By David Ratner, CEO of HYAS
The cyber world is filled with lots of scary threats and new buzzwords, none of them bigger than AI. As boards, CEOs, and security leadership teams decide where to put their energy and time going forward, I’m going to propose the perhaps controversial recommendation. More important than identifying a strategy against any particular attack vector, type of intrusion, or buzzword is actually getting the confidence to run your business regardless of how techniques and attacks change. This is true operational resilience, commonly referred to as business continuity.
Early in my career, I was responsible for the engineering and support of clients around the world running WAP gateways. (Wow, does that make me old – for those too young to remember, the Wireless Access Protocol (WAP) gateway was a solution at the mobile operator to provide Internet to mobile phones before the use of straight IP as we do today). Nearly every operator on the planet used the WAP gateway. The problem to be honest was the solution’s stability. It had a classic architecture – a centralized listener for requests coming from mobile phones and multiple worker processes to broker each phone’s individual connection to the Internet. The connection between the listener and the worker processes was tenuous, and any time the listener crashed and rebooted, all the worker processes had to be restarted, leading to outages for any and all mobile devices currently trying to utilize the service.
I was asked by the COO to run the team and stabilize the system, as the team was furiously trying to identify every defect in the listener and fix it so that the listener would run “bug free” and not crash. Unfortunately, if you’ve ever dealt with software, you might recognize this as a near-impossible task. Instead, I proposed a fundamental architectural change that would keep the worker processes available and running even if the listener rebooted, meaning that clients would not experience a service outage. Rather than try and identify every potential source of failure, we architected the system to be resilient against failures, to the delight of our clients worldwide and relieving significant stress on multiple teams.
This story has direct applicability today. Too many times we focus on fixing a specific problem or symptom when we could architect the overall solution to be resilient against a class of problems. My recommendation to security teams everywhere is to learn from this (true) story. There is always time to implement a particularly specific solution against a particularly specific attack vector. Prioritize your time and focus on implementing operational resiliency.
And how do you go about implementing resiliency? It all starts with visibility. Often CISOs and security leaders tell me that one of their biggest concerns, if not the most important one, is lack of visibility and understanding of what’s happening in their environment and on their network “right now”, in real-time.
Think about how attacks fundamentally work today. Regardless of how an attacker breaches the perimeter, their malware/attack still needs to beacon out for instructions – for lateral motion, privilege escalation, data exfiltration, and even encryption. The infrastructure it beacons out to, commonly called command-and-control (C2), by definition must be created and established prior to launching the attack, and DNS-routable on the Internet. The digital exhaust common to any attack today, therefore, is the beaconing activity to command-and-control. The metadata inside an organizations’ environment that can be turned into key intelligence is the DNS lookups of command-and-control, because that’s the first step that occurs after any breach. If you can combine (i) visibility in your environment into all outbound requests for communication with (ii) expertise in what is, and what isn’t, command-and-control or adversary infrastructure on the Internet, then you can ensure that any breach can be identified and stopped in near real-time. This is how you implement true business resiliency.
So let’s talk about these two pieces – visibility into outbound communication and adversary infrastructure expertise. The first part can be achieved with a Protective DNS (PDNS) solution. It’s part of the reason that CISA and the NSA recommend the use of PDNS today as part of the Shields Up initiative. It’s estimated that over 93% of all malware uses DNS to communicate with command-and-control – mostly because of how easy it is to block a given IP and how easy it is to change IP addresses and/or the command-and-control hostname via DGA or other techniques. You don’t need to look at the content of the communication, so the protocol that the bad actor uses doesn’t matter, and neither does encryption of the content. It’s also a great mechanism to see infections in IOT devices and other connected devices in the organization because they use the network just like any other device, and therefore the outbound communication to command-and-control can still be observed at the DNS level. And depending on the architecture, it even works for an OT or production environment, seeing the anomalous communications from severs, databases, and other production devices. It’s an incredibly simple-to-deploy yet comprehensive solution to obtain the required visibility.
The key is matching this visibility against expertise in adversary infrastructure so that you can make a well-informed and accurate decision about whether or not the destination is command-and-control. Many have tried to solve this problem by detonating and analyzing new malware in real-time but this strategy fundamentally hinges on hope – hope that the malware is detonated, the command-and-control is understood, and added to a deny list before you get attacked by it. Hope is not a strategy that allows a security practitioner to get a confident, good night of sleep. A new strategy is required – one that fundamentally relies on expertise and intelligence in adversary infrastructure, and seeing the build-up of it in real-time, to change the game from “hoping the solution helps” to having the confidence to move business forward.
Visibility into all outbound communication and comparing this in real-time to an adversary infrastructure intelligence source, is exactly the resiliency strategy that organizations of all sizes need to prioritize as they consider their 2024 roadmap and set of initiatives. It is more important than blocking any specific attack vector, and more important than following the buzz-word bingo of the day. The priority needs to be making sure that your organization has resilience built into the architecture – in part because everyone will unfortunately be breached, and in part to provide a backstop and detection method for whatever new attack vector gets utilized and weaponized in the future. Replace legacy allow-and-deny lists and all other approaches tenuously built on the strategy of hope, and instead rely on up-to-the-minute intelligence of adversary infrastructure to identify and stop cyber attacks in your environment. Only then will you, the security team, the CEO and the Board have confidence in the face of ever-changing attacks. And the ability to get a good night’s sleep isn’t a bad benefit as well.
About the Author
After obtaining his Ph.D. in Computer Science, David Ratner has spent his career in various areas of software and technology, from writing code to scaling and growing venture-backed, private-equity owned, and public companies. Currently he serves as the CEO of HYAS and leads both the long-term vision and the day-to-day mission to bring game-changing solutions to HYAS clients around the world. Previously, Ratner was the CEO of Realm, which he sold to MongoDB in 2019. Ratner has international B2B experience in all geographies, over two million lifetime flight miles, is a martial-arts black-belt, and currently resides in Silicon Valley.