Security Categories You Should Be Blocking (But Probably Aren't)
by Rebecca Gazda on Apr 17, 2023 10:00:00 AM
At DNSFilter, we offer a machine learning-powered DNS security platform that enables users to block as much as a third of all security threats in as few as three clicks. But for some of these categories, between 75 and 98 percent of our customers are turning those protections off. In this article, we will explore some of the potential reasons why and offer some guidance as to why they should reconsider that choice.
Recent analysis of our customer data reveals that five out of our eight threat categories are enabled in 50% or less of DNSFilter deployments, and three of those categories are allowed in 90% or more of customer deployments. It’s hard to pinpoint why this would be the case: each client has an individual set of needs and different levels of security outside of DNSFilter. Maybe our customers are protecting against these threats in other ways, but if not, I am here to tell you why you should consider updating your policies to block these categories.
The top threat categories being “allowed” currently are:
VERY NEW DOMAINS / NEW DOMAINS
I’ll combine the threat categories in the top spot and in fourth place here, just to consolidate the definitions.
Very new domains are domains which have been registered in the last 24 hours. New Domains are domains which have been registered in the last month—both of which have a high probability of serving malicious resources.
Adoption of this category is highly recommended because the vast majority of damage done with malicious websites is done within the first few days of existence. Botnets, fast-flux domains, typosquatters, and domain hijackers all depend upon the first few days after domain registration before they are picked up by threat intelligence services to do most of their damage. The Very New Domains category mitigates this threat by letting a user know that the site is operating in that high-risk window.
But according to our data, over 97% of policies created on our network do not block this particularly malicious category (Very New Domains). By far, it is the least implemented category. Part of that is because it’s also our newest threat category. At No. 4 on our list of least-blocked threat categories, New Domains fares somewhat better, with over 26% of policies blocking domains under 30 days old.
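The 24-hour and 30-day windows above can be turned into a policy check on the resolver side. The following Python is an added example, not DNSFilter's code: the domain names, registration timestamps and the fixed clock are constructed sample data, and collapsing a query name to its last two labels is a simplification (a real implementation would use the Public Suffix List and a live WHOIS/RDAP or registrar feed).

```python
from datetime import datetime, timedelta, timezone

# Category windows as defined in the article.
VERY_NEW_WINDOW = timedelta(hours=24)  # Very New Domains: registered in the last 24 hours
NEW_WINDOW = timedelta(days=30)        # New Domains: registered in the last month

# Constructed sample data: registrable domain -> WHOIS/RDAP creation timestamp.
# In a real check these come from a lookup or a registrar feed, not a literal.
SAMPLE_REGISTRATIONS = {
    "example-brand-login.test": "2023-04-16T22:15:00Z",  # about 12 hours old at NOW
    "cdn-assets.test": "2023-03-29T08:00:00Z",           # about 19 days old at NOW
    "longstanding.test": "2001-06-01T00:00:00Z",         # over 20 years old
}

# Fixed clock so the example is reproducible; a real check uses datetime.now(timezone.utc).
NOW = datetime(2023, 4, 17, 10, 0, tzinfo=timezone.utc)


def parse_creation_date(value: str) -> datetime:
    """Parse an ISO-8601 creation timestamp; a value without a zone is taken as UTC."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def classify_age(created: datetime, now: datetime = NOW) -> str:
    """Map a creation time to very_new_domain / new_domain / established / unknown."""
    age = now - created
    if age < timedelta(0):
        return "unknown"  # creation date in the future: clock skew or bad data, don't trust it
    if age < VERY_NEW_WINDOW:
        return "very_new_domain"
    if age < NEW_WINDOW:
        return "new_domain"
    return "established"


def registrable_domain(qname: str) -> str:
    """Collapse a query name to its last two labels.

    Assumption for this example only: real code should use the Public Suffix List,
    since two labels is wrong for names such as example.co.uk.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def decide(qname: str, enabled: set, registrations=SAMPLE_REGISTRATIONS, now: datetime = NOW):
    """Return (verdict, age_category) for one query under a policy.

    `enabled` is the set of enabled categories, e.g. {"very_new_domain", "new_domain"}.
    """
    created = registrations.get(registrable_domain(qname))
    if created is None:
        return "allow", "unknown"  # no registration data, so the age check cannot fire
    category = classify_age(parse_creation_date(created), now)
    # A domain registered in the last 24 hours is also under 30 days old, so
    # enabling New Domains alone still catches it.
    covering = {
        "very_new_domain": {"very_new_domain", "new_domain"},
        "new_domain": {"new_domain"},
    }.get(category, set())
    if covering & enabled:
        return "block", category
    return "allow", category


if __name__ == "__main__":
    # Compare a policy with both age categories off against one with them on.
    for policy in (set(), {"very_new_domain", "new_domain"}):
        print("policy:", sorted(policy) or "none")
        for name in ("www.example-brand-login.test", "cdn-assets.test",
                     "longstanding.test", "nodata.test"):
            print("  ", name, "->", decide(name, policy))
```

The `unknown` branches matter in practice: a name with no registration data, or a creation date in the future, must not be silently treated as established, since that is exactly where a stale or poisoned feed would hide a fresh domain.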
We cover New Domains in our Annual Security Report; get it now.
CRYPTOMINING
Cryptomining sites are sites that serve files or host applications that force the web browser to mine cryptocurrency, often consuming considerable system, network, and power resources. The worst-case scenario here is that threat actors steal CPU cycles and consume large amounts of power.
If a cryptominer is installed on several endpoints, then the cost incurred by additional power consumption could be significant. And if any kind of time-sensitive operation is being performed on any of the endpoints, whether rendering animation, running calculations or analysis, storing log files, or even serving up a web page, then it can cause severe lag. Additionally, cryptominers are rarely single-purpose unwanted applications. They often include additional functionality that allows them to act as intrusive malware or to operate command-and-control functions.
Over 92% of DNSFilter network policies don’t block the cryptomining category. With the rise of cryptocurrency, this is a huge missed opportunity for organizations to add more protections to their network.
TRANSLATION SITES
Translation sites translate content from one language to another, usually by machine. This may seem like a benign category; however, these sites may also be used as a means to circumvent content filters, because the translation service fetches the requested page on the user's behalf, so the only domain the resolver sees is the translator's. Translation sites might be something you legitimately need to do your work. If this is the case, proper education about the risks of circumventing content filters is imperative to maintain security on your network.
Over 91% of policies at DNSFilter do not block translation sites.
PROXY & FILTER AVOIDANCE
These are sites that provide information or a means to circumvent DNS-based content filtering, including VPN and anonymous surfing services. It is probably obvious, but worth noting: if the people on your network are going to sites that circumvent DNSFilter or other security measures, those security measures are not going to be as effective.
We’re happy to see that this category is a bit more enabled than the others, with only 55% of policies lacking Proxy & Filter Avoidance.
These and all of our threat filtering categories are available by going to Policies > Filtering > Threats and ensuring the threat category is selected.
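The per-category switches above decide which queries a resolver blocks, and the quickest way to see what a disabled category is costing you is to replay your own query logs against the policy. The following Python is an added example, not DNSFilter's code: the log lines (in an assumed `timestamp client qtype qname` format, not DNSFilter's export format) and the category feed are constructed sample data, and the category names are my own, chosen to match the article's categories.

```python
from collections import Counter

# Category names used by this example; they mirror the article's threat categories.
THREAT_CATEGORIES = (
    "very_new_domain", "new_domain", "cryptomining", "translation", "proxy_filter_avoidance",
)

# Constructed category feed: registrable domain -> threat category.
FEED = {
    "example-brand-login.test": "very_new_domain",
    "cdn-assets.test": "new_domain",
    "miner-pool.test": "cryptomining",
    "translate-anything.test": "translation",
    "free-proxy-web.test": "proxy_filter_avoidance",
}

# Constructed query log, one "<UTC timestamp> <client IP> <qtype> <qname>" per line.
SAMPLE_LOG = """\
2023-04-17T10:01:03Z 10.0.0.12 A www.example-brand-login.test
2023-04-17T10:01:09Z 10.0.0.12 A miner-pool.test
2023-04-17T10:02:11Z 10.0.0.31 AAAA translate-anything.test
2023-04-17T10:02:40Z 10.0.0.31 A free-proxy-web.test
2023-04-17T10:03:05Z 10.0.0.44 A miner-pool.test
2023-04-17T10:03:30Z 10.0.0.44 A static.cdn-assets.test
2023-04-17T10:03:41Z 10.0.0.44 A intranet.corp.test
"""


def parse_log(text: str):
    """Yield (client, qname) for each well-formed line; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _timestamp, client, _qtype, qname = parts
        yield client, qname.rstrip(".").lower()


def lookup_category(qname: str, feed=FEED):
    """Match the query name itself or any parent domain (never the bare TLD) against the feed."""
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return None


def exposure_report(log_text: str, enabled, feed=FEED) -> dict:
    """Replay a log against a policy.

    Returns per-category counts of queries the enabled categories blocked, per-category
    counts a disabled category would have blocked ("exposure"), and the uncategorised rest.
    """
    blocked = Counter()
    exposure = Counter()
    uncategorised = 0
    for _client, qname in parse_log(log_text):
        category = lookup_category(qname, feed)
        if category is None:
            uncategorised += 1
        elif category in enabled:
            blocked[category] += 1
        else:
            exposure[category] += 1
    return {"blocked": dict(blocked), "exposure": dict(exposure), "uncategorised": uncategorised}


if __name__ == "__main__":
    # A policy like the majority described in the article: only Proxy & Filter Avoidance on.
    report = exposure_report(SAMPLE_LOG, {"proxy_filter_avoidance"})
    print("blocked by enabled categories:", report["blocked"])
    for category, count in sorted(report["exposure"].items(), key=lambda kv: -kv[1]):
        print(f"disabled category {category!r} would have blocked {count} queries")
    print("uncategorised queries:", report["uncategorised"])
```

Sorting the exposure table by count gives a defensible order in which to enable the remaining categories; in the sample data cryptomining tops the list because one pool domain was queried from two clients.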
Adding these additional threat categories to your instance as a DNSFilter user is paramount in protecting yourself from new and emerging threats. While Very New Domains is the least enabled category out of all of our threat categories, it’s arguably the most important. After all, 20% of all newly registered domains are malicious.
If you’re not yet a DNSFilter customer, take it for a spin and get a two-week free trial today.