Akamai Diversity

The Akamai Blog

Too often, we are so focused on our day-to-day that we neglect to consider the bigger picture. I have been writing about recursive DNS and threat intelligence, Domain Generation Algorithms (DGAs), and DNS-based data exfiltration assuming that the vast majority of readers are familiar with the business impact of malware, ransomware, and phishing. Turns out, that isn't necessarily the case.

HTTP2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred "on the wire" by introducing a full binary protocol, made up of TCP connections, streams and frames, rather than simply being a plain-text protocol. Such a fundamental change between HTTP/1.x to HTTP/2, meant that client side and server side implementations had to incorporate completely new code to support new HTTP2 features - this fact, introduces nuances in protocol implementations, which in turn, might be used to passively fingerprint web clients.

In the last few posts, I talked about why recursive DNS (rDNS) combined with threat intelligence makes for such a simple-to-deploy security solution that effectively mitigates and prevents advanced, targeted threats. Not to belabor the point, but the recent punycode phishing news makes the effectiveness of rDNS plus threat intel even more evident. Identifying punycode domains lexically through a combination of rDNS and threat intel is quite straightforward, either by detecting phishing attempts to popular domains or by just identifying abnormal usage of different language variants.

The Domain Name System - the DNS - is the foundation of the internet. Beyond connecting IP addresses with web requests, DNS provides the basis for both the detection of and protection from global cyberthreats before they reach an organization's corporate network resources --particularly given that more than 90% of malware uses DNS for command and control. This presents a tremendous opportunity for service providers to utilize their DNS infrastructure to provide security services to their business customers, which have a tremendous need for stronger, more proactive cyber protection.

The State of the Internet Report is growing up - with this issue, it enters its tenth year of publication.  Over time, it has matured in many ways, including its length, design, and the content it includes.  Looking back at that first issue (all 17 pages of it), for the first quarter of 2008, we find that the report covered:

Overview

Can you imagine anyone buying a car without airbags and without seat belts? I bet you can't!

So why is it that we buy computers without Antivirus software already installed, home routers without a firewall already installed or connected devices (IoT) that are lacking proper security controls?

With cyberattacks affecting SMBs at an alarming rate, business owners are challenged with putting strong enough security in place to protect them from the average $20,000 price tag per incident. Ransomware, in particular, has hit the SMB sector hard. As stated in a recent study by Arctic Wolf Networks, last year saw a 433% increase in ransomware attacks against SMBs1 - a number that is expected to grow.

Written by Avi Aminov and Or Katz

Overview

Imagine you are standing in the middle of a crowded train station and want to have a private conversation with an old friend. You've been waiting for the perfect time to contact him and get some advice on how to move forward with some important life choices.

But you couldn't wait any longer, and now you're on a train platform. There are many people around you. They're watching every move you make and listening to each word you say. You really, really need this conversation to be private!

Last time I talked about how a proactive approach to defending against targeted threats using cloud-based recursive DNS and threat intelligence just makes sense. Taking this proactive approach early in the killchain can help mitigate known and unknown threats before any IP connection, file download or execution even happens.

So, what are some of the common targeted threats and/or DNS-based techniques that we run across? We generally see malware, ransomware, and phishing. Most of which leverage some form of command and control (C2) callbacks. We also observe plenty of blacklist evasion and some cases of DNS based data exfiltration - all helped along by a general lack of visibility into enterprise DNS traffic.

Taking a Defense in Depth Approach to Ransomware

By now you've most likely heard about the WannaCry (a.k.a. WannaCrypt) ransomware that began wreaking havoc in parts of the world this past Friday (May 12, 2017). Given Nominum's, now part of Akamai, broad, deep view into DNS data from our service provider customers around the world, we were able to gather insights into how WannaCry made its way onto subscriber networks around the globe (see the WannaCry: views from the DNS frontline in our Data Science blog for more thoughts).