Protection Against Malware, Ransomware, C2s, DGAs, Phishing
Stop Threats at the Root
DNS RPZ (Response Policy Zone) was developed at ISC as an open, vendor-neutral feature of the BIND name server. RPZ turns a recursive resolver into a DNS firewall: policy rules are expressed as records in specially constructed zone files, so they can be distributed and updated with ordinary zone transfers. Because each zone holds its own set of rules, threat data can be applied selectively to detect and block malware and ransomware activity at the DNS level.
With RPZ, administrators can override the answers the global DNS would return and define rules that trigger specific responses, such as NXDOMAIN, NODATA, or a substitute answer. When a workstation, server or other network device tries to resolve a malicious name, the resolver withholds the real address and instead returns a substitute answer that sends the client to a specially crafted web page explaining why access was blocked. (For HTTPS destinations the browser will show a certificate warning for the walled-garden host rather than the page itself, since that host cannot present a valid certificate for the blocked name.) A DNS RPZ firewall therefore not only protects assets but also gives administrators an opportunity to educate users, making them aware in real time of the link, email or resource that was leading them to malware.
Flexibility is Key for DNS-Level Security
Restricting access at the DNS level is not without complications, however. While C2s, DGAs and phishing sites tend to be “no brainers” as far as blocking is concerned, many legitimate and very popular services, such as Dropbox and Google Docs, unknowingly host malware on their domains. Blocking those domains outright cuts users off from the whole service and is, understandably, met with great resistance. For this reason, granularity is key to helping administrators maximize threat coverage while minimizing the impact on the sites, tools and applications their users depend on.
A Zone For Each Threat Type
To give our customers flexibility in managing the needs of their users or clients, we offer five separate Response Policy Zones, each of which can be enabled independently depending on your needs. The zones cover domains hosting (1) C2s, (2) DGAs (used by over 40 malware and ransomware families), (3) Malware, (4) Cryptominers and (5) Phishing sites.
Beyond applying only the zones relevant to the threats your business faces, Malware Patrol lets you whitelist domains across all zones via a simple web interface.
Another available control is filtering by the Cisco Umbrella domain ranking: on request, domains that appear in the top 25,000, 100,000 or 1,000,000 of the ranking are removed from the zones. The ranking is refreshed weekly and is applied together with the whitelisting mechanism.
Custom “Walled Garden”
You can send users who hit a malicious domain to our “walled garden” page, or configure your own using the instructions available here.
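The mechanics described above (zone-file rules that return a substitute answer, a whitelist that exempts domains from every zone, and a popularity-ranking filter) are easier to see in a worked example. The following Python is an added illustration, not Malware Patrol's or ISC's code: it builds a small RPZ zone from constructed indicator lists, applies a whitelist and a top-N ranking filter, renders the zone file, and shows which answer the resolver would give for a query. The zone origin, the walled-garden host name and every domain and ranking entry are hypothetical.

```python
"""Added example (not Malware Patrol's or ISC's code): build a small BIND-style
Response Policy Zone from indicator lists, apply a whitelist and a popularity
ranking filter, and show which answer the resolver would give for a query.

Assumptions, all hypothetical: the zone origin, the walled-garden host name,
and every domain and ranking entry below are constructed for illustration.
"""
from typing import Dict, Iterable, List, Optional, Tuple

RPZ_ORIGIN = "rpz.example.local."          # hypothetical RPZ zone name
WALLED_GARDEN = "blocked.example.local."   # hypothetical walled-garden host

# Standard RPZ special CNAME targets (these are part of the RPZ format itself).
PASSTHRU = "rpz-passthru."  # exempt the name: answer from the real DNS
NXDOMAIN = "."              # answer NXDOMAIN
NODATA = "*."               # answer NODATA

# Constructed sample inputs standing in for a threat feed, a customer whitelist
# and the Cisco Umbrella ranking (rank 1 first). None of these are real indicators.
INDICATORS = [
    "c2.badactor.example",       # C2 server
    "beacon.badactor.example",   # C2 server
    "login-dropbox.example",     # phishing page imitating a popular service
    "dropbox.com",               # legitimate service that also hosts malware
    "docs.google.com",           # same situation, and a very popular domain
]
WHITELIST = ["dropbox.com"]
RANKING = ["google.com", "dropbox.com", "docs.google.com"]

Record = Tuple[str, str]  # (owner name relative to RPZ_ORIGIN, CNAME target)


def build_rpz_records(indicators: Iterable[str], whitelist: Iterable[str],
                      ranking: List[str], top_n: int,
                      action_target: str = WALLED_GARDEN) -> List[Record]:
    """Turn indicators into RPZ QNAME-trigger records.

    Whitelisted names (and everything under them) get passthru rules and are
    never blocked; indicators in the top-N of the ranking are dropped entirely;
    everything else gets a CNAME to the walled garden, for the name itself and
    for all subdomains (the "*." wildcard trigger).
    """
    allowed = {d.lower().rstrip(".") for d in whitelist}
    popular = {d.lower().rstrip(".") for d in ranking[:top_n]}
    rules: Dict[str, str] = {}
    for d in sorted(allowed):
        rules[d] = PASSTHRU
        rules["*." + d] = PASSTHRU
    for raw in indicators:
        d = raw.lower().rstrip(".")
        if any(d == a or d.endswith("." + a) for a in allowed):
            continue  # the whitelist wins, even for subdomains of a whitelisted name
        if d in popular:
            continue  # ranking filter: too popular to block outright
        rules.setdefault(d, action_target)
        rules.setdefault("*." + d, action_target)
    return sorted(rules.items())


def evaluate(qname: str, records: List[Record]) -> Tuple[str, Optional[str]]:
    """Return the policy outcome for a query name: exact trigger first, then the
    closest enclosing wildcard, mirroring how RPZ picks a QNAME rule."""
    rules = dict(records)
    name = qname.lower().rstrip(".")
    target = rules.get(name)
    if target is None:
        labels = name.split(".")
        for i in range(1, len(labels)):
            wildcard = "*." + ".".join(labels[i:])
            if wildcard in rules:
                target = rules[wildcard]
                break
    if target is None:
        return ("none", None)        # no rule: normal resolution
    if target == PASSTHRU:
        return ("passthru", None)    # exempted: normal resolution
    if target == NXDOMAIN:
        return ("nxdomain", None)
    if target == NODATA:
        return ("nodata", None)
    return ("cname", target)         # substitute answer, e.g. the walled garden


def render_zone(records: List[Record], origin: str = RPZ_ORIGIN, serial: int = 1) -> str:
    """Render the records as a zone file BIND can load as a response-policy zone."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 300",
        f"@ IN SOA ns1.example.local. hostmaster.example.local. {serial} 3600 900 604800 60",
        "@ IN NS ns1.example.local.",
    ]
    lines.extend(f"{owner} IN CNAME {target}" for owner, target in records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = build_rpz_records(INDICATORS, WHITELIST, RANKING, top_n=3)
    print(render_zone(recs))
    for q in ["c2.badactor.example", "www.dropbox.com", "docs.google.com", "clean.example"]:
        print(q, "->", evaluate(q, recs))
```

To use the rendered file, load it as a zone on the resolver and reference it from named.conf with `response-policy { zone "rpz.example.local"; };`; in production the zone is a secondary zone kept current by AXFR/IXFR from the provider rather than generated locally. Note that the walled-garden host itself must remain resolvable (it must not match any block rule) and must serve the explanation page, and that with top_n=3 the popular docs.google.com is not blocked at all, while with top_n=2 it is.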
Response Policy Zones:
- Command & Control Servers
- Domain Generation Algorithms (DGAs)
- Malware
- Cryptominers
- Phishing
Zone delivery and filtering:
- Zones are automatically transferred using AXFR/IXFR mechanisms
- Cisco Umbrella Domain Ranking filtered zones
- Whitelists can be applied to zones, even on top of Cisco Umbrella filtered ones
About Our Data
Choosing the right data provider is essential, as your DNS firewall is only as good as the data that powers it.
Malware Patrol’s threat data is aggregated from diverse sources, including web crawlers, botnet monitors, spam traps, honeypots, research teams, partners and historical data about malicious campaigns. All the data is carefully inspected and monitored. As a result, our feeds contain thoroughly vetted indicators sourced from the real world.
Because security budgets are usually limited, it is important to rely on a data source that covers the current malicious campaigns and threats that directly affect your company and your customers, maintaining a high level of security with the minimum of resources.