This is a very good question that really needs to be answered on two levels:
- Theoretical Threat
- Practical Threat
Theoretical Threat
In theory, a site that the Inspector deemed safe could become infected over time, and the current entry in the dynamic allowlist rule would then become a possible ingress vector. For this reason adam:ONE® applies a layered approach that falls back to the next-best protection: DNSharmony®. Before a DNS query is finally resolved, it is checked against an aggregate of the best threat intelligence in the world (built by combining the best threat intelligence sources of your choice). Alternatively, you can fall back to a third-best option: a single other resolver of last resort that will prevent access to that domain once the infection becomes known.
Another key aspect is to perform a “List Purification” (currently available under the Managed Service) where the list is processed through a purification tool to remove all detected domains that have become unsafe over time. The period of trust of the dynamic allow rule may vary depending on the security needs of your organization.
In extreme scenarios, such as applying adam:ONE® for IR, where the balance between security and operational disruption for the organization swings hard to the security side, you could choose to manually flush your dynamic allowlist and start from scratch as often as you like, so that the AI inspector revisits every domain requested.
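A minimal sketch of the purification pass and trust period described above, added here as an illustration and not adam:ONE® code. The allowlist layout, the feed names, the 30-day trust period and the rule that a hit in any one feed removes an entry are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

def parent_domains(domain):
    """Yield the domain and each parent above the TLD (a.b.example -> a.b.example, b.example)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(max(1, len(labels) - 1)):
        yield ".".join(labels[i:])

def flagged_by(domain, feeds):
    """Return sorted names of the feeds that list the domain or one of its parents."""
    candidates = set(parent_domains(domain))
    return sorted(name for name, bad in feeds.items() if candidates & bad)

def purify(allowlist, feeds, trust_period, now):
    """Split the allowlist into (kept, removed).

    allowlist: {domain: datetime the allow entry was created}
    removed:   {domain: reason}; a removed domain has to be inspected again.
    """
    kept, removed = {}, {}
    for domain, allowed_at in allowlist.items():
        hits = flagged_by(domain, feeds)
        if hits:
            removed[domain] = "flagged by " + ", ".join(hits)
        elif now - allowed_at > trust_period:
            removed[domain] = "trust period expired"
        else:
            kept[domain] = allowed_at
    return kept, removed

# Constructed sample data (hypothetical domains and feed names).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ALLOWLIST = {
    "docs.example.com": NOW - timedelta(days=3),
    "cdn.vendor.example": NOW - timedelta(days=10),   # parent is listed in both feeds
    "old.example.org": NOW - timedelta(days=45),      # older than the trust period
    "portal.example.net": NOW - timedelta(days=1),
}
FEEDS = {
    "feed_a": {"vendor.example"},
    "feed_b": {"unrelated.example", "vendor.example"},
}

if __name__ == "__main__":
    kept, removed = purify(ALLOWLIST, FEEDS, timedelta(days=30), NOW)
    for domain, reason in sorted(removed.items()):
        print(f"removed {domain}: {reason}")
    print("kept:", ", ".join(sorted(kept)))
```

Matching is done on whole labels, so a feed entry for `vendor.example` removes `cdn.vendor.example` but not an unrelated name that merely contains the same string.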
Practical Threat
It is important to understand that, in reality, cases where a domain allowed by the AI inspector has become untrusted over time are extremely rare. The inspector allows only highly trusted domains whose services are generally well maintained, and these sites generally apply multiple security layers of their own.
Conclusion
The layered strategy of threat intelligence aggregation, combined with temporal re-evaluation through List Purification, is proving to mitigate this threat to a satisfactory level.