
Paris 2024 Cybersecurity Webinar: How DNS Security Helps


This webinar explores how DNS Security helps protect major events such as the Paris 2024 Olympics against phishing, DDoS attacks, ransomware, DGAs, and DNS-based threats. EfficientIP experts explain the evolving cyber threat landscape, show real-world attack examples, and highlight how AI-powered DNS threat detection can improve cyber resilience.

What You Will Learn in This Webinar

Watch this webinar to understand how DNS Security helps protect major events such as the Paris 2024 Olympics against phishing, DDoS attacks, ransomware, DGAs, and other DNS-based threats.

Large-scale events are prime targets for cyberattacks because they rely on highly available digital infrastructure, real-time communications, and trusted online services. In this session, EfficientIP experts explain how proactive DNS Security can improve threat detection, accelerate response, and support cyber resilience.

What you will learn:

  • The evolving cyber threat landscape surrounding the Paris 2024 Olympics
  • Why DNS Security is critical for protecting major events
  • Real-world DNS-based attack examples, including phishing and DGAs
  • How AI technologies accelerate threat detection
  • How proactive DNS Security helps reduce disruption and infrastructure downtime

Speakers:

Yaelle Harel, Sr. Product Marketing Manager: Yaelle manages EfficientIP’s product marketing for security solutions, leveraging over 15 years of experience in cybersecurity protection and compliance.

Jean-Yves Bisiaux, Co-Founder & CTO: Jean-Yves Bisiaux co-founded EfficientIP over 20 years ago and oversees company vision, engineering, operations, and service delivery. He founded NESS and holds a Master’s from EPITA.


Video Transcript

Standing by

00:05 – 01:18

Hello everybody. We will let other people join the webinar, so we will start in a couple of minutes. Thank you for joining.

Hello to everyone who joined us. We will wait one more minute for other people to join.

Introduction

01:18 – 02:45

Okay, we will start now.

Thank you everyone for joining us for today’s webinar. We will discuss our insights from the Paris 2024 Olympic Games and the cyber threats surrounding them.

I am Yaelle Harel, EfficientIP’s Product Marketing Manager responsible for security products, including DNS security. I have over 15 years of background in cybersecurity, and I am honored to co-host this webinar with EfficientIP’s Co-Founder and CTO, Jean-Yves Bisiaux, who will introduce himself.

Hello, my name is Jean-Yves Bisiaux. I am one of the founders of EfficientIP and CTO at EfficientIP. I work with our R&D teams to produce all EfficientIP products.

Today, during the webinar, we will talk about the evolving cyber threat landscape around the Olympic Games. We will also discuss the role of DNS security in large events such as the Olympics, and how DNS can help protect these events.

We will close with key takeaways that you can later apply.

The Evolving Cyber Threat Landscape Around the Olympics

02:45 – 07:38

Cyber threats are always evolving, as we can see across different domains. Attackers are always looking to generate large disruptions, and therefore large events, especially events like the Olympics, which are watched globally, become major targets.

Successful attacks can create significant impact and be discussed around the world.

If we look at the history of the Olympic Games, we can see how cyber threats have evolved over the last few decades.

During the London 2012 Olympic Games, there were several DDoS attacks and denial-of-service attacks that created slowdowns in different Olympic systems.

During the Rio 2016 Olympic Games, there was the famous Fancy Bear attack, which resulted in the theft of medical data from athletes. This attack targeted the organization responsible for controlling drug usage during the Olympics. Once attackers managed to steal the data, it included data from many athletes who participated in the Games, including famous athletes and medical records.

During the Tokyo 2021 Olympic Games, there was another famous attack. In this case, attackers took advantage of the popularity of digital collections at that time. They published fake Olympic digital souvenirs and fake digital tokens, and managed to steal money from people who were looking to buy Olympic digital collectibles.

When we look at the predictions for Paris 2024, they were not very optimistic.

The predictions showed that there would be eight times more attacks than during the previous Games in Tokyo, which had already experienced a very high number of attacks, around 550 million.

The top potential attackers identified were, first, financially motivated cybercriminals. Nation-state attackers were also considered a major risk. For example, Russia, which was banned from the Games, had a strong motivation to attack different infrastructures.

Hacktivism was also on the rise during the year, with many geopolitical situations around the world increasing the motivation of activists to create visible damage.

Regarding the types of attacks, predictions included phishing attacks, website hijacking, denial-of-service attacks, and malware.

The target industries were all industries related to making the Olympic Games successful: transportation, hospitality, media, and all infrastructure needed to run such a large-scale event.

When we look back at the Paris 2024 Games, the predictions were met in some ways, and not in others, at least based on what we know now.

The Olympic Games experienced around 140 cyberattacks, including 22 incidents targeting government systems and critical infrastructure.

There was one ransomware attack that did not manage to create damage to the Olympic infrastructure. It was reported around the world and impacted the Grand Palais venue.

There were denial-of-service attacks as well. Again, they did not disrupt the Games because the cybersecurity teams were well prepared, but the attempts were there.

And of course, there were many phishing attempts. We will see some examples of those today.

The Critical Role of DNS Security

07:47 – 12:01

We will now move on to the critical role of DNS security in events like this.

DNS plays a critical role in every cybersecurity infrastructure. Before we dive into that, let’s look at a few statistics around DNS.

According to the IDC 2023 report, 90% of organizations have encountered a DNS attack, with an average damage of $1.1 million per attack.

In addition, 85% of malware uses DNS to develop attacks, and 54% of organizations were victims of phishing, which of course often involves DNS.

If we look at the top DNS-related attacks, we see a strong correlation with the top attacks observed during the Olympics.

In 2023, phishing was leading, followed by malware and denial-of-service attacks. These are the same types of attacks observed during the Olympic Games.

This is not surprising because DNS is vulnerable by design. DNS was not created as a secure protocol. At the same time, DNS is the entry point for any network. Attackers take advantage of this and leverage DNS to attack organizations or events like the Olympics.

The first thing that probably comes to mind is that many organizations already have protection for DNS. For example, they may have a firewall with DNS protection, or advanced security solutions with DNS features.

The problem is that these solutions are often not enough for DNS attacks.

They are limited because they do not have full visibility into DNS traffic. They do not provide DNS-centric behavioral analysis. They generate many false positives, which is something organizations cannot afford when it comes to DNS.

Very often, organizations turn off the DNS feature or put it in monitoring-only mode, which also limits blocking capabilities.

Finally, many solutions are not powerful enough to manage and handle high-volume DNS attacks.

This is why a new layer of defense is needed, focused specifically on DNS, which is the first point of entry into the organization.

This is where organizations can turn DNS into their first line of defense.

Since DNS is the entry point to any organization, it can be leveraged to secure the organization. It can become the first checkpoint against attacks.

Organizations can use DNS to collect data globally from different networks and infrastructures, and generate DNS-centric threat intelligence. This is what EfficientIP does.

This data can then be used to improve detection levels and prevent attacks before they enter the organization.

Later, organizations can also analyze local traffic and identify threats that pass through the network. DNS can therefore be leveraged across the whole attack-handling lifecycle.

DNS security can help defend every stage of the attack.

It can help protect the organization before an attack succeeds, reducing risk and reducing the time spent mitigating attacks.

It can help detect attacks while they are happening by analyzing traffic and applying advanced technologies, including AI.

It can also help in the response phase by providing intelligence and insights that help analyze the threat, with some response automation that we will cover later.

Protect: DNS-Centric Threat Intelligence

12:01 – 14:12

Let’s start with the protection phase.

The first thing every organization wants, or every large event such as the Olympic Games wants, is to prevent attacks before they create damage and to reduce risk.

One example of how DNS can help protect organizations is DNS-centric threat intelligence.

DNS threat intelligence generates, in real time, a feed based on data collected globally from different environments. This feed can later help detect attacks.

The generation of the feed is powered by AI, and it is continuously updated. This allows real-time detection based on DNS-centric intelligence.

In events such as the Olympics, IT managers can leverage this threat intelligence to gain better protection and better insights.

Jean-Yves adds that EfficientIP is a technology leader for telecom providers, offering very high-performance DNS server solutions.

EfficientIP’s technology enables the collection of real-time statistics on active DNS traffic, analyzing around 300,000 new unknown domains per day.

Every newly observed domain is analyzed through EfficientIP’s big data system, allowing the company to quickly detect malicious domains and associated websites.

This rapid detection enhances security by ensuring that threats are identified and mitigated in the shortest possible time.

Protect: Innovative Domain Filtering

14:12 – 16:39

The next protection technology is innovative domain filtering.

Unlike traditional domain filtering solutions, which usually filter based only on domain names and lists of domains, EfficientIP’s technology combines client classification and client groups with domain categorization.

Domain categorization is done automatically through threat intelligence.

The combination of client tagging and domain tagging allows very granular rule-based filtering. For each rule, organizations can also define a desired action or countermeasure, such as quarantining the traffic.

This allows micro-segmentation down to individual users or groups, and provides much more advanced application control than traditional security solutions.

Jean-Yves explains that filtering should be differentiated based on the type of device.

For example, a printer, a server in a data center, a connected object, an IoT device, or a user device should not all behave in the same way.

It is abnormal for an IoT device to request a Facebook domain name. Similarly, a data center server should not connect to a service like Dropbox.

This solution provides additional security by controlling DNS resolution and filtering based on the device typology.

It allows organizations to build filtering rules based on the type of device. This is another way to segment security at the DNS layer.

Detect: Visibility and DNS Traffic Analysis

16:39 – 18:53

The next step is detection.

Unfortunately, as we know from cybersecurity history, organizations cannot prevent every attack. They cannot block everything before it enters the organization.

That is why it is important not to neglect the detection phase for attacks that are already happening inside the network.

EfficientIP uses different technologies to support detection.

The core technology is visibility and analysis of DNS transactions. DNS traffic inspection makes it possible to perform user behavioral analysis, define patterns of DNS attacks, and block them.

Jean-Yves explains that because DNS Guardian is at the heart of the DNS server, it can detect small signals that help identify forged DNS queries or spoofed IP addresses.

The technology can see differences between common traffic behavior and suspicious traffic behavior.

EfficientIP’s technology is not based only on pattern matching in domain names, but on the way users perform DNS queries.

This makes it possible to flag a user as suspicious, run a set of rules to gather evidence of an infected device, and then place the device in quarantine or block it directly.

Detect: AI-Powered Phishing Detection

18:53 – 26:12

Let’s now look more deeply at how AI can help detect attacks, using phishing attacks as an example.

AI-powered phishing detection is based on technologies such as natural language processing, also called NLP, and image recognition.

Attackers often use small changes in URL names. For example, they may use “Olymipcs” instead of “Olympics,” or create visual similarities with legitimate websites to deceive users into clicking a URL or believing that a fake site is real.

AI technologies can leverage the fact that attackers need to make these changes in order to succeed.

They can detect suspicious changes in text, known as typosquatting, using advanced technologies.

Image recognition can also be used to detect logo similarities or other similarities between fake websites and targeted brands or organizations.

In this case, the target was the Olympic Games. During the summer, EfficientIP monitored different logos and websites to see what hackers were trying to mimic.

The same approach can also apply to banking websites, which are often targeted by phishing attacks.

In the Paris 2024 Olympics case study, the word cloud shown in the presentation contains the top keywords used by attackers in domains to deceive users into thinking they were browsing legitimate Olympic websites.

It is difficult, or even impossible, for a person to immediately understand that a site is not a real Olympics website. This is why additional information is needed, and AI can help detect these threats.

The presentation then shows a specific example: screenshots from a phishing website.

The website looked so similar to a real Olympic store that, when EfficientIP first identified it and started browsing it, the team was not immediately sure whether it was legitimate or phishing.

They needed to check additional indicators to confirm that it was phishing.

The website used official-looking logos and T-shirts that looked real. Users could even add items to the cart, proceed to payment, and enter credit card information, which of course is not recommended.

By applying AI, even though it was very difficult for a human to detect that the website was phishing, EfficientIP identified it as a phishing website.

Attackers publish these websites to steal personal data, credit card data, and deceive users by using trusted logos and lookalike branding.

A VirusTotal screenshot from September 11 showed that, one month after the site was first seen by EfficientIP, it was still not identified as malicious by VirusTotal.

VirusTotal aggregates data from many traditional security vendors, and at that time no vendor had identified the site as phishing, malicious, or even suspicious.

Later, by the time of the webinar, only one vendor out of many had detected it, more than a month and a half after the website had been active during the Games.

By contrast, DNS Intelligence Center detected the domain on August 17, approximately one day after the website became active.

This was possible thanks to the combination of AI detection technologies and rich threat intelligence.

During the Olympic Games, EfficientIP collected a lot of information about legitimate websites and related data in order to detect these attacks in real time.

If someone tries to browse to the website now, which is strongly not recommended, the domain is suspended. However, it was not suspended because it was malicious. It was suspended because the attacker did not update their contact information and violated registration rules.

Another interesting point discovered during the research is that, thanks to threat intelligence collected from various data sources and across different customers, EfficientIP could identify relationships between the original phishing website and other websites on the same IP address.

This showed that the attacker had additional fake Olympic shops.

Some of these shops looked very similar to the Olympics website, while others were less convincing. When analyzed, some were detected as malicious and others were not.

Another example was found later. After the Games ended, the attacker no longer had Olympic-related websites because they were no longer relevant.

Instead, the attacker had a new target: Halloween shops.

The attacker had many websites running, and the new ones created in the previous days were Halloween-related shops because Halloween was approaching.

This is an example of how attackers adapt their targets depending on current events and seasonal opportunities.

Detect: Domain Generation Algorithms

26:21 – 34:58

The next type of attack is based on Domain Generation Algorithms, or DGAs.

Jean-Yves explains that DGA stands for Domain Generation Algorithm.

Cybercriminals want to avoid detection. That is why they do not use a fixed IP address to communicate between malware installed on a device and a server on the internet.

Instead, they rely on domain names.

However, repeatedly using the same domain name can also raise suspicion. Therefore, attackers use temporary domain names.

A DGA is a technique used by cybercriminals to automatically generate a large number of domain names.

Each malware using the same algorithm will generate the same domain at the same time. This means that the generated domains are predictable.

For example, a cybercriminal knows that on September 24 at 9:00 in the morning, a specific domain will be generated and requested by the malware.

It could be thousands of malware instances requesting that domain and connecting to one server.

Just before the generation date, the cybercriminal activates the domain by registering it and linking it to a server.

The malware will send many generated domain names. Most of these domains are unknown on the internet, so they will not resolve. But at one point, one domain will be registered, and the malware will be able to connect to the command-and-control server.

This command-and-control server can help the cybercriminal change the malware code, turn it into ransomware, or use it as a Trojan, depending on the cybercriminal’s choice.

EfficientIP has a specific detection mechanism.

Most DGA detection methods are based on the pattern of the domain name. As shown earlier, generated domains often follow the same pattern because they are created automatically.

Some algorithms generate thousands of new domains per day, and many security mechanisms try to detect the pattern generated by the attacker.

EfficientIP does not only look at the pattern of generated domains.

Instead, it associates domains and clients to create tuples, and then groups these tuples based on users having the same DNS usage.

In other words, the system aggregates users who perform the same DNS queries, especially queries that nobody else knows or commonly uses.

This is difficult to implement using standard algorithms.

Once these tuples are created, EfficientIP uses discrete mathematics based on unsupervised machine learning and graph theory.

The system analyzes the tuples and clusters them. Some are attracted into the same clusters because they share similar behavior, while others are rejected into different clusters because they are not requesting the same domains.

The graph shown in the presentation displays clusters of clients and domains. Each cluster represents a group of related behavior.

Each color corresponds to a different malware family detected. For example, one cluster corresponds to Necurs.

To identify this, EfficientIP selected a few domains from the cluster and checked whether they were known on the internet. This allowed them to identify that infected devices in the cluster were infected by the Necurs malware.

All clusters were identified with malware except one green cluster at the bottom.

When EfficientIP discovered this green cluster, it had not yet been identified as malware.

Six months later, EfficientIP selected a domain from this cluster and detected that it was based on the Conficker malware.

When they checked the other requested domains, they saw that Conficker used this specific DGA.

This means that EfficientIP had detected low signals of suspicious DNS activity six months before the malware code was changed or fully activated.

At that stage, they did not yet know the exact malware, but they knew there were infected or suspicious devices.

DGA Detection in Real Life

35:08 – 36:34

The presentation then shows a real product example.

This is a screenshot from DNS Intelligence Center showing a DGA detected by EfficientIP.

The screenshot shows different hits for a domain, meaning the times when someone tried to access this domain.

VirusTotal did not detect this domain through any vendor.

EfficientIP has many examples like this.

The slide also shows a 30-day history of different DGAs detected by the engines.

The red part of the graph indicates matches in actual traffic for those DGAs. This represents devices that are already infected.

In the list, many domains were first seen or first detected by EfficientIP’s advanced technology.

This allows very early detection and prevention of such attacks, sometimes even before the exact malware using the DGA is known.

Respond: Adaptive Countermeasures

36:34 – 39:04

To complete the three phases of attack handling, we now move to the response phase.

Response is very important in cybersecurity in general, and especially during large events where quick response is crucial to mitigate incidents and act quickly once an attack occurs.

EfficientIP provides real-time adaptive countermeasures, which can be understood as automated response.

It is simple to say, but the technology behind it enables real-time response at the DNS level.

This means the attack can be blocked automatically if the administrator decides to block it. Traffic can also be placed in quarantine.

Advanced modes can also be activated, such as rescue mode for volumetric attacks.

The idea is that once the technologies shown earlier have been applied, the system can react based on what it sees in the traffic.

It does not only monitor traffic, send logs, and wait for someone to analyze and respond to the threat.

The system is fully controlled by the administrator, who can configure what action should be taken for each type of event. This also helps avoid false positives.

Another important aspect of response is having good insights and information to analyze events.

This is critical for incident response teams and SOC teams that need to understand what is happening.

The dashboards shown throughout the presentation provide insights into DNS traffic, from high-level trends showing what happened over the past day, week, or month, to granular details about specific domains.

For example, teams can see related domains, indicators of compromise, and other information.

All of this supports automated response to attacks in real time, as well as quick analysis and containment, which is very important during live attacks.

Key Takeaways

39:14 – 40:40

The first key takeaway is that DNS security is the first line of defense.

Since DNS is the entry point of the network, it can also serve as the first line of defense against cyberattacks.

This was important during large events such as the Paris 2024 Olympic Games.

DNS helps organizations proactively protect, quickly detect, and effectively respond to threats in real time.

The final key point is that leveraging AI technologies in the right way, using the right DNS data, can elevate threat detection to a completely different level.

Technologies such as NLP, image recognition, and tuple clustering can provide better protection, better detection, and ultimately better response.

We will now leave some time for your questions. You can put them in the chat, and we will take a look and answer them.

Q&A

41:32 – 50:06

Question 1: How is the EfficientIP DNS solution different from other major DDI players in the market?

Like most vendors, EfficientIP performs DNS domain pattern detection based on malicious domain names.

However, EfficientIP’s specificity is that it also performs behavioral analysis.

Inside EfficientIP’s DNS engine, which is not simply a pure open-source DNS engine, there is DNS Guardian, a technology fully developed by EfficientIP.

DNS Guardian inspects DNS queries and DNS answers. It does not only detect patterns in domain names; it detects user behavior through transaction inspection.

For example, for DNS exfiltration or DNS tunneling, the algorithms are not based on the DNS pattern itself.

Instead, the system sees that a client is performing queries toward an external DNS server on the internet. It can observe all packets going from this client to the external server.

This is only possible with full traffic inspection and intelligence inside the DNS server.

It is not only a DNS server. It is a DNS server with rules and counters that can calculate statistics on the fly.

The threshold that triggers detection is not constant. It is adaptive and based on normal traffic. DNS Guardian compares standard traffic with anomalies in DNS traffic.

That is what makes it different.

For a more detailed presentation, EfficientIP recommends discussing with one of its pre-sales team members, who can provide more comprehensive insights and technical information.

Question 2: What about mobile devices like notebooks and smartphones? Are they protected when they are outside the corporate network?

When devices are connected to the corporate network, they can be protected. However, when they are connected directly to the internet, the situation is different.

EfficientIP’s strategy is not to install additional software on endpoint devices such as laptops or phones.

EfficientIP does not want to install another agent or plugin. The strategy is to work with existing services inside the enterprise IT environment.

For example, EfficientIP can manage DNS services such as Azure DNS, Google DNS, or Microsoft DNS servers as an overlay.

The same strategy applies to endpoints.

EfficientIP does not want to install a new agent because organizations already have many agents on their devices.

Instead, the strategy is to use built-in operating system features and solutions.

One solution EfficientIP proposes to customers is to use DNS over HTTPS, also known as DoH.

DNS over HTTPS is an extension of the DNS protocol that tunnels DNS traffic inside an HTTPS/TLS connection.

This mechanism is available on many devices, including Windows, macOS, iOS, and Google devices.

Organizations can configure the connection so that DNS over HTTPS traffic is redirected to their own DNS server, which can be an EfficientIP DNS server supporting DNS over HTTPS.

Question 3: Does DNS protection replace EDR or XDR solutions?

No.

EDR and XDR solutions are still needed.

DNS protection only covers DNS. DNS is not exempt from cybercriminal activity, but it does not cover all other protocols.

Everything around HTTPS traffic, malware infection on endpoints, and broader endpoint protection still needs to be handled by EDR or XDR solutions where necessary.

Question 4: Where did the summary statistics from the Paris Olympics come from?

The general statistics around incidents came from ANSSI, the French cybersecurity agency.

The phishing-specific statistics came from what EfficientIP observed.

Some statistics that were not specific to the Paris Olympics, but related to DNS more broadly, came from the IDC DNS Threat Landscape Report 2023.

Closing

49:59 – 50:06

Thank you everyone for joining.

Thank you, Jean-Yves, for co-hosting this webinar with me.

Thank you everybody for attending.
