The Securd Greywall reduces risk by temporarily preventing unwitting end-users from interacting with domains,
hostnames, and URLs that have zero history or reputation, or that were generated by an
algorithm. Here is an example of how it protects a user who unwittingly clicks on a phishing link.
A threat actor registers a domain and, within 15 minutes, launches a phishing campaign. An unwitting target end-user is tricked into clicking on a phishing link. The end-user attempts to visit https://some-evil-phishing-site.example.com/phishing-attack/login.html
Endpoint Initiates A DNS Lookup
The end-user's system attempts to access the domain some-evil-phishing-site.example.com. For the endpoint to connect to the domain, it must first obtain an A record with an IP address.
Securd Order of Operations
Before the Greywall feature in Securd allows its DNS server to resolve the query, it runs the relevant checks to allow or deny it.
For example, the Greywall determines whether a DNS query for some-evil-phishing-site.example.com has been observed before, and whether some-evil-phishing-site.example.com has characteristics that prevent it from being implicitly trusted.
If the DNS query matches any block criteria, it is denied. The user is redirected to a block page explaining why the query was denied, and all blocked traffic is logged for a security administrator to review.
Based on Policy, Securd Releases the Greywalled Domain
Once the Greywall criteria for some-evil-phishing-site.example.com expire, the Securd Greywall allows a DNS query for it to continue. With Securd, this leads to additional measures to ensure that some-evil-phishing-site.example.com is not an active threat; the Greywall is just one of many layers of protection.
If the DNS query does not match any additional criteria in the security policy, the Securd global recursive DNS servers continue to process and resolve the request. The acceptance is recorded in the passive DNS logs, which are available for review and analysis in the Securd Portal.
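The order of operations above, modelled as an added Python example that is not Securd's code: a toy resolver front-end that holds never-before-seen domains for a quarantine window, keeps algorithmic-looking labels held for further checks, logs every denial for the administrator, and records accepted queries as passive DNS. The 24-hour hold, the entropy heuristic standing in for "generated by an algorithm", and all domain names are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from math import log2

# Policy values below are constructed assumptions, not Securd's actual settings.
GREYWALL_HOLD = timedelta(hours=24)   # how long a never-before-seen domain stays greywalled
ENTROPY_LIMIT = 4.0                   # crude stand-in for "label looks algorithmically generated"


def label_entropy(qname: str) -> float:
    """Shannon entropy (bits per character) of the leftmost DNS label."""
    label = qname.lower().split(".")[0]
    n = len(label)
    return -sum(c / n * log2(c / n) for c in Counter(label).values())


class Greywall:
    """Toy model of a greywalling recursive resolver's allow/deny decision."""

    def __init__(self, first_seen: dict, blocklist: set):
        self.first_seen = dict(first_seen)   # domain -> datetime it was first observed
        self.blocklist = set(blocklist)      # explicit policy blocks, never released by age
        self.block_log = []                  # (when, domain, reason) for administrator review
        self.passive_dns = []                # (when, domain) for accepted queries

    def decide(self, qname: str, now: datetime) -> tuple:
        """Return ("allow"|"deny", reason) for a query observed at time `now`."""
        qname = qname.lower().rstrip(".")
        seen = self.first_seen.setdefault(qname, now)   # zero history -> record first sight
        age = now - seen
        if qname in self.blocklist:
            reason = "matches security policy blocklist"
        elif age < GREYWALL_HOLD:
            reason = f"greywalled: first seen {int(age.total_seconds() // 60)} min ago"
        elif label_entropy(qname) > ENTROPY_LIMIT:
            # Hold expired, but the name cannot be implicitly trusted; keep it greywalled
            # until additional checks clear it.
            reason = "greywalled: label looks algorithmically generated"
        else:
            self.passive_dns.append((now, qname))
            return ("allow", "resolved and recorded in passive DNS")
        self.block_log.append((now, qname, reason))
        return ("deny", reason)
```

The phishing domain in the walkthrough is denied at 15 and 30 minutes after registration, then released once the hold expires; a blocklisted name is never released.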