What Just Happened?
Oct 24, 2023
There are those who want to make it happen. And there are those who watch it happen. Then there are those who ask, “what just happened?”
Regardless of your disposition, each of these perspectives illustrates a vital role in cybersecurity operations. And when asking “what just happened?”, the more relevant information available during incident response or cyberthreat investigations, the better. Among the many forms of such information, that pertaining to DHCP, DNS, and IPAM (DDI) can provide critical clues for incident forensics.
For instance, when investigating a potential advanced persistent threat (APT) malware download of code updates, the first step in connecting to the malware command and control (C2) center nearly always leverages DNS. After all, DNS enables the malware to query for a given domain name, enabling the malware author to dynamically configure the C2 IP address to which it will connect. By identifying this incident during the DNS query phase of the connection attempt, you can halt the malware download process before it starts.
The Cygna Labs DNS Firewall Service provides a real-time feed of nefarious malware domain names, as well as names and IP addresses of DNS servers of ill repute. Identifying such queries and responses in flight enables you to modify the DNS response to either redirect the querying device to an in-house remediation portal or to otherwise deny proper resolution. You can even permit the resolution but log the query for later investigation when the resolution data is suspicious but not proven malicious.
Should the query succeed, enabling connectivity to the C2 center, other layers of your defense-in-depth security strategy may well detect and mitigate this activity. The Cygna Radar VitalQIP appliance package and stock Sapphire appliances from Cygna Labs provide detection and shutdown of DNS tunnels. DNS tunnels carry data, including exfiltrated sensitive data, inside otherwise ordinary DNS protocol traffic.
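To make the two detection points above concrete, the following is an added example (not Cygna Labs product code and not the DNS Firewall feed format) that triages a resolver query log in two passes: first a suffix-matching blocklist policy that yields the three response actions the text describes (redirect to a remediation portal, deny resolution, or resolve-but-log), then a heuristic that flags zones whose leftmost labels are long and high-entropy, the shape DNS-tunneled data typically takes. The feed entries, the log format, the portal address, the thresholds and the "zone is the last two labels" simplification are all constructed assumptions for illustration.

```python
"""DNS query-log triage: blocklist response policy plus a DNS-tunneling heuristic.

Added example. The feed, log format, portal address and thresholds below are
constructed for illustration, not taken from any product or real feed.
"""
import math
from collections import defaultdict

# Constructed feed: each entry covers the domain and every name beneath it.
BLOCKLIST = {
    "malware-c2.example": "redirect",   # known C2 name: steer client to remediation portal
    "bad-resolver.example": "deny",     # disreputable DNS server: refuse resolution
    "suspicious.example": "log",        # suspicious but unproven: resolve, but record it
}
REMEDIATION_PORTAL = "10.0.0.53"  # constructed address of an in-house remediation portal
ACTION_ANSWERS = {"redirect": REMEDIATION_PORTAL, "deny": "NXDOMAIN", "log": None, "allow": None}

# Constructed resolver log: "<timestamp> <client> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2023-10-24T12:00:01Z 10.1.2.3 www.example.com A
2023-10-24T12:00:02Z 10.1.2.3 mail.example.com A
2023-10-24T12:00:03Z 10.1.2.9 update.malware-c2.example A
2023-10-24T12:00:04Z 10.1.2.9 ns1.bad-resolver.example A
2023-10-24T12:00:05Z 10.1.2.4 cdn.suspicious.example AAAA
2023-10-24T12:00:06Z 10.1.2.7 0123456789abcdef0123456789abcdef.exfil.example TXT
2023-10-24T12:00:07Z 10.1.2.7 123456789abcdef0123456789abcdef0.exfil.example TXT
2023-10-24T12:00:08Z 10.1.2.7 23456789abcdef0123456789abcdef01.exfil.example TXT
2023-10-24T12:00:09Z 10.1.2.7 3456789abcdef0123456789abcdef012.exfil.example TXT
2023-10-24T12:00:10Z 10.1.2.7 456789abcdef0123456789abcdef0123.exfil.example TXT
"""


def parse_log(text):
    """Return the list of query names from the constructed log format."""
    return [line.split()[2] for line in text.splitlines() if line.strip()]


def parent_domains(qname):
    """Yield qname and each parent suffix: a.b.example -> a.b.example, b.example, example."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def policy_for(qname):
    """Return (action, answer) for a query, matching the most specific feed entry first."""
    for suffix in parent_domains(qname):
        if suffix in BLOCKLIST:
            action = BLOCKLIST[suffix]
            return action, ACTION_ANSWERS[action]
    return "allow", None


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunnel_suspects(qnames, min_queries=5, min_label_len=30, min_entropy=3.5):
    """Flag zones whose distinct leftmost labels look like encoded data, not hostnames.

    Simplification (assumption): the zone is taken to be the last two labels.
    """
    by_zone = defaultdict(set)
    for q in qnames:
        labels = q.rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue  # nothing below the zone apex that could carry a payload
        by_zone[".".join(labels[-2:])].add(labels[0])
    suspects = []
    for zone, first_labels in by_zone.items():
        if len(first_labels) < min_queries:
            continue  # too few distinct subdomains to call it a channel
        mean_len = sum(len(l) for l in first_labels) / len(first_labels)
        mean_ent = sum(shannon_entropy(l) for l in first_labels) / len(first_labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            suspects.append(zone)
    return sorted(suspects)


def triage(log_text):
    """Run both passes over a log and return the per-name action and suspect zones."""
    qnames = parse_log(log_text)
    return {
        "actions": {q: policy_for(q)[0] for q in qnames},
        "tunnel_suspects": tunnel_suspects(qnames),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for q, action in result["actions"].items():
        if action != "allow":
            print(f"{action:8s} {q}")
    print("tunnel suspects:", result["tunnel_suspects"])
```

The policy pass walks from the full name up through its parents so one feed entry for a C2 domain covers every host beneath it; the tunneling pass deliberately keys on distinct leftmost labels per zone, since a tunnel must vary that label to move new data while a legitimate zone reuses a small set of hostnames.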
If you’re of the type to watch it happen, Cygna Labs offers several monitoring, reporting, visibility, and forensics products. Our Cygna Radar, Cygna DDI Guard and Sapphire IPAM Auditor provide vibrant reporting and investigation features to facilitate DDI visibility across your network.
NIST Cybersecurity Framework 2.0
And if you’re the type to make it happen, Cygna Labs offers a diverse portfolio of DDI security solutions to help you implement the recommended identify, protect, detect, respond, and recover functions as part of a unified cybersecurity strategy as defined by the National Institute of Standards and Technology (NIST). NIST is presently updating the framework for release in 2024, so visit our DNS security resource center to learn about what’s coming and how it impacts your foundational DNS-DHCP-IPAM (DDI) network services.