Securd tracks newly observed domains on a per-company (per-tenant) basis. Your greywall ensures that, after a learning period, any trusted or untrusted area of the Internet gets delayed access for that specific company. This lets administrators implement a zero-trust model scoped to the company and limits the options available to attackers targeting it. Greywalling is replicated across our anycast network in real time: whether your endpoints are in the United States or Australia, protection is fully synchronized or released globally in milliseconds. New domain registrations, randomly generated domain names, short-lived phishing sites, typosquats, etc. are all captured by the same defense.
The overwhelming majority of the legitimate traffic your endpoints and end-users produce on a repeated basis goes to a small number of established domains. It is a lot harder for bad actors to exploit “trustworthy” and established sites and infrastructure, and if the owners of these sites suffer a security incident, they are remediated substantially faster.
As a security administrator, you determine the temporary block time for a connection to a greywalled hostname or domain. A temporary block can be as short or as long as you establish in a security policy; in most cases it is set somewhere between 1 min and 90 days. This temporary block gives your other security tools, providers, and the information security community time to discover, assess, and distribute protection or intelligence to mitigate a phishing threat.
You now have a simple yet powerful means to create “your Internet” and establish how quickly these assets get to interact with your end-users and endpoints. You are 100% in control of how long you train your greywall, how you set trusted and untrusted scores, and how long you choose to greywall hosts.
As a complete fail-safe for customers who want absolute control over the order of operations and over what is blocked or allowed, global lists can be set at the hostname or domain level.
How the Securd Greywall Process Quarantines a Phishing Attack
End-user Clicks on Phishing Link
A threat actor registers a domain and, within 15 minutes, launches a phishing campaign. An unwitting end-user is tricked into clicking a phishing link and attempts to visit https://some-evil-phishing-site.example.com/phishing-attack/login.html
Endpoint Initiates A DNS Lookup
The end-user’s system attempts to access the domain some-evil-phishing-site.example.com. To connect, the endpoint must first resolve an A record for the name and obtain an IP address.
Securd Controls Order of Operations
Before the greywall feature allows the DNS server to resolve the query, it runs the relevant checks to allow or deny it. For example, it determines whether a DNS query for some-evil-phishing-site.example.com has been observed before, and whether some-evil-phishing-site.example.com was dormant for some time or was just registered. If the DNS query matches any block criteria, it is denied: the user is redirected to a block page stating the reason for the denial, and all blocked traffic is logged for review.
Securd Releases The Greywalled Domain
Once the greywall criteria for some-evil-phishing-site.example.com expire, the greywall allows a DNS query for it to continue. With Securd, this leads to additional measures to confirm that some-evil-phishing-site.example.com is not an active threat. If the DNS query does not match any criteria in the security policy order of operations, Securd's global recursive DNS servers continue to process and resolve the request. The allowed query is logged and available for review and analysis in the Securd Portal.
Before You Enable a Company Greywall
Each company has its own greywall. Before you enable the greywall in active mode, it learns all the domains your users usually visit. Depending on the size and scope of your implementation, the Securd Protection dashboard shows how many repeat vs. new domains your instance is observing. Once your new domain discoveries plateau over a 3-5 day period, it's time to enable your greywall.
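As an added illustration (not Securd's code) of the order of operations in the quarantine walkthrough above and of the learn-then-enforce lifecycle just described, this constructed Python model tracks first-seen names for one tenant, consults the global lists first, and holds a newly observed name for a configured period before releasing it. The domain names, timestamps, hold length and the choice to key on the queried name are assumptions of the example.

```python
from dataclasses import dataclass, field

@dataclass
class Greywall:
    """One tenant's greywall (constructed model): a name first observed after
    learning ends is blocked for hold_seconds from its first observation."""
    hold_seconds: int                                  # temporary block (1 min .. 90 days)
    active: bool = False                               # False = learning, True = enforcing
    first_seen: dict = field(default_factory=dict)     # name -> epoch seconds first observed
    global_allow: set = field(default_factory=set)     # hostname/domain-level overrides
    global_block: set = field(default_factory=set)
    stats: dict = field(default_factory=lambda: {"new": 0, "repeat": 0})  # dashboard counts

    @staticmethod
    def candidates(qname):
        # "a.b.example.com" -> ["a.b.example.com", "b.example.com", "example.com"]
        labels = qname.rstrip(".").lower().split(".")
        return [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]

    def decide(self, qname, now):
        """Return (verdict, reason) for one DNS query at epoch time `now`."""
        names = self.candidates(qname)
        # Order of operations: explicit global lists are evaluated before the greywall.
        if any(n in self.global_block for n in names):
            return "block", "global block list"
        if any(n in self.global_allow for n in names):
            return "allow", "global allow list"
        key = names[0]
        if key in self.first_seen:
            self.stats["repeat"] += 1
        else:
            self.stats["new"] += 1
            self.first_seen[key] = now             # start of this name's hold period
        if not self.active:
            return "allow", "learning mode"
        held = now - self.first_seen[key]
        if held < self.hold_seconds:
            return "block", f"greywalled, releases in {self.hold_seconds - held}s"
        return "allow", "greywall hold expired"

def demo():
    gw = Greywall(hold_seconds=86400)              # 1-day hold (constructed policy)
    t0 = 1_700_000_000
    for day in range(5):                           # learning: the same few sites each day
        for name in ("mail.example.com", "cdn.example.net"):
            gw.decide(name, t0 + day * 86400)
    gw.active = True                               # discoveries plateaued; start enforcing
    t_click = t0 + 5 * 86400 + 15 * 60             # first lookup of the fresh phishing name
    first = gw.decide("some-evil-phishing-site.example.com", t_click)
    later = gw.decide("some-evil-phishing-site.example.com", t_click + 86400)
    known = gw.decide("mail.example.com", t_click)
    return first, later, known, dict(gw.stats)
```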