With the recent influx of news reports regarding security incidents, more Chief Information Security Officers (CISOs), Chief Information Officers (CIOs), and IT professionals are reviewing current security infrastructures, policies, and practices to identify potential weaknesses in their security posture. This has long been best practice, but with the progressive use of various attack and threat vectors now employed by malicious actors against businesses, this practice must be constantly in play and the execution plan must be dynamic, adjusting to the ever-evolving security threat landscape.
So, the question and challenge becomes, how does one accomplish this without incurring the added complexity involved in implementing sophisticated security measures and countermeasures? How can I, as a security professional, protect critical enterprise assets without convoluting and degrading my end users' experience and productivity with cumbersome security protocols.
A solution to this challenge can be met through Akamai's Enterprise Threat Protector (ETP). Akamai's approach to security at the Domain Name System (DNS) level complements existing security infrastructures such as secure web gateways (SWGs), next generation firewalls (NGFWs), endpoint anti-virus protection, and others. ETP identifies the potential threat early in the kill chain process, addressing a large percentage of command and control (CnC), malware, ransomware, and phishing attacks at the DNS lookup layer.
DNS is at the core of all things internet. Whether workstation, laptop, mobile device, or internet of things (IoT), the first step towards any connection is a DNS lookup. This lookup is what's needed to get the address of the particular device or resource the device is seeking to communicate with. By inspecting these DNS queries against databases of known bad domains and IP addresses, ETP, as a DNS resolver, can stop connections to known malicious sites.
As a security professional, you should not rely on a static database of known bad sites, but seek a service that continually updates, categorizes, and adjusts to emerging and varied threats. Take, as an example, the server of a legitimate hostname becoming infected with a malware virus. During a given period of time, users connecting to this site may have unknowingly downloaded a virus on their machine. Meanwhile, the owner of the server may have identifed the malware, cleansed the server, and placed it back into production. In this dynamic example, to stay up-to-date and relevant, your security solution would have to:
- Identify the hostname and begin tracking it.
- Change/elevate the category of the hostname once it's known to contact a virus. At this point you would want to stop all activity to this site and alert users that the site trying to be accessed is malicious.
- Change/reduce the category of the hostname once the server owner addressed the virus.
This is just one example of the diversity and progression of the hundreds of threats and thousands of DNS queries per day that need to be inspected, evaluated, and responded to in real-time.
ETP enables this flow to be simply accomplished, layering additional security at the DNS level without the complexity of another security point solution. With the DNS resolver pointing external DNS queries to Akamai, ETP receives the DNS queries, evaluates them against a robust and ever-evolving database of bad IPs/hostnames, categorizes them (track/increase/reduce confidence), and reports on all of these critical data points.
In one use case, a customer enabled ETP to begin DNS protection within 15 minutes of receiving access to Luna Control Center, the central portal to configure, manage and report on all Akamai services. After a few days of running, ETP reported hundreds of CnC, malware, and phishing threats that were unknown to the enterprise and thousands of Acceptable Use Policy (AUP) violations. Though the single pane of glass provided by the Luna dashboard, the customer fortified their security posture early in the kill chain without negative impact on the end user or service interruption.
Two weeks ago at Akamai EDGE, we enabled ETP on the 2017 Akamai Edge Wi-Fi and identified some interesting traffic. Below are a few screenshots of the threats we detected. In this example, we observed a domain called "sport-express.biz" and we saw multiple resolved IPs for that hostname.
Figure 1. Threat event details page.
Double clicking into the intelligence of the domain, we see this domain is sinkholed in the security community. You will see that Akamai began tracking this threat back in January 2017.
Figure 2. Intelligence data on "sport-express.biz".
For a more information about Enterprise Threat Protector, and to register for a free trial, visit akamai.com/etp.