
teissTalk: Why just-in-time security is leaving you exposed

On 7 November 2024, Teiss Talk host Thom Langford was joined by John Rouffas, Cyber Security Executive, Author & Journalist, CyberEdBoard Community; Francis Annandale, Managing Consultant, CyXcel; and Craig Sanderson, Principal Cybersecurity Strategist, Infoblox.

 

Views on news 

 

Security researchers from Zscaler ThreatLabz have warned that they detected 200 dangerous apps in the Google Play Store over a 12-month period, which have been downloaded 8 million times. Their analysis found that one Android banking malware family, Anatsa, was using PDF and QR code reader apps to distribute itself while targeting more than 650 financial institutions across the globe. Cyber crime is scaling up thanks to technological advancement, which makes the catch-up game that cyber security professionals have to play even more desperate, and app stores offer low-hanging fruit for criminals. Also, as apps become more user-friendly and rely on QR codes, they become more vulnerable too. These examples also show how enterprise and personal security are interconnected.

 

JIT access

 

JIT access helps organizations provision access so that users have the privileges to reach privileged accounts and resources only when they need them. Criminals look for different types of payload: some will get into the system and sit dormant, waiting for the right moment. Chinese state actors typically take their time. They have a very impressive knowledge of DNS and they use it to orchestrate and control endpoints over time.

 

About 90% of malware uses DNS as its control plane, as DNS is ubiquitous, always available and security people don’t often look at DNS traffic. DNS is also seen as the networking guys’ problem, and it’s not monitored to see whether someone is using it for command and control. AI, however, can help SOC people find out what’s going on. You can apply threat intelligence to your DNS server, and it can act as a protective DNS. It’s a standard that has been around since 2010, but the adoption rate is still low. The UK government is a leader in protective DNS deployment, though, while the Einstein project in the US shifted to DNS a couple of years ago.

 

Governments are getting increasingly involved in DNS protection as they can no longer afford to sit on the sidelines. It’s more efficient to monitor the threat actor’s infrastructure than to chase malware. Currently, adoption of protected DNS services is about 25-30%. You can tell your local DNS server to block a web address across your entire DNS estate and it will take less than two minutes to execute.
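The panel's point that DNS traffic is rarely monitored for command and control can be made concrete with a small detection sketch. This is an added example, not something shown by the panel: it flags clients whose lookups for one domain arrive at near-constant intervals, the timer-driven pattern typical of an endpoint checking in. The log format, thresholds, addresses and domain names are assumptions constructed for the example.

```python
import statistics
from collections import defaultdict

# Constructed resolver query log, "epoch_seconds client_ip qname". Not real traffic.
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com
1012 10.0.0.7 k3.sync.example.net
1090 10.0.0.5 mail.example.com
1311 10.0.0.7 p9.sync.example.net
1340 10.0.0.5 www.example.com
1613 10.0.0.7 x1.sync.example.net
1910 10.0.0.7 q7.sync.example.net
2150 10.0.0.5 www.example.com
2212 10.0.0.7 m2.sync.example.net
2513 10.0.0.7 t5.sync.example.net
2600 10.0.0.5 mail.example.com
"""

def base_domain(qname):
    """Naive grouping key (assumption): last two labels; real use needs the Public Suffix List."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_beacons(log_text, min_queries=5, max_cv=0.1, min_interval=60):
    """Return (client, domain, mean_interval, cv) for query series that look timer-driven."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed lines rather than fail the whole run
        ts, client, qname = parts
        series[(client, base_domain(qname))].append(int(ts))
    findings = []
    for (client, domain), stamps in sorted(series.items()):
        if len(stamps) < min_queries:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean < min_interval:
            continue  # bursts of lookups are normal page-load behaviour
        cv = statistics.pstdev(gaps) / mean  # coefficient of variation: low = regular
        if cv <= max_cv:
            findings.append((client, domain, round(mean, 1), round(cv, 3)))
    return findings

if __name__ == "__main__":
    for client, domain, mean, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {domain}: every ~{mean}s (cv={cv})")
```

Grouping by base domain matters here because the constructed check-ins use a different subdomain each time; counting per full hostname would miss the series. Legitimate software such as update checkers also polls on a timer, so findings are leads for triage against threat intelligence, not verdicts.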

 

The panel’s advice

 

  • 66% of phishing attacks start from a lookalike domain of a trusted brand. There is a market for fake domains too.
  • You can buy AI-driven DNS security tools that translate technical data into information that can be easily consumed.
  • The NCSC’s website shows data on the impact of the DNS protective service.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543