Greywalls reduce risk by preventing unwitting end-users from interacting, for a limited time, with domains, host names, and URLs that have no history or reputation, or that were generated by an algorithm. The DigitalStakeout PDNS greywall uses observation data and reputation intelligence to decide whether a domain or host name may be accessed right now. The greywall is designed and tuned to mitigate real-time cyber-attacks in which end-users and endpoints attempt to connect to phishing sites, ransomware downloads, or malware command and control, in the window when threat intelligence, indicators of compromise and heuristics cannot yet detect the threat.
How Does the DigitalStakeout PDNS Greywall Work?
Here are a few things that the DigitalStakeout PDNS greywall is designed to do.
The greywall learns which domains are trustworthy enough to be resolved. This is done through a learning period.
The greywall must also track untrusted domains that are not allowed to be resolved for a configured time frame.
The security administrator determines the temporary block time in the greywall.
A temporary block can be as short or as long as set in a security policy.
In most cases, the temporary block is established for a range of 1 hour to 90 days.
This temporary block gives security tools, providers, and the information security community time to discover, assess, and distribute protection or intelligence to mitigate the cyber threat.
Better than Zero Reputation and Newly Observed Domain Lists?
Advanced threat actors understand that they need to manufacture and plan attacks very carefully to avoid detection. In some cases, they will "groom" a domain to make it appear trustworthy. With millions of domains being updated and cycled every month, malicious domains slip through the cracks of global block lists.
With DigitalStakeout PDNS, you can create multiple companies. Each company's greywall is isolated. This means that new-domain observations and greywall analytics are contained to that tenant. A domain may have been observed by hundreds of other endpoints in the past 90 days; what matters is when the domain first interacted with your endpoints. Administrators set the rules on when, if ever, this new domain can be resolved.
What's an Example of How the Greywall Would Block a Threat?
End-user Clicks on Phishing Link
A threat actor registers a domain and, within 15 minutes, launches a phishing campaign. An unwitting target end-user is tricked into clicking on a phishing link. The end-user attempts to visit
https://some-evil-phishing-site.example.com/phishing-attack/login.html
Endpoint Initiates A DNS Lookup
The end-user's system attempts to access the domain some-evil-phishing-site.example.com. For the endpoint to connect to the domain, it first needs an A record with an IP address.
DigitalStakeout PDNS Order of Operations
Before the greywall feature in Securd allows its DNS server to resolve the DNS query, it runs the relevant checks to allow or deny it.
For example, the greywall determines whether a DNS query for some-evil-phishing-site.example.com has been observed before.
The greywall then decides whether some-evil-phishing-site.example.com has characteristics that prevent it from being implicitly trusted.
If the DNS query matches any block criteria, it will be denied. The user would be redirected to a block page with the reason why it was denied. All the blocked traffic would be logged for a security administrator to review.
Based on Policy, DigitalStakeout PDNS Releases the Greywalled Domain
Once the greywall hold for some-evil-phishing-site.example.com expires, the DigitalStakeout PDNS greywall will allow a DNS query to continue. With DigitalStakeout PDNS, this leads to additional measures to ensure that some-evil-phishing-site.example.com is not an active threat. The greywall is just one of many layers of protection.
If the DNS query does not match any additional criteria in the security policy, the DigitalStakeout PDNS global recursive DNS servers continue to process and resolve the request. The accepted query is recorded in passive DNS logs available for review and analysis in the DigitalStakeout PDNS Portal.
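The policy described above (a learning period, a per-tenant first-seen record, a temporary hold on newly observed domains, and release once the hold expires) can be sketched as a small resolver-side decision function. The following is an added illustration written for this page; it is not DigitalStakeout's or Securd's code, and the class, field and tenant names, the 7-day learning period and 72-hour hold, and the constructed query timeline are all assumptions chosen to exercise the decision logic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Hypothetical policy object: the field names and defaults are assumptions,
# not the product's configuration schema.
@dataclass(frozen=True)
class GreywallPolicy:
    learning_period: timedelta = timedelta(days=7)   # names first seen in this window are learned as trusted
    hold_time: timedelta = timedelta(hours=72)       # temporary block applied to names seen after learning

@dataclass(frozen=True)
class Decision:
    action: str   # "allow" or "deny"
    reason: str   # surfaced on the block page and in the log

class TenantGreywall:
    """One greywall per tenant: first-seen state is never shared between tenants."""

    def __init__(self, tenant: str, policy: GreywallPolicy, deployed_at: datetime) -> None:
        self.tenant = tenant
        self.policy = policy
        self.deployed_at = deployed_at           # start of this tenant's learning period
        self.first_seen: Dict[str, datetime] = {}
        self.log: List[Tuple[datetime, str, str, str, str]] = []

    @staticmethod
    def normalise(qname: str) -> str:
        # DNS names are case-insensitive; drop the trailing root dot as well so
        # "Foo.Example.COM." and "foo.example.com" share one first-seen record.
        return qname.strip().rstrip(".").lower()

    def check(self, qname: str, now: datetime) -> Decision:
        name = self.normalise(qname)
        # Record the first time *this tenant* saw the name; earlier sightings by
        # other tenants do not count.
        first = self.first_seen.setdefault(name, now)
        if first - self.deployed_at < self.policy.learning_period:
            decision = Decision("allow", "learned during learning period")
        elif now - first >= self.policy.hold_time:
            decision = Decision("allow", "greywall hold expired; remaining policy checks still apply")
        else:
            remaining = self.policy.hold_time - (now - first)
            decision = Decision("deny", f"newly observed domain; held for another {remaining}")
        self.log.append((now, self.tenant, name, decision.action, decision.reason))
        return decision

def demo() -> List[str]:
    """Constructed timeline: returns the allow/deny action for each query in order."""
    t0 = datetime(2024, 1, 1)
    policy = GreywallPolicy()
    acme = TenantGreywall("acme", policy, t0)        # hypothetical tenant A
    other = TenantGreywall("other-co", policy, t0)   # hypothetical tenant B, isolated from A
    evil = "some-evil-phishing-site.example.com"
    timeline = [
        (acme, "Intranet.Example.COM.", t0 + timedelta(days=2)),          # seen during learning period
        (acme, evil, t0 + timedelta(days=10)),                            # first click on the phishing link
        (acme, evil, t0 + timedelta(days=10, hours=24)),                  # still inside the 72h hold
        (acme, evil, t0 + timedelta(days=10, hours=72)),                  # hold expired, released to later checks
        (acme, "intranet.example.com", t0 + timedelta(days=20)),          # learned name stays trusted
        (other, evil, t0 + timedelta(days=13, hours=1)),                  # tenant B's own first sighting
    ]
    return [gw.check(q, at).action for gw, q, at in timeline]

if __name__ == "__main__":
    actions = demo()
    print(actions)   # expected: ['allow', 'deny', 'deny', 'allow', 'allow', 'deny']
```

The last timeline entry is the point about tenant isolation: tenant B queries the phishing domain after tenant A's hold has already expired, but B's greywall has never seen the name, so B gets its own 72-hour hold. Every decision is appended to the tenant's log with its reason, which is what a security administrator would review for the denied queries.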