How Securd DNS Filtering Stops Unknown Malware

Zero-trust means what it sounds like it does. In the case of DNS, our patent-pending capability distances you from Internet hostnames, domains and infrastructure that are not trustworthy for immediate connectivity with your end-points. This post shows a real-life example of Securd’s zero-trust DNS filtering successfully defending against a malware attack.

Most registered domains are not trusted

From our perspective, the overwhelming majority of the valid traffic your endpoints and end-users will ever use on a repeated basis will be inside our top 10 million domains. Inside our top 10 million domains are where real-time threat intelligence, quality indicators, and other security analytics are paramount to stop bad actors from exploiting “trustworthy” and established infrastructure. Outside the top 10 million, things get ugly quick, and your risk of engaging with malicious or compromised hosts increases exponentially.

zero reputation covid domains

Trained greywalls fill the massive security gap

A DNS Greywall is a timing and asset restriction feature used to control your total potential attack surface. The feature uses observation data and reputation intelligence to determine access to domains and hostnames. Greywalls are designed and tuned to mitigate real-time cyber-attacks where end-users and endpoints attempt to connect to phishing sites, ransomware downloads, and malware command and control. Greywalls reduce risk by limiting unwitting end-users from interacting with domains, hostnames, and URLs that have zero history or reputation, or that were generated by an algorithm.

Securd Zero Trust DNS Firewall Policy Editor

Um, exploits are built to evade detection

Anti-virus and malware detection is, for the most part, a game of whack-a-mole. It’s a never-ending game of exploiting software, evading analysis, and maintaining access for as long as needed. For the most part, 90% of modern malware does download from the Internet by using a DNS-based connection. In this example, we observed this malware attack for 24 hours, and according to our lookup on VirusTotal, the overwhelming majority of vendors show the sample as undetected.

malware goes undetected

Greywalling an untrusted domain

A DNS Greywall is a hostname and registered domain aware system. The grey wall knows which hosts and domains are acceptable to connect to. The grey wall must also be aware of new and untrusted hostnames that should not be connected to. The security administrator determines the temporary block time of a connection to a grey walled hostname or domain. A temporary block can be as short or as long as the security administrator establishes in a security policy. In most cases, the block is established for a range of 1 hour to 72 hours. This temporary block gives security tools, providers, and the information security community time to discover, assess, and distribute protection or intelligence to mitigate a cyber threat.

  1. End-user Opens Password Protected Zip File
  2. User Opens Doc, Exploit Executes, Attempts Download From ——jih.com
  3. DNS Firewall Detects Query To Domain Is Not For A Securd Trust Ranked Asset
  4. Unranked Domain ——jih.com Is Temporarily Blocked, Activity Logged

Greywall blocks the domain

At this stage, the grey wall reduces cyber risk by limiting the end-user from interacting with the ——jih.com domain, which has zero history and reputation. Instead of being able to download a file, Securd redirects the end-user to a block page with the reason for the denied connection. All the blocked traffic and passive DNS data are centrally logged for a security administrator to review.

undetected by av, blocked by Securd

Threat intelligence and feeds catch up

After 24 hours, threat intelligence is starting to be shared and distributed about ——jih.com. Other security technologies analyze the sample; others observe attacks, and the malicious domain and URL make their way to numerous feeds. At this point, Securd threat intelligence capabilities are also deploying this threat intelligence in real-time to our edge network. Any additional connection attempted to ——jih.com is now blocked by the Securd DNS Firewall malware host security category.
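The greywall decision described in the two sections above (temporary block of a zero-history domain, then a permanent block once the malware-host category catches up), as an added toy model that is not Securd’s code. The trusted set stands in for the trust-ranked domain list, registered-domain parsing is deliberately naive, the placeholder domain replaces the elided one from the post, and an expired greywall with no intel is assumed to allow the query.

```python
# Toy model of a zero-trust DNS greywall (added illustration, not Securd's code).
# Assumptions: registered-domain parsing is naive, the "trusted" set stands in
# for the top-10M trust-ranked domains, and an expired greywall allows the query.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def registered_domain(hostname: str) -> str:
    """Naive registered-domain extraction (last two labels).
    Production code should use the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


@dataclass
class Greywall:
    trusted: set                 # trust-ranked registered domains
    malware_hosts: set           # threat-intel "malware host" category
    block_hours: int = 24        # admin-chosen window; the post cites 1 to 72 hours
    first_seen: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def decide(self, qname: str, now: datetime):
        """Return (verdict, reason) for one DNS query and append it to the log."""
        qname = qname.lower().rstrip(".")
        domain = registered_domain(qname)
        if qname in self.malware_hosts or domain in self.malware_hosts:
            verdict, reason = "BLOCK", "malware-host"       # feeds caught up
        elif domain in self.trusted:
            verdict, reason = "ALLOW", "trust-ranked"
        else:
            seen = self.first_seen.setdefault(domain, now)  # zero-history asset
            if now - seen < timedelta(hours=self.block_hours):
                verdict, reason = "BLOCK", "greywall"
            else:
                verdict, reason = "ALLOW", "greywall-expired"
        self.log.append((now.isoformat(), qname, verdict, reason))
        return verdict, reason


def run_demo():
    """Replay the attack timeline from the post with constructed sample data."""
    t0 = datetime(2020, 4, 1, 9, 0)
    gw = Greywall(trusted={"example.com"}, malware_hosts=set())
    results = [gw.decide("www.example.com", t0),                # ALLOW
               gw.decide("dl.placeholder-jih.example", t0),     # BLOCK greywall
               gw.decide("dl.placeholder-jih.example", t0 + timedelta(hours=1))]
    gw.malware_hosts.add("placeholder-jih.example")             # intel catches up
    results.append(gw.decide("dl.placeholder-jih.example", t0 + timedelta(hours=25)))
    return results
```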

blocked malware from threat intelligence

Try Securd free for 14 days

Start protecting your network and endpoints from cyber threats in minutes.

Get started now and you can cancel at any time.