Catching Threats at “Inception”

  • General
  • 8 minute read

DomainGuard believes the cyber security industry needs to embrace a proactive approach to security controls. Proactive, continuous monitoring can help prevent a breach, just as a healthy diet, daily exercise, and an appropriate amount of sunlight help reduce disease. Read on to learn why proactive monitoring controls matter.

The “Set It and Forget It” Mentality

We all like to believe that technology alone will solve our security problems. So what do we do? We buy the “latest and greatest, Gartner-recommended, top MITRE ATT&CK-evaluated” security products under the illusion that they will alleviate our security woes. These products can mitigate and stop threats, but the reality is that most can be bypassed, coverage has blind spots, and the human element can still be manipulated by a convincing cyber-criminal.

Security engineers and analysts are fighting an endless battle: they must understand an ever-changing threat actor and cannot rely entirely on the historical indicators of compromise (IoCs) these tools generate.

A false sense of security can quickly take hold in an organization when everyone believes they are covered by the alphabet soup of security products (XDR, EDR, AV, DLP, IDS/IPS, WAF, MFA, BAS). I have seen incidents where the attacker figured out a creative way to breach the perimeter, and senior leadership questioned how that was possible as “we have every product and spend X millions of dollars every year.” There were many engagements where my team and I bypassed defensive controls due to lack of coverage, human mistakes (tricking the SOC), or some other process or procedural deficiency. Do not assume that once these products are installed they will keep operating as they did on day one; your technology landscape changes constantly. They need continuous tuning and upkeep, which means more time and more money.

Reactive Thinking

We’ve seen the industry take a largely reactive approach to security for far too long.

  • We react after a phishing campaign has successfully reached our employees or customers.

  • We react after a forgotten asset was compromised on the internet because we lacked continuous visibility of our external exposure.

  • We react after personal customer data has been leaked to the public.

  • We engage response teams only after an incident has occurred so that we can eradicate the threat.

Why do we continue to be firefighters in cyber security? Because our reactive mindset gets in the way of forward thinking. “Why fix something if it is not broken?” wins out over performing preventative maintenance to extend the life of what we have. As threats against organizations, their people, and their customers continue to grow, reactive thinking is no longer the path forward.

Threat Inception

Every threat has a starting point, and we call this “Threat Inception.” Threat inception is the moment an entity or circumstance changes from benign to malicious, with the intent to cause harm to or abuse your organization. One practical example is the moment a registered domain begins hosting a clone of your organization’s website. Another is the moment a threat actor creates a DNS MX record for a lookalike domain of your organization, a sign the domain is being prepared to handle mail that targets your company. By identifying the threat at inception, your organization can act immediately and reduce the overall risk to you and your customers.

Below we outline several scenarios, comparing the traditional reactive security approach with a proactive approach that lets your organization catch and eradicate threats at inception.

Scenario: We’ve Been Phished

Reactive approach

  • Threat actors register a lookalike domain and use it in a phishing attack against your organization or your customers.

  • Your only chance to respond is after they have already phished your employees or customers.

  • In online retail or banking, fraud may have been going on for months before you find out.

Proactive approach

  • Actively monitor all registered lookalike domains for similarity to your brand.

  • Alert when malicious intent is identified on a lookalike domain from suspicious indicators such as a recent registration, a new MX record, cloned content, or logo abuse.

  • Ingest these lookalike domains into your email and web gateways so the domains cannot be used against your employees.

  • Initiate a take-down request with the registrar or hosting provider, providing evidence of abuse for prompt removal. This step protects your customers; remember, without customers you have no business.
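The monitoring and alerting steps above (and the MX-record and cloned-site examples in the Threat Inception definition) come down to two pieces of logic: generate the lookalike domains worth watching, then score what is observed about each one against the indicators listed. The following Python is an added example written for this page, not DomainGuard’s product or code. The brand domain, the homoglyph table, the affix list, the indicator weights and the alert threshold are assumptions; the observations are constructed rather than real registrations; and the content-similarity value is assumed to come from a separate page comparison that is not shown.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical brand domain for the example.
BRAND = "examplebank.com"

# Small homoglyph/typo table; a production list would be far larger (assumption).
HOMOGLYPHS: Dict[str, List[str]] = {
    "l": ["1", "i"], "i": ["l", "1"], "o": ["0"], "e": ["3"],
    "a": ["4"], "m": ["rn"], "b": ["d"], "n": ["m"],
}
ALT_TLDS = ["com", "net", "org", "co", "info"]
AFFIXES = ["login", "secure", "support", "verify"]   # assumed common phishing affixes


def lookalike_candidates(domain: str) -> Set[str]:
    """Generate the lookalike domains worth monitoring for `domain`.

    Covers omission, adjacent transposition, homoglyph substitution,
    affix insertion and TLD swap, the common squatting techniques.
    """
    label, _, tld = domain.partition(".")
    out: Set[str] = set()
    for i in range(len(label)):                        # omission: exampebank.com
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for i in range(len(label) - 1):                    # transposition: exmaplebank.com
        s = list(label)
        s[i], s[i + 1] = s[i + 1], s[i]
        out.add(f"{''.join(s)}.{tld}")
    for i, ch in enumerate(label):                     # homoglyph: examp1ebank.com
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
    for affix in AFFIXES:                              # affix: examplebank-login.com
        out.add(f"{label}-{affix}.{tld}")
        out.add(f"{affix}-{label}.{tld}")
    for t in ALT_TLDS:                                 # TLD swap: examplebank.co
        if t != tld:
            out.add(f"{label}.{t}")
    out.discard(domain)
    return out


@dataclass
class Observation:
    """What a monitoring job has learned about one candidate domain."""
    domain: str
    registered: Optional[date]    # None = not registered, nothing to watch yet
    has_mx: bool                  # MX record present: the domain can handle mail
    content_similarity: float     # 0.0 (nothing shared) .. 1.0 (identical), assumed precomputed
    logo_seen: bool               # brand logo found on the hosted page


# Weights and thresholds are assumptions for this example, not a standard.
NEW_DOMAIN_DAYS = 30
ALERT_THRESHOLD = 4


def score(obs: Observation, today: date) -> Tuple[int, List[str]]:
    """Return (risk score, matched indicators) for one observation."""
    if obs.registered is None:
        return 0, []
    total, reasons = 0, []
    if (today - obs.registered).days <= NEW_DOMAIN_DAYS:
        total += 2
        reasons.append("newly registered")
    if obs.has_mx:
        total += 2
        reasons.append("MX record present")
    if obs.content_similarity >= 0.8:
        total += 3
        reasons.append("cloned content")
    if obs.logo_seen:
        total += 2
        reasons.append("logo abuse")
    return total, reasons


def triage(observations: List[Observation], today: date) -> List[Tuple[str, int, List[str]]]:
    """Domains at or above the alert threshold, highest risk first."""
    hits = []
    for o in observations:
        risk, why = score(o, today)
        if risk >= ALERT_THRESHOLD:
            hits.append((o.domain, risk, why))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed observations for a demo run (not real registrations).
TODAY = date(2024, 6, 1)
SAMPLE = [
    Observation("examp1ebank.com", TODAY - timedelta(days=5), True, 0.95, True),
    Observation("examplebank-login.com", TODAY - timedelta(days=10), True, 0.2, False),
    Observation("examplebank.net", TODAY - timedelta(days=1100), False, 0.0, False),
    Observation("exmaplebank.com", None, False, 0.0, False),
]

if __name__ == "__main__":
    for domain, risk, why in triage(SAMPLE, TODAY):
        print(f"{domain:24} score={risk}  indicators={', '.join(why)}")
```

The candidate generator gives you the watchlist to feed into your email and web gateways; the scorer is what turns a harmless parked registration into an alert the moment an MX record or cloned content appears, which is exactly the inception point the post describes.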

Scenario: Forgotten Asset on the External Perimeter

Reactive approach

  • A threat actor discovers a vulnerability affecting Outlook Web Access (OWA).

  • Command and control is established on the IIS server hosting OWA, and is only noticed when an administrator reads a security blog about a recent OWA vulnerability being exploited and checks.

  • Management assumed OWA was no longer in use because the organization migrated to Microsoft 365 six months ago. Now everyone stops what they are doing to identify other servers that are affected.

Proactive approach

  • Continuously monitor your perimeter network (including cloud systems) with an attack surface management (ASM) solution.

  • Identify what should and should not be exposed based on business justification, and start removing assets and services that no longer have a purpose.

  • Do not rely solely on periodic vulnerability scans and your annual penetration test or red team engagement.

  • Continuously test your perimeter for exploitable vulnerabilities and fix them. Retest, and test again.

Scenario: No SOC Alerts This Week

Reactive approach

  • A threat actor has discovered a way into your network.

  • A custom backdoor has been implanted, and the threat actor’s activity triggers no alerts.

  • The threat actor has been in the network for three weeks, slowly collecting the data they want, before they finally trigger an alert.

  • An incident response team member investigates and notices that large volumes of data have already left the organization.

Proactive approach

  • Establish a threat hunting team that does not rely on chasing down alerts.

  • The hunting team proactively queries the top 10 longest network connections and the top 10 cumulative communication times between internal (private) and external (public) IP addresses.

  • The hunting team narrows the list down to the top two talkers and starts tracking their additional activity.

  • The hunting team confirms an active threat from one of the two IP addresses and kicks the attacker off the network before data is exfiltrated.
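The two hunt queries above can be run directly against connection logs. The following Python is an added example, not code from the original post or from DomainGuard. It parses a constructed handful of Zeek-style conn records (documentation addresses stand in for external hosts), filters to internal-to-external traffic using an assumed RFC 1918 list of internal ranges, and returns the longest individual connections and the top talkers by cumulative connection time.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple


class Conn(NamedTuple):
    """One connection record (a subset of the fields in a Zeek conn.log)."""
    ts: float
    src: str
    dst: str
    dport: int
    duration: float    # seconds the connection stayed open
    orig_bytes: int    # payload bytes sent by the originator (src)


class Talker(NamedTuple):
    pair: Tuple[str, str]   # (internal src, external dst)
    total_seconds: float    # cumulative connection time for the pair
    connections: int
    orig_bytes: int         # cumulative bytes the internal host sent out


# Internal address space; in practice this comes from the asset inventory.
# RFC 1918 is an assumption for this example. ipaddress.is_private is deliberately
# not used: it also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed records (ts src dst dport duration orig_bytes), not real traffic.
SAMPLE_LOG = """\
1717200000.0 10.1.4.22   104.18.32.7    443  12.5   4096
1717200010.0 10.1.4.22   104.18.32.7    443  8.1    2048
1717200020.0 10.1.9.8    203.0.113.45   443  3601.0 51200
1717200030.0 10.1.9.8    203.0.113.45   443  3590.0 49152
1717200040.0 10.1.9.8    10.1.0.5       445  7200.0 900000
1717203700.0 10.1.9.8    203.0.113.45   443  3580.0 50000
1717200050.0 10.1.2.3    198.51.100.10  80   0.4    300
1717200060.0 10.1.2.3    198.51.100.10  80   0.5    310
1717200070.0 10.1.7.7    192.0.2.99     8443 1800.0 12000
1717200080.0 172.16.5.5  192.0.2.99     8443 1700.0 11000
"""


def parse(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, dur, obytes = line.split()
        conns.append(Conn(float(ts), src, dst, int(dport), float(dur), int(obytes)))
    return conns


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound(conns: List[Conn]) -> List[Conn]:
    """Keep only internal -> external connections; east-west traffic is a separate hunt."""
    return [c for c in conns if is_internal(c.src) and not is_internal(c.dst)]


def longest_connections(conns: List[Conn], n: int = 10) -> List[Conn]:
    """Hunt query 1: the n longest-lived outbound connections."""
    return sorted(outbound(conns), key=lambda c: c.duration, reverse=True)[:n]


def cumulative_talkers(conns: List[Conn], n: int = 10) -> List[Talker]:
    """Hunt query 2: the n (internal, external) pairs with the most cumulative connection time.

    An implant that reconnects every hour may never top query 1 but accumulates here.
    """
    secs: Dict[Tuple[str, str], float] = defaultdict(float)
    count: Dict[Tuple[str, str], int] = defaultdict(int)
    sent: Dict[Tuple[str, str], int] = defaultdict(int)
    for c in outbound(conns):
        key = (c.src, c.dst)
        secs[key] += c.duration
        count[key] += 1
        sent[key] += c.orig_bytes
    talkers = [Talker(k, secs[k], count[k], sent[k]) for k in secs]
    return sorted(talkers, key=lambda t: t.total_seconds, reverse=True)[:n]


if __name__ == "__main__":
    conns = parse(SAMPLE_LOG)
    print("Longest outbound connections:")
    for c in longest_connections(conns, 3):
        print(f"  {c.src} -> {c.dst}:{c.dport}  {c.duration:.0f}s")
    print("Top talkers by cumulative time:")
    for t in cumulative_talkers(conns, 2):
        print(f"  {t.pair[0]} -> {t.pair[1]}  {t.total_seconds:.0f}s over "
              f"{t.connections} connections, {t.orig_bytes} bytes out")
```

Both queries skip east-west traffic, so the 7200-second SMB session between two internal hosts in the sample does not crowd out the real finding: one workstation holding three back-to-back hour-long sessions to the same external address. The internal ranges are listed explicitly rather than derived from `ipaddress.is_private`, which would misclassify the TEST-NET addresses used here as internal and silently drop them from the hunt.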

Wrap It Up

We have all fallen victim to reactive thinking, but it is time to change and to start thinking differently about cyber security. By knowing about a threat as soon as it arises, we can take proactive measures instead of reacting after the damage is done. This approach will not be perfect and will not prevent bad things from ever happening, but at least we can all feel better knowing we are doing the right thing for our company, our people, and our customers.

Now for our plug: DomainGuard is a proactive managed security provider whose threat detection capabilities focus on identifying threats at “Threat Inception.” If you would like to know more about how we are helping our customers, please reach out to us.
