Canadian security firm HYAS Infosec has released a new DNS protection tool dubbed HYAS Confront, designed to provide clear visibility into DNS transactions within production networks. While DNS security products for corporate networks already exist, Confront is claimed to be the first solution to continuously cover the entire production network regardless of which cloud it runs in.
HYAS Confront provides continuous and complete passive DNS monitoring. It does not attempt to examine the content of communications, but merely determines the source and destination of the communication. If internal communication is deemed suspicious, or if external communication is deemed dangerous, Confront reports this to the customer’s SIEM, SOAR or SOC.
It takes no automatic action against the communication beyond reporting. The concern over false positives weighs heavily on production networks. “All systems are vulnerable to an occasional false positive,” comments HYAS CEO David Ratner; “and a false positive in the production environment could be disastrous from a revenue perspective. So, Confront is passive. It uniquely sees every single communication, and we can uniquely understand whether that communication is good, bad or ugly.”
On deployment, Confront generates a baseline of normal healthy activity. This usually takes just a few days. Once the baseline exists, it can detect internal activity that deviates from it, such as lateral movement indicative of an adversarial presence. External communication toward a known bad or merely suspect destination could be indicative of malware beaconing to its C&C.
Confront does not directly detect the malware – it detects the activity of resident malware or adversaries. Ratner gives the SolarWinds attacks as an example. “Sunburst malware could get into your network,” he said. “It would lie low for 15 days and it would then wake up and issue a DNS request to its command and control: do I have any instructions? It is this DNS request that Confront immediately detects. And well over 93% of all malware today uses DNS to talk to its command and control.”
The presence of Sunburst was not the problem – it was the activity of Sunburst that was the danger. The same principle applies to the majority of malware. It is contact with the C&C server that spells danger. If Confront can detect that initial beaconing, the security team can be alerted to take immediate remedial action.
The strength of such a system is directly related to its knowledge of dangerous destinations. HYAS started life as a threat intelligence company. It continues this work and has an extensive and continuously maintained adversarial infrastructure database available to support its DNS analysis.
But it’s not just known C&C destinations that can be monitored – non-malign but potentially dangerous activity can also be highlighted. Confront is delivered with a range of built-in policies, and these can be extended by the customer. “We find employees Bitcoin mining on VMs, we find intermixing of PCI and non-PCI traffic, we find going to public repositories in Russia and Eastern Europe rather than using a local mirror… All of these are examples that aren’t necessarily nefarious.” But they are certainly indicative of risk.
The firm also claims that Confront can reveal issues like misconfigurations, and incomplete removal of malware after an attack. The ability to detect misconfigurations comes from the deep level of visibility afforded by monitoring all DNS connections. Confront will detect a newly spun up box or database that may be behaving abnormally. It can ask the security team, says Ratner, “Do you realize that this new machine was spun up and put in your lab environment when it should have been put in your staging environment; do you realize that you spun up a new database, but you put it in the wrong configuration file; do you realize that you put this in zone 1 and it should have been in zone 2?”
Incomplete removal of malware will be detected when the remaining malware again beacons to its C&C. Ratner gave the example of a customer that had been breached, paid a vast amount for system cleansing, and then installed Confront. “Confront very quickly found 11 different backdoors to China that had been completely missed by the formal cleanup,” said Ratner.
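The detection approach the article describes across the preceding paragraphs (a learned baseline of normal resolution activity, matches against an adversarial-infrastructure list, cheap internal-anomaly signals, and customer policies for the "not necessarily nefarious" cases) is sketched below as an added example in Python. It is not HYAS code and makes no claim about how Confront is actually built. The log line format, the indicator names under `.test`, the `corp.internal` zone, the host addresses and the policy predicates are all constructed for the example.

```python
"""Toy passive-DNS detector: learn a baseline, then flag the kinds of activity
described in the article. Example code only; nothing here is HYAS's."""
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsEvent:
    ts: int      # epoch seconds
    src: str     # internal client that issued the query
    qname: str   # queried name, lowercase, no trailing dot


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    qname: str


def parse_line(line: str) -> DnsEvent:
    """Parse one constructed log line of the form '<ts> <src_ip> <qname>'."""
    ts, src, qname = line.split()
    return DnsEvent(int(ts), src, qname.lower().rstrip("."))


def domain_suffixes(qname: str) -> set:
    """qname and every parent domain, so intel on 'c2.example-bad.test'
    also matches a query for 'dl.c2.example-bad.test'."""
    labels = qname.split(".")
    return {".".join(labels[i:]) for i in range(len(labels))}


# Constructed indicators (hypothetical names under .test, not real intel).
KNOWN_BAD = {"c2.example-bad.test", "beacon.example-bad.test"}

# Constructed customer policies: (name, predicate on qname), modelled on the
# repository-mirror and cryptomining cases quoted in the article.
POLICIES = [
    ("repo_outside_local_mirror",
     lambda q: q.endswith(".ru") and any(k in q for k in ("repo", "mirror", "pypi", "npm", "apt"))),
    ("possible_cryptomining_pool",
     lambda q: q.split(".")[0] in ("stratum", "pool") or "stratum" in q),
]


class Baseline:
    """Which internal hosts exist and which (host, name) pairs are normal."""
    def __init__(self):
        self.hosts = set()
        self.pairs = set()

    def learn(self, events):
        for e in events:
            self.hosts.add(e.src)
            self.pairs.add((e.src, e.qname))


def detect(baseline, events, internal_zone="corp.internal"):
    alerts = []
    for e in events:
        # Threat-intel match is evaluated independently of the baseline: a
        # backdoor already beaconing during baselining must still be caught.
        if domain_suffixes(e.qname) & KNOWN_BAD:
            alerts.append(Alert("known_bad_destination", e.src, e.qname))
        if e.src not in baseline.hosts:
            # Host never seen while baselining: a newly spun-up or misplaced box.
            alerts.append(Alert("unseen_internal_host", e.src, e.qname))
        elif e.qname.endswith("." + internal_zone) and (e.src, e.qname) not in baseline.pairs:
            # Known host resolving an internal name it never resolved before:
            # a cheap lateral-movement signal.
            alerts.append(Alert("new_internal_destination", e.src, e.qname))
        for name, pred in POLICIES:
            if pred(e.qname):
                alerts.append(Alert("policy:" + name, e.src, e.qname))
    return alerts


# Constructed sample logs: a baselining window, then live traffic.
BASELINE_LOG = """\
1700000000 10.0.1.10 www.example.test
1700000030 10.0.1.10 db01.corp.internal
1700000060 10.0.1.11 api.example.test
1700000090 10.0.1.11 db01.corp.internal
"""
LIVE_LOG = """\
1700100000 10.0.1.10 www.example.test
1700100015 10.0.1.10 dl.c2.example-bad.test
1700100030 10.0.1.11 fileserver.corp.internal
1700100045 10.0.1.12 api.example.test
1700100060 10.0.1.10 mirror.pypi-repo.ru
1700100075 10.0.1.11 stratum.pool-example.test
"""


def run_demo():
    base = Baseline()
    base.learn(parse_line(l) for l in BASELINE_LOG.splitlines())
    return detect(base, [parse_line(l) for l in LIVE_LOG.splitlines()])


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.rule:34} {a.src:12} {a.qname}")
```

Running it yields five alerts: the subdomain of a listed C&C name, a known host resolving an internal file server it never touched during baselining, a client address that did not exist when the baseline was learned, a package mirror under `.ru`, and a name that looks like a mining pool. The first line of the baseline log produces nothing because that (host, name) pair is normal. The design point worth keeping from this sketch is that the indicator match does not depend on the baseline: if a backdoor left behind by an incomplete cleanup was already beaconing while the baseline was learned, a purely behavioural model would have learned it as normal, which is why the article ties detection strength to the quality of the adversarial-infrastructure data.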
“Production environments are critical to a company’s ability to function,” he said. “Unfortunately, no matter how strong your perimeter is, bad actors will eventually find a way in. HYAS Confront’s distinctive ability to detect anomalies within your production environment ensures that even in these cases, you can uncover the problem before it does damage.”
HYAS, headquartered in British Columbia, Canada, was founded by Christopher Davis, Sasha Angus, and Steve Heyns in 2015. It raised $16 million in a Series B funding round in 2021, bringing the total raised to almost $25 million.
Related: NSA, DHS Issue Guidance on Protective DNS