
Blocking Domain Generation Algorithms with UltraDDR 


Malware and phishing are major threats in the digital landscape, and Security Operations Centers (SOCs) deal with them daily. Malware uses various techniques to maintain control once it has infiltrated a target system, and one of the most common is the Domain Generation Algorithm (DGA). A DGA is a software routine inside malware that generates many pseudo-random domain names, which the malware then uses to establish a connection to its command-and-control (C2) servers. This technique makes it particularly challenging for security controls such as anti-virus software and firewalls to detect and block the malware. A standard prevention solution might block one or two domains, but with a DGA producing thousands of new ones, the malware or ransomware can continually evade detection and keep controlling the infected endpoint. 

Protective DNS solutions play a crucial role in defending against DGAs by analyzing DNS query data to identify and block potentially malicious domains. This proactive approach interrupts malware’s command and control communications, making it a very cost-effective way to block malware at scale. 

Introducing UltraDNS Detection and Response. 

Vercara’s UltraDNS Detection and Response (UltraDDR) is a next-generation Protective DNS solution designed to detect and block DGA domains as well as other malicious domains and infrastructure. By using advanced detection techniques such as Artificial Intelligence (AI) to block DNS queries proactively, it empowers businesses to stay ahead of bad actors and protect themselves against future threats.  

With capabilities to stop ransomware and phishing attacks, enforce internet usage standards, and provide company-wide protection, UltraDDR is a secure, reliable, and cost-effective cloud-based protective DNS solution. 

Backed by cyber threat intelligence. 

Cyber Threat Intelligence (CTI) plays a huge part in any Protective DNS, and UltraDDR is no exception. Specific to DGAs, UltraDDR has several CTI inputs that make it more effective at detecting and blocking queries for DGAs. 

Vercara uses reverse-engineered DGAs to generate a CTI feed for each malware family. The feed contains the domains that family could generate, including all known permutations of its inputs such as date, magic value/seed, or word dictionaries. Consisting of millions of DGA domains, it is updated daily. 

We use this DGA domain feed as a list to search our DNS query data from our recursive and authoritative DNS server logs. This gives us a listing of all the DGA domains that have been queried for, have been registered, and are responding to queries. 

The active domains and their details are then, in turn, fed into the Adversarial Infrastructure Data Lake as seed data for dynamic scoring and identification of previously unseen domains. 

The four detection engines of UltraDDR. 

As we discussed in our whitepaper, UltraDDR employs four different detection engines for defense-in-depth against ransomware, other malware, phishing, and other attacks. 

Lists Engine. 

The Lists Engine lets UltraDDR customers bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. These lists can be sourced from an external CTI feed and imported via URL, which you can learn more about here.   

Categories Engine. 

The Categories Engine uses Vercara-provided CTI feeds in 17 categories. Customers can enable blocking on a category with just one button click. There are 2 categories that include domains used by DGAs: 

  • Bots/C2 
  • Malware and Ransomware 

Decision Engine. 

The Decision Engine uses artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 

The Decision Engine is supported by an Adversarial Infrastructure Data Lake. This data lake houses a decade’s worth of DNS resolution data, Cyber Threat Intelligence feeds, DGA domain query logs, domain registration details, registrar reputation, and other data elements. Our DGA CTI feed is ingested as seed data by the Decision Engine, which establishes correlations to identify domains that use infrastructure previously employed by DGA-based malware. 

Ruleset Engine. 

The Ruleset Engine lets administrators build custom rules that augment and extend the other UltraDDR engines. For instance, a common configuration for blocking DGA domains and other types of abuse is to block domains that are less than 90 days old. Because DGA domains change over time, they are frequently newly registered, so this rule catches many of them. 

The Ruleset Engine can also be used for a large number of other use cases, such as advanced geo-blocking, blocking troublesome TLDs, and blocking query types such as TXT and HINFO that are frequently abused for C2, DNS tunneling, and DNS exfiltration.  
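As an added illustration (not UltraDDR's code), the following Python sketches how the pieces described above fit together: queried names from constructed resolver log lines are matched against a constructed DGA feed, a hypothetical registration-date table implements the "less than 90 days old" rule, and TXT/HINFO queries are flagged as the post describes. The feed contents, log format and registration dates are all invented for this example.

```python
from datetime import date

# Constructed sample data for this example; not UltraDDR's feed or log format.
DGA_FEED = {"xkqzp7a1mn.net", "bqvwzr03lt.com"}   # output of a reverse-engineered DGA
ABUSED_QTYPES = {"TXT", "HINFO"}                  # query types the post names as abused
MIN_DOMAIN_AGE_DAYS = 90                          # the "less than 90 days old" rule
TODAY = date(2024, 3, 14)

# Hypothetical registration-date lookup standing in for WHOIS/RDAP data.
REGISTRATION_DATES = {
    "xkqzp7a1mn.net": date(2024, 3, 1),
    "example.com": date(1995, 8, 14),
    "fresh-login-portal.com": date(2024, 2, 20),
}

# Constructed resolver log lines: timestamp, client, queried name, query type.
SAMPLE_LOG = [
    "2024-03-14T10:00:01Z 10.0.0.5 www.example.com A",
    "2024-03-14T10:00:02Z 10.0.0.5 xkqzp7a1mn.net A",
    "2024-03-14T10:00:03Z 10.0.0.7 fresh-login-portal.com A",
    "2024-03-14T10:00:04Z 10.0.0.9 cdn.example.com TXT",
]

def registrable_domain(fqdn):
    """Naive registrable domain: last two labels (real systems use the Public Suffix List)."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def evaluate(fqdn, qtype, today=TODAY):
    """Return (domain, qtype, reasons); an empty reasons list means the query is allowed."""
    domain = registrable_domain(fqdn)
    reasons = []
    if domain in DGA_FEED:                         # feed match (Lists/Categories style)
        reasons.append("dga-feed")
    registered = REGISTRATION_DATES.get(domain)
    if registered and (today - registered).days < MIN_DOMAIN_AGE_DAYS:
        reasons.append("newly-registered")         # Ruleset: domain age under 90 days
    if qtype.upper() in ABUSED_QTYPES:
        reasons.append("abused-qtype")             # Ruleset: TXT/HINFO block
    return domain, qtype.upper(), reasons

def blocked_queries(lines, today=TODAY):
    """Run every log line through the rules and keep only those that would be blocked."""
    verdicts = (evaluate(*line.split()[2:4], today) for line in lines)
    return [v for v in verdicts if v[2]]

if __name__ == "__main__":
    for domain, qtype, reasons in blocked_queries(SAMPLE_LOG):
        print(f"BLOCK {domain} {qtype}: {', '.join(reasons)}")
```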

Detect and block Domain Generation Algorithms with ease. 

The good news is that UltraDDR, by design, detects and blocks Domain Generation Algorithms with a minimum of onboarding and configuration. This enables organizations and their SOC to focus their efforts on other security priorities, knowing that their DNS queries are being monitored and malicious domains are being actively blocked. 

To learn more about UltraDDR and how it can help your organization develop a proactive security stance, visit our product page.  

Last Updated: March 14, 2024
