So continuing to level up the protective capabilities of DNS is going to be a key part of security going forward.”

Nick: “It is basically table stakes, is kind of how I could see it as well. The reason people aren't bringing it up as an explicit solution is, as David mentioned, it has been around for a while.”

But protective DNS is fundamental to securing organizations, and it is the very first layer of defense: a query for a known-malicious domain can be refused before any connection to the attacker’s infrastructure is ever made. When we’re talking about simple but powerful actions organizations can take to secure their perimeter, this is the big one. Though…we might be biased.

David summed it up nicely when talking about protective DNS and securing DNS in general: “It's definitely part of our job to raise awareness about the different ways that DNS can be protected, right? There's all the privacy components like the encryption and things like that. There's the authentication piece as well. But there's also the filtering component, which is determining which queries are related to malicious activity and how we should handle those.”
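To make the filtering component concrete, here is a minimal protective-DNS policy engine written for this post. It is an added illustration, not DNSFilter’s code and not anything presented at Black Hat: the blocklist and allowlist entries, the query names, the sinkhole addresses (taken from the RFC 5737/3849 documentation ranges) and the function names are all assumptions constructed for the example. It shows the two decisions a protective resolver actually has to make for every query: is this name (or one of its parents) on a threat list, and, if so, how should the response be shaped so the client never reaches the real host.

```python
"""Minimal protective-DNS policy engine (illustrative example, not DNSFilter's code).

All list entries, query names and sinkhole addresses below are constructed
for this example. A real deployment consumes large, continuously updated feeds.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterator, Optional

# Sinkhole targets (assumption): documentation-only ranges that never route.
SINKHOLE_V4 = "192.0.2.1"
SINKHOLE_V6 = "2001:db8::1"


def normalize(name: str) -> str:
    """Canonicalise a query name the way the resolver sees it on the wire.

    Lowercase, strip the trailing dot, and IDNA-encode so a Unicode lookalike
    label compares identically to its punycode form in the list.
    """
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def parent_domains(name: str) -> Iterator[str]:
    """Yield the name, then each parent: a.b.example.test -> b.example.test -> example.test -> test."""
    labels = name.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


@dataclass
class Decision:
    action: str            # "allow" or "block"
    rcode: str             # "NOERROR" or "NXDOMAIN"
    answer: Optional[str]  # sinkhole address for blocked A/AAAA queries, else None
    matched: Optional[str] # the list entry that decided the outcome (what you would log)


def decide(qname: str, qtype: str, blocklist: FrozenSet[str],
           allowlist: FrozenSet[str] = frozenset(), mode: str = "sinkhole") -> Decision:
    """Apply list policy to one query.

    The walk goes from the most specific label to the apex, so the most
    specific matching entry wins: an allowlisted subdomain of a blocked apex is
    served, while a blocked subdomain of an allowlisted apex is still refused.
    mode="sinkhole" answers A/AAAA with a sinkhole address (so a dashboard or
    block page can be shown); anything else, or mode="nxdomain", is refused.
    """
    name = normalize(qname)
    for candidate in parent_domains(name):
        if candidate in allowlist:
            return Decision("allow", "NOERROR", None, candidate)
        if candidate in blocklist:
            if mode == "sinkhole" and qtype == "A":
                return Decision("block", "NOERROR", SINKHOLE_V4, candidate)
            if mode == "sinkhole" and qtype == "AAAA":
                return Decision("block", "NOERROR", SINKHOLE_V6, candidate)
            return Decision("block", "NXDOMAIN", None, candidate)
    return Decision("allow", "NOERROR", None, None)


# Constructed sample lists for the demo (not real indicators).
BLOCKLIST = frozenset({"malicious-example.test", "c2.bad-example.test"})
ALLOWLIST = frozenset({"cdn.malicious-example.test"})


def run_demo() -> list:
    """Evaluate a handful of constructed queries and return the decisions."""
    queries = [
        ("WWW.Malicious-Example.TEST.", "A"),   # case and trailing dot normalised
        ("cdn.malicious-example.test", "A"),    # allowlisted subdomain of a blocked apex
        ("bad-example.test", "A"),              # only a subdomain is listed, so the apex is fine
        ("c2.bad-example.test", "TXT"),         # blocked, but TXT gets NXDOMAIN rather than a sinkhole
    ]
    return [(q, t, decide(q, t, BLOCKLIST, ALLOWLIST)) for q, t in queries]


if __name__ == "__main__":
    for qname, qtype, d in run_demo():
        print(f"{qname:30} {qtype:5} -> {d.action:5} {d.rcode:8} {d.answer or '-':12} via {d.matched}")
```

Two details worth noting for anyone building or evaluating this layer: normalisation has to happen before the lookup (a mixed-case or Unicode query that bypasses the list is a trivial evasion), and sinkholing only makes sense for address records; answering a TXT or MX query with an A record just confuses the client, so those are refused outright.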

How should you start handling that malicious DNS traffic? Start your free trial of DNSFilter today for step one

Maybe next year the topic du jour should be protective DNS.
