58 — Securing DNS with Peter Lowe of DNSFilter

Shiva Maharaj Kontinuum 0:00
Good morning. Today we have with us Peter Lowe and our favorite vam, Brian Weiss from ITECH Solutions. Peter, should I be giving DNSFilter my money? Hey,

Peter Lowe DNSFilter 0:09
hey, a few minutes ago, just to call the recording some things I did say that not much to do with the product. So the big so, I mean, yes, obviously, because we’re the best in the business in

Shiva Maharaj Kontinuum 0:20
general. That’s it for the day. Thanks for coming. Yeah. So what exactly do you do over there, Peter, just so everyone has a little context.

Peter Lowe DNSFilter 0:27
So I head up the domain intelligence side of the company. So we have inside the company the DST IP, which is main data science and domain intelligence. And together we own the research side of the company; we own the data, the DNS data, and the data sciences they’ve decided, and they look at the data and try to build out new information for us, and domain intelligence uses that data and tries to make it better. So we have a tight feedback loop with them, where we process domain reports from customers, whether incorrectly classified domains or new things that we missed. But we also ingest all the bad, like 60 different feeds from different places that we pull in. And we have our trigger product behind the scenes, which does content classification of websites to detect threats and classify, because we have, you know, all sorts of different content categories as well, like social networking and job sites and idle content and stuff like that. That’s the sales pitch. What

Shiva Maharaj Kontinuum 1:35
type of threats are you guys seeing these days or working on identifying?

Peter Lowe DNSFilter 1:39
So I mean, obviously, we focus on the DNS side of things. And pretty much the usual stuff, I don’t know if the usual means much to you guys. But so we’re looking at DNS tunneling. We look at just malware that’s being hosted somewhere; we protect on two fronts. So we prevent people getting infected in the first place, or prevent getting attacked, by hopefully stopping them ever getting to stuff that is able to infect. But then afterwards, there’s a million other ways to get infected other than, you know, a domain. So it could be a URL, or buy or Pepsi or a dodgy USB stick or whatever; then if that happens, then hopefully we can protect people against the, we can mitigate the effects of being infected. So one of the big things we do is prevent access to C2 servers, which is the main way of controlling a piece of ransomware that might be installed on your network. So if you are infected, then hopefully, what you have actually won’t be able to do anything and won’t be told to encrypt any hard drives on your network. That’s one of the main things, and phishing is probably the single biggest thing that we protect against. And again, we try and prevent people from being affected if they click a dodgy link in an email. So the other thing I should mention is that you do have to create a policy which protects you from these threats as part of DNSFilter; you have to go in and say, yeah, I want to protect against phishing or malware. So yeah.

Shiva Maharaj Kontinuum 3:22
What type of threats are you guys seeing now? That, you know, Europe is on fire or Ukraine is on fire?

Peter Lowe DNSFilter 3:29
Ah, well, I mean, the types of threats probably haven’t really changed. But where they’re coming from has perhaps changed a little bit. So we did something on this recently where we looked at malicious domains that we’d seen since August, and there’d actually been quite a big uptick coming from .ru events. Since August, overall it was something like one or 2% of all the malicious events we’ve seen, but percentage wise, it was something like a 400% increase since then. So I don’t have the figures that actually I have, but yeah, it was. It’s difficult to draw conclusions. But it supports a hypothesis that cyber activity has been increasing from that part of the world in the last few months.

Shiva Maharaj Kontinuum 4:38
Now, are you guys tracking the origin meaning, I guess, geographic origin, these IPs or these DNS queries,

Peter Lowe DNSFilter 4:47
we can too, we do kind of, but we don’t. We have where the request IPs are coming from, but that’s our clients. And we have the IPs that they resolve to. But that varies. And so there’s, you know, it doesn’t change that much, really; like the actual statistics, the numbers don’t vary that much between the deities and the geographic locations. So trade advisors, what we look at, is fairly consistent.

Shiva Maharaj Kontinuum 5:24
Okay? The reason I ask is because we’ve been seeing a lot of C2 servers being stood up in South America and the Caribbean, more so than just being in Europe. That’s,

Peter Lowe DNSFilter 5:35
that’s really interesting. That’s something that I could look into. Yeah, spikes like that. The kind of thing that we look at, if if we noticed something. So how recent of these?

Shiva Maharaj Kontinuum 5:49
We started seeing it in late November? And then okay, it really took off in early January, I would say, Have you

Peter Lowe DNSFilter 5:57
done any investigation into the actual, like the service and everything has a particular any particular malware actor, or

Shiva Maharaj Kontinuum 6:04
it’s a lot of the usual players. Now, we’re seeing a lot more of Lapsus$. But, you know, I think a lot of these ransomware operators, they operate in waves. And yeah, I’ve always been of the opinion when one particular group is not doing anything, they’re actually at home, refining their TTPs and their product to come back stronger. You know, whereas we rust, we, in general, the end users tend to rest on their laurels. But it’s just, it’s interesting, because we started seeing the spike late last year, and especially early this year, and now everything’s going on in Ukraine, which makes me wonder, have they been moving their area of operation? Yeah, it’s

Peter Lowe DNSFilter 6:48
very difficult to see, to say, isn’t it? I mean, what do you think, first of all, I mean, do you think that’s the case? Or do you think it’s just a coincidence?

Shiva Maharaj Kontinuum 6:59
I don’t believe in coincidences, I think, okay. I think, deep down, some group of people knew what was going to happen. And if they’re smart, which most times, more times than not, they are smart, they will spread out their infrastructure in places that are friendly to where they have been operating from. And traditionally, a lot of the ransomware groups, as far as I know, and I’m an idiot, so I know nothing, they’ve operated out of Ukraine, or a lot of the affiliates have been out of Ukraine. So if they knew that was going to become a highly contested area, it would make sense for them to spread infrastructure outside of Eastern Europe.

Peter Lowe DNSFilter 7:41
That’s really interesting. I was thinking that the hypothesis might be, your inference might be, that it was Russia themselves who were trying to move their infrastructure away from Russia, like so the Russian government would be

Shiva Maharaj Kontinuum 7:58
I wouldn’t carve them out of that. I would say them, I’d say their affiliates, the operators. I mean, let’s look at it in three groups. Right. You have the Kremlin, then you have the actual ransomware group, and then you have the affiliates. Yeah. And I would say any one of those three groups, it would make sense for them to operate outside of Eastern Europe.

Peter Lowe DNSFilter 8:17
Yeah, what I found quite surprising, actually, was that it seems there’s less of a connection, and then again, this time, I don’t think as well, there’s less of a connection between the government and the groups themselves. And it’s definitely something, but like, it feels like in the past few weeks there’s been less, fewer attacks than I would have expected, fewer direct attacks on Ukrainian infrastructure.

Shiva Maharaj Kontinuum 8:45
You know, I was floating this idea on Twitter with one of the guys from Recorded Future that I know. Oh, yeah. And I said, because everyone’s asking, why isn’t Russia doing its cyber warfare? Right. Why hasn’t Russian cyber ops leveled Ukraine? And yeah, my thinking is, there’s already war and suffering going on over there. The world has been suffering with supply chain issues; if you look at some of the larger hacks in recent times, Denso, Nvidia, chip manufacturers, that will further constrain the supply chain. So I think that’s where the cyber warfare is gonna be. And if any country goes off for other countries’ critical infrastructure, that’s a declaration of war. Not that, you know, sending troops in isn’t, don’t get me wrong. They’re right. You know, you don’t want to spill over into someone’s systems that gets a third party into the, yeah,

Peter Lowe DNSFilter 9:44
I kind of agree. I think they’re also quickly reevaluating how they kind of do it as well. I think it might be ramping up. The thing that surprised me was that it seems to be more like it’s cheaper to send lots of cyber attacks than it is to send real people, but maybe Russia just doesn’t care about that side of things.

Shiva Maharaj Kontinuum 10:07
I just think the plan is just to do it all. Why limit yourself? I mean, as bad as that sounds.

Peter Lowe DNSFilter 10:13
Yeah. Well, okay, so I saw a really interesting, this isn’t specifically to do with cybersecurity, but I saw a really interesting comparison of American companies versus Chinese companies, so people who’ve worked at Facebook and at TikTok, and they were talking about how in TikTok, they don’t have automated testing as part of the software development lifecycle. They don’t have like unit tests and stuff, they just have massive QA, because labor is so much cheaper, that they just brute force it basically, everything that’s released, even if it’s like a multi level theme, a little tiny feature. Oh, yeah. And they have specific product teams for each tiny feature. Because they have so many people working there, they don’t need automated testing. But in Facebook, it’s a totally different situation. And also, there’s four times as many PhDs in China. So maybe that’s kind of a similar thing with Russia, they just have more soldiers to throw at the issue. But you’re right, definitely, yeah. Sorry.

Shiva Maharaj Kontinuum 11:16
How? Brian, you want to hop in? Yeah. Sorry, Brian.

Brian J. Weiss 11:21
I’m enjoying the conversation. Yeah, I mean, I’d love to talk more about DNSFilter, but we can talk about Russia more too.

Shiva Maharaj Kontinuum 11:32
theatres from DNSFilter. Let’s talk about Garth. How can Brian Trump? How is your intelligence in the company helping Brian protect his customers from Russia using DNSFilter? Well, I

Brian J. Weiss 11:45
have a couple questions. I am curious kind of where you fit in on the intelligence sharing, right? Because, obviously, you identify these IPs, you know, via DNS routes that are trying to happen that are malicious. Right. And that IP information, that’d be valuable for, say, a firewall company for their definitions, right, to kind of know that. So talk a little bit about that. I mean, you gather all this intelligence. Do you get intelligence from other sources as well? Do you share out the intelligence you’re gathering? And how does that work?

Peter Lowe DNSFilter 12:20
So the big question, first of all, we do some limited intelligence sharing. And I’m part of a couple of groups that are specifically to do with CTI or DIC, threat intelligence coalition, and cyber threat intelligence, that are kind of trying to work together to do more for each other. It’s a big industry, it has a big problem with sharing intel. Because it’s part of everybody’s secret sauce, it’s one of the things that gets you revenue, right? Yeah. And it’s one of the key factors that people look at when they’re choosing who can protect them best, who’s got the best route until. It’s a bad thing for the world as a whole, because, you know, we could probably solve a lot of our problems if everybody shared all their threat intel. So I would like to do both. Personally, I’m a geek, I’m a tech guy, I want to share more, but I’m limited in what I can do. But there are a couple of things that we’re looking at. This one group that I’m part of, it’s got some really big people in it, like Google and Microsoft and stuff. But it’s quite small. And, you know, talking one to one, but it’s not very active. Also, we have someone starting soon who’s going to be focused entirely on threat intelligence. And one of the big things I’d like him to do is set up some regular way of threat intelligence sharing, so that we can, you know, give out the data that we have in some way that doesn’t lose money, basically, and you know, there’s a couple of ideas we’ve got, which I don’t really want to go into the details of because

Shiva Maharaj Kontinuum 14:15
a live thing on the top with this is recorded, and we’ll put it out later. We won’t have to let everyone know what you’re talking about. Don’t worry,

Peter Lowe DNSFilter 14:22
right. Now, it’s a couple of things that we look at. I genuinely, I really hope they will, and I’m hopeful that things are gonna happen. There’s another challenge inside DNSFilter. We’re expanding a lot. So you know, last year we got funding and it took a couple of months for that to be allocated. And then we went through this massive hiring phase. We’re still in the hiring phase. So we’ve got a bunch of people coming in and we’re adjusting to subprocesses, and my team has grown quite a bit. Which is great, because I am able to take off a few of my hats. Like I mentioned before, you know, at one point I was doing sales for Webshrinker. I don’t know if you’re familiar with Webshrinker. It’s the, yeah. No, sorry. No. So the story behind Webshrinker is, before 2018, I think it was, DNSFilter relied on intelligence feeds from external sources to classify domains. Then they came across Webshrinker, which is an AI that can go off and automatically classify any website. And there’s a bunch of different indicators for it in there as well. DNSFilter liked it so much, they were a massive customer to begin with. And what flickr.com, if you want to take a look, it’s still its own product, they acquired Webshrinker. Partly because it was cost effective, but also because they didn’t want other DNS filtering companies to get their hands on it. So that’s one of the main things that does the content classification for DNSFilter, and it’s able to proactively identify. So after I’ve derailed myself, though, a sales pitch

Brian J. Weiss 16:14
for where we know we’re talking intelligence, just kind of sharing it, right, because I see one of the issues I have is I have all these different security products that all get their own intelligence somehow. Yeah. And I’d love them to be able to share that intelligence, or I’d love to be able to say, hey, DNSFilter knows about all these bad IPs, why can’t I make sure my firewall is just auto blocking those all together? Right? Why is my firewall depending on a different set of intelligence that may not block that IP? So now I’m having to rely on DNSFilter to do it. Right.

Peter Lowe DNSFilter 16:48
Well, I see where it’s coming from, but there’s no silver bullet in security. There’s no

Shiva Maharaj Kontinuum 16:55
There’s the onion. Everyone says the onion works. Money?

Peter Lowe DNSFilter 17:00
Well, money, right? Well, I don’t know, funding is the silver bullet. But yeah, I began to notice a white, it’s an excellent, easy to deploy layer to protect you against a lot of stuff online. But you’re still gonna need other ways. With IPs, you’re gonna get a ton of false positives as well. You know, shared service, you’re gonna block a lot of legit content, and DNSFilter as a service, one of the focuses we have is avoiding false positives. For a, yeah, sure. Now,

Shiva Maharaj Kontinuum 17:30
I’ve never used DNSFilter. Actually, oddly enough, someone called me from the inactivity, yeah,

Peter Lowe DNSFilter 17:36
I’m out. I’m going, Hey,

Shiva Maharaj Kontinuum 17:37
I’m doing a demo with you guys tomorrow. Someone called me yesterday, like, hey, have you heard of us? And I’m like, I do an episode with Peter tomorrow. And I think it was probably like some outsourced sales company, because he didn’t know what I was talking about. He’s like, oh, well, can we set up a call? I’m like, sure, why not? Let me, you know, take a look at it. With that said, is DNSFilter agent based? Yeah,

Peter Lowe DNSFilter 18:00
we have a deployment method. It’s not totally agent based, and can be based on other ways of using it. But you know,

Shiva Maharaj Kontinuum 18:08
so are you familiar with Sophos, the AV and firewall company?

Peter Lowe DNSFilter 18:13
I’ve heard of them. Yeah, I think small company. Things about Yeah.

Shiva Maharaj Kontinuum 18:17
I used to be a user of them. Brian here is, they, part of their AV package allows for web filtering. I’m just using them as an example, because I kind of know, I spent a lot of time using them, I know them very well. Is there any version of an integration between DNSFilter and something like a Sophos Endpoint Manager or Sophos endpoint protection agent where, through API, you can feed your block list to them? So now it’s one less agent for me, as a provider, to drop onto something, especially with work from home?

Peter Lowe DNSFilter 18:56
I think with Sophos, I don’t know if we’re talking to them or not. I don’t know if there’s an integration in development or not. I’m sorry,

Shiva Maharaj Kontinuum 19:03
not for them. Just the idea that you’re feeding into an AV platform that already has a module to control the Windows Firewall?

Peter Lowe DNSFilter 19:14
I? That’s a really good question.

Shiva Maharaj Kontinuum 19:18
I think, yeah,

Peter Lowe DNSFilter 19:20
I’ll send you a discount code for three months. I like that.

Shiva Maharaj Kontinuum 19:23
30% better. But to me, I think that would be really interesting, because especially with most of the security products in some version of a command and control infrastructure, I would think it can save you as a company dead time if you can integrate with their platform, feed them a block list, so to speak, or the policies, and let their agent do the heavy lifting. Well. Yeah,

Peter Lowe DNSFilter 19:48
I mean, I can see that, well. You know, if you want to integrate the solution, that’s fair enough. I think that’s definitely something the company is looking at. The problem, or not the problem, but one of the challenges is which way do you come at it from: do we add that capability to our service? Or do we integrate with someone else who’s already doing it? Or is there some kind of bridge that does? But there’s also advantages you get from DNS filtering that you won’t get from a secure web gateway, which is it’s faster; DNS lookups are, you know, sub 10 milliseconds. So you’re gonna get a response back saying that’s bad instantly, all by itself. But with the secure gateway, it’s gonna take a little longer to get that feedback. So,

Shiva Maharaj Kontinuum 20:37
okay, I just thought it would be an interesting way to add you guys in, and you become more of a threat intel company, as opposed to a product company, if that makes sense.

Peter Lowe DNSFilter 20:49
Yeah, yeah. Yeah, it helps

Shiva Maharaj Kontinuum 20:53
the brains of the world.

Peter Lowe DNSFilter 20:55
You know, I, again, I don’t want to talk too much about the product, because I’m probably going to embarrass myself and say the wrong thing. But definitely talking about different ways we can have that kind of capability. So

Brian J. Weiss 21:08
So I mean, that’s the IP at DNSFilter, right, is you’ve got your threat intelligence, and you’ve got your efficiency at which you can deliver it, right. But there’s a couple other things too, that are kind of, you know, one of them’s already here, DNS over HTTPS. I was wondering if we should dive into that at all. The other thing is your new AppAware platform. I really like the direction that’s taking. I don’t know, Shiva, if you want to dive into any of those.

Shiva Maharaj Kontinuum 21:41
Why not? Hey, as long as I learn something on both big topics. I would much prefer secure DNS, if Brian’s okay with that. We’re both on the journey of doing encrypted DNS, encrypted DNS, sorry,

Peter Lowe DNSFilter 21:55
yes, yeah. Sure. So we’ve supported DNS over TLS since day one, pretty much, as far as I know. That is essentially the same protocol as DNS, but it uses a different port, and it has an SSL handshake or TLS handshake that happens. So it’s like the difference between HTTP and HTTPS. It’s almost like that, and that was very close. DoT has been around since about 2016, I think; the RFC was ratified, was made official then. DoH, or DoT and DoH as people call them, has been around since about 2018. And the idea is it’s supposed to be more resistant to privacy invasions, because by tunneling DNS traffic over the HTTP port, which is port 4443, it kind of looks like web traffic, so it’s much harder to block. So you can’t just close off port 853, which is DoT, and prevent encrypted DNS. Yeah, there’s a lot of issues with it as a protocol. Because in some places it’s had almost the opposite effect. There are countries where they have nationally managed DNS blacklists. And that’s been an easy thing for them to implement, and they can block DoT and just put in, I worked for a gaming company a while back and they had example.com as their main domain. But they also had preregistered example1, example2, example3, example4, example5, all the way up to example50.com, because they were so used to getting added to the national blacklist, because gaming is illegal in Turkey. And it was built into the system to switch over to your domain. That kind of thing, in places like that, is real. And what DoH has done is it’s implemented a bypass to that. And now the country is going to have to invest more in deep packet inspection and other ways to control what people are looking at. So it was intended as a privacy thing, but it actually kind of didn’t work out that way.
Also, some people might say that some companies who are providing DoH service, like Google and Cloudflare, may have had a vested interest in promoting it and making sure that the technology succeeded despite some of the issues. Another thing is the fact that it was implemented on the browser level to begin with. So you can configure your own DoH server in Chrome or Firefox. And that, again, bypasses any kind of system level DNS settings that you have. So for example, at the beginning, if you used DNSFilter, any of the people on your network, any of your end users, could just go and change their DNS server inside Chrome, and they wouldn’t be getting the protection from DNSFilter. So, we do have a DoH server. And it is available; I think there’s some details on the support website. But there’s a whole bunch of other things, like the fact that it’s being introduced in macOS and iOS and Windows. And, um, you know, you could configure it at 50 different layers and different apps, and it will be different, and you could miss one of them, and then that will be affected. I’m not a huge fan, I’ll have to say. It’s slower as well, because it’s got the overhead of sending the HTTP packets back, as well as that they asked how old. Sorry, I’ve still ranted, Shiva. All of these things are being looked at. And they’ve been flagged, and you know, there’s things like, if you have a group policy configured on my Android device, then Chrome won’t automatically try and use the prevented in use. And there’s a canary domain for Firefox and all sorts of things like that. And the DNS servers are being optimized so that the round trips are getting much closer to standard DNS. But it shouldn’t really be like that in the first place. And there’s some people who will say I’m completely wrong, by the way, that it’s the best thing ever.

Shiva Maharaj Kontinuum 26:12
How does DNSFilter deal with this? And C2 domains, or ransomware, or malicious actors?

Peter Lowe DNSFilter 26:22
What DNS? It’s tricky, is the real answer. Because if a DNS filter company gets bypassed, they can’t do anything. Really, there’s a couple of things, actually, that’s not true, we can. So with Firefox, for example, there’s a canary domain, which means that it’s a special domain that we respond to in a special way. It’s called use-application-dns.net. And if you query that and get a no error response, then Firefox will not try and use DoH. So it’s just a way of indicating that the network you’re connecting to doesn’t want you to use anything different other than the system level DNS server. Chrome has a thing where it tries to detect the Group Policy on the device. And that will work around the local DoH settings. I think Windows has another way of looking at it. And I think Apple has another way for iOS and macOS. So there are things that are, you know, workarounds, but it’s a pain in the ass, I have to say. There’s a new thing called DDR, which is dynamic designated DNS resolver. And these are special domains which you can query when your device connects to a network. And it can tell you what are the desired servers to be used. So you say, what is _doh.something.arpa, and it will give you back an IP address and how to access the, or that you do. He will be the 70. So there are mechanisms that are being worked on.

Shiva Maharaj Kontinuum 28:08
Now, with your agents, can you force DNS resolution through your servers?

Peter Lowe DNSFilter 28:13
No, if the application doesn’t try and use the agent. Okay? If an app tries to connect externally to port 443 on something, it’s going to be allowed. If it’s a browser, it’s going to be allowed. So DoH, it causes a real problem for companies like us.

Brian J. Weiss 28:34
Yeah. Now you see what I’m talking about, I would love your intelligence in my firewall, right?

Peter Lowe DNSFilter 28:39
Yeah. That’s, there’s a couple of, I mean, I know what you mean, but we would have to, that’s DNSFilter would have to cooperate with Biola. Which, which you suppose, but then someone else uses coffee and someone else uses Knowlton. Oh, no them a copy of saving these days.

Brian J. Weiss 29:01
Yeah, I mean, I would just go straight to Microsoft and be like, hey, we’re gonna work with Microsoft firewall first. Right? I mean, I don’t really need it at my gateway.

Peter Lowe DNSFilter 29:11
It’s questionable how you would interact with the Bible, it’s tricky.

Shiva Maharaj Kontinuum 29:18
Yeah, then Brian means the Windows Firewall. Right?

Peter Lowe DNSFilter 29:21
But then how would the Windows Firewall know which domains are bad? If we go to Microsoft, we can. Do we sell it to them, license it to them, they

Shiva Maharaj Kontinuum 29:28
use? They’re doing it with sign up, I think, really good. One of those, it’s a company that does DNS lookups, starts with a C, I think it’s sign up, I’m not sure. And they give you, I think, two months free and then you have to pay for it after, as a Microsoft E5 customer or Business Premium customer. And at that point, they’re tying it into Endpoint Manager or the ATP Endpoint Protection, so you guys can look at the link offline.

Brian J. Weiss 30:03
And, you know, yeah, you could go the route of licensing through Microsoft, or just build an integration, and then make your money through the direct end customer, right? Hey, I use Microsoft Windows, I want this extra feature from DNSFilter that I’m not already getting. So I pay DNSFilter for it, right? Is there

Shiva Maharaj Kontinuum 30:23
a way to encapsulate all the data going in and out through your agent on a Windows computer? Because that would be easier to do than going and creating an integration that

Brian J. Weiss 30:32
went in the place? That would be more of a proxy approach, right?

Peter Lowe DNSFilter 30:36
Well, we have a relay client, which is a kind of proxy. But that normally sits on a server somewhere. So it’s getting into an area where I’m not so comfortable, to be honest. I can focus on the actual threat intelligence and what we’re looking at and where we get it from and how we use it. But it’s the product integrations that are rocky ground for me, I’m sorry,

Brian J. Weiss 31:01
do you provide intelligence to your partners on best practices, right? For DNSFilter, you protect a certain layer, but I’m sure you could have other layers unprotected that could potentially render DNSFilter, you know, someone could bypass it, right? I mean, there’s certain things you might want to have set up in place alongside DNSFilter, right, to help it work better, right? I mean, is there anything? I mean, there’s one thing I can think of, especially around this DNS over HTTPS, is you’re limiting browsers, you’re only letting the end client use one browser, right? That then DNSFilter can keep a better eye on, versus, oh, they’re using all these other browsers, and how are these other browsers configured that we don’t know about? Right?

Peter Lowe DNSFilter 31:56
Interesting question. I know that we have, as a company, we’re trying to provide a zero trust infrastructure for people. And we think that is basically the best way to go, where you don’t trust anything by default. But for other practices, I think we do have some documentation in the support docs, but I don’t really know where it is. Interesting question. I think I might fall off, you’ve got insanely

Brian J. Weiss 32:27
well, you brought up a good point, right? Like, Google Chrome can literally be programmed, if the end user had the right, you know, role access, to bypass your product, right? And then, so, you know, it seems like that type of thing should be made aware, so that we’re not using your products thinking that we’re protected, when really we aren’t, right?

Peter Lowe DNSFilter 32:52
Yeah, well, the one thing you can do, and we recommend people to do, is to block it: whatever policies you have set up, block the proxy and filter avoidance category. That does a lot of the heavy lifting in preventing people from circumventing DNSFilter in the first place, and other filtering stuff that you might have in place.

Shiva Maharaj Kontinuum 33:15
How does AppAware work? Because I’m thinking, depending on the answer to that, that can help with a lot of those, getting to a zero trust ish, temporary, yeah, Oscar?

Peter Lowe DNSFilter 33:25
Yeah, that’s one of the types of it, is to try and block things that you don’t want used. So when you say how does it work?

Shiva Maharaj Kontinuum 33:35
What is it? What is the product?

Peter Lowe DNSFilter 33:37
So basically, your application? Well, beforehand, you could come in and say, I want to block job websites, or different categories of domains, we have about 40, and AppAware is where you’re able to block specific applications. In a nutshell.

Shiva Maharaj Kontinuum 33:53
Okay, so like Dropbox, not to pick on them. But it’s just the first thing that came to mind.

Peter Lowe DNSFilter 33:57
Yes. Okay. Well, when you mentioned it earlier, I said all that that’s a pain in the ass. Because it seems kind of simple as a concept, you’re able to block individual apps. But on the when you get into the details, it’s a lot. Like it’s a lot more complicated than you might think. For example, when we started off, we had a lot of things like I want to block x, x turns out to be a lot like a lot of different products, and then other sub products, and then those products conflict with other things. And then one of them will change be sold off to someone and yeah, so management, all of this is it’s tricky. We have something what we call an ecosystem app. So this kind of lobbying basically. So when you say you want to block me and what do you mean exactly. Do you be

Shiva Maharaj Kontinuum 34:49
lucky the Indian call centers into your computer? Right? I can say that.

Peter Lowe DNSFilter 34:54
Yeah, I’m not good. Yeah, so let me get you up. They have a Some of the products and services and think that originally we had we had on the list, Amazon, which, you know, what does that mean?

Shiva Maharaj Kontinuum 35:07
How Gary? Yeah. Have you ever shopped at the middle of my workday that I’m paying being paid to do something else?

Peter Lowe DNSFilter 35:13
Yeah. And actually, refining the associated domains is tricky as well, because one of the common things that we have was that people want to block Fortnite. Like, parents want to stop their kid playing Fortnite all the time. But that actually turns out to block a whole bunch of other things. So yeah, that was tricky. Because the set is used by Fortnite. Oh, sorry, all

Shiva Maharaj Kontinuum 35:41
AWS. So it’s all shared infrastructure to some degree. Yeah.

Peter Lowe DNSFilter 35:44
But the debates are actually quite a lot of it is AWS, but the domains are what we’re blocking, not there. Okay. They don’t point to actual amazonaws.com.

Shiva Maharaj Kontinuum 35:55
There was a product that you see, I used to use ConnectWise Automate, and there was a plugin called Third Wall. Fair enough. You’re familiar with it? I’m not, sorry. There was an option where, you know, they gave us a checkbox, I’m sure there’s a lot smarter people in the background doing that coding. But you can block various types of storage accounts, websites, email providers. So if you wanted to block someone from resolving to, say, Gmail, you checked that box, and it makes the registry changes. And that’s it. You couldn’t get to Gmail from that computer unless you effectively changed that registry entry, or unchecked the box. Whoa, you got it. Third Wall? Yeah. Yeah.

Peter Lowe DNSFilter 36:37
Okay. I’ll take a look. It’s interesting. I think there’s a whole group of companies under the application intelligence area, which is much more detailed than just the domain. So this, you know, registry keys that some of them did.

Shiva Maharaj Kontinuum 36:58
Third Wall did everything, for the most part, via registry keys. So you can, you know, back then they made it really easy to prevent people from using USB devices and locking down the security of a cover endpoint. A lot of different products have come a long way since then. But I was just curious if you were doing it, blocking the applications the way they do. So how are you guys blocking the app? Or, what exactly is AppAware? Well, because I think I might have missed that is,

Peter Lowe DNSFilter 37:28
you come in to your policy configuration in DNSFilter, and you say, I want to block Skype, or Facebook Messenger, or Fortnite. And then the domains associated with that service or application or platform or whatever app we call it should then stop functioning.

Shiva Maharaj Kontinuum 37:52
Okay. And this, do you need the agents on for this?

Peter Lowe DNSFilter 37:56
No. Okay, use any deploy method. So the agent is just a handy way of getting your DNS requests to our servers, but you can access it by direct IP address, and sorry,

Brian J. Weiss 38:08
so I was gonna say it blocks it using DNS, right? Yeah, there’s no, there’s no. Shiva was wondering if you actually go into the iOS and cheese there, you know, right. Yeah. So yeah. And the idea is, it’s really the the IP, there’s really the intelligence, right? If you think about, like, we’ve got this desktop app frontier that we’ve had, right, where everyone is running all these desktop apps, and we got to be worried about which ones we want to allow not allow pretty easy to do with some tools that are out there. Now you remove local admin, use a third party tool, you can easily lock that down, create your whitelist blacklist, it you know, it does checks for you, if you’re unaware of the desktop app, whether or not it might be safe, right. So on the fly, you can kind of identify that. But we’re moving away from desktop apps, right? Like the new frontier is all cloud apps. I can’t I personally can’t wait till I don’t have to support desktop apps anymore. Right? But then But then you look at that, that security layer that you had in place to meet that control. And it’s not working anymore, because we’re dealing with cloud apps instead of desktop apps. So now what what what new control are we going to put in place to manage a cloud app policy?

Shiva Maharaj Kontinuum 39:26
Right see zero trust block everything and allow one at a time when people yell scream and complain?

Brian J. Weiss 39:34
That’s the boil the ocean approach? I guess right?

Peter Lowe DNSFilter 39:37
It’s fun though.

Brian J. Weiss 39:41
So so I you know, I was really happy to see your your product come out. I feel like it still has. It’s got a lot of potential. I could see it going into even maybe role based blocking, right? Like, hey, this user can go to Facebook, but they can only do these items on Facebook, right? Because you are going to have six you where companies can’t just straight up block a full app, but they might want to block certain aspects of it, or people allow certain people to do. Yeah, obviously down to the user level,

Shiva Maharaj Kontinuum 40:11
the owner should be able to see whatever they want. But everybody else should not be able to go on amazon.com. At work.

Brian J. Weiss 40:19
So so what I’m, I’m really curious to know, too. Are you part of that team at all? Are you just kind of domain intelligence that works with that team?

Peter Lowe DNSFilter 40:28
Well, the, the Yeah, yes, I am part of that team. I have the product side of it that about, you know, the feature side, but but that falls under what we know about domains, we know that a domain is associated with a particular application.

Brian J. Weiss 40:44
Yeah. So in a way with AppAware, you’re kind of keeping updated definitions of what are all the domains that are associated with this app, right? Yeah.

Shiva Maharaj Kontinuum 40:53
Are you publishing? Publishing is a very loose term here. Within the portal, are you publishing what that client, are you publishing a list of domains or products that client is going to? And then, yeah, choose to block that? Or is it just one big master list that you choose from? Or both? Let’s say, for the sake of argument, your list only has Microsoft, Google, or Apple, right? And then an endpoint reports to say, hey, we are going to yahoo.com. Does yahoo.com now get added to the list as a site or domain that has been visited by someone in that company? Yeah, well, we have full reporting for all DNS requests, and then at the bottom of our block. Yeah, well,

Peter Lowe DNSFilter 41:41
I don’t know whether you could do it directly from the query log, but you can we have, so we have reporting, which is a kind of aggregate overview of what your network has been doing. And then we have the query log, which is like what the each individual DNS request that’s been sent from the network.

Shiva Maharaj Kontinuum 41:59
Okay, no, so sorry, what I was put on that was, is there a list that’s generated for that client, dynamically based on the traffic? And then from that list? Can you add or can you block or whitelist? I guess, is the question. And so to go through a full list of all the applications that you guys may already have, or know,

Peter Lowe DNSFilter 42:19
Oh, I see. So you see a domain being accessed. And then we could say that’s associated with X, app x, and then you can block app X, and that’ll block everything else relative,

Shiva Maharaj Kontinuum 42:29
or Whitelist, whatever you want to do.

Peter Lowe DNSFilter 42:32
I don’t think that’s actually been built as the first version. But that’s a really interesting idea. Shiva sold

Brian J. Weiss 42:37
some of my fire, because I was gonna actually jump right into some things I’d like to see with the AppAware that I think are definitely needed, and it really comes down, it’s around those discussions with the client, right? Now you go in there, you have a list of currently supported cloud apps. And it’s like, hey, do we want to allow these or not allow these. I use another product called Augment, which takes a different direction. And it actually does exactly what Shiva just mentioned. First, it collects data on all of the cloud apps being used by the organization, then you sit down with the client and have the discussion of which ones do you want to allow or not allow. And then typically, you know, if it’s a larger client, where maybe they’ve even got an in-house SOC, they’re having weekly meetings where they’re reviewing new sites, or new apps, that were accessed, right, and whether or not those should be allowed moving forward. So it’s this idea of kind of security and compliance, you know, taking the next step and understanding that, hey, because we’re using this tool to appease a control in our security framework, we also need a way to easily report, update, understand what people are using, so we can classify on the go. And it’s more of an organic way to create your policy versus starting off with some predefined list that you don’t really have intelligence on what your users are even using in the first place. Right.

Peter Lowe DNSFilter 44:08
Yeah. So I mean, that that really comes back to what I mentioned before about application intelligence. That’s what those kinds of companies provide, much, you know, on a much finer grained level than we did. We were kind of we saw a need for for this for this feature. And that’s what we’ve implemented so far. But there are, you know, there’s a plan, this is v1,

Shiva Maharaj Kontinuum 44:31
you know, there’s, you know, there’s one thing based on what you both have been talking about that I would like to use something like this for, and that’s to identify shadow IT.

Peter Lowe DNSFilter 44:40
That’s hopefully coming, but I cannot give you a timeline. Okay, because

Shiva Maharaj Kontinuum 44:45
that’s the bane of my existence, right. No matter how tight you think you can keep a client’s network for installations. There’s always something that can slip by and I’ll use Zoom as an example because you don’t need to elevate privileges to install. You can just go ahead and balance zooms, installers sneaking kind of the point of it, right? Yeah, right. It’s

Peter Lowe DNSFilter 45:06
doing its job I suppose. But

Shiva Maharaj Kontinuum 45:09
something to help me identify shadow IT would do wonders for me. But on top of that is giving me that option to say, okay, we just found out that our users are using this. Let’s just check a box and block it. Now. One takeaway, and Brian, maybe this is something you would enjoy, because Brian’s going more into the enterprise. I don’t want to say he’s leaving the SMB, but he likes the enterprise. And I don’t know if this is a question for you, or maybe I’ll ask the demo tomorrow. Can end clients log into your portal? So if they had an internal compliance department, they can run their reports and choose who gets blocked from what?

Peter Lowe DNSFilter 45:50
Well, if you’re using the agent, I think you can assign policies to enable your users. I think, and then you could have a custom policy, which would block different things for different people. I know. Yeah. We pass on that information. Yeah, so I think it’s technically possible. Again, I’m sorry, guys. This is so blurry. It’s fine.

Shiva Maharaj Kontinuum 46:14
I mean, I could get it tomorrow. But it’s yeah, we are back question just because, Oh, here’s another question for you. Are you channel only? Or do you sell to anyone that comes to you,

Peter Lowe DNSFilter 46:24
I think pretty much anybody can get a 25 Chroma count for home use. And I’m

Shiva Maharaj Kontinuum 46:30
pro that like, I’m not a fan of channel only. So now, consider this, when you have an enterprise that comes directly to you guys, they have a chance, or they have a compliance department. And they’re gonna want to run reports, and they’re gonna want to restrict certain people. Maybe they have an Azure Active Directory group that’s allowed to go to Facebook, but no one else is, that will be something interesting for you guys. And I can raise that. But tomorrow’s call,

Peter Lowe DNSFilter 46:56
I think your biggest surprise, I know we have Active Directory sync. So you can synchronize with your AD groups and then configure policies based on that. Data sources. So that was a big project that was done last year. I think

Shiva Maharaj Kontinuum 47:14
it all, it’s all the same time, the last two years have just been one big ball of nothing.

Peter Lowe DNSFilter 47:20
Carrying thinking that are what we need. Now. It’s an alien invasion. And the robots to rise up against this, and I think we have all the apocalypse is covered.

Shiva Maharaj Kontinuum 47:30
I think the you know, with all the drones being flown around these days, the robots are carrying

Peter Lowe DNSFilter 47:34
it this way, you know, then it’s just one off bingo. Right?

Shiva Maharaj Kontinuum 47:38
Let Amazon have their way, we’ll get autonomy. I guess my last question, unless Brian has anything else. Just because I think this is what you guys were created for: when a C2 server is identified, what happens? So my computer sends out a request to the C2 server that you guys have obviously identified or seen before. What’s the process there?

Peter Lowe DNSFilter 48:01
Well, we’ll send a DNS request to find out the IP address of the C2 server. And we will return the IP address of our block server rather than the real one. Okay, so your machine, well, your network won’t be able to communicate with that. It won’t know the real IP address, and it would be seamless

Shiva Maharaj Kontinuum 48:18
to us. Block page saying, hey, DNSFilter has saved you from catastrophe. Yeah,

Peter Lowe DNSFilter 48:25
I mean, you probably won’t even see it happen. To be honest, it will happen in the background, there’ll be a piece of malware on your machine that will try and find out what it needs to do and fail.

Brian J. Weiss 48:35
I do have another question. Shiva, I don’t know if you’re done with Lord. So back to the kind of the intelligence discussion, right. And I’m just thinking, kind of security compliance. Obviously, you’re going to have certain IPs that you’re blocking that are a lot more dangerous than others. Right? Wouldn’t that be good intelligence for me to know, if one of my clients’ users was trying to get to a critical, a new C2 server that just got stood up, and that is causing a bunch of ransomware attacks, right? Because otherwise, if that gets blocked, and then nothing else happens, or nothing else alerts me, we’re not made aware that we came close to the edge, right. And so that’s an opportunity to maybe train the end user at the very least, right? If not look into it further to make sure there’s nothing else that might be of concern, you know what I mean? So what about some sort of alerting or feed into a SIEM of certain log events, right, that are happening that are above a certain critical level that we might want to have more eyes on? Any thoughts around that?

Peter Lowe DNSFilter 49:46
So I think there’s three things that I can identify in this kind of feature request: alerting, SIEM integration, and like a risk score, so separately. Separately there will use it, I think the risk score is probably the least interesting thing, to be honest. For some people, it is super interesting. For a researcher, it’s definitely interesting. But for the end users, generally not that important, they just care that the threats are blocked. I definitely see the value in alerting on specific types of threats. Like for super bad ones, the timeliness usually can’t be reacted to for it to be useful. Because the lifetime of a C2 server is, like, six hours average, it’s not long. Okay, yeah, they go down. I mean, there’s obviously longer ones that last a lot longer. But the average lifespan is very short

Shiva Maharaj Kontinuum 50:54
of a question, sidetrack you for a second here. There’s another product that I use. And I can talk to you about it offline after we end here. They have identified a lot of C2 servers on Linode infrastructure. I don’t know if you guys are seeing that as well. Some, I mean, not not, and DigitalOcean. Sorry,

Peter Lowe DNSFilter 51:15
you DigitalOcean. It’s just, well, the thing is that they’re massive hosting companies. So they’re natural targets for this kind of stuff. We’ve definitely seen a lot there. But we don’t see any more than other hosting providers really, you know, percentage-wise. But a lot of it comes down to their own moderation policies or their own monitoring policies. So how well they’re policing their own networks. So Amazon, it’s a little bit harder to get stuff on there, because I think it’s a bit better. But I know DigitalOcean is particularly there. But it’s the same thing, it will go in waves, usually. It’ll get to a critical level where they’ll have too many people complaining about them or leaving their network, and then they’ll hire a bunch of people to monitor it and sysadmins to make it better. You know, you’ll see the same thing go through

Shiva Maharaj Kontinuum 52:09
with, as you said, with a six hour life cycle. It’s really hard to pinpoint any of these no matter where they go anyway.

Peter Lowe DNSFilter 52:15
It’s hard to pinpoint them, but it’s hard to prevent them. Yeah, yeah, it’s um, you need a monitoring team or a reaction team to kind of, yeah, I’m not I don’t want fries and company. So I’d say, let’s see,

Brian J. Weiss 52:29
I look at your intelligence and I go, I’m paying DNSFilter for this, right? That’s most of, you know, the value, I would say, other than the efficiency and how you deliver that. And then I’m wondering, like, hey, you see a brand new C2 server or some new IP, maybe it’s an IP, you’re gonna see a bunch of traffic trying to get to that, right. Yeah. Wouldn’t that be awesome for me to know that, hey, that IP is bad, and be able to implement that other places, you know, with my security layers?

Peter Lowe DNSFilter 53:00
Yeah. I’m the wrong person to be talking about out sorry.

Shiva Maharaj Kontinuum 53:04
I think you’re paying for their application of their intelligence, I don’t think you’re actually paying for their intelligence.

Brian J. Weiss 53:10
I know, I know. And that’s why Symantec said, I’m not saying I wouldn’t be willing to pay more to port it into products Trey has. But see, I’m in this consolidation of vendors move, right. And I think Shiva kind of touched on it earlier, where he’s like, I don’t want to have to put one more agent on a device. And so when I’m looking long term at my vendors, I’m trying to understand, like, are they kind of in their own space? Or is something else that I use eventually gonna swallow them up? What is their IP? Is Microsoft ultimately going to take over what they’re doing for me, you know what I mean? Those are the questions going around in my head. Go ahead, Shiva. What will

Shiva Maharaj Kontinuum 53:51
be interesting is if you or any vendor that’s not Microsoft builds something that is as well documented as the Graph API. And so if you guys want to play with us, here’s our stack of encyclopedias for our API, go to town, build whatever you want, and put it on that. Yep. Give them the x and the doorway, or the gate hub API,

Peter Lowe DNSFilter 54:11
Doug’s Partner Integration, it’s a bit more complicated than that. That’s the problem is that when you start interacting with any other partner, they have requests, which are not supported, and it requires development time to do what they want. They need wishes, you know, there’s a six month evaluation of that six months lead up to feature implementation, and then that’s a year on minimum. It can be done quicker than that, but it’s tough. And then it might not even work out, you know, maybe the one of the they’ll find someone else who’s cheaper or better or faster or they’ll get sold. I don’t know. It’s, it’s a challenging thing to do. It feels like it shouldn’t be but,

Brian J. Weiss 54:51
you know, that’s why you start with Microsoft because you know, they’re not gonna,

Shiva Maharaj Kontinuum 54:56
they’re not going anywhere. But that’s it for me on my end. Do want to be mindful of Peters time?

Peter Lowe DNSFilter 55:02
Thanks. I just want to comment quickly about the alerting thing. This is something that we’re working on, alerting support. I was talking about it a while ago, but it is actively being, my team in particular is working on that. Sorry. Again, I can’t give you a timeline, like, it’s gonna be wild, but we’ll get it.

Brian J. Weiss 55:25
Well, once you get a CloudRadial integration, I can move away from Augment. That’s the one thing, Augment integrates with CloudRadial, shows all my clients what cloud apps their end users are accessing, shows them the policy we built around what’s allowed and what’s not allowed, but doesn’t do any policy enforcing. So then, in order to enforce policy, guess what I’m going over to, you know, DNSFilter or a firewall or something along those lines, right, which is a clunky process. But I do like the idea of the transparency with the clients and them understanding, like, hey, they own this. Like, this is your decision that this is happening. This is what’s being blocked, what’s not being blocked. If something malicious happens down the road, and it wasn’t an app that we were blocking on this, you can’t get mad at me. Like, this is what we said, right? I mean, that’s kind of where I’m at with our fully managed clients that we are keeping moving forward. We’re kind of refining that base. It’s full transparency, I’m making them take ownership. This isn’t like, ITEX got this for us. It’s no, you made the decision to agree with our recommendation. So you got this, thanks to our consulting. Right. But anyway, I do appreciate your time. It was a lot of great insight.

Peter Lowe DNSFilter 56:54
Cool. I will say that the feature requests thing, the dashboards app, I know in some places it seems like that just disappears into the void, but it’s actively looked at and does make a difference. If you see anything in particular you’re looking for that isn’t supported, send your message and people vote on it and it gets discussed. Okay, great. Sounds good. Thanks for coming on, Peter. Thanks, guys. I slept

Transcribed by https://otter.ai
