As the cyber threat landscape continues to evolve at an unprecedented pace, organisations are finding themselves in a ‘two-speed’ security environment. In one lane, threat actors are leveraging emerging technologies such as generative AI to their advantage, increasing the frequency and sophistication of their attacks. On the other, organisations themselves are racing to harness the same technology in order to bolster their resilience. It’s often unwise to fight fire with fire, but in this instance, it’s an absolute necessity.
This ‘arms race’ comes at a time when cyber threats are already on the rise. Infoblox’s 2023 Global State of Cybersecurity report revealed that more than 60% of organisations worldwide suffered at least one data breach in the past year, with the average cumulative loss for each organisation standing at around $2 million. Phishing was the top attack vector, accounting for more than 80% of breaches.
Phishing, which uses social engineering tactics, fraudulent emails, and ‘lookalike’ domains to mimic legitimate websites, has become a major cause for concern. In fact, in a recent paper, Forrester announced that gaining application, user and device context was one of the biggest challenges now facing security teams. By weaponizing generative AI and the large language models (LLMs) that underpin it, threat actors can scale their attacks with greater speed and complexity than ever before. Without the means to understand who or what is connecting to a network – and what data is being accessed – organisations are left blind.
In this article, we will delve into the threats and opportunities presented by generative AI in cybersecurity, drawing particular attention to the role of protective DNS and how AI can enhance DNS security. Every device, every app, every link relies on DNS. This universality makes DNS an ‘easy target’, but also a powerful line of defence.
The threat of AI-powered phishing
Generative AI, particularly models like GPT-4, represents a transformative leap in AI capabilities. GPT-4 can generate human-like text based on the information it’s trained on, enabling businesses to automate content creation, enhance customer service through advanced chatbots, and streamline decision-making processes by providing data-driven insights. By harnessing the power of GPT-4, businesses can achieve greater efficiency, foster innovation, and tailor their offerings more precisely to customer needs, all while reducing operational costs.
However, large language models (LLMs) like GPT-4 can also be exploited by threat actors for malicious purposes. For instance, models can craft sophisticated social engineering narratives consisting of convincing emails, messages, or fake websites that play the “long game” and manipulate victims over time into taking actions they wouldn’t ordinarily take, such as sharing passwords or transferring funds. This is a step up from a basic phishing email which, while potentially convincing, is easily avoided with the proper filters and staff training in place.
Imagine a scenario where a threat actor meticulously gathers information for a spear-phishing attack. They craft a convincing lookalike domain and, using generative AI, forge a set of emails so authentic they appear to be from a trusted vendor or someone within the organisation. The target, unsuspecting, engages with these emails and clicks through to a fake landing page or lookalike domain. This could be disastrous, but if protective DNS measures are implemented by the target’s company, that lookalike domain can be intercepted and neutralised before anybody engages with it.
This goes hand in hand with the rising trend of “lookalike” domains, designed to deceive even the most discerning eye. These domains often mimic internal websites, business partners, or legitimate software-as-a-service (SaaS) applications, making them potent tools for spear phishing and smishing attacks. Generative AI can be used to create thousands of sophisticated lookalike variants, using various methods such as SMS messages, phone calls, direct messages on social media, emails, and QR codes to deploy them.
In a recent report, Infoblox identified and curated more than 300,000 lookalike domains between January 2022 and March 2023 to highlight the scale of the problem and the sophistication of the methods being used. It revealed that more than 10,000 organisations had been targeted, including banks, government services, delivery companies, software providers, and more. Another study revealed the growing use of generative AI, including ChatGPT, by threat actors to create increasingly authentic and convincing phishing attacks.
The democratised nature of generative AI also means that the barrier to entry for cybercrime has been lowered. Not only are existing threat actors and groups enhancing their capabilities but more threats are being added to the mix. What happens when unique malware and toolkits can be mass-produced by average hackers? Or when attackers are able to exploit vulnerabilities in mere minutes rather than days? The industry must brace itself for these eventualities.
The role of protective DNS
A DNS query is the process by which a device translates a human-readable domain name, like “example[.]com”, into an IP address that it can use to locate the website on the internet. In the context of phishing, attackers often create fake or “lookalike” domains to deceive users into providing sensitive information. By monitoring DNS queries, security systems can detect and flag these malicious domains, preventing them from resolving and thereby stopping users from accessing these deceptive sites. When a user unknowingly clicks on a phishing link, the DNS query can act as a safety net, blocking threats earlier by not establishing a connection to the malicious site and safeguarding the user’s data – this is protective DNS in action.
When DNS is compromised, the consequences can be catastrophic. However, the same ubiquity that makes DNS a target for attackers also offers a unique vantage point for defence. By monitoring DNS data, it’s possible to detect and thwart malicious phishing attempts at their inception, regardless of their delivery method.
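To make the lookalike-domain problem and the protective DNS decision described above concrete, here is an added example (constructed for this article, not Infoblox’s product code): a toy resolver policy that checks each queried name against an explicit blocklist and a handful of lookalike heuristics (TLD swap, homoglyph substitution, single-character typos, and a brand name embedded in another domain) before deciding whether it may resolve. The protected brands, the blocklist and the two-label stand-in for a registrable domain are all simplifying assumptions.

```python
"""Toy protective-DNS policy check (constructed example, not Infoblox product code)."""

# Constructed sample data: brands we defend and one known-bad domain.
PROTECTED = {"example.com", "vendor-pay.com"}
BLOCKLIST = {"evil-phish.net"}

def normalize(label):
    """Fold common homoglyph substitutions so 'examp1e' and 'exarnple' read as 'example'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(str.maketrans("0135", "olse"))

def edit_distance(a, b):
    """Plain Levenshtein distance; catches single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(fqdn):
    # Last two labels stand in for the registrable domain (no public-suffix list here).
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])

def lookalike_reason(fqdn):
    """Return why fqdn resembles a protected brand, or None if it does not."""
    domain = registrable(fqdn)
    if domain in PROTECTED:
        return None                                   # the genuine domain always resolves
    name, _, tld = domain.rpartition(".")
    # Labels of the full name plus hyphen-separated tokens of the registrable name.
    labels = set(fqdn.lower().rstrip(".").split(".")) | set(name.split("-"))
    for prot in PROTECTED:
        pname, _, ptld = prot.rpartition(".")
        if name == pname and tld != ptld:
            return f"tld-swap of {prot}"
        if normalize(name) == pname:
            return f"homoglyph of {prot}"
        if edit_distance(name, pname) <= 1:
            return f"typo of {prot}"
        if pname in labels:
            return f"brand-embedding of {prot}"
    return None

def resolve_policy(fqdn):
    """Protective-DNS decision for one query: ('block', reason) or ('allow', 'no match')."""
    if registrable(fqdn) in BLOCKLIST:
        return "block", "blocklist"
    reason = lookalike_reason(fqdn)
    return ("block", reason) if reason else ("allow", "no match")
```

A real deployment would back the brand list with threat intelligence and a proper public-suffix list, and log every block decision so analysts can review which heuristic fired.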
Bolstering DNS detection and response with AI
Harnessing the power of AI can further enhance DNS detection and response. The same technology that underpins generative AI can be used to amplify monitoring capabilities, identifying patterns and anomalies that might indicate malicious activity. Domains registered well in advance of an attack can then be flagged and monitored. Machine learning algorithms, combined with human expertise, can sift through vast amounts of data to pinpoint these potential threats and proactively shut them down.
The recently identified Decoy Dog malware is a significant threat to enterprise networks, but its detection underscores the critical role of protective DNS cybersecurity. Originating as an advanced version of the “Pupy RAT,” Decoy Dog utilises DNS for its command-and-control operations. This reliance on DNS highlights the system’s dual nature: while it can be exploited for malicious activities, it also serves as a potent line of defence. By monitoring and analysing DNS queries, potential threats like Decoy Dog can be identified and neutralised early.
As organisations try to operate as efficiently as possible, the lines between networking and cybersecurity continue to blur, and the need to unite the two under one umbrella has become clear. By contextualising real-time user and endpoint activity, using functions such as AI-powered DNS querying, it’s possible to eliminate network and security bottlenecks, streamlining security operations so that they’re fit for a world that never stops.
While the rise of generative AI presents undeniable challenges, it also offers opportunities. By embracing the power of DNS and integrating AI-driven insights, organisations can collectively forge a path to a more secure digital future.
Anthony James is a seasoned technology and marketing executive with 20+ years of marketing and product experience in the cybersecurity industry. He leads as Infoblox’s VP of Product Marketing, and has held multiple executive leadership roles in Marketing and Product Management across a variety of security startups and well-known organisations, including FireEye, Fortinet, Cyphort and TrapX, to name a few.