When the Syrian Electronic Army (SEA) hijacked the website of The New York Times (NYT) earlier this week, causing its domain name system (DNS) records to be redirected, the nature of the attack was a direct example
David Ulevitch, founder and CEO of the San Francisco-based OpenDNS, said his company was involved in helping the newspaper recover from the attack, but what he came away wanting to emphasize (perhaps not unexpectedly) was that OpenDNS users never got redirected in the way that other would-be readers of NYTimes.com were. "As soon as the site got redirected to a new IP, we detected that a super-popular, super-stable, infrequently changing domain on the Internet was all of a sudden redirected to a suspicious IP address in another country, and we automatically flagged it to be blocked. None of our customers ever went to the redirected site."
In other words, rather than watch for suspicious looking elements in HTML pages, scanning them as they arrive to be delivered to the browser, OpenDNS is looking at its population of fifty million daily users and "trying to build a picture of what's good and what's bad on the Internet," Ulevitch said. "We've built this massive Hadoop cluster -- I think we're approaching a petabyte of storage, we're putting in three-and-a-half terabytes per day -- and what we do is create 'classifiers' that tell us where people who aren't infected are spending their time on the Internet, along with where people who are infected are spending their time on the Internet."
The big data component of the arrangement, OpenDNS's Umbrella Security Graph, was released back in February of this year. However, the connection between this analytic capability and the ability to automatically incorporate that data into the OpenDNS Umbrella service (which enforces access policies that prevent its users from arriving at malicious destinations) has only rolled out in the past couple of weeks.
The Times was presumably reasonably locked down as far as its internal network defenses were concerned, given that it was, in the last quarter of 2012, the target of attacks later attributed to China. In that instance, the hackers installed malware enabling access to any computer using the NYT network, providing access to 53 personal computers used by employees at the newspaper. SEA's attack, alas, simply ensured that the The Times' network was altogether bypassed.