In this article, you will learn everything you need to know about the DNS Security - Endpoint module. DNS Security - Endpoint is based on the DarkLayer Guard engine, the world's most advanced endpoint DNS threat hunting tool, and boasts our Threat to Process Correlation technology, which allows you to spot the processes, users, URLs, and attacker origins used to infiltrate your network. DNS Security - Endpoint makes the DarkLayer Guard - Endpoint work in tandem with our VectorN Detection AI-based traffic pattern recognition engine to also give you HIPS/HIDS and IOA/IOC capabilities and spot hidden malware, completely independently of code and signatures.
1. Description
2. How does DarkLayer Guard - Endpoint work?
3. HEIMDAL Agent - DarkLayer Guard
4. DNS Security - Endpoint view
5. DNS Security - Endpoint settings
DESCRIPTION
DNS Security - Endpoint is responsible for filtering all network packets based on DNS request origin and destination. It replaces the manually set or DHCP-assigned DNS values with IP addresses from the Client Host IP Address range, effectively telling the computers to resolve DNS requests themselves. The original DNS values from the network card settings are not lost: they are saved under GUIDs in the Windows Registry and used when DNS requests are made towards internal resources (print servers, local file servers, or anything with a private IP address assigned) or external resources. The traffic filtering engine blocks malicious packets from communicating across the network, prevents man-in-the-browser attacks, detects zero-hour exploits, protects against data or financial exfiltration, and prevents data loss or network infections.
- Here is an example of how DarkLayer Guard's multi-layered protection works against malware, social engineering scams, and drive-by attacks:
DNS Security - Endpoint blocks malicious websites by making sure that users do not establish untrusted connections. If such a connection is made, an attacker is able to open backdoors into a PC by using zero-day exploits or by executing remote shellcode. The module also makes sure that data is not automatically filled into online forms belonging to fraudulent websites.
- An example of how DNS Security - Endpoint protects users from financially exploiting malware (banking trojans) can be seen below:
The DarkLayer Guard - Endpoint filter receives more than 800,000 new weekly updates to keep up with cybercriminals' threats. A filter update is provided every 2 hours. The update is based on a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes, and data gathered during e-crime analysis. This insight into cybercrime enables Heimdal to block data on a PC or network from being sent to a hacker-controlled server, therefore protecting corporate or personal data from exfiltration.
Heimdal does not share a full repository of the DNS detections due to the tremendous data volume of the AI Predictive DNS, hence VirusTotal will not necessarily show the Heimdal detection. You will have to rely on the Investigate mode in the Heimdal Dashboard.
HOW DOES DARKLAYER GUARD WORK?
On macOS, when DNS Security - Endpoint is enabled, the Heimdal Agent creates a DNS Proxy that filters the traffic just like the DarkLayer Guard engine.
In order for the DNS Proxy to be installed, the HEIMDAL Agent will require permission to install a DNS Profile.
IMPORTANT
This whole filtering process takes place in milliseconds and does not affect your internet connection speed.
HEIMDAL Agent - DarkLayer Guard
The HEIMDAL Agent displays information about the Prevented Attacks, the Targeted Processes, and the VectorN Detections.
When enabled, whenever a malicious domain is queried, a pop-up window is shown to the user. Clicking Click for the full details redirects the user to the HEIMDAL Agent's DNS Security -> DarkLayer Guard view.
The information displayed on the HEIMDAL Agent - DNS Security section is reported to the HEIMDAL Dashboard -> DNS Security - Endpoint view.
DNS Security - ENDPOINT view
The DNS Security - Endpoint view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks. You can navigate between multiple pre-filtered views to quickly and easily access the information that you need to process to analyze and remediate potential vulnerabilities.
The collected information is placed in the following views: Standard, Threat Type, Hostname/Latest Threats, TTPC, Category Blocks, and Full Logging.
- Standard
The details displayed in the Standard view table are the following: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, and Risk Level. The Standard view is a complete overview of the total analyzed requests and prevented attacks, as well as a pre-calculated risk level for each device. All entries are identified by hostname, username, and IP address. The calculated risk score is based on the time frame selected in the HEIMDAL Dashboard and offers a great way to visualize and measure the impact of the awareness training and security procedures that you facilitate in your organization, as you can track the changes in your high-risk users' behavior over time.
The Analyzed Requests represent the total DNS requests intercepted by the HEIMDAL Agent (whether they are blocked or allowed). The Prevented Attacks represent the DNS requests that are blocked by the HEIMDAL Agent, while the Allowed Requests represent the DNS requests that are allowed (whitelisted).
- Threat Type
This view displays a table with the following details: Threat Type, Number of matches, Most Targeted Hostname, and Username. The Threat Type view has all entries sorted into types of threats and the number of times the specific threat type has been seen in your environment. You also get quick visibility of the host and user that have been targeted the most by the mentioned threat type. This can be used to gain a quick overview of the severity of the threats currently encountered and will greatly help a security team prioritize their high-level remediation efforts.
- Hostname/Threats
This view displays a table with the following details: Hostname, Username, Domain Blocked, Threat Type, and Number of matches. The Hostname/Threats view is broken down into individual threats on specific hosts, including the associated Domain Name and the number of times that DarkLayer Guard has blocked the threat on that Host and User. This can be used to gain a detailed visualization of which devices are currently the most targeted and offers a security team direct insight into which devices they need to focus on protecting first.
- Latest Threats
This view displays a table with the following details: Hostname, Username, Threat Type, Threat Source, TTPC, and Date. The Latest Threats view offers detailed information about each individual block performed by DarkLayer Guard, including the Threat Type, the associated Domain Name, and the Process Correlation captured on the affected host. This information is pre-filtered by time and date and is the place to get a real-time view of what is currently happening in the environment, as the latest attacks are inserted at the top of the page.
- TTPC
This view displays a table with the following details: TTPC Detections, Number of matches, Most Targeted Hostname, Username, Most Frequently Detected Infected Domain, and Last Match. The TTPC or Threat To Process Correlation view brings forth the specific potentially infected process used in the blocked attack, complete with the affected user and host, the implicated Domain Name, the timestamp of the attack, and the full file path, so that you can quickly locate the potentially infected file responsible for the process. If you are using Heimdal's Next-Gen antivirus, you are able to quarantine the process file remotely with just a few clicks, straight from the TTPC view. You are also able to upload the process file to the cloud for malware analysis or to exclude a file that has been deemed legitimate. To assist a security team with further threat hunting, quick toggle shortcuts give easy access to additional intelligence about the implicated domains. Additional information such as IP addresses, full URLs, and other resolved domains connected to them can be viewed straight on the page. It is also possible to navigate directly to Heimdal's Investigate view or to use VirusTotal's third-party threat intelligence.
- Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains. The Category Blocks view presents a consolidated overview of all hits on the preset Category Filters. This view makes it easy to manage the chosen Categories, get a visualization of their impact, and identify users whose online behavior does not fit the organization.
- Full Logging
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and Total Hits.
- Investigate
This view allows you to get DNS-related statistics on any domain you enter in the search field. The view is split into the following subsections:
a. Global Threat Intelligence - displays the top 3 processes that accessed the domain most often, the DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted via DNS-E), the Global DNS-E matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E in the Global Heimdal Security database), the domains/URLs related to the same IP address, the DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N), and the Global DNS-E + DNS-N matches (the number of times, in the selected timeframe, the domain has been intercepted by DNS-E and DNS-N in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100), corroborated with the presence of the domain in question on the DNS Security - Endpoint blocklist (blocklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score shows a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of the top public IP addresses that called the domain in question (the origin of the DNS queries to that domain).
- App Discovery
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints. App Discovery can be used as a cloud access security broker (CASB) that provides a comprehensive set of capabilities to help you manage and control the use of cloud apps across your organization - including visibility into inappropriate cloud app usage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
DNS Security - ENDPOINT settings
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
General Settings
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s), it reverts to automatic DNS (served by DHCP). By default, this option is disabled, and DarkLayer Guard should work just fine on any type of computer. It is recommended only if you use a VPN product/service that resets the DNS IP address (after disconnecting) and sets the NIC's DNS to Obtain DNS server address automatically.
This option is NOT recommended if:
- You use a static DNS IP Address(es) on your NIC;
- You are applying it to a Domain Controller/DNS Server.
Use default loopback address - this feature tells DarkLayer Guard to set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This forces the DarkLayer Guard engine to intercept traffic on a single adapter. This setting helps ensure compatibility between DNS Security - Endpoint and certain VPN products, as well as other software you may use, such as virtualization products;
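As an added check (example script, not Heimdal's own tooling) that assumes Windows with the DnsClient module: it lists each active NIC and reports whether its DNS servers are the DarkLayer Guard interception addresses described above, which is the quickest way to confirm the engine is still in the resolution path after a VPN client has reset the DNS settings.

```powershell
# Added example, not part of the Heimdal Agent. Assumes Windows 8 / Server 2012 or later
# (Get-NetAdapter and Get-DnsClientServerAddress are available).

# Address shapes this article says DarkLayer Guard places on the NIC(s):
#   127.7.7.x (IPv4) and an fe80:: link-local address (IPv6) by default, or
#   127.0.0.1 / ::1 when "Use default loopback address" is enabled.
# Note: any fe80:: entry is treated as DarkLayer Guard here; a router-advertised
# link-local resolver would also match, so refine this to the exact address seen on
# your endpoints if you have one.
$dlgIPv4 = '^127\.7\.7\.\d{1,3}$|^127\.0\.0\.1$'
$dlgIPv6 = '^fe80:|^::1$'

function Get-DlgDnsStatus {
    foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
        # Collect IPv4 and IPv6 resolver entries for this interface together
        $servers = @(Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex |
            ForEach-Object { $_.ServerAddresses })
        $intercepted = @($servers | Where-Object { $_ -match $dlgIPv4 -or $_ -match $dlgIPv6 })
        $others      = @($servers | Where-Object { $_ -notmatch $dlgIPv4 -and $_ -notmatch $dlgIPv6 })

        # Intercepted    : only DarkLayer Guard addresses, resolution goes through the engine
        # Mixed          : engine address present but another resolver is also configured
        # NotIntercepted : what you see after a VPN client has reset the DNS back to DHCP or
        #                  static values (the case the Force DHCP DNS usage option exists for),
        #                  or when the engine is switched off
        $state = if ($intercepted.Count -gt 0 -and $others.Count -eq 0) { 'Intercepted' }
                 elseif ($intercepted.Count -gt 0) { 'Mixed' }
                 else { 'NotIntercepted' }

        [pscustomobject]@{
            Interface  = $nic.Name
            DnsServers = ($servers -join ', ')
            State      = $state
        }
    }
}

Get-DlgDnsStatus | Format-Table -AutoSize
```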
Compatibility Settings
Pause DarkLayer Guard when Cisco Secure Endpoint connector is detected - this feature pauses the DarkLayer Guard engine while the endpoint is connected to the Cisco Secure network. DNS filtering is automatically re-enabled after disconnecting from Cisco;
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates to the filtering database;
Domains allowlist - this feature allows the HEIMDAL Dashboard Administrator to allowlist a domain that is blocked by Heimdal™ DNS Security. You can allowlist domains, subdomains, top-level domains (.com, .co.uk, etc.), or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,], and they need to be listed on the same row).
Domains blocklist - this feature allows the HEIMDAL Dashboard Administrator to blocklist a domain that Heimdal™ DNS Security - Endpoint does not consider a threat, or to block access to a specific domain. You can blocklist domains, subdomains, top-level domains (.com, .co.uk, etc.), or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,], and they need to be listed on the same row).
IMPORTANT
Do not use the DarkLayer Guard - Endpoint engine in combination with another DNS traffic scanning application because they might conflict with each other and none of them will work correctly. We recommend you disable other traffic scanning applications installed locally before you enable Heimdal's DarkLayer Guard engine.