As organisations grow and mature, they tend to become increasingly aware of their cyber security needs. In commercial environments, this awareness translates into having, at the very least, a firewall installed on the office premises. Today, most companies do have at least a firewall to protect them from malicious websites and cyber-attacks. This raises the question: why do firewalls so often fail to prevent ransomware attacks?
The quick answer is: your firewall might need a booster!
Firewalls offer network-centric protection and, when set up effectively, can do an excellent job of stopping cyberattacks that target network devices such as file servers or printers. But today's cyberattacks target humans. Cybercriminals exploit psychological weaknesses such as curiosity or stress to increase the chance that a user makes a mistake. In this scenario it is the user's own action (clicking a link, downloading a file) that enables the cybercriminal to install spyware and trojans inside the company network.
Our company firewall did not stop a phishing or ransomware attack. What did we do wrong?
Unfortunately, traditional cyber security setups based on firewalls may simply not be enough against these types of attacks. To understand why, we have analysed the three scenarios below. They are based on Mike O’Leary’s book Cyber Operations: Building, Defending, and Attacking Modern Computer Networks.
Case studies
Each case starts with a situation in which a cybercriminal plans an attack. For each situation, you can see how well the threat is handled by:
- a firewall
- a DNS protection system based on blacklisting
- AP Lens – Private Browser strategy based on DNS + whitelisting
1. Phishing attempt
Situation: The attacker creates a website using a typosquatting technique to make users believe they are on their own bank’s website, tricking them into handing sensitive information to the attackers.
2. Malware activated in the network
Situation: After the attacker manages to get a user to run malware on their Windows workstation VICTIM-1PC inside the internal network, the attacker will try to use a reverse shell that calls back to their own system (a C&C server with an external IP). For the attack to succeed, the call-back must be allowed out through the network firewall. This call-back traffic most often looks like normal web traffic, so it is difficult to tell whether a connection attempt is a malware call-back or a user visiting a website.
3. Stealing data using covert channel
Situation: In a firewall-protected network, the attacker will try to find out which ports allow traffic out of the network before gaining a foothold in it; in this example it could be UDP port 53.
Zero trust security and AP Lens whitelist-based protection
AP Lens – Private Browser builds on a DNS whitelist, extending the security attributes of DNS-based security services with a whitelist feature. By combining a whitelist with a zero trust mindset, AP Lens does not rely on potentially flawed criteria to identify websites that could be malicious. It simply treats every website that has not been vetted and added to its whitelist as potentially dangerous. These “unknown” websites, which make up the greatest part of the internet but account for only a small percentage of users’ traffic within an organisation, are then loaded in a cloud-based browser and served to users in the form of a “preview”. The user is protected from executable malicious code as well as from phishing attempts via lookalike domains.
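To make the comparison between the three strategies in the case studies concrete, here is an added toy policy engine (not AP Lens code, and not from O’Leary’s book) that replays the three scenarios plus one legitimate visit against a port-based firewall, a blacklist DNS filter and a whitelist DNS filter that sends unvetted domains to a preview. All domain names, list contents and port rules are constructed for illustration; the lookalike check against the whitelist is an extra defensive heuristic, not a description of the product.

```python
# Added example, not AP Lens code: a toy policy engine that replays the three
# case studies against the three strategies listed above. All domain names,
# lists and ports are constructed for illustration.
from typing import Dict, Tuple

Attempt = Tuple[str, str, int, str]          # (scenario, domain, port, protocol)
ATTEMPTS = [
    ("phishing typosquat", "examp1e-bank.com", 443, "tcp"),
    ("malware call-back", "cdn-metrics-update.net", 443, "tcp"),
    ("covert channel", "3a9f1c7e2b.exfil-example.org", 53, "udp"),
    ("normal browsing", "online.example-bank.com", 443, "tcp"),
]
FIREWALL_OUTBOUND = {(80, "tcp"), (443, "tcp"), (53, "udp")}   # needed for normal work
BLACKLIST = {"known-bad-example.com"}                           # previously reported only
WHITELIST = {"example-bank.com", "aplens.co"}                   # vetted by the organisation

def registered_domain(fqdn: str) -> str:
    """Last two labels; a real system would consult the public suffix list."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot near-misses of vetted names (typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def firewall(domain: str, port: int, proto: str) -> str:
    # Port-based rules cannot tell a call-back on 443 from a normal web visit.
    return "allow" if (port, proto) in FIREWALL_OUTBOUND else "block"

def blacklist_dns(domain: str, port: int, proto: str) -> str:
    # Only domains already reported as bad are stopped; new ones pass.
    return "block" if registered_domain(domain) in BLACKLIST else "allow"

def whitelist_dns(domain: str, port: int, proto: str) -> str:
    base = registered_domain(domain)
    if base in WHITELIST:
        return "allow"
    # Unvetted domain: served as a remote preview. A near-miss of a vetted
    # name is additionally labelled so analysts can spot phishing attempts.
    for good in sorted(WHITELIST):
        if levenshtein(base, good) <= 2:
            return f"preview (lookalike of {good})"
    return "preview"

def evaluate(attempts=ATTEMPTS) -> Dict[str, Dict[str, str]]:
    strategies = {"firewall": firewall, "blacklist_dns": blacklist_dns, "whitelist_dns": whitelist_dns}
    return {name: {s: fn(d, p, pr) for s, fn in strategies.items()} for name, d, p, pr in attempts}

if __name__ == "__main__":
    for scenario, verdicts in evaluate().items():
        print(f"{scenario:20}", "  ".join(f"{k}={v}" for k, v in verdicts.items()))
```

Running it shows the firewall allowing all four attempts (the needed ports are open), the blacklist allowing the three unknown malicious domains, and the whitelist sending every unvetted name to a preview while still allowing the vetted bank subdomain.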
Knowledge pills:
Firewall and DNS
In the constant cybersecurity arms race, experts have been focusing on the intrinsic vulnerabilities of, among others, traditional network security based on firewalls. A firewall is a network security system that monitors incoming and outgoing network traffic and makes decisions about it based on predetermined security rules. Its purpose is to establish a barrier between a trusted network (protected by the firewall) and an untrusted network, such as the Internet. Apart from the potential for human error in firewall configuration, attention has recently focused on how the vulnerabilities of existing firewalls can be addressed with the help of technologies such as DNS.
The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. In other words, DNS servers make it possible for people to input normal words into their browsers, such as aplens.co, without having to keep track of the IP address for every website.
Protective DNS (PDNS) service characteristics
Because of DNS’s ability to resolve domain names, cyber security services built around this protocol are able to achieve protection from threats that normally go undetected by firewalls.
A recent guidance document by the US National Security Agency on “Selecting a Protective DNS Service”, for example, identifies four such cases:
- PHISHING: websites created to maliciously collect information, including access credentials, by tricking the user into believing they are on a legitimate website. Phishing websites use techniques such as typosquatting, i.e. close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- MALWARE: sites that serve malicious content or that are used by threat actors to command and control malware. These include, for example, sites hosting malicious JavaScript files, or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- DOMAIN GENERATION ALGORITHMS: sites with programmatically generated domain names that malware uses to circumvent static blocking. Advanced malware, including some botnets, depends on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) so that malware can circumvent static blocking, whether by domain name or by IP, by programmatically generating domain names from a pre-set seed. PDNS can analyse domains’ textual attributes and recognise potentially malicious ones based on certain characteristics, for example high entropy.
- CONTENT FILTERING: PDNS can use a categorisation of domains by use case (e.g., “gambling”) and warn or block on those deemed a risk for a given environment.
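The DGA point above mentions scoring a domain’s textual attributes, such as high entropy. The following added example (not from the NSA guidance and not AP Lens code) implements that check: it computes the Shannon entropy of the label left of the top-level domain, combines it with length and digit share, and triages a constructed list of query names. Thresholds, the sample names and the simplified suffix handling are assumptions for illustration.

```python
# Added example, not from the NSA guidance or AP Lens: scores DNS query names
# on textual attributes (entropy, length, digit share) to flag DGA-like names.
# Thresholds and sample names are constructed; tune them on your own traffic.
import math
from collections import Counter
from typing import Dict

def shannon_entropy(text: str) -> float:
    """Bits per character of the given string (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def dga_features(fqdn: str) -> Dict[str, object]:
    labels = fqdn.lower().rstrip(".").split(".")
    # Score the label left of the TLD; multi-part suffixes such as .co.uk are
    # not handled here (a real system would use the public suffix list).
    label = labels[-2] if len(labels) >= 2 else labels[0]
    return {
        "label": label,
        "entropy": shannon_entropy(label),
        "length": len(label),
        "digit_share": sum(ch.isdigit() for ch in label) / max(len(label), 1),
    }

def looks_like_dga(fqdn: str, entropy_threshold: float = 3.5, min_length: int = 12) -> bool:
    """True for a long, high-entropy label or one that is mostly digits.
    Legitimate CDN and cloud-storage hostnames can also score high, so treat
    this as a signal to enrich with other data, not a standalone verdict."""
    f = dga_features(fqdn)
    long_and_random = f["length"] >= min_length and f["entropy"] >= entropy_threshold
    return long_and_random or f["digit_share"] > 0.5

SAMPLE_QUERIES = [          # constructed query names, not real observations
    "aplens.co",
    "mail.example-bank.com",
    "xk3f9qzpw7hlv2b.net",
    "a1b2c3d4e5f6.org",
]

def triage(queries=SAMPLE_QUERIES) -> Dict[str, bool]:
    return {q: looks_like_dga(q) for q in queries}

if __name__ == "__main__":
    for name, flagged in triage().items():
        feat = dga_features(name)
        print(f"{name:24} entropy={feat['entropy']:.2f} dga={flagged}")
```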
References:
National Security Agency and Cybersecurity & Infrastructure Security Agency, Selecting a Protective DNS Service, https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_Selecting-Protective-DNS_UOO11765221.PDF
Mike O’Leary, Cyber Operations: Building, Defending, and Attacking Modern Computer Networks, https://www.oreilly.com/library/view/cyber-operations-building/9781484242940/