5 Questions with Alexa Raad, Chief Operating Officer, Farsight Security

Alexa Raad
Chief Operating Officer, Farsight Security

1) You have built a distinguished career in the DNS field, including serving as founder and CEO of Architelos, Inc. and CEO of the Public Interest Registry. How did you first get interested in DNS?

I have been involved with the Internet one way or another since the mid 90's.  At that time, I worked at AT&T, which was a telecommunications behemoth known for its domination of long distance and toll-free services. In 1994, I was promoted to AT&T headquarters in NJ to work on a project which was to become AT&T's first foray into Internet access: WorldNet.  Since then, I worked on directory services, as well as some of the earlier e-commerce enablement systems such as an electronic wallet.  By 2001, I was at Verisign working on an Internationalized Domain Names (IDN) testbed. At that time, the standards to enable the use of non-Latin scripts as domain names had not been finalized, and one method in use was the Row-based ASCII compatible Encoding (RACE).  To understand RACE and other approaches to enabling IDNs, I had to understand DNS.  So, in a way, you can say my first intro into DNS was a crash course. Since then, I have been interested and active in various uses of DNS (ranging from IoT to security) as well as issues related to its use and governance.

2) Organizations increasingly are using passive DNS to help reduce risk to their brands and improve detection-response time against cyberattacks. What factors are driving this rapid adoption?

Today there is a greater understanding of passive DNS and its use for combatting cyberattacks.  This evolution is due to several factors:

  • Greater understanding of DNS amongst public and private enterprises as well as consumers.  For example, take the debate over the FCC's rules on allowing ISPs to monetize the browsing data of their customers.  The debate about Internet privacy has led some consumers to become more educated about DNS and their browsing data and what it means for their privacy.  As a result, compared to a few years ago, there are now a lot more providers of recursive DNS services, and more consumers who adopt them.  Although we still have a lot more to go on consumer awareness and understanding of DNS, we are still well ahead of where we were even five years ago. Today enterprises also see the value of passive DNS to reduce risk to their organizations. In the past, there was a lack of communication between the SOC folks or those who were responsible for security and those who handled the enterprise's DNS needs.  With greater awareness and maturity, this approach is thankfully becoming a more outdated model.
  •  Bad actors are no longer lone actors with something to prove, but well-resourced criminal organizations, with well-defined targets, a particular profile or fingerprint and special motivations.  Although these motivations are very often commercial, they can also be political.  For example, take the Internet Research Agency and the recent controversy over counterfeit social media profiles to promote a phony or alternative narrative. The way one social media profile was put together was often a blueprint for how other counterfeit profiles were constructed. Or take the recent WannaCry ransomware attack. Although there is some debate as to exactly who the source is, hardly anyone attributes it to the work of a lone hacker.
  • These bad actors also tend to exhibit certain preferences: cheap domain names generated via Domain Generation Algorithms (DGA), IP proxy services, and/or registrars and hosting providers with lax security policies and enforcement. These are heuristic rules, and as a result only as good as their approximation of current reality, but because of this clustering or "guilt by association" behavior, you can draw inferences and look for certain markers, behaviors or clustering in passive DNS.
  • No matter how ingenious a cyberattack, it will inevitably leave footprints in the DNS...and although you can fake a website or even Whois info, you cannot fake DNS.
  • Dearth of security professionals means despite the rise in incidents, there is simply no way to throw more bodies at the problem.  The best approach is to make the resources you have be more and more effective than before.  This means investing in innovative tools to reduce detection time and help prevent new attacks.

3) Why is it so easy to abuse DNS? Is more Internet governance needed to protect this critical asset?

DNS was designed for scalability not security.  On the one hand, this design enabled the mass adoption of the Internet, but, on the other hand, it created some unintended consequences.  Some were design flaws that posed security risks such as the Kaminsky bug (a design flaw that allowed DNS cache poisoning) while others were well-intentioned decisions that had unintended consequences such as first-come, first-serve registrations (cybersquatting).  Internet and DNS use is no longer a luxury but a utility. Billions of people depend on the Internet and its infrastructure, the DNS, to communicate, get informed, and even make a livelihood.  Internet governance has evolved greatly since the early 2000's.  In order for it to be effective, it must be in lockstep with however the DNS is used, which means, by necessity, it is always behind.  Furthermore, since Internet governance is and should stay within a multi-stakeholder model, it means the process by which new policies are proposed and adopted takes time.  As a result, Internet governance cannot be our only shield against DNS abuse.  We need inventive tools to anticipate the next security threat and take actions to guard against it.

4) Most recently the domain name industry experienced a major change in that hundreds of new Generic Top Level Domains (gTLDs) were applied for and launched.  How do you think this impacts DNS security and the use of Passive DNS?

There had been relentless debate reaching back to the early 2000's on whether new generic Top Level Domains were needed, and what their impact would be on DNS abuse.  In some ways, many of the early predictions turned out to be unfounded. For example, despite the fear (or hope!) of many, brands did not spend billions securing their trademarks in every new gTLD.  On the other hand, the plethora of choice in gTLDs and the increased supply of potential new domain names, has meant lower prices and disruption of some industries built on the idea of scarcity (domaining).  It has also meant that the way some registries choose to compete is by giving away free domain names or providing incentives to registrars to price them so low as to be almost free.  This approach has lowered the economic barrier to entry for bad actors, which means we now see DNS abuse not just in the traditional TLD choices but also many of the new ones.  I believe the trend is for domain names to be more readily available (plentiful) and cheaper, but to recede into the background as Internet usage continues to evolve from the direct type or even type-in search to voice-and-motion directed search/navigation.  All these trends point to an even more complex threat landscape while Passive DNS becomes an even greater tool for threat hunting.

5) You joined Farsight a few months ago. What do you enjoy most about working at the company?  

To me, this is a question of "why" and not "what."  Although one of the reasons I joined Farsight is the massive brain trust the company has built, the most important reason why I joined Farsight has to do more with "Why". In other words, why is Farsight in business? What does it believe in, and do I believe the same?  Fundamental to everything Farsight does is the belief that current and future generations should have a reasonable expectation of safety when using the Internet.  And that expectation need not come at a cost of loss of privacy.  I hold the same beliefs, and I find when there is a fundamental belief that underpins whatever it is that you do, you are more likely to be fulfilled and feel a sense of purpose.  At the end of the day, that is what binds us, a sense that we are contributing to a greater good.
