Domain Intelligence from Full-Scope Cyber Threat Intelligence: An Introspective

‍

Alex Applegate here. I’ve been a Cybersecurity practitioner for about twelve years now. I happened into DFIR work by accident during my doctoral studies after fourteen years as a military software engineer.

I’d planned to remain in software development until I was exposed to the tremendous potential and importance of intelligence-driven cybersecurity. Even now, I’m sometimes overwhelmed by the complexity and urgency of the problem space. We are confronted by highly capable and motivated adversaries, and to paraphrase an infamous quote from the Irish Republican Army, we have to be lucky every time, and the “bad guys” only have to be lucky once.

And is that not the crux of the challenge?

With the possible exception of maybe the most capitalistic of us in the industry, at the core security professionals are driven by a desire to stop malicious activities.

The slogan when I worked at Mandiant was “Find Evil. Solve Crime.” It may still be, I’m not sure, but I definitely had a feeling at the time that it was something we believed in.

I’ve seen a lot in this industry:

• I was at Mandiant when the APT1 report was made
• I was at CrowdStrike when the DNC Hack was investigated
• I was on a team that engaged with a number of Departments of State during election cycles to monitor for suspicious network activity

‍

During that same time frame, we all worked through the rise of Ransomware, the emergence of the dark web, supply chain attacks, and certainly enough major data breaches to make anyone paranoid.

And in that time, I’ve held roles across the spectrum of the industry, from SOC Analyst, to Threat Hunter, Reverse Engineer, Intelligence Analyst, educator, and Researcher. My goal in intentionally navigating each of these roles wasn’t so much a search for a role that fit – they are all tremendously challenging, exciting, and engaging – as a search for a position that could make a big enough impact on the ever-escalating arms race between practitioners and adversaries. A race that, by the terms defined earlier, our adversaries are winning – that is getting past our defenses – with frightening regularity.

‍

So, short of maybe a jump over into Data Science or Artificial Intelligence and designing sophisticated novel models to classify threats before we even know about them (which is also very important work), being a full-scope cyber threat intelligence analyst and researcher is about as far up the ladder of abstraction as you can go.

It’s an opportunity to look at the broad scope of huge data sets to uncover obscure patterns so we can cull them at the earliest possible points in the threat chain. But late last year I was invited to take a position that makes that job much more difficult due to a severely curtailed scope - that of being solely a domain intelligence researcher.

Why take on a role that eliminates so many of the most effective tools in our industry?

For three primary reasons: Privacy, emerging technology, and personal impact.

‍

Privacy

We live in an age where there is a tremendous amount of digital exposure and risk. In the name of offering the greatest level of protection possible, every threat intelligence operation thirsts for more telemetry, more data to analyze, and we invariably ask customers to lay open their most valuable secrets so that we can better protect them.

This is often achieved through some detection and response agent, taps, spans, an array of network monitoring devices, and copious amounts of log files.

There are naturally non-disclosure agreements and strict contracts in place, but such vulnerability can be understandably discomforting for a client. In the name of safety, we are asking for a frightening level of exposure.

At one point, the depth of our visibility led a client’s engineer to refer to [my employer at the time] as a bunch of hackers that could steal everything. It would never have happened, but the level of access we required certainly enabled us to do irreparable harm to a company.

Even behind all of those protections, rogue employees sometimes exist and accidents do sometimes happen. And as I’m sure you’re well aware, even with that tremendous level of access, we still didn’t manage to stop every threat before they did any damage.

‍

So what could be done to mitigate some of that vulnerability for a company looking to protect themselves? For DNSFilter’s part, as was mentioned earlier, we narrow our focus to examining only DNS request traffic.

While there is visibility of a requesting IP address, there is no visibility into any aspect of the file system, nor fixed or volatile memory, nor is any other portion of the network stack analyzed.

In fact, we only have read access to the packets that are routed through us - we have no look-back access to any of the requesting systems. So this would address a significant portion of the concern about any kind of privacy concern, but it comes at the cost of a majority of the customary artifacts we depend on for defeating threats.

This is clearly a difficult limitation, but according to the IDC 2022 Global DNS Threat Report, 88% of organizations experience an attack that leverages DNS, up from 79% just two years ago.

So while DNS-based security is not a complete solution, stopping a new threat before it gets into an organization, or blocking an existing threat from getting out of the organization at that scale, can greatly reduce the scope of threats that need to be accounted for otherwise.

‍

Emerging Technology

DNS is hardly a new technology. In fact, it’s one of the oldest internet protocols. So old that it wasn’t really designed with security in mind.

There have been attempts to address security issues in DNS, but there are still significant challenges to solve. It’s not that the Intelligence-Driven Cybersecurity industry has everything figured out, either. But those processes are much farther down the path toward maturity, and as was discussed earlier, suffer from privacy issues when handled by a third-party vendor.

Working on security for customers as a DNS Resolver not only limits research to a fraction of traditional CTI telemetry, but it must be able to be performed QUICKLY and EASILY, essentially without disrupting a customer’s internet traffic more than a few milliseconds at worst, or it will not gain acceptance.

Complex operations and database lookups won’t suffice. And the threat could take almost any form, flow in either direction, and can easily be changed by an adversary with minimal effort. There are some very difficult problems to solve, and customer expectations are high.

‍

Personal Impact

This leads directly into the third justification for such a shift. Every day is a new challenge with nearly boundless opportunities as a researcher. There is a very real possibility that any given problem we encounter doesn’t have an adequate solution yet. There is every chance to make significant growth consistently, whether that growth is for the industry, as a professional, or on a personal level.

I moved into the security industry with a desire to make a difference.

I’ve made each of my career choices along this path with a sense of overwhelming challenges and moving up the levels of abstraction to get in front of the never-ending deluge of threats and the best ways to protect individual privacy.

I want our capabilities to reach a level where, even if bad actors know everything that we know, they still can’t escape us. That parity may come in the span of my career, or it may not, but stepping into a role as a DNS Threat Researcher positions me to feel like it’s possible.

DNS Security by itself will likely never be a panacea that solves the threats facing us on the internet, but it can be a more vital part of an effective layered approach that allows us to mitigate malicious activity at the perimeter without exposing our customers to attack surfaces beyond their control.

‍