2025-06-18 Clientless multi-monitor VDI, like Thinfinity Workspace, empowers MSPs to boost revenue by offering high-productivity solutions. It simplifies access, enhances security, and meets demands for advanced multi-display setups in professional environments.
Continue reading
Imagine tapping your phone once at a rental car counter to instantly prove driving eligibility without revealing your address or full birth date. This is the reality of decentralized identity. Current identity systems force users to juggle passwords and encourage reuse, contributing to a 71% jump in credential-based attacks. Meanwhile, every corporate breach spills millions of sensitive records.
The alternative—Self-Sovereign Identity (SSI)—is emerging, driven by governments and industry. CISOs must prepare for Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) to future-proof their security architecture.
Today, third parties control your digital identity (HR issues your badge, banks issue account numbers). Decentralized Identifiers (DIDs) flip this model. A DID is a persistent, globally unique identifier that you own and control via cryptographic keys. Nobody can create or take away your DID.
Security Impact: Attackers favor centralized databases because one breach yields massive payouts. With DIDs, the sensitive identity information is distributed across individual digital wallets, forcing attackers to target individual endpoints—a much less scalable endeavor.
Like a physical driver’s license or diploma, a Verifiable Credential (VC) proves something about you. VCs are digital and highly secure because they carry a digital signature from the issuer (e.g., your university or the DMV). Anyone can check this signature instantly.
Crucially, VCs improve privacy. Unlike a physical license which reveals everything, a digital VC can use zero-knowledge cryptography to prove, for example, “This person is over 21” without exposing the address, full name, or exact birth date.
VCs simplify slow customer and employee onboarding. Instead of manual document checks and phone calls, enterprises accept credentials that come pre-verified. This translates to faster customer onboarding (fewer abandoned processes), quicker employee verification (faster productivity), and higher accuracy (digital credentials are harder to fake than paper).
Decentralized identity tackles the “honeypot” problem. Instead of hoarding sensitive data (passports, SSNs) to authenticate users, VCs allow you to verify information without storing it permanently. This dramatically reduces your attack surface and shrinks your compliance burden under privacy regulations.
Users gain control and trust when they manage their own credentials. Replacing account creation and passwords with presentation of a trusted credential from a digital wallet is faster and more secure. This also facilitates passwordless authentication.
Action: Educate security, IT, and compliance teams on DIDs and VCs. Identify areas where decentralized identity could solve key bottlenecks, such as customer onboarding or employee credential verification. Engage with industry standards groups like the W3C.
Action: Select one high-value, manageable use case (e.g., digital degree verification for a specific department). Define clear success metrics (faster verification, happier users). Partner with a vendor or use open source tools to build prototype systems for issuance or verification. Document integration challenges.
Action: Plan broader integration with existing IAM infrastructure. Build trust registries (determining which issuers to trust). Update user-facing flows to handle “Sign in with Digital ID.” Focus on handling both new and legacy authentication methods smoothly. This aligns perfectly with a Zero Trust approach by continuously verifying credentials for every access request.
Digital identity is moving from centralized control toward decentralized trust. CISOs and enterprise security leaders have an opportunity to lead this transition. Organizations that prepare now will be better positioned to capitalize on security, privacy, and efficiency benefits.
Segura® delivers an identity security platform built to support verifiable credentials, DIDs, and distributed trust. By offering fast deployment and unified identity controls, Segura® provides the adaptability security teams need to make this transition safely and efficiently.
About Segura®
Segura® strive to ensure the sovereignty of companies over actions and privileged information. To this end, we work against data theft through traceability of administrator actions on networks, servers, databases and a multitude of devices. In addition, we pursue compliance with auditing requirements and the most demanding standards, including PCI DSS, Sarbanes-Oxley, ISO 27001 and HIPAA.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Following our previous series on DNS security, this guide steps deeper into one of the quieter but more consequential axes attackers use: the DNS layer as a persistent communications and data channel. For SOC analysts, CISOs, and threat intelligence teams, DNS is rarely just “name resolution.” When adversaries use DNS for Domain Generation Algorithms (DGAs), tunneling, or command-and-control (C2), they exploit the protocol’s ubiquity and gaps in visibility stacks.
MITRE released major updates with ATT&CK v17 (April 2025) and v18 (October 2025), introducing refined detection strategies, enhanced analytics, and expanded coverage of stealthy persistence tactics. This article spotlights these emerging concepts, particularly where we can deliver actionable mitigations and visibility gains.
MITRE ATT&CK is the lens SOCs use to translate telemetry into a common story: what adversaries tried to do. This framing converts “we saw DNS noise” into “we saw T1071.004-style behavior likely supporting C2.” The taxonomy has matured from “what adversaries do” into “how to reliably detect what they do.”
The evolution is directly visible in the new DET0400 detection strategy: Behavioral Detection of DNS Tunneling and Application Layer Abuse (Technique: DNS | T1071.004). DET0400 packages the detection problem behaviorally: look for DNS-specific patterns (high entropy labels, anomalous query frequency/timing, encoding) and map those behaviors to concrete analytics across Windows, Linux, macOS, and network devices.
DGAs produce pseudo-random domains that look statistically abnormal. They map to Reconnaissance tradecraft and are often an earlier link in a C2 chain. Detection requires temporal aggregation and enrichment with passive DNS and threat-intel feeds.
Here, the payload rides in the query or response (e.g., TXT records, Base32/Base64-encoded blobs). Behavior includes small, frequent queries with unusual label lengths, or low-volume but high-entropy replies. DET0400 targets this by flagging anomalous query shapes and timing beacons.
This involves slicing data into small, encoded parts and ferrying it out via irregular TXT/NULL responses or steadily increasing query rates. These actions intersect with both C2 and Exfiltration tactics. Detection emphasizes chaining DNS anomalies to host process context to reduce false positives.
Proper DNS-layer telemetry and DET0400-style analytics let you disrupt adversaries across three critical phases:
Reconnaissance involves an operator learning your network edges (which hostnames exist, resolver behavior, etc.). Detection relies on passive DNS history to spot “first-seen” timestamps, clusters of never-before-seen subdomains, and statistical anomalies (DGAs) that test the edges of your allowlist. SafeDNS aids by exposing “newly observed” signals and pDNS history for early DGA detection.
This is the home base for DNS tunneling. The wire takes on a metronome quality: machine patience, coded labels, and answers that carry just enough data to keep the conversation going. Detection requires behavioral modeling of inter-arrival timing, label-length distributions, and entropy fingerprints—not just static domain blacklists. SafeDNS applies behavioral analytics to identify C2 traffic by shape and correlates it with host process context.
Exfiltration over DNS is patient, slicing data into encoded labels. Volume alerts miss it. Detection must track label length and variance over time, focusing on irregular TXT/NULL records used as a return path. Tying these streams back to host process context (e.g., a suspicious child process reading an archive) turns a “maybe” into a high-fidelity alert. SafeDNS monitors record types, label lengths, and query cadence per host to distinguish smuggling from legitimate traffic.
Evasion is pressure applied to your visibility model: moving DNS into DoH/DoT to starve inspection, using timing jitter to defeat cadence rules, or simply using a custom resolver to bypass policy. The architectural counter is to be explicit about encrypted resolvers and treat traffic shape as a first-class signal. SafeDNS enforces strict resolver policies and applies behavioral analytics that look for non-human DNS patterns, even when content is opaque.
These often leave early fingerprints: fast-rotating domains, newly observed zones that bloom and die within a week, brand-spoof models (combosquats). Watching these patterns allows preemption before the payload lands. SafeDNS brings pDNS history and infrastructure context into filtering policies, exposing “newly observed” and “suspicious lifecycle” signals to the intelligence pipeline.
MITRE’s evolution with DET0400 validates a crucial lesson: the fight is won where telemetry is rich and close to the adversary’s lifeline. DNS is no longer a hygiene checkbox—it’s a primary detection surface.
The mandate is operational: a modern SOC that claims ATT&CK coverage without first-class DNS telemetry is arguing with the framework’s direction. Conversely, a SOC that aligns detections to T1071.004 via DET0400 is moving with the current.
By correlating DNS telemetry to MITRE ATT&CK, SafeDNS helps SOCs make protection coverage visible across Reconnaissance → C2 → Exfiltration. This includes pDNS-backed history for early DGA signals, behavioral analytics that flag C2 conversations by shape, and alerts enriched with process context for decisive, auditable response.
About SafeDNS
SafeDNS breathes to make the internet safer for people all over the world with solutions ranging from AI & ML-powered web filtering, cybersecurity to threat intelligence. Moreover, we strive to create the next generation of safer and more affordable web filtering products. Endlessly working to improve our users’ online protection, SafeDNS has also launched an innovative system powered by continuous machine learning and user behavior analytics to detect botnets and malicious websites.
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
Click one of our contacts below to chat on WhatsApp
