Two Can Play at that Game: Thinking Like a Malicious Adversary

When you set out to counter cyber threats, you can draw a number of parallels with actual battles. Sun Tzu says it best in The Art of War: the most important part of any battle is not the fight but the preparation, because before you set off into battle you must first know your enemy.

That principle is the foundation of any combat strategy, including cyber security, because a malicious adversary has two intentions: fool the target and avoid being blocked. You need to know how bad actors do this through DNS and how they weaponize domains. That should be the starting point of your cyber security tactics.

DNS is relevant throughout the kill chain, since domains are used at every stage, including delivery, installation, and command and control. They come into play relatively early in the process: bad actors start by identifying the types of domains, or even the domain generation algorithms, they are going to use. The better you understand how these bad actors operate, the better (and earlier) you can spot them.

Putting yourself in the mind of your adversary therefore gives you a great advantage: if you don’t know what you’re fighting, how can you expect to fight it? DNS is crucial to developing a counter-strategy and can be used to spot nefarious patterns or intents that may elude existing security defenses.

Cyber security professionals can use this approach proactively, for example by setting policy in DNS Edge: by anticipating your adversary’s next move, you can preemptively block certain known bad domains. They can also use it reactively, for example by conducting malware forensics on something malicious that has already been found.

If you’re looking at something malicious that has already taken place, you can see what damage has been inflicted, which domains the malware has reached out to, and who else on the network might have been infected. DNS holds a wealth of data that can provide invaluable insights: by combing through DNS logs, you’ll be able to see which other hosts were communicating with the malicious domain, and pair those log entries with individual machines and assets.
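As an added illustration of the log-combing described above, and of spotting the algorithmically generated names mentioned earlier, the following example (written for this page, not code from BlueCat or the original post) parses constructed BIND-style query-log lines, pivots from a known-bad domain to every client that queried it or one of its subdomains, and flags long, high-entropy labels as DGA candidates. The log lines, the domain badexample.test and the entropy threshold are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log sample (not taken from the original post).
SAMPLE_LOG = """\
12-Mar-2020 10:01:02.123 client 10.0.0.5#53211 (update.example-cdn.net): query: update.example-cdn.net IN A + (10.0.0.2)
12-Mar-2020 10:01:05.456 client 10.0.0.7#49152 (kx8q2v1zpt7.badexample.test): query: kx8q2v1zpt7.badexample.test IN A + (10.0.0.2)
12-Mar-2020 10:01:09.789 client 10.0.0.9#40001 (mail.example.com): query: mail.example.com IN MX + (10.0.0.2)
12-Mar-2020 10:02:11.000 client 10.0.0.7#49153 (badexample.test): query: badexample.test IN A + (10.0.0.2)
12-Mar-2020 10:02:15.321 client 10.0.0.12#51000 (c2.badexample.test): query: c2.badexample.test IN A + (10.0.0.2)
"""

KNOWN_BAD = {"badexample.test"}  # domain confirmed malicious during the investigation (constructed placeholder)

# Pull the client IP and the queried name out of each log line.
LINE_RE = re.compile(r"client (?P<client>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN")

def is_bad_domain(qname, bad_domains):
    """True if qname equals, or is a subdomain of, a known-bad domain."""
    name = qname.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in bad_domains)

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def looks_generated(qname, min_len=10, min_entropy=3.2):
    """Crude DGA heuristic: a long, high-entropy leftmost label. Tune to your own data."""
    label = qname.rstrip(".").lower().split(".")[0]
    return len(label) >= min_len and label_entropy(label) >= min_entropy

def triage(log_text, bad_domains):
    """Return ({known-bad name: client IPs}, {DGA-like name: client IPs}) from the log."""
    bad_hits, dga_hits = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name = m["qname"].rstrip(".").lower()
        if is_bad_domain(name, bad_domains):
            bad_hits[name].add(m["client"])
        if looks_generated(name):
            dga_hits[name].add(m["client"])
    return dict(bad_hits), dict(dga_hits)

if __name__ == "__main__":
    bad, dga = triage(SAMPLE_LOG, KNOWN_BAD)
    print("known-bad:", bad, "\nDGA-like:", dga)
```

The known-bad pivot gives you the list of hosts to isolate and image; the DGA flags are only leads for follow-up, since short or dictionary-like generated names will slip past a pure entropy threshold.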

You need to give these malicious actors some credit: they know your cyber defenses inside out and are experts at navigating cleverly around your cyber walls. Never underestimate their tactics. By gaining an in-depth understanding of how, why, and when they create these bad domains, you will make your threat hunting that much more effective.
