
AUTOMATED DNS SINKHOLE BREACH DETECTION

WHAT IS AUTOMATED DNS SINKHOLE BREACH DETECTION?


Evolve Security Automation makes it easy for organizations and security teams to orchestrate a wide range of scalable and high-availability security infrastructure, with automated integration of Cyber Threat Intelligence for immediate proactive threat detection and prevention.

The Evolve “Automated DNS Sinkhole Breach Detection” solution enables any organisation to seamlessly enhance their security architecture to quickly and easily detect and prevent threats, attacks and security breaches with the latest intelligence.

Evolve introduces the ability to orchestrate on-demand high-availability DNS Sinkholes that can automatically ingest over 350 Cyber Threat Intelligence feeds from the Evolve Marketplace. This allows your organisation to automatically stay on top of the latest threats to prevent access to malicious websites whilst also proactively blocking malware from locating their Command & Control systems.

The Evolve Automated DNS Sinkhole Breach Detection solution natively integrates with the Evolve Automated Incident Response workflows. When chained together, Evolve delivers automated detection of security breaches, automated collection and analysis of evidence, and automated response to contain security breaches within minutes.

Evolve enables your organisation to automatically stay on top of the latest threats, attacks and security breaches relevant to your business and automatically respond to critical threats to help ensure your business remains safe.

Register your free Evolve account now 

EVOLVE MARKETPLACE

Automated DNS Sinkhole Breach Detection is available in the Evolve Marketplace. Simply import this automation workflow into your Evolve Account with flexible monthly subscriptions to maximize your security budgets.

GET STARTED

Our Getting Started Guide will step you through importing and launching your first Automated DNS Sinkhole Breach Detection. Enhance your specialist security capabilities now.

FEATURES

Orchestrated DNS Sinkhole Infrastructure

Automated Cyber Threat Intelligence Integration

High-Availability DNS Sinkhole Solution

Globally Distributed DNS Sinkhole Options

Remote DNS Sinkhole Orchestration

High-Performance DNS Sinkhole Solution

Remotely Orchestrated Internal Honeypot

Automated Internal IP Identification

Automated Incident Response Integration

Evolve Agent Integration

Automated DNS Sinkhole Log Collection

Automated Malicious Activity Notification

Regular Cyber Threat Intelligence Updates

Automated Evolve Dashboard Integration

Automated Slack Integration

FLEXIBLE SUBSCRIPTION PRICING


Evolve enables you to maximize your security budget by providing flexible monthly subscriptions with no lock in contracts. Simply import the Automated DNS Sinkhole Breach Detection capability from the Evolve Marketplace to begin your subscription.


Single DNS Sinkhole: US$750 per month
High-Availability DNS Sinkhole: US$1,500 per month

OPTIMISE YOUR COSTS WITH USAGE-BASED BILLING

IMPORT USAGE

Importing workflows and modules from the Evolve Marketplace has once-off usage charges per import to orchestrate your new capabilities

SECURITY ZONE USAGE

Evolve transparently optimizes usage charges related to the scaling of Security Zone infrastructure and storage in real-time

WORKFLOW USAGE

Evolve Workflow usage occurs when launching new workflows to orchestrate and chain your security automation modules and data

MODULE USAGE

Evolve Modules are stored and executed on demand and in real time, and each execution incurs usage. Optimize usage by reducing the number of module executions

AGENT USAGE

Evolve Agents allow distributed orchestration of modules on premise and in the cloud. Optimize usage by reducing the polling frequency

CONTAINER USAGE

When storing and transferring data within Evolve Containers, usage charges can be optimized by compressing or expiring data

DASHBOARD USAGE

Generating and storing Evolve Dashboards incur usage to enable populating chart data from within Evolve Containers

EVENT USAGE

Evolve Event usage enables you to keep track of all of the security automation actions and events within your accounts

FREQUENTLY ASKED QUESTIONS

WHAT IS AUTOMATED DNS SINKHOLE BREACH DETECTION?

Evolve Automated DNS Sinkhole Breach Detection allows you to orchestrate high-availability DNS Sinkholes with automated Cyber Threat Intelligence integration.

Within minutes, you can automatically detect and prevent access to the latest malicious domains to protect your organization from a security breach.

Simply point your organization’s DNS settings to the Evolve DNS Sinkholes for immediate detection and protection capabilities.

HOW DO I GET STARTED?

The first step is to register for an Evolve Account. You will then have access to the Evolve Marketplace where you can subscribe to the Automated DNS Sinkhole Breach Detection solution. Simply import this automation workflow into your Evolve Account.

You can follow the Getting Started Guide to then schedule your first Automated DNS Sinkhole Breach Detection workflow instance. The results will automatically be displayed in the corresponding Evolve Dashboard. 

DOES THE EVOLVE DNS SINKHOLE MEET MY BUSINESS NEEDS?

Evolve Automated DNS Sinkhole Breach Detection solution caters for all businesses, ranging from small businesses with limited budgets, through to enterprises requiring high-throughput highly-available globally-distributed DNS Sinkholes with a central management console.

The Evolve DNS Sinkhole solution can be configured for high-throughput by simply increasing the size of your Evolve Security Zone. The larger the Security Zone, the larger the throughput, and the greater number of Cyber Threat Intelligence feeds that can be integrated.

On top of this, the Evolve DNS Sinkhole solution can be orchestrated in domestically or globally distributed high-availability architectures.

Globally distributed high-availability architectures are achieved by launching Evolve DNS Sinkholes in different Evolve Regions on multiple Evolve Security Zones.

Domestic high-availability architectures, typically for data sovereignty purposes, simply launch the Evolve DNS Sinkholes on multiple Evolve Security Zones located within your local region.

Evolve Security Infrastructure solutions natively and transparently include high-availability. This means that in the very rare situation where a DNS Sinkhole stopped responding, a new DNS Sinkhole would automatically be launched in its place within seconds to minutes to ensure your business keeps running securely.

Despite the high-availability technologies in place, it is recommended that a primary and secondary DNS Sinkhole are launched for redundancy. However, for smaller businesses with restricted budgets, Evolve offers a single DNS Sinkhole to ensure that security is available to SMBs.

GETTING STARTED WITH
AUTOMATED DNS SINKHOLE BREACH DETECTION

STEP 1: REGISTER AN EVOLVE ACCOUNT

Congratulations for deciding to mature and streamline your security capabilities and maximize your security budgets. Your first step is to simply Register an Evolve Account using the Register button on the Evolve website.

STEP 2: LOGIN TO YOUR EVOLVE ACCOUNT

Now that you have an Evolve Account, login using the Sign-In button on the Evolve website. This will take you to the Evolve welcome screen.

STEP 3: SETUP YOUR EVOLVE BILLING

Evolve subscriptions and usage-based bills are charged via credit card.

  • Setup your payment method via the Billing feature located under your Profile Menu towards the top right-hand corner of your Evolve Account.
  • Select the “Add Payment Method” button that will load the Evolve Secure Payment Gateway page where you can add your credit card details.
  • As part of our fraud-prevention controls, your credit card will be charged a nominal amount that you need to enter to verify your credit card before it can be used for payments.

Your Evolve Account is now setup and you are ready to mature your security.

STEP 4: SELECT YOUR EVOLVE REGION

Evolve is a specialist security automation cloud, which means that it has globally distributed infrastructure enabling geographic security controls allowing you to keep your data and processing within the geographical regions aligned to your business needs.

  • Select your Evolve Region in the top right-hand corner of your Evolve Account.

Any actions you take will occur within your selected Evolve Region.

STEP 5: IMPORT WORKFLOW FROM THE EVOLVE MARKETPLACE

The Evolve Automated DNS Sinkhole Breach Detection workflows are available in the Evolve Marketplace. Simply import the workflow into your Evolve Account with the following steps.

  • To get to the Evolve Marketplace, navigate to the Marketplace side-menu.
  • Whilst in the Evolve Marketplace, locate these services by either selecting the “Security Infrastructure” category and browsing through the available workflows and services, or by searching for the keyword “sinkhole”.
  • Click on the corresponding marketplace item to review the overview of the workflow, workflow usage and subscription pricing information.
  • Click the Import button and step through the import steps.
  • You will then be redirected to the Imports page.
  • You may need to use the Reload button to see your newly imported workflow.

Once the import status changes from “Pending” to “Available” you have successfully imported this security automation workflow and added this specialist security capability to your business.

STEP 6: LAUNCH YOUR SECURITY ZONES

Evolve Security Zones are isolated environments that provide scalable compute and storage to execute your Evolve Workflows. Security Zones can be launched in different configurations for different purposes.

Since we are launching a high-availability solution, we are going to launch the following two types of Security Zone: one Scalable Security Zone for automation processing, and one Non-Scalable Security Zone for each of the Primary and Secondary DNS Sinkholes:

  • Scalable Security Zone, which provides us with a generic scalable security zone for processing arbitrary modules, such as Cyber Threat Intelligence collection and transformation, as well as log processing and Dashboard chart generation.
  • Non-Scalable Security Zone, which provides our DNS Sinkhole with a static IP address allowing inbound connections for DNS traffic.

We will start with the Scalable Security Zone:

  • Select the Security Zones side menu item and click the New Security Zone button.
  • Set a useful name for your Security Zone, such as “Automation_Security_Zone”.
  • Click the Next button, which will take you to the Security Zone Size page.
  • Select a “Medium” sized Security Zone for our use-case, which should be sufficient for most use cases. The size of your Security Zone will actually be defined by your DNS throughput and Cyber Threat Intelligence data sizes. For larger organizations, or if multiple different types of automation workflows will be using this Automation Security Zone, then a Large or Extra Large Security Zone may be selected.
  • Click the Next button to go through to the Configuration page where it allows you to specify the settings of your Security Zone.
  • Leave the Volume Size as the default value for our use-case, which should be sufficient for most use cases. The Volume Size is the size of your Security Zone cluster nodes’ disks used to temporarily store your module data during processing. This volume size needs to be sufficient to store your Cyber Threat Intelligence feeds and also your DNS logs. Larger organizations may wish to increase the Volume Size to 50 GB or 100 GB for assurance purposes.
  • Select the Scalable setting. The Scalable setting configures the Security Zone to automatically scale up and down to optimize processing and usage costs. 
  • The NAT Gateway can be left as blank since we don’t need a static public IP address for the modules that are likely to be running on this Security Zone.
  • The VPN Gateway can be left as blank since this workflow does not need to access your organization’s internal systems.
  • Click the Next button.
  • Review your settings
  • Click the Create button. 

This will automatically orchestrate your Security Zone with the configurations specified and will take around five minutes. You should wait for the Security Zone state to change from “Pending” to “Available”.

Once available, we will launch the Non-Scalable Security Zone:

  • Click the New Security Zone button.
  • Set a useful name for your Security Zone, such as “Primary_DNS_Sinkhole_Security_Zone”
  • Click the Next button, which will take you to the Security Zone Size page.

The size of your Security Zone will be defined by:

  • The throughput for the number of DNS requests that you need to be processed per second, and
  • The number of Cyber Threat Intelligence feed entries that you wish to be imported into your DNS Sinkhole

As a general recommendation:

  • Around 50,000 Cyber Threat Intelligence entries can be run on Micro to Small Security Zones
  • Around 400,000 Cyber Threat Intelligence entries can be run on Medium Security Zones
  • A larger number of Cyber Threat Intelligence entries should be run on Large or Extra Large Security Zones

You also have the option of launching smaller DNS Sinkholes for individual offices to split the DNS traffic and add redundancy to your security architecture.

  • Select a “Medium” sized Security Zone for our use-case, which should be sufficient for most use cases
  • Click the Next button to go to the Configuration page that allows you to specify the settings of your Security Zone
  • Leave the Volume Size as the default value for our use-case, which should be sufficient for most use cases. The Volume Size is the size of your Security Zone cluster nodes’ disks used to temporarily store your module data during processing. This volume size needs to be sufficient to store your Cyber Threat Intelligence feeds and also your DNS logs. Larger organizations may wish to increase the Volume Size to 50 GB or 100 GB for assurance purposes.
  • Disable the Scalable setting. The Scalable setting configures the Security Zone to automatically scale up. We want our Security Zone to have a single static IP address that has both TCP and UDP DNS ports accessible. Combined with our Security Zone sizing above, we don’t want our DNS Sinkhole instances to scale up automatically.
  • The NAT Gateway can be left as blank since we want the DNS Sinkhole to get its own static IP address.
  • The VPN Gateway can be left as blank since this workflow does not need to access your organization’s internal systems.
  • Click the Next button
  • Review your settings
  • Click the Create button. 

This will automatically orchestrate your Security Zone with the configurations specified and will take around five minutes. You should wait for the Security Zone state to change from “Pending” to “Available”. You should then repeat these Non-Scalable Security Zone steps again to launch your “Secondary DNS Sinkhole Security Zone”.

Once the Security Zones are available, you can find your Primary and Secondary Security Zone public IP addresses:

  • Click on the corresponding Security Zone
  • Click on the Configurations tab
  • You may need to use the “Reload” button to refresh your page data to see the IP addresses

Record both addresses: they are the DNS server addresses you will hand to your DNS forwarders or DHCP scope in Step 8.

STEP 7: LAUNCH A WORKFLOW INSTANCE

You have imported the Automated DNS Sinkhole Breach Detection High-Availability workflow and have setup your Evolve Security Zones. You now need to launch a Workflow Instance to orchestrate your Primary and Secondary DNS Sinkholes with the automated Cyber Threat Intelligence collection and integration.

  • Select the Workflows side menu item to list your available workflows.
  • Locate the “Create Instance” button alongside your Automated DNS Sinkhole Breach Detection Workflow.
  • Set a useful name for your workflow instance.
  • Click the Next button, which will take you to the Parameters page where you provide your DNS Sinkhole settings.

Enter the following information within the parameters that will be used to orchestrate your DNS Sinkhole solution:

  • Set the “DNS Sinkhole IP” to be “127.0.0.1” for this use-case. This is the address returned for any domain name that matches one of your Cyber Threat Intelligence feeds, so the malware’s connection attempt goes to the requesting host’s own loopback interface and never reaches the attacker. If you also orchestrate the internal honeypot from the feature list, you can point this at the honeypot’s address instead so that the connection attempts themselves are recorded.
  • Set the “Maximum Age” to be “90” (days). An indicator that has not been seen in any feed for longer than this is dropped from the DNS Sinkhole and the domain resolves normally again, which is the point at which you treat a previously identified malicious domain as safe.
  • Set the “Maximum Results” to be “400000”. This caps how many Cyber Threat Intelligence entries are pushed into your DNS Sinkhole, matching the Medium Security Zone sizing above, so that the sinkhole stays stable if a feed suddenly publishes a large set of new malicious domains.
  • Set the “Source CIDR” to your organization’s public IP address ranges in CIDR format (the addresses your DNS forwarders will query from). This restricts access to your DNS Sinkholes to those ranges only. Do not open them to the internet: an open resolver is found and abused by attackers within hours (for example as a reflector for DNS amplification attacks), and every abusive query adds to your usage charges.
  • Leave the “DNS Sinkhole Agent” blank since Evolve will orchestrate this for you and automatically install this Evolve Agent into your DNS Sinkholes.
  • Set the “Primary Security Zone” and “Secondary Security Zone” to your corresponding Security Zones created previously.
  • Set a “Dashboard Name” to a useful name.
  • Click the Next button to go to the Configuration page, where you select the default Security Zone in which the workflow’s modules will be executed.
  • Select the Automation Security Zone that you created for this workflow.
  • Leave the Agent and Agent Device not selected since we do not want this workflow to run via an Evolve Agent.
  • Click the Next button
  • Review your settings
  • Click the Create button. 

This will automatically orchestrate your Automated DNS Sinkhole Breach Detection workflow instance, including all Module Instances and Containers, using the settings that you specified for your solution.

You should wait for the Workflow Instance state to change from “Pending” to “Available”.
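To make the three feed parameters above concrete, the following is an added example and not Evolve’s code (the page does not say how Evolve builds its sinkholes). It takes constructed feed entries, applies “Maximum Age” and “Maximum Results”, and writes the survivors out as an RPZ-style zone that answers with the “DNS Sinkhole IP”; the feed tuple layout, the dates and the RPZ output format are all assumptions.

```python
"""DNS sinkhole zone built from threat-intelligence feed entries.

Added example, not Evolve's code. It models the "DNS Sinkhole IP",
"Maximum Age" and "Maximum Results" parameters from Step 7 and writes the
selection out as an RPZ-style zone. The feed format, the dates and the RPZ
output are assumptions; the page does not say how Evolve builds its sinkholes.
"""
import re
from datetime import date, timedelta

# Hostname label rule: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# "Today" for the age calculation (constructed).
TODAY = date(2024, 6, 1)

# Constructed feed entries: (indicator as published, last seen, source feed).
# The .test TLD is reserved, so none of these names resolve on the internet.
FEED_ENTRIES = [
    ("c2.badexample.test", date(2024, 5, 20), "feed-a"),
    ("dropper.badexample.test", date(2024, 5, 25), "feed-b"),
    ("old-botnet.test", date(2023, 11, 1), "feed-a"),       # stale indicator
    ("C2.BadExample.TEST.", date(2024, 5, 1), "feed-c"),     # duplicate of the first
    ("bad_host.example.test", date(2024, 5, 30), "feed-b"),  # invalid hostname
]


def normalize_domain(name):
    """Lower-case, drop a trailing dot and reject anything that is not a
    valid hostname, so a malformed feed line cannot break the zone."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return None
    if not all(LABEL_RE.match(label) for label in name.split(".")):
        return None
    return name


def select_entries(entries, today, max_age_days, max_results):
    """Apply Maximum Age and Maximum Results.

    Indicators last seen more than max_age_days ago expire (the domain is no
    longer sinkholed), duplicates across feeds collapse to their most recent
    sighting, and only the newest max_results indicators are kept so a sudden
    feed spike cannot overload the sinkhole. Returns domains, newest first.
    """
    cutoff = today - timedelta(days=max_age_days)
    newest = {}
    for raw, last_seen, _source in entries:
        domain = normalize_domain(raw)
        if domain is None or last_seen < cutoff:
            continue
        if domain not in newest or last_seen > newest[domain]:
            newest[domain] = last_seen
    ranked = sorted(newest.items(), key=lambda item: (item[1], item[0]), reverse=True)
    return [domain for domain, _ in ranked[:max_results]]


def render_rpz_zone(domains, sinkhole_ip, origin="sinkhole.rpz."):
    """Emit an RPZ-style zone in which each indicator and all of its
    subdomains answer with the sinkhole address instead of the attacker's."""
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        f"@ SOA localhost. hostmaster.{origin} 1 3600 900 604800 60",
        "@ NS localhost.",
    ]
    for domain in domains:
        lines.append(f"{domain} A {sinkhole_ip}")
        lines.append(f"*.{domain} A {sinkhole_ip}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Same parameter values the walkthrough uses: 127.0.0.1, 90 days, 400000.
    chosen = select_entries(FEED_ENTRIES, TODAY, 90, 400000)
    print(render_rpz_zone(chosen, "127.0.0.1"))
```

Two things worth noticing: the stale indicator and the malformed one are dropped before anything is loaded, and lowering Maximum Results to 1 keeps the most recently seen indicator rather than an arbitrary one, which is the behaviour you want when a feed spike forces the cap.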


STEP 8: CONFIGURE YOUR DNS SETTINGS

Your DNS Sinkholes are up and running. The Cyber Threat Intelligence feeds may take up to 90 minutes to begin importing. You can test your DNS Sinkholes by running the following command from a host inside your Source CIDR ranges. For a domain that is not in any feed, such as the one below, the response should contain that domain’s normal public IP addresses; for a domain that is in one of your feeds it should instead return the DNS Sinkhole IP you configured (127.0.0.1 in this walkthrough). If the query times out, check that the querying host falls inside the Source CIDR ranges you set in Step 7:

dig @your-dns-sinkhole-ip evolve.threatintelligence.com

You now need to configure your organization’s DNS settings so that internal lookups pass through the Sinkholes. In each case, list both the Primary and Secondary DNS Sinkhole addresses so that resolution continues if one Sinkhole is being replaced. If you have a DNS relay (an internal forwarder), you can simply configure it to forward DNS requests to the DNS Sinkholes.

If your Active Directory servers perform the direct public DNS lookups, then you can configure your Active Directory servers to forward DNS requests to the DNS Sinkholes.

If your internal systems get their public DNS servers via DHCP, then you can configure your DHCP server to provide the DNS Sinkholes as the DNS servers.

STEP 9: REVIEW YOUR EVOLVE DASHBOARD

Once a malicious domain has been requested that is matched by one of your Cyber Threat Intelligence feeds, then the results will automatically be displayed in the Evolve Dashboard. Detailed automation activities can be viewed via the Events page that can be accessed via the Events side menu item.

A quick access menu for every Evolve Dashboard can be found under the Automation side menu. You may find that you need to refresh your web browser page for your new dashboards to appear in this list.

Select your Evolve DNS Sinkhole Breach Detection Dashboard to view the results. Any spinning charts indicate that no results have been detected at this stage.

Review this dashboard on a regular basis to gain insights into the latest threats and security breaches for your organization.

More advanced users may also want to be notified as soon as a malicious domain request is detected by importing the Evolve SlackBot from the Evolve Marketplace and chaining it off the Results Output Container for real-time ChatOps notifications.
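The detection step described above (a request for a feed-matched domain surfaces on the dashboard, together with the internal IP that made it) can be shown as a small matching routine over sinkhole query logs. This is an added example and not Evolve’s code; the page does not describe how the Sinkhole logs are collected. The log lines are constructed in the shape of a BIND query log, and the indicator list and Source CIDR ranges are made up.

```python
"""Match DNS query logs against the sinkhole's indicator list.

Added example, not Evolve's code. It shows the detection logic the page
describes: a query for a feed-matched domain (or any subdomain of it) is a
hit, and the requesting internal IP is what incident response needs. The log
lines, indicators and CIDRs are constructed; the line shape follows a BIND
query log.
"""
import ipaddress
import re
from collections import defaultdict

# client [@0xADDR] IP#PORT (qname): query: qname IN qtype ...
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-f.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>[A-Z0-9]+)"
)

# Indicators currently loaded into the sinkhole (constructed).
SINKHOLED = {"c2.badexample.test", "dropper.badexample.test"}

# The "Source CIDR" ranges allowed to query the sinkhole (constructed).
SOURCE_CIDRS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("203.0.113.0/24")]

# Constructed query log: two internal hosts hit indicators, one benign query,
# one query from outside Source CIDR (impossible if the restriction works).
SAMPLE_LOG = """\
01-Jun-2024 10:15:02.123 client @0x7f3a1c0b2a30 10.20.30.40#53211 (c2.badexample.test): query: c2.badexample.test IN A +E(0)K (203.0.113.10)
01-Jun-2024 10:15:02.400 client @0x7f3a1c0b2a30 10.20.30.40#53212 (www.example.test): query: www.example.test IN A +E(0)K (203.0.113.10)
01-Jun-2024 10:15:03.010 client @0x7f3a1c0b2a30 10.20.31.7#41000 (update.dropper.badexample.test): query: update.dropper.badexample.test IN AAAA +E(0)K (203.0.113.10)
01-Jun-2024 10:15:04.500 client @0x7f3a1c0b2a30 198.51.100.9#5353 (c2.badexample.test): query: c2.badexample.test IN A +E(0)K (203.0.113.10)
this line is not a query record and must be skipped
"""


def parse_query(line):
    """Return (client_ip, qname, qtype), or None for lines that are not queries."""
    match = QUERY_RE.search(line)
    if not match:
        return None
    qname = match.group("qname").lower().rstrip(".")
    return match.group("client"), qname, match.group("qtype")


def matched_indicator(qname, indicators):
    """Return the indicator covering qname: the name itself or any parent
    domain, because the sinkhole answers for subdomains of an indicator too."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def in_scope(client_ip, cidrs):
    """True when the client sits inside one of the Source CIDR ranges."""
    address = ipaddress.ip_address(client_ip)
    return any(address in network for network in cidrs)


def detect(log_text, indicators, cidrs):
    """One record per sinkhole hit: client, queried name, matched indicator,
    and whether the client was an allowed source."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        indicator = matched_indicator(qname, indicators)
        if indicator is None:
            continue
        hits.append({"client": client, "qname": qname, "qtype": qtype,
                     "indicator": indicator, "in_scope": in_scope(client, cidrs)})
    return hits


def compromised_hosts(hits):
    """Requesting IP -> sorted indicators it tried to reach."""
    by_host = defaultdict(set)
    for hit in hits:
        by_host[hit["client"]].add(hit["indicator"])
    return {host: sorted(names) for host, names in by_host.items()}


def out_of_scope_clients(hits):
    """Clients outside Source CIDR: the sinkhole is reachable from addresses
    it should not be, so the access restriction needs checking."""
    return sorted({hit["client"] for hit in hits if not hit["in_scope"]})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG, SINKHOLED, SOURCE_CIDRS)
    for host, names in compromised_hosts(found).items():
        print(f"{host} contacted {', '.join(names)}")
    print("unexpected clients:", out_of_scope_clients(found))
```

The parent-domain walk matters: malware rarely queries the bare indicator, so a hit on update.dropper.badexample.test must still be attributed to dropper.badexample.test. The out-of-scope check is the cheap sanity test for the Source CIDR restriction from Step 7; any client listed there means the sinkhole is answering addresses it should be refusing.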


© Threat Intelligence Pty Ltd | info@threatintelligence.com | 1300 809 437
Register Account | Terms of Use | Privacy Policy