Experts from Whalebone and ESET revealed the results of a DNS filtering test in their joint presentation at the IS2 Conference, an information security event held in Prague, Czech Republic. The test was run on a sample of 100,000 internet connections, representing around half a million connected devices in two countries, the Czech Republic and Slovakia.
Before, Whalebone had utilized Indicators of Compromise (IoC) generated via methods such as sandbox simulations, analysis of network traffic or utilizing known malware patterns. “We wanted to include detection data from endpoints as a new source of IoC, hoping for improved detection capability,“ said Robert Šefr, Whalebone’s Chief Technology Officer.
The test was aimed at confirming the expectation that including IoC from ESET Threat Intelligence would lead to new, previously unavailable detections – while keeping false positives at a minimum.
The test was run in the first quarter of 2018 and involved around 55,000 unique malicious domains in the tested IoC feed. Out of those, around 1100 domains were detected. 18.5% of the devices in the test made at least one attempt to contact a malicious domain from the feed; the overall number of incidents in the test was around 1.75 million. Out of those, around half (866,000 incidents, precisely 49.51%) were detected based solely on the IoC provided by ESET – i.e., without data from ESET, these incidents would have gone undetected. Only 0.47% of incidents were detected based on both ESET’s and original Whalebone data; the remaining 50.02% of incidents were detected independently from ESET.
Out of the 866,000 incidents detected based on the IoC by ESET, only one single domain blocking was found to be a false positive.
“The Whalebone test clearly showed that rigorous categorization of data, which is paramount for ESET, allows for both a high detection rate and keeping false positives close to zero,“ comments Peter Dekýš, ESET’s IT Security Director.
“The testing has shown that by including IoC from ESET Threat Intelligence, detections significantly increased, with false positives amounting virtually to zero. Overall, the test has proven that it is appropriate to use endpoint-sourced IoC for DNS-level protection”, concludes Whalebone’s Robert Šefr.