When many accounts attempt to reach the same URL, that is more concerning because it suggests something pervasive. In many cases this is typosquatting, but in the past we have seen spikes in things like drive-by bitcoin mining (a problem that has thankfully come under control somewhat). One customer we spoke to even saw a spike of requests to a local golf course whose site had been hacked shortly before a municipal golf tournament.
A few words on content filtering and reviewing that data
Content filtering can be a hot topic as it relates to individuals, but as it relates to business it is a commonly used cybersecurity tool. Sure, some organizations want to keep inappropriate content off the network (or stop it consuming bandwidth) and can do that with policy and tools. Some operate public Wi-Fi where certain content is undesirable and so discouraged. But it isn't just about corporate censorship, because there is a legitimate security need too. Certain categories of content are consistently more likely to host threats. Moreover, many threats are hosted on sites that look perfectly legitimate. For instance, sites offering downloadable activity and colouring book pages for kids (popular in the pandemic) are very often abused as threat vectors. Online storage not approved by the IT team is also a risk, because that is often how attackers distribute malicious content. And finally, anonymizers may be used by employees to do things the IT team may not want them to do, and they hide that traffic from the filters that would otherwise catch it.
If you do content filtering, then reviewing the daily block report is not generally necessary or useful, because it is almost guaranteed to be huge. From our experience, almost nobody does it outside of a SIEM context where they are looking to machine learning to spot behavioural changes. But this is a pretty extreme use of technology and only for well-funded IT security teams protecting really critical data. However, if you do choose to review it, make sure you understand how sensitive a record of individual employees' browsing is before you start.
To conclude, what are the core recommendations on evaluating DNS threat blocking?
- Identify botnets that could be on your network fast, because an infected host is a back door.
- Don't sweat the total number of blocks if that is the normal state, but look at the spikes. Are they generated by a single user? A single department? Is the URL particularly targeted (i.e. a typosquatted domain of a large supplier)?
- Address spear phishing or pervasive threats appropriately with a mix of education and technology.
- Content filtering is an important part of security – but use it wisely.
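As an added illustration of the "look at the spikes, not the volume" and "many accounts to one URL" points above, here is a small Python triage that is not code from the original post or from any product it describes. It runs over a constructed sample block log (the CSV layout, user and department names, the hypothetical supplier list and the spike thresholds are all assumptions), ignores the steady background of advertising blocks, flags domains whose daily count jumps well above their baseline, reports how many distinct users and departments are behind each spike, and checks whether the spiking domain is within two edits of a known supplier's domain, which is the typosquatting case the recommendations mention.

```python
"""Triage a DNS block log: find spiking domains, see who is behind each
spike, and check whether the domain looks like a typosquat of a supplier."""
from collections import Counter, defaultdict
from statistics import mean

# Constructed sample block log (date,user,department,domain,category), not
# real data: two quiet days of background noise, then a day with two spikes.
SAMPLE_LOG = """\
2024-05-01,alice,finance,ads.tracker.example,advertising
2024-05-01,bob,sales,ads.tracker.example,advertising
2024-05-02,alice,finance,ads.tracker.example,advertising
2024-05-02,carol,ops,ads.tracker.example,advertising
2024-05-03,alice,finance,ads.tracker.example,advertising
2024-05-03,bob,sales,ads.tracker.example,advertising
2024-05-03,alice,finance,acrne-supply.example,phishing
2024-05-03,bob,sales,acrne-supply.example,phishing
2024-05-03,carol,ops,acrne-supply.example,phishing
2024-05-03,dave,sales,acrne-supply.example,phishing
2024-05-03,bob,sales,miner.pool.example,cryptomining
2024-05-03,bob,sales,miner.pool.example,cryptomining
2024-05-03,bob,sales,miner.pool.example,cryptomining
"""

# Hypothetical list of large suppliers that staff legitimately visit.
SUPPLIERS = ["acme-supply.example", "bigbank.example"]
FIELDS = ("day", "user", "dept", "domain", "category")


def parse_log(text):
    """One dict per non-blank CSV line."""
    return [dict(zip(FIELDS, line.split(",")))
            for line in text.splitlines() if line.strip()]


def daily_counts(records):
    """{day: Counter({domain: blocks})}."""
    per_day = defaultdict(Counter)
    for r in records:
        per_day[r["day"]][r["domain"]] += 1
    return per_day


def find_spikes(records, day, factor=3.0, min_blocks=3):
    """Domains blocked on `day` far above their mean over the earlier days.

    Total block volume is deliberately ignored: steady advertising noise is
    the normal state. A domain spikes when it has at least `min_blocks` hits
    on `day` and more than `factor` times its baseline (a domain never seen
    before has baseline 0, so `min_blocks` hits are enough to flag it)."""
    per_day = daily_counts(records)
    prior = [d for d in per_day if d < day]          # ISO dates sort as strings
    spikes = []
    for domain, count in per_day[day].items():
        baseline = mean(per_day[d][domain] for d in prior) if prior else 0.0
        if count >= min_blocks and count > factor * baseline:
            spikes.append((domain, count, baseline))
    return sorted(spikes, key=lambda s: -s[1])


def who_is_behind(records, day, domain):
    """Distinct users and departments hitting `domain` on `day`."""
    hits = [r for r in records if r["day"] == day and r["domain"] == domain]
    return {r["user"] for r in hits}, {r["dept"] for r in hits}


def edit_distance(a, b):
    """Levenshtein distance, classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_of(domain, suppliers=SUPPLIERS, max_distance=2):
    """Suppliers within `max_distance` edits of `domain` (exact match excluded)."""
    return [s for s in suppliers if s != domain and edit_distance(domain, s) <= max_distance]


def triage(text, day):
    """Report for one day: spiking domain -> who is behind it and what it mimics."""
    records = parse_log(text)
    report = {}
    for domain, count, baseline in find_spikes(records, day):
        users, depts = who_is_behind(records, day, domain)
        report[domain] = {"count": count, "baseline": baseline,
                          "users": len(users), "departments": len(depts),
                          "pervasive": len(users) > 1,     # one user = local problem
                          "lookalike_of": typosquat_of(domain)}
    return report


if __name__ == "__main__":
    for domain, info in triage(SAMPLE_LOG, "2024-05-03").items():
        print(domain, info)
```

On the sample data the advertising domain never appears in the report even though it produces most of the blocks, while acrne-supply.example is flagged as pervasive (four users across three departments) and as a lookalike of acme-supply.example, and miner.pool.example is flagged as a single-user problem. Against a real log, the spike factor and minimum count need tuning per network, and the supplier list should be the domains your finance and procurement teams actually use.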