I’m thrilled to sit down with Malik Haidar, a renowned cybersecurity expert whose extensive experience in combating digital threats within multinational corporations has made him a trusted voice in the industry. With a sharp focus on DNS security, analytics, and integrating business perspectives into cybersecurity strategies, Malik has a unique ability to break down complex threats and offer actionable insights. In this interview, we dive into the evolving landscape of DNS-based attacks, exploring why this decades-old technology remains a prime target for cybercriminals, the rise of deceptive tactics like phishing and malware, and the dual role of AI in both enabling and defending against these threats. Join us as we unpack the latest trends and strategies for staying ahead of bad actors in the digital realm.
Can you start by explaining what the Domain Name System, or DNS, is and why it remains such a critical piece of our digital world even after more than four decades?
Absolutely, Matteo. DNS, at its core, is like the internet’s phonebook. It translates human-friendly domain names, like www.example.com, into machine-readable IP addresses that computers use to communicate. It was created over 40 years ago to make the internet accessible and navigable, and it’s still fundamental because every online interaction—whether you’re browsing a website, sending an email, or streaming a video—relies on DNS to connect you to the right destination. But beyond its basic function, DNS is also a goldmine for cybercriminals. It’s a critical choke point in the internet’s infrastructure, making it a prime target for attacks like phishing or malware distribution. Its enduring importance comes from this dual role: it’s both a foundational utility and a battlefield for security.
Why do cybercriminals often gravitate toward new domains when launching attacks like phishing or malware campaigns?
New domains are incredibly appealing to bad actors because they’re essentially a blank slate. When a domain is newly registered, it hasn’t had time to be flagged or added to traditional block lists that security systems rely on. This gives attackers a window of opportunity to set up malicious sites for phishing or malware before anyone catches on. Often, these domains are tied to trending topics or mimic legitimate brands to lure users into clicking. It’s a low-risk, high-reward tactic since they can exploit that initial anonymity to target unsuspecting victims before disappearing or moving on to the next domain.
How do these new domains manage to evade traditional security measures like block lists?
The main issue with traditional block lists is that they’re reactive rather than proactive. They’re built on historical data—domains that have already been identified as malicious. New domains, by their very nature, don’t have that history yet. It can take hours or even days for security teams to detect and blacklist them, and by then, the damage might already be done. Attackers exploit this lag time, knowing they’ve got a short but effective window to operate under the radar. That’s why relying solely on block lists isn’t enough anymore; we need predictive tools that can flag suspicious behavior from the get-go.
What’s the typical lifespan of these malicious new domains, and why does that matter for defenders?
Many of these malicious domains are incredibly short-lived—sometimes active for just 24 hours or even less. Attackers use them for quick-hit campaigns, like sending out a phishing email blast, and then abandon them before they’re detected. This matters because it creates a whack-a-mole problem for defenders. By the time you’ve identified and blocked one domain, the attacker has already moved on to another. It underscores the need for real-time monitoring and faster response mechanisms to catch these threats during their brief window of activity, rather than after the fact.
You’ve mentioned “fast flux” techniques as another tactic used by cybercriminals. Can you explain what fast flux is and how it helps attackers avoid detection?
Fast flux is a sneaky evasion technique where attackers rapidly change the IP addresses associated with a malicious domain. Think of it like a shell game—by constantly shuffling the underlying infrastructure, they make it hard for security systems to pin down and block the threat. This can be used to host phishing sites, malware distribution points, or even command-and-control servers for botnets. It helps cybercriminals stay one step ahead because even if one IP is blocked, others are still active, keeping the attack alive. It’s a cat-and-mouse game that requires advanced detection methods to track and disrupt.
Your analysis noted a rise in blocked traffic in the second quarter, reaching 4%. What does this tell us about how organizations are approaching network security today?
The increase to 4% blocked traffic in Q2 is a clear sign that organizations are becoming more vigilant about what’s happening on their networks. It doesn’t necessarily mean all of that traffic is malicious—some could be overly cautious filtering—but it shows a shift toward tighter control and a growing awareness of potential risks. Companies are increasingly deploying tools to monitor and restrict access to suspicious or non-essential content, which reflects a broader trend of prioritizing proactive security over simply reacting to incidents. It’s a step in the right direction, but it also highlights the mounting pressure to stay ahead of evolving threats.
Does this uptick in blocked traffic suggest there’s more malicious activity out there, or are companies just becoming more cautious in their approach?
It’s likely a mix of both. On one hand, the threat landscape is definitely growing—phishing, malware, and other DNS-based attacks are on the rise, as our data shows. On the other hand, companies are also getting savvier. They’re implementing stricter policies and better tools to filter out risky traffic before it becomes a problem. So, while there’s undoubtedly more malicious activity to contend with, the increase in blocked traffic also reflects a cultural shift toward caution and prevention in corporate environments. It’s a balancing act between managing real threats and avoiding overblocking legitimate activity.
Why are island nation domains, like those from the Faroe Islands or Wallis and Futuna, becoming go-to choices for malicious activities?
Island nation domains, or country code top-level domains from smaller territories, are attractive to attackers for a few reasons. Often, these domains are cheaper or even free to register, and the registries managing them may have less stringent oversight or verification processes compared to more regulated domains like .com or .org. This lax environment makes it easier for bad actors to set up shop without much scrutiny. For example, domains like .fo or .wf have been flagged in our analysis as hotspots for malicious activity, simply because they offer a low barrier to entry for attackers looking to exploit unsuspecting users.
What can organizations do to shield themselves from threats originating from these less-regulated domains?
Protecting against threats from less-regulated domains starts with visibility and proactive measures. Organizations should deploy protective DNS solutions that can analyze traffic in real time and flag suspicious domains based on behavior, not just reputation. It’s also crucial to educate employees about the risks of clicking on unfamiliar links, especially those from obscure top-level domains. Layering security with tools that can predict and block potential threats before they reach the network—using AI or machine learning, for instance—can make a huge difference. Finally, maintaining an updated threat intelligence feed that includes emerging risks from these domains helps keep defenses sharp.
Phishing and deception accounted for over 31% of threats in your recent analysis. What’s fueling this significant surge in phishing attacks?
The surge in phishing, which made up over 31% of threats, is driven by a combination of sophistication and accessibility. Attackers are getting better at crafting convincing emails and fake websites that trick even cautious users. But what’s really fueling this is the rise of tools like phishing-as-a-service platforms. These services lower the technical barrier, allowing even non-skilled attackers to launch campaigns with pre-built templates and infrastructure. Add to that the sheer volume of potential targets—everyone uses email or browses the web—and you’ve got a perfect storm for phishing to remain a dominant threat.
How do tools like phishing-as-a-service make it easier for attackers to pull off these scams?
Phishing-as-a-service platforms are essentially turnkey solutions for cybercriminals. They provide everything an attacker needs—customizable phishing templates, hosting services, and even ways to bypass security measures like two-factor authentication, as seen with tools like Tycoon 2FA. This means someone with minimal technical know-how can rent these services on the dark web and launch a campaign in hours. It’s like a criminal franchise model: low cost, low effort, and high scalability. This democratization of attack tools is a big reason why we’re seeing such a spike in phishing attempts across the board.
Malware was another major threat in your Q2 findings. How does the use of new domains play into the growth of malware distribution?
Malware distribution and new domains go hand in hand. Attackers often use new domains to host malicious payloads or act as command-and-control servers for infected devices. Since these domains aren’t yet on block lists, they provide a safe haven to deliver malware before security systems catch up. The growth in malware we observed in Q2 is closely tied to this tactic—attackers register a cheap, new domain, use it to spread ransomware or spyware, and then ditch it for another. It’s a revolving door strategy that keeps defenders scrambling to keep pace.
Let’s shift to the role of AI in cybersecurity. How are attackers leveraging AI to enhance their DNS-based attacks?
AI is a game-changer for attackers, especially in DNS-based threats. It allows them to automate and scale their operations with incredible precision. For instance, AI can generate thousands of deceptive domain names in seconds, using patterns that mimic legitimate ones to fool users. It’s also used to analyze user behavior and craft highly targeted phishing campaigns that are harder to spot. Homoglyph attacks, where characters are swapped to look almost identical—like using a lowercase “L” instead of an uppercase “I”—are a prime example. AI can churn out these deceptive domains en masse, making it a nightmare for manual detection to keep up.
On the defensive side, how can AI help organizations counter these AI-driven DNS attacks?
AI is just as powerful a tool for defenders as it is for attackers. On the defensive side, AI can analyze massive volumes of DNS traffic in real time to identify patterns of malicious behavior, even from new or unknown domains. It can predict typosquatting attempts or detect homoglyph domains before they’re used in an attack. Protective DNS solutions powered by AI can also adapt to evolving threats by learning from new data, offering a dynamic shield that traditional static defenses can’t match. Essentially, it levels the playing field by fighting machine-scale attacks with machine-scale defenses.
Looking ahead, what’s your forecast for the future of DNS security and the role of AI in this space?
I believe DNS security will become even more central to cybersecurity strategies in the coming years. As threats continue to evolve, DNS will remain a primary attack surface because it’s so integral to how the internet functions. AI will play a dual role—attackers will keep using it to innovate new ways to exploit DNS, but defenders will increasingly rely on AI-powered tools to anticipate and block those threats before they materialize. We’ll see protective DNS solutions become smarter, with greater integration into broader security stacks. My forecast is that organizations that invest in AI-driven DNS defenses now will be far better equipped to handle the next wave of threats, while those who lag behind will struggle to keep up in this machine-scale battlefield.
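As an added illustration placed after the interview (editor's example, not part of the conversation and not code from Malik Haidar's team or any product he mentions), the script below shows how a protective-DNS style triage can combine the signals discussed above: domain age (newly registered), the island-nation ccTLDs named in the interview (.fo, .wf), homoglyph lookalikes of watched brands (lowercase l versus uppercase I, 1 for l, rn for m), and fast-flux style IP churn with short TTLs. The log format, the registration-date table standing in for a WHOIS/RDAP lookup, the brand watchlist and all thresholds are constructed assumptions for the demo.

```python
"""Added example: score DNS query log lines on age, risky TLD, lookalike and fast-flux signals.
All data and thresholds below are constructed for illustration, not from the interview."""
from collections import defaultdict
from datetime import date, datetime

WATCHED_BRANDS = ("example", "paypal")   # constructed: brands this organisation wants to protect
HIGH_RISK_TLDS = {"fo", "wf"}            # the ccTLDs singled out in the interview
NEW_DOMAIN_DAYS = 30                     # assumption: "new" = registered within the last 30 days
FLUX_MIN_IPS = 4                         # assumption: 4+ distinct answers with low TTL suggests flux
FLUX_MAX_TTL = 300                       # assumption: TTL at or below 5 minutes counts as "short"

# Constructed stand-in for a registration-date lookup (a real deployment would query RDAP/WHOIS).
REGISTRATION_DATES = {
    "example.com": date(1995, 8, 14),
    "paypa1.com": date(2024, 6, 1),
    "login-update.fo": date(2024, 6, 2),
    "cdn-sync.wf": date(2023, 1, 10),
}

# Characters attackers swap for near-identical ones; after lower() an uppercase I becomes i.
_CONFUSABLES = str.maketrans({"1": "l", "|": "l", "i": "l", "0": "o", "5": "s", "3": "e"})


def skeleton(label):
    """Collapse a label so visually similar strings compare equal (paypaI, paypa1 -> paypal)."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)


def parse_line(line):
    """Parse the constructed log format: '<iso-ts> client=.. qname=.. answer=.. ttl=..'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["ttl"] = int(rec["ttl"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def static_flags(domain, query_date):
    """Per-domain signals that need no traffic history: age, TLD, brand lookalike."""
    flags = []
    head, _, tld = domain.rpartition(".")
    label = head.split(".")[-1]          # assumption: no public-suffix handling, last label before TLD
    registered = REGISTRATION_DATES.get(domain)
    if registered is not None and (query_date - registered).days <= NEW_DOMAIN_DAYS:
        flags.append("newly-registered")
    if tld in HIGH_RISK_TLDS:
        flags.append("high-risk-tld")
    for brand in WATCHED_BRANDS:
        if label != brand and skeleton(label) == skeleton(brand):
            flags.append(f"lookalike:{brand}")
    return flags


def flux_domains(records):
    """Domains whose answers churn across many IPs with short TTLs: the fast-flux pattern."""
    ips, min_ttl = defaultdict(set), {}
    for r in records:
        ips[r["qname"]].add(r["answer"])
        min_ttl[r["qname"]] = min(min_ttl.get(r["qname"], r["ttl"]), r["ttl"])
    return {d for d in ips if len(ips[d]) >= FLUX_MIN_IPS and min_ttl[d] <= FLUX_MAX_TTL}


def weight(flag):
    """Lookalike and flux are strong signals; age and TLD alone only warrant monitoring."""
    return 3 if flag.startswith("lookalike:") or flag == "fast-flux" else 1


def triage(log_lines):
    """Return {domain: (verdict, flags)} with verdict in allow / monitor / block."""
    records = [parse_line(line) for line in log_lines]
    fluxing = flux_domains(records)
    report = {}
    for r in records:
        d = r["qname"]
        if d in report:
            continue
        flags = static_flags(d, r["ts"].date())
        if d in fluxing:
            flags.append("fast-flux")
        score = sum(weight(f) for f in flags)
        verdict = "block" if score >= 3 else "monitor" if score >= 1 else "allow"
        report[d] = (verdict, flags)
    return report


# Constructed sample log: one benign domain, a brand lookalike, a fresh .fo domain, and a fluxing .wf host.
SAMPLE_LOG = [
    "2024-06-03T10:00:01 client=10.0.0.5 qname=example.com answer=93.184.216.34 ttl=3600",
    "2024-06-03T10:00:02 client=10.0.0.7 qname=paypa1.com answer=203.0.113.10 ttl=60",
    "2024-06-03T10:00:03 client=10.0.0.8 qname=login-update.fo answer=198.51.100.4 ttl=300",
    "2024-06-03T10:00:04 client=10.0.0.9 qname=cdn-sync.wf answer=198.51.100.21 ttl=30",
    "2024-06-03T10:00:34 client=10.0.0.9 qname=cdn-sync.wf answer=198.51.100.22 ttl=30",
    "2024-06-03T10:01:04 client=10.0.0.9 qname=cdn-sync.wf answer=198.51.100.23 ttl=30",
    "2024-06-03T10:01:34 client=10.0.0.9 qname=cdn-sync.wf answer=198.51.100.24 ttl=30",
]

if __name__ == "__main__":
    for domain, (verdict, flags) in triage(SAMPLE_LOG).items():
        print(f"{domain:20} {verdict:8} {', '.join(flags) or '-'}")
```

The point of the scoring split is the one the interview makes about block lists: age and an obscure TLD on their own are only hints (a legitimate site can be both), so they raise a domain to "monitor", whereas a brand lookalike or visible flux behaviour is blocked on first sight without waiting for the domain to appear on a reputation feed.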