Protect Your Network, Protect Your House: Takeaways from the Capital Cybersecurity Summit
On November 14 and 15, the Northern Virginia Technology Council hosted the second annual Capital Cybersecurity Summit in Virginia.
Key takeawaysThis key takeaway was generated through LLMs crawling the page and coming up with an overview of the content.The article reports on the Capital Cybersecurity Summit and argues that modern cyber threats have evolved from ‘‘burglary’’ style data theft to ‘‘home invasion’’ style advanced persistent threats (APTs) that live inside networks, exploit naive DNS behavior, and enable lateral movement and external command-and-control. It emphasizes that conventional perimeter-focused defenses and DNS firewalls that monitor only north-south traffic are insufficient, and recommends client-facing DNS security that inspects the source and intent of every DNS query to block malicious queries at the endpoint and stop east-west movement and beaconing. The operational impact described is that CISOs should treat DNS as a strategic cybersecurity asset—deploying client-level DNS protections to detect stealthy malware, prevent internal abuse of infrastructure, and reduce the risk of long-term breaches.
Why is DNS especially important in defending against modern advanced persistent threats?
The article explains that DNS is a critical tool for APTs because its ordinary resolution behavior can be abused: attackers can search for sensitive files, receive external instructions, and build command-and-control channels via DNS queries. Because DNS is commonly seen as mundane infrastructure, many security teams overlook it, yet 91% of cyber attacks utilize DNS. That combination of widespread use, naive default handling, and visibility into both internal name resolution and external communications makes DNS both a high-value attack vector and an effective place to detect and disrupt stealthy beaconing, lateral movement, and other APT behaviors when monitored and enforced appropriately.
What are the limitations of traditional DNS firewalls and perimeter-based defenses according to the article?
Traditional DNS firewalls and perimeter-focused defenses primarily track north-south traffic at the network boundary, which assumes attackers are outside and only exfiltrate or query externally. The article argues this model fails against home invasion-style attacks, because modern attackers can already reside inside the network, perform lateral (east-west) movement, and use internal DNS behavior to blend in. Once adversaries are internal, the network boundary loses value; perimeter controls miss internal malicious queries and the patient, low-noise behaviors that characterize APTs. Therefore, defenses that only monitor external DNS traffic cannot reliably detect or prevent internal command-and-control and lateral abuse.
How does client-facing DNS security improve detection and prevention of stealthy malware?
Client-facing DNS security inspects DNS queries at the endpoint or source, enabling visibility into both the origin and intent of each query rather than only observing traffic at the boundary. By blocking malicious DNS queries at the client level, this approach prevents east-west lateral movement that attackers use to leverage internal infrastructure, and also stops north-south beaconing used to trigger external commands. The article compares this to placing a watchdog in every room: it provides more granular, distributed enforcement that can identify patient, sneaky malware that would otherwise evade perimeter controls and remain on the network for extended periods.
On November 14 and 15, the Northern Virginia Technology Council hosted the second annual Capital Cybersecurity Summit in Virginia. With a number of industry-leading speakers and over 350 attendees, one of the hot topics of discussion included the importance of a well-educated, cybersecurity-savvy workforce in creating a more empowered society.
The evolution of hackers, bad actors, malware, and subsequently cybersecurity protocols, inspires an interesting comparison: If you know there is a burglar in your neighbourhood, you wouldn’t think twice to protect your home by any means necessary. And if the burglars changed their tactics, wouldn’t you? Bad actors move fast. You have to move faster. Ignorance is no longer an option. It’s time to educate, prepare, and protect yourself, your network and your data.
Do your cybersecurity protocols prevent burglaries, or home invasions?
Cybersecurity used to be about preventing burglary. The thieves wanted data, and only data – personal information, trade secrets, intellectual property. Once they had it, they usually left the rest of the network untouched.
In today’s landscape, however, cybersecurity protocols should be focused on preventing home invasions. While data remains a valuable target, criminals have discovered that by taking their time, watching patterns, and becoming an intrinsic part of the network themselves, they can gain access to much more valuable assets.
Home invasion-style cyber attacks use your network as a weapon. Criminals are aggregating the computing power of your infrastructure and using it to attack networks in ways you’ve never seen.
DNS is a critical tool for the advanced persistent threats which plague the internet with home invasion-style tactics. Using the naïve characteristics of DNS resolution, bad actors can search for the critical files they want, receive instructions from outside, and develop command and control right under your nose.
91% of cyber attacks utilize DNS, and it’s no wonder – most IT security personnel see it as an uninteresting piece of infrastructure as opposed to a cybersecurity asset.
What can we do to protect ourselves?
DNS filters and firewalls are a step in the right direction, but most are still based on the old burglary model. Out on the network boundary, a DNS firewall can track external network traffic – the simple “north-south” queries. But addressing advanced persistent threats requires insight into internal DNS activity.
Breaches are the new normal, and they rarely happen overnight. In fact, malicious actors are probably on your network right now, searching for the right information or waiting for instructions. In this new home invasion paradigm, the network boundary quickly loses its value – there is no longer any separation between internal and external.
A client-facing DNS security system is like putting a Doberman in every room of your house rather than just one on the front porch. By looking at the source and intent of every DNS query, client-facing DNS security systems can identify even the sneakiest, most patient malware.
By blocking malicious DNS queries at the client level, IT security personnel can prevent lateral, “east-west” movement that allows cyber criminals to maliciously leverage the naïve properties of DNS. As an added bonus, it also protects against suspicious north-south traffic, preventing the “beaconing” behavior which most advanced persistent threats use as a trigger for action.
As advanced persistent threats grow more potent, CISOs need to look for cybersecurity assets wherever they can – even in the most mundane-seeming infrastructure systems. DNS-based security takes cybersecurity to the next level by using this under-appreciated infrastructure as protection against this new breed of home invasion-style attacks.
Published in:
BlueCat provides core services and solutions that help our customers and their teams deliver change-ready networks. With BlueCat, organizations can build reliable, secure, and agile mission-critical networks that can support transformation initiatives such as cloud adoption and automation. BlueCat’s growing portfolio includes services and solutions for automated and unified DDI management, network security, multicloud management, and network observability and health.
Related content
How to map your network with user-defined links in Integrity X
Map your network with user-defined links in Integrity X to define and manage custom relationships, such as dual-stack and NAT environments.
Automate your DDI modernization path by migrating with Micetro
Automate cross-platform DNS and DHCP migration with Micetro to reduce risk, eliminate manual effort, and modernize infrastructure faster.
Your journey to intelligent NetOps begins at Cisco Live
Visit BlueCat’s booth or book a meeting now to learn more about how our solutions can help you build a network that supports constant change.
Replace BIND and ISC with Micetro DNS/DHCP Server (MDDS)
Tired of patching and manually configuring BIND DNS and ISC DHCP? Discover how Micetro MDDS appliances can replace them for modern DDI.