DNS is the foundation of the Internet, connecting users to the Internet's vast resources. That same role makes it a prime target for adversaries: the enormous and constantly growing domain namespace makes it easy for attackers to rely on compromised and disposable domains. Securd's Greywall offers a proactive approach by adding zero trust to DNS filtering. By adhering to these best practices, organizations can significantly enhance their cybersecurity posture, protecting their assets from ever-growing cyber threats. In the complex world of cybersecurity, an adaptable and forward-thinking tool like Greywall, paired with vigilant best practices, is invaluable in safeguarding digital assets.
Here are the essential DNS Security and logging best practices for Securd users:
Intelligent Threat Assessment
Use Greywall's ability to learn domains by zone. Once learning mode is disabled, Greywall blocks every unknown hostname, whether it belongs to an established domain or is DGA-generated: every out-of-scope DNS query is blocked.
Temporary Block Duration
Setting an appropriate temporary block duration can be a game-changer. Adjust it based on the potential risk and the frequency of domain interaction; the block can run from an hour to 90 days. Endpoints whose DNS behaviour changes rarely should be configured with a longer resolution delay.
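To make the learn-then-block behaviour and the temporary block window concrete, here is a small policy model written for this post. It is constructed illustration code, not Greywall's implementation: it learns hostnames (rather than zones) during learning mode, blocks any unknown hostname from its first interaction until the configured duration has elapsed, and then hands the name to review instead of trusting it automatically. The hostnames, timestamps and one-hour duration are made up.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class GreylistPolicy:
    """Toy learn-then-block DNS policy (constructed model, not Greywall's code).

    - learning=True: every queried hostname is recorded as known and resolved.
    - learning=False: known hostnames resolve; an unknown hostname is blocked
      from its first interaction until temporary_block has elapsed, after
      which it goes to review rather than being trusted automatically.
    """
    temporary_block: timedelta
    learning: bool = True
    known: set = field(default_factory=set)
    first_seen: dict = field(default_factory=dict)

    @staticmethod
    def _norm(hostname: str) -> str:
        # DNS names are case-insensitive; drop a trailing root dot
        return hostname.lower().rstrip(".")

    def decide(self, hostname: str, now: datetime) -> str:
        name = self._norm(hostname)
        if self.learning:
            self.known.add(name)          # baseline phase: record and resolve
            return "allow"
        if name in self.known:
            return "allow"
        seen = self.first_seen.setdefault(name, now)   # first interaction time
        if now - seen < self.temporary_block:
            return "block"                # still inside the temporary block window
        return "review"                   # window elapsed: re-evaluate before trusting

    def promote(self, hostname: str) -> None:
        """Re-evaluation passed (rank, intel, enrichment): trust the name from now on."""
        self.known.add(self._norm(hostname))


def simulate():
    """Run a constructed timeline and return the (hostname, decision) trace."""
    policy = GreylistPolicy(temporary_block=timedelta(hours=1))
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed timeline
    trace = []
    # learning mode: baseline the endpoint's normal destinations
    trace.append(("updates.example.com", policy.decide("updates.example.com", t0)))
    policy.learning = False
    events = [
        ("updates.example.com", t0 + timedelta(minutes=5)),   # known: allowed
        ("xk3j9q.example.net", t0 + timedelta(minutes=10)),   # unknown: first seen, blocked
        ("xk3j9q.example.net", t0 + timedelta(minutes=40)),   # still inside the window
        ("xk3j9q.example.net", t0 + timedelta(minutes=70)),   # window elapsed: review
    ]
    for host, when in events:
        trace.append((host, policy.decide(host, when)))
    return trace


if __name__ == "__main__":
    for host, decision in simulate():
        print(f"{host:24s} {decision}")
```

The "review" outcome is deliberately not "allow": the caller decides whether to call `promote()` after its own checks, which keeps the expiry of the block window separate from the decision to trust the name.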
Isolate Greywalls
Create multiple companies so that each Greywall operates in isolation, maximizing your use of zero-trust principles. This DNS compartmentalization ensures that each domain observation and analytics process is specific to its tenant, eliminating the risk of less sensitive endpoints influencing your aggregate DNS security posture.
Endpoint-Based Interaction
Understand the significance of domain interactions with your endpoints rather than relying solely on global observations. Focus on the first interaction time and correlate this data with other logs to understand why a DNS query occurred.
Configure Rules for New Domains
Don't allow blind domain resolution. Your endpoints will only ever resolve a small fraction of the DNS namespace. Why would you permit them to resolve and connect to anything in this threat environment? Use Greywall's capability to set specific rules for new domains, ensuring they are observed and analyzed before being trusted.
Active Logging and Analysis
Constantly monitor and log all DNS queries, especially those that are blocked. Real-time DNS logging offers insight into potential threats and provides valuable data for threat intelligence.
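As an added example of the analysis this section and the endpoint-based interaction advice above call for, the script below works through a handful of constructed resolver log lines (the `src=`/`qname=`/`action=` layout is invented for this post and is not Greywall's log format). It records the first interaction time per endpoint and name rather than globally, tallies blocked queries, and builds a review queue with a coarse label-entropy flag to prioritize DGA-looking names for analyst attention. Thresholds and sample names are made up.

```python
import math
from collections import Counter
from datetime import datetime, timezone

# Constructed resolver log lines (not real Greywall output); one query per line.
LOG_LINES = """\
2024-05-01T09:00:12Z src=10.0.0.5 qname=updates.example.com action=allow
2024-05-01T09:00:15Z src=10.0.0.5 qname=updates.example.com action=allow
2024-05-01T09:01:03Z src=10.0.0.7 qname=xk3j9qz7v2mbp4.example.net action=block
2024-05-01T09:01:04Z src=10.0.0.7 qname=xk3j9qz7v2mbp4.example.net action=block
2024-05-01T09:02:40Z src=10.0.0.5 qname=cdn-assets-prod.example.org action=block
2024-05-01T09:05:00Z src=10.0.0.7 qname=updates.example.com action=allow
"""


def parse_line(line):
    """Split one constructed log line into a record with a UTC timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["qname"] = rec["qname"].lower().rstrip(".")   # normalize DNS names
    return rec


def load_records(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def first_interactions(records):
    """Earliest time each endpoint queried each name (per endpoint, not global)."""
    first = {}
    for r in records:
        key = (r["src"], r["qname"])
        if key not in first or r["ts"] < first[key]:
            first[key] = r["ts"]
    return first


def blocked_counts(records):
    """How often each name was blocked; blocked queries deserve the most attention."""
    return Counter(r["qname"] for r in records if r["action"] == "block")


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_like(qname, min_len=10, min_entropy=3.5):
    """Coarse triage heuristic on the leftmost label: long and high-entropy.

    Used only to order the review queue; it is not a verdict on the name.
    """
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def review_queue(records):
    """Blocked names with per-endpoint context, most-blocked first."""
    first = first_interactions(records)
    queue = []
    for qname, count in blocked_counts(records).items():
        hits = {src: ts for (src, q), ts in first.items() if q == qname}
        queue.append({
            "qname": qname,
            "blocked": count,
            "endpoints": sorted(hits),
            "first_seen": min(hits.values()),
            "dga_like": dga_like(qname),
        })
    queue.sort(key=lambda e: (-e["blocked"], e["qname"]))
    return queue


if __name__ == "__main__":
    for entry in review_queue(load_records(LOG_LINES)):
        print(entry)
```

The per-endpoint first-seen time is what you correlate against process, proxy or EDR logs to explain why the query happened; the entropy flag only decides which blocked name an analyst looks at first.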
Continual Re-evaluation
Once the temporary block duration ends, don't automatically assume the domain is safe. Use Greywall to re-evaluate and subject it to further security checks. Leverage DNS rank and other threat intelligence and data enrichment to determine the trustworthiness of a hostname.
Educate and Inform
Users are the first line of defense. Educate them about potential threats, ensuring they understand the significance of the block pages they might encounter. Custom block pages in Securd allow you to create teachable moments to educate your users about the activity they just engaged in.
Regular Review and Audit
Threat actors will adapt to your defenses. Periodically review DNS logs, blocked traffic, and your Greywall configurations. Continuous review ensures DNS security optimization and timely identification of patterns that might indicate emerging threats.
We hope these high-level best practices provide a roadmap to improving your endpoint security posture, reducing the frequency of malware incidents, and accelerating incident response and threat hunting.