TS Tech Talk — OpenDNS as part of a holistic defense against Ransomware/Malware
At Think|Stack, we have a group in our internal message system where non-technical people like me can ask questions about the different services that we provide, the tools we use to provide them, or anything IT-related. We will be posting those conversations here monthly. This month, we helped a company who fell victim to a Ransomware attack. One of the tools we use to help companies defend against Malware in general, and Ransomware more specifically, is called OpenDNS. I didn’t know what this tool did or how it worked, so I asked. As you will see below, the conversation turned into a larger discussion about creating a holistic plan to protect a company from Ransomware/Malware. Our Security Director also provides a link to a great Ted Talk on Cyber Security from Caleb Barlow at IBM, who uses a similar analogy to what I used in our conversation. Items in italics were added by me to define acronyms.
Travis Sachse (CFO)·2 likes
Mon 12:12 PM
Can someone explain to me what the OpenDNS/Cisco Umbrella product is, what it does and how it might help protect a company against Ransomware?
Alex Welkner (Security Analyst)
Mon 3:59 PM
OpenDNS is a product that takes DNS requests and does lookups before replying with the address. These lookups include recently compromised sites and hosts and can stop a user from attempting to access a potentially infected site. The strength of this is, while antivirus is reactive to getting malware and defending against it, this is a proactive approach to protect the user from going anywhere harmful. OpenDNS’s service can be expanded with Roaming Agents so that even if mobile devices leave the LAN and connect to another network (at home for example), the agent will still control their DNS to protect them from accessing dangerous sites, no matter where they use this device.
Alex Welkner·1 like
Mon 4:00 PM
In the case of Ransomware, OpenDNS will try to prevent the user from connecting to an infected website which could force a download of the malware. This is beneficial because the workstation itself never connected to the infected machine and was stopped in the middle of the connection.
Andrea DiGiacomo (Director of Project Management)
Mon 5:33 PM
So would you say that you would want to have both this product and anti-virus as two different layers of defense? Is there a benefit to having one or the other?
Mark Berman (Co-founder, CIO)
Mon 5:34 PM
You should have both; the defenses are different. The AV (antivirus) that matters is next-generation AV. It has a pretty good chance of stopping the initial infection. The Cisco Umbrella targets the spread of the problem and keeps it localized.
Mon 8:32 PM
If an email has a link to an infected or malicious site in it and an employee clicks on it, would OpenDNS provide protection by preventing them from accessing that site? Or would you need to rely on the email security/spam filter to prevent that email from getting through?
Jacob Jones (Help Desk Director)·1 like
Mon 8:36 PM
Travis, from my understanding that is, in fact, the primary purpose of OpenDNS. You still want to have a spam or email filter, BUT if something happened to get through that pointed to a malicious website, the purpose of OpenDNS would be to block it. However, it does not exist for only that purpose, but also to prevent browsing to malicious sites at any time. To go a step further, Mike Burns correct me if I am wrong, but it should also stop any communication to a domain that has been blacklisted, beyond simply browsing to the site.
Mike Burns (Director of Security)
Mon 8:47 PM
OpenDNS started as a public DNS resolver service. They resolve approximately 3% of the world’s internet traffic. Which is A LOT.
Mon 8:48 PM
They eventually realized that they were starting to recognize spikes in DNS activity which correlated to malware campaigns.
This is how OpenDNS matured into a security company.
They are often one of the first threat intelligence sources to become aware of new zero-days.
A lot of other technologies follow their lead.
Travis Sachse·2 likes
Mon 9:57 PM
So I am going to try to make what is probably a poor analogy here. When there is a virus outbreak like Ebola in 2015 or Zika more recently, the WHO, the CDC, Homeland Security and other organizations put measures in place to prevent the outbreak in the US and the world. In 2015, there was an Ebola outbreak in West Africa. The CDC issued travel warnings to those countries. Homeland Security put restrictions on flights from those countries. In my analogy, Homeland Security is the email security, preventing flights coming from those countries. The CDC and customs is OpenDNS, helping prevent people from going to those countries where they have documented cases of the virus. Also, if a flight comes in from another country without cases of the virus but a person on the flight visited or originated from a country with cases of it, customs will discover this and quarantine them. Taking the analogy further, if an infected person makes it into the country and infects someone else, that is when the doctors (antivirus/anti-malware) would kick in, limiting the damage by putting the infected people in quarantine to limit the spread and working to cure them. Does that make any sense?
Mon 10:02 PM
That seems like quite the good analogy.
Except the quarantine-the-infected-person part.
If you get infected, a sysadmin removes you from the network.
Even with all these systems in place, is it possible for someone to get infected? Do these systems still work if I have a laptop and I take it and use the WiFi at a coffee shop instead of my company network?
Khaled Antar (SWAT Ops)
Unfortunately, yes, in my mind you can still get infected. Especially if you click on an email link that installs something and you agree to let it install.
That’s why you have to have layers of protection:
AV, AM, OpenDNS with content filtering, no local admins,
encrypted hard drives, 2FA (two-factor authentication) on your systems,
VPN (virtual private network). Use a secure password protector. Use different passwords for systems, etc. Sometimes it’s not an infection but someone scavenging data and aggregating it.
Mike Burns, so the doctors are more like your IT professional and the AV/AM are tools they use to detect and remove the “infection”. Once a device is infected, does the AV/AM software do anything to remove the infection or is it more for detection purposes?
Khaled Antar·1 like
I think overall with security you are limiting the chances of something happening. Each system and layer you put in place reduces your chances of being compromised.
Yea Travis that makes sense
Travis, ransomware is so pervasive and effective because it is most often delivered as a “zero-day” threat. How does that work? A malicious party takes an effective payload and alters it slightly, so that it does the same thing but looks slightly different (i.e. its signature) than prior infections.
Then they try to spread it but make it sort of a time bomb that is set to go off simultaneously all over the world.
About 8 months ago, it happened and it went off in the UK and Europe first. By the time it got here because of time zone changes, it was recognized by most AV and blocked.
So the answer is in the first few hours, AV/AM (except for programs like X-Intercept and Cylance) are helpless. Once the world becomes aware, they start blocking effectively and even quarantining and deleting.
The bad news is that once your files are encrypted and held for ransom, none of these programs can help. You have 2 choices. Pay the ransom and get your stuff decrypted and hope they didn’t put in a back door to more payloads, or erase the computer and start over from backup.
So this conversation moved from one about OpenDNS to one about a holistic approach to protection from Ransomware and, more generally, Malware. As Khaled mentioned, to reduce the likelihood of an incident and minimize the impact when one occurs, you need a multi-layered approach that includes preventative tools, reactive tools, policies, procedures and knowledgeable IT people. Even with all these things, there is still a possibility of an attack getting through these defenses and, as Mark mentioned, your best choice might be to restore from backups. With that said, is it fair to say that if you do nothing else, you should make sure you have secure and reliable backups, and that you should strive for a setup where your backups are unlikely to be affected by the same attack that affects your live applications and data?
Offsite backups, on a different network if possible, and encrypted.
Mike Burns shared a link
This is an awesome video