[00:00:00] TK Keanini: All right, I'm gonna get started. I only got 20 minutes to tell my story. So this is a session about DNSFilter. It's about DNS. My background is I've been CTO for quite some time. My first Black Hat I think was in '97 so I've been doing this for a little bit. That's probably all you need to know about me.
The agenda's actually pretty well structured for a 20-minute talk, so if you have to take away just one thing, the message is that it's not sufficient anymore to just use DNS as a resolver. That really is the punchline. It has to offer you some protection, to the degree that it can. We'll talk a little bit about the data science there.
In the same way that nobody uses HTTP anymore, that went away. That's what I'm talking about in DNS. Like, we should only be using protective DNS, not just DNS, and we'll get into the granularity there. I wanna actually take some time to explain why data science matters so much to the actual realm of protective DNS.
And then I'll close out by just going through some real-world examples so you can actually see it in play. I'm gonna assume that I don't need to explain DNS to any of you, but I do wanna point out that it's 42 years old. Okay? Like, it is 42 years old since it first got started.
And just let that settle in, because most of the people waiting for my plane at the airport were younger. They weren't even born yet, frankly. It has gotten a lot of abuse over the years. So that's this middle section. Just like any other protocol, it has gone through a ton of abuse.
Why? Because from an adversarial perspective, it actually has a lot of surface area. It's everywhere. And if an adversary can take control of DNS, it's actually easier for them to route to a honeypot, to a C2, to anything they need you to go to, through DNS than anything you can do with BGP or any other networking protocol.
So from an adversarial point of view, it's actually incredibly attractive, and it happens so early in the session that it's highly opportunistic for them. The last part here is protection via DNS. I'm not saying that DNS is the end-all, be-all. What I'm saying is it has the first chance to offer you protection, and it's freaking everywhere.
Like, it is everywhere. Your refrigerator is making DNS calls, your car is making DNS calls; you don't have to install something more. It's already there, and it should offer you protection. So that's really the punchline to all of this. As we get into it, I wanna actually talk to you about this: if I'm doing things that aren't just resolving names, then I need data science.
So I'm gonna explain a little bit about why data science matters. So people are probably familiar with typosquatting. It comes in two forms. One is that all of these registered domains are counting on the fact that you're gonna mistype something, and you're gonna go to a lookalike page and you're gonna be in trouble.
The other one is that in a phishing attack, a URL will use what's called a homoglyph. It's when, like, a capital I is replaced with a lowercase l. You know, your visual senses are basically going through a fraudulent link because it's actually not what it really should spell. So in terms of our global view, we see almost a thousand of these typosquatting things daily, and I just want to give you an example of what the data science is behind it.
If I type in telegram.org, I have algorithms that'll compute all of the registered domains that are closest to this. So what you're looking at here is the similarity scores. These are all registered domains on the internet. These should be blocked. They just have no reason to exist other than to trap you.
Okay? And you should just take that off your plate. Let the protective DNS do this. You don't need to go type this in. And frankly, you don't need to compute membership to this set. Just let the protective DNS do it. The other thing that is, I think, unique to protective DNS, like you really can't be handed a list and just go punch it into your filter, is this idea of fast flux.
I'm gonna quickly go over this Tycoon 2FA. So Tycoon 2FA, some of you may know, is a phishing-as-a-service. So if you're an attacker, you can pay these guys for their phishing capabilities. They have been operating for about two and a half years. Okay? And the reason they're still operating is because they evade detection through fast flux DNS.
So we analyzed about 12,000 of the FQDNs that are being fast-fluxed. And let me tell you how ephemeral this is: they'll burn a subdomain after about 10 or 15 queries. Okay? So that list, it's burnt already. You can punch it into your deny list, but it's already gone. So without data science, it's literally impossible to operate at machine scale to block this stuff.
Alright. I know, block, we're at a security company, but I gotta say this: we block probably four or five percent of the time. That other 95%, when you're experiencing us, we wanna be the fastest resolver for you. We wanna basically get in the way when we need to get in the way, but frankly, most of the time we just need to stay out of the way.
Okay, so you can go to DNSPerf on any given day, and DNSFilter will be faster than most of the people that have larger budgets than us. And how we do that is we run dual anycast networks, and we have a ton of points of presence, so that we just play the physics game. We're usually closer to your resolver than the rest of these characters.
And again, DNSPerf, this is real science. This is not a commercial. So again, about 180 billion DNS requests per day is what we process. Alright. Two use cases and we're outta here. Alright. The first one is a very classic case. An employee's sent an email. It's from somebody they didn't know. It gets through one of the safeguards.
The email security lets it through. It ends up getting to the inbox of this person. So the endpoint protection, nothing really to be triggered there. Next thing that happens, and again, this is to exemplify how well positioned DNS is for protection, okay? The first thing that's gonna happen before the connection is made is gethostbyname, and that is gonna call to the resolver.
And if it's calling to a bad domain, we're gonna block it. So all this is saying is, look, DNS resolution happens. When we give back the IP, it's going to actually call connect and make a TCP connection. And then everything else flows through HTTPS. Now, in order to be effective, you pretty much have to catch it at the DNS level, and that's what we're exemplifying here.
It's also nice to have a ledger of the activity that's happened before and after the block. DNS really does play a pivotal role in helping complement the other systems you have in place. Alright, this next one is a little more complicated. So this customer has a SOC, and so this analyst is monitoring a SOC.
They also have some endpoint protection, let's say SentinelOne or some EDR. What happens here is there's an alert that comes to the SOC, and basically it says that there's been some benign PowerShell activity. And so this analyst is pretty experienced.
He says, I better go investigate, and quickly. He goes into the DNSFilter logs, and again, this is the general ledger of what's happening in DNS over time, and he finds out that there was basically a Greek website that was visited, a sort of fake CAPTCHA was presented, and we went ahead and blocked it.
We just knew it was a malicious site. Okay, the analyst basically finishes this thing, goes to interview the person. Sure enough, the person had gone to a Greek banking site or something and clicked and basically got presented with this Lumma Stealer. Some of you may be familiar with it, but it's gonna present you something outside of the browser, and this is why PowerShell is used.
The assumption is that the reason Lumma Stealer is so effective is it bypasses a lot of the browser, the RBIs of the world, because it's calling out to PowerShell to actually present this credential stealer. So it looks like a CAPTCHA, but then it's trying to instruct the person to carry out these PowerShell commands.
It looks like this. So if you ever see this, that's basically Lumma Stealer. So in that case, again, the DNS blocked it. Fine. But here's the other thing: this same analyst went back and looked at the logs and found four other users that had been affected that day. We had blocked them, but frankly, the other safeguards didn't catch it.
Again, just an example of where DNS plays a role in your overall scheme and how pervasive it is, frankly, across your infrastructure, 'cause it's basically in your stack. Alright, here are the takeaways. I'm just gonna say this again. It is not sufficient anymore to just resolve. 42 years ago it was okay.
It is no longer okay. So you need some form of protective DNS. I don't care if you use DNSFilter or whatever you use, but use it. The other thing too is, the reality is, almost nothing on the internet, I would say less than 1% of everything on the internet, needs access to everything on the internet.
That's just a rule. Okay. So get with it. Your refrigerator probably needs to get to some updates; that's all it needs to do. Put an allow list there and walk away. If you're afraid of fast flux, block new domains, like anything less than 15 days old. That's probably, maybe, okay. Maybe 30 days.
But you'll take a whole lot of threat off the table from these players, because they need to register a new domain to, one, evade or, two, just stand up a new threat. It really doesn't matter how advanced the attack is. DNS is always in there. Like, you can get the shiniest AI out there from an adversary.
It's still, at some point, gonna call DNS, and chances are, if let's say you're blocking new domains, you're done, like you walk away. So I know, I'll get off my soapbox, but basically protective DNS is really where it's at. And the question I leave you with is, how do you tell which one is better?
Like, in the world of 10 protective DNS offerings, which one offers you speed, precision, and efficacy? Getting that benchmark together for yourself is probably a really good takeaway, because yes, you need protective DNS, but which one? Alright, that's it. Thank you very much.
Want to learn more about protective DNS? Watch the extended webinar version of this talk: What Does DNS Need to Be When It Grows Up
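The talk describes scoring registered domains for similarity to a brand such as telegram.org, with homoglyph lookalikes (capital I vs lowercase l) as one input. The following is an added example, not DNSFilter's algorithm or any code from the talk: it normalises common homoglyphs, scores candidates by edit distance, and boosts candidates that embed the brand label. The candidate list and the 0.75 threshold are constructed for illustration.

```python
# Added example (not from the talk or DNSFilter): rank registered-domain
# candidates by how closely they imitate a brand domain.

# Homoglyph pairs folded to one canonical form. Multi-character pairs
# ("rn" -> "m", "vv" -> "w") must be applied before single characters.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"),
              ("|", "i"), ("0", "o"), ("5", "s"), ("3", "e")]

# Constructed sample of "registered" domains to score against telegram.org.
CANDIDATES = ["te1egram.org", "telegrarn.org", "telegrm.org",
              "telegram-login.org", "telegram.com", "example.org",
              "telegram.org"]


def normalize(domain: str) -> str:
    """Lowercase the name (DNS is case-insensitive) and fold homoglyphs."""
    d = domain.lower().strip(".")
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(brand: str, candidate: str) -> float:
    """1.0 means identical after homoglyph folding; 0.0 means unrelated."""
    a, b = normalize(brand), normalize(candidate)
    score = 1.0 - levenshtein(a, b) / max(len(a), len(b))
    # A longer label that still contains the brand (telegram-login.org,
    # or a TLD swap) is a lookalike even when edit distance is large.
    if a.split(".")[0] in b.split(".")[0]:
        score = max(score, 0.9)
    return round(score, 3)


def rank_lookalikes(brand: str, candidates, threshold: float = 0.75):
    """Return (domain, score) pairs at or above threshold, best first."""
    scored = [(c, similarity(brand, c)) for c in candidates if c != brand]
    scored.sort(key=lambda t: -t[1])
    return [(c, s) for c, s in scored if s >= threshold]
```

Feeding the output into a blocklist is the "take it off your plate" step the talk describes; the threshold is where precision is traded against coverage.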