
How a critical CIRA DNS Firewall threat feed works

By Rob Williamson
Marketing Manager

We recently welcomed Nick Bustin, Product Manager with Akamai Technologies Data Science and Threat Intelligence to present a webinar on the unique benefits of their cyber threat detection. This feed provides the core block list for the CIRA DNS Firewall.

We’re providing a summary of the presentation here, and the full video can be seen here.

The threat landscape is evolving very quickly, and the challenge of cybersecurity is to stay one step ahead of the hackers and thieves. They can quickly and easily spin up new online threats that look legitimate, so the response has to be equally quick to mitigate the risk. The quality of the tricks they use is quite high, and if you aren’t watching closely you won’t catch them. Moreover, if you manage users’ desktops, then you already know that 100 users times 100 emails and 100 websites visited is a lot of potential for a simple and reasonable mistake. And even a .005% daily “failure” rate can spell ransomware (if you are doing the math, that is one per day for your organization).

Sure is tempting to click on, isn’t it? Remember, not all threats come in through phishing.

First off, who are the threat actors?

You have individuals/script kiddies. Sounds lame? It is the worst, because even though they aren’t particularly sophisticated, they use scripts and “spray and pray” across as many targets as they can. The fact that easily available tools are there for them to use just shows how simple this all is.

Then you have criminal organizations, which were classified as being of medium sophistication. While they leverage scripts, they can be incredibly targeted. They also may have their own development staff to help modify and improve the tools. In many cases they are even state-sponsored. The difference is that the motivation is money.

Finally, you have the state actors. These come in three forms: states acting directly, such as North Korea carrying out attacks to generate revenue for the state; semi-sponsored groups that operate safely inside some states as long as they don’t attack their home country; and states themselves looking to destabilize other places.

The impact is huge. The presentation cited a recent U.S. DoJ report about an organizer in a hijacking group that compromised tens of millions of debit and credit cards and caused billions in damages. Yes, that is one bad actor with a result that has a “B” in the dollar amount. In the U.S. alone, the Internet Crime Report published by the FBI showed that in 2020 reported crimes totaled $4.2 billion in losses up from $700 million in 2019 – and that is just what was reported.

This is evident in the types of attacks. Phishing/vishing/smishing and pharming have taken off exponentially, while other forms of attack, although also growing, are doing so more linearly.

In short, whatever one does, one should always prepare for the worst. With defence in depth, every possible measure should be taken to reduce cyber-risk, and DNS blocking is a classic way to reduce risk.

An exponential increase in targeting end users because it is fast, easy, and it works.

COVID-19 – a perfect storm in pictorial format

Threat actors pivot very quickly to exploit trends.

Blue shows malicious domains containing the word “corona” while orange shows those that contain the word “covid”. The trend is apparent right after New York shut down due to the virus. If there is a hot topic that generated higher user clicks, then the baddies are on it.

Akamai Data Science Goals

The presentation outlined three core goals as it relates to data science:

  • Coverage – Protect against wide-ranging and emerging threats.
  • Precision – Minimize the risk of blocking legitimate requests because a key aspect of security is keeping users happy.
  • Agility – Be able to respond very quickly to stay ahead of the threat actors who can spin up a phishing website in under two minutes.  

These goals are important because they illustrate that you want to make sure your security is fast, non-intrusive and doesn’t block legitimate sites from functioning. Why? Because if your users are annoyed then they will try to get around your controls – humans are funny that way.

In terms of coverage, Akamai has over 500,000 servers distributed around the world, which gives them a lot of intelligence for decision-making based on internet activity. They also process over 3 trillion queries daily on the DNS side. Akamai analysis brings these sources of intelligence together and complements them with commercial and open-source threat feeds.

With this information, every net new DNS query is automatically quarantined. It may surprise you to know that the vast majority of new DNS queries/domains that appear somewhere in the world are malicious. So, when the initial query occurs it is automatically quarantined and analyzed. This is done via a combination of machine learning and, when needed, human threat researchers. The end result is a streaming threat list that is continually added to the CIRA DNS Firewall block list. In fact, many malicious sites get on the list while the bad actor is still testing them. In addition to intelligence, many malicious DNS lookups are algorithmically generated – something that can be used for proactive blocking.

Flubot – A current example of domain generation algorithms

Flubot is a particularly hot topic right now and so we will use this real example that uses a fake courier delivery message as a lure to install an application.

If it is a highly targeted attack and not yet on a block list, then once the malware is installed we can look at the machine-generated domains to detect and block the command and control.

Since these are known, they can be predictively blocked from activation. You can see below that the code in the threat can be analyzed and blocked predictively.

Domain generation algorithms (DGAs) can be reverse-engineered for predictive blocking

Notably, the algorithms can be like real viruses, in that the developers can create variants – so this is a constant battle but an important piece of work to help protect organizations using the CIRA DNS Firewall.
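To make the predictive-blocking idea concrete, here is an added example (not code from the presentation, and not Flubot’s real algorithm): a hypothetical date-seeded generator stands in for a reverse-engineered DGA, and a defender pre-computes the names it will produce over the next few days so a resolver can block them before the malware ever resolves one.

```python
from datetime import date, timedelta

def hypothetical_dga(day, count=10, tld="xyz"):
    """Stand-in for a reverse-engineered generator (NOT Flubot's real DGA).
    A date-seeded linear congruential generator emits pseudo-random
    second-level labels; a real analysis would reproduce the sample's own
    constants and alphabet exactly."""
    seed = day.year * 10000 + day.month * 100 + day.day
    state = seed & 0xFFFFFFFF
    domains = []
    for _ in range(count):
        label = []
        for _ in range(12):
            state = (1103515245 * state + 12345) & 0x7FFFFFFF
            label.append(chr(ord("a") + (state >> 16) % 26))
        domains.append("".join(label) + "." + tld)
    return domains

def build_predictive_blocklist(generator, start, days_ahead=3, **kw):
    """Pre-compute the names for `start` and the next `days_ahead` days so
    they are on the block list before the first C2 lookup happens."""
    blocklist = set()
    for offset in range(days_ahead + 1):
        blocklist.update(generator(start + timedelta(days=offset), **kw))
    return blocklist

def check_query(qname, blocklist):
    """Resolver-side decision: 'block' for a predicted C2 name, else 'allow'."""
    return "block" if qname.lower().rstrip(".") in blocklist else "allow"

if __name__ == "__main__":
    today = date.today()
    predicted = build_predictive_blocklist(hypothetical_dga, today)
    print(len(predicted), "predicted names; first:", sorted(predicted)[0])
```

When the developers ship a variant with new constants, the generator function is the only thing that has to be re-derived; the block-list build and resolver check stay the same.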

Okay – billions of queries, what kind of analyst can look at that (aka how does machine learning work?)

Machine learning is needed due to the massive volume of data. Clustering can be used to recognize when many apparently unique domains come from a single IP address, whether or not that address is already known to be commonly used by a threat actor. The analysis also examines the DNS records for patterns that may identify similar sources. In reality, there are hundreds of systems and subsystems used to detect nefarious activity, and that activity is complemented by continuous manual research.
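The two mechanisms described above, quarantining every newly observed domain and then clustering the quarantined names by the IP address they resolve to, as one added example (not Akamai’s or CIRA’s code). The log lines, the allow list and the IP addresses are all constructed for the demonstration.

```python
from collections import defaultdict

# Constructed resolver log lines (not real data): "<client> <qname> <answer_ip>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com 192.0.2.10
10.0.0.7 mail.example.com 192.0.2.10
10.0.0.5 k3j9x2q.delivery-track.xyz 203.0.113.9
10.0.0.9 parcel-update-7781.top 203.0.113.9
10.0.0.7 your-package.info 203.0.113.9
10.0.0.5 www.example.com 192.0.2.10
10.0.0.9 cdn.bigvendor.net 198.51.100.22
"""

# Registrable domains already seen and vetted before this batch (constructed).
KNOWN_DOMAINS = {"example.com", "bigvendor.net"}

def registrable(qname):
    """Approximate the registrable domain as the last two labels (no PSL lookup)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def parse_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]

def quarantine_new_domains(text, known):
    """Return (verdict per qname, set of quarantined registrable domains).
    Any query for a domain outside the vetted set is quarantined until
    analysis clears it; repeat queries stay quarantined."""
    verdicts, quarantined = {}, set()
    for _client, qname, _ip in parse_log(text):
        dom = registrable(qname)
        if dom in known:
            verdicts[qname] = "allow"
        else:
            quarantined.add(dom)
            verdicts[qname] = "quarantine"
    return verdicts, quarantined

def cluster_by_answer_ip(text, quarantined, min_domains=3):
    """Group quarantined domains by answer IP and flag any IP hosting
    several apparently unrelated new domains (the clustering idea above)."""
    by_ip = defaultdict(set)
    for _client, qname, ip in parse_log(text):
        dom = registrable(qname)
        if dom in quarantined:
            by_ip[ip].add(dom)
    return {ip: sorted(doms) for ip, doms in by_ip.items() if len(doms) >= min_domains}
```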

Contribution to defence-in-depth

To conclude, the CIRA DNS Firewall (or any DNS-based security layer) is a recommended best practice in almost all cybersecurity frameworks, but it is only a benefit if it complements your other layers. With the unique threat intelligence that Akamai provides as part of the CIRA DNS Firewall, you are getting extra protection, and that is the key to success. There is no point in having layers if they all use the same intelligence.

In fact, 30% of all the blocks that the CIRA DNS Firewall sees on the network come from the unique intelligence provided by Akamai. The remaining 70% comes from the various other threat feeds that make up the overall list, including those, like the Canadian Center for Cybersecurity list, that CIRA layers on.

In short, if you are consuming lists and/or have a firewall in place that blocks threats, we can say for our customer base that the additive DNS layer is proving very effective, requires no direct maintenance and management, and is non-intrusive to the end user.

About the author
Rob Williamson

Rob brings over 20 years of experience in the technology industry writing, presenting and blogging on subjects as varied as software development tools, silicon reverse engineering, cyber-security and the DNS. An avid product marketer who takes the time to speak to IT professionals with the information and details they need for their jobs.