AI Cybersecurity’s Blind Spot: Why DNS Data Is the Missing Signal

Generative AI has gained a foothold and leaders have seen firsthand how it can supercharge cybersecurity protection. AI tools can assess device risks, identify suspicious behavior, and neutralize threats with minimal oversight. Like any other AI model, though, an AI-powered cybersecurity system is only as good as the data it ingests. The good news: businesses already have an excellent source of data. The bad news: they’re probably ignoring it.

It’s just like online subscriptions: the average American spends more than $1,000 per year on subscriptions, and about $200 of that money is for services they don’t actually use. Tracking down and canceling every service eats up valuable time, and many are likely to miss something anyway. The smart move is to use a subscription manager: a tool that gathers all the data needed in one place, so users can make informed decisions about what to do next.

If a cybersecurity framework is a collection of outdated subscriptions, the subscription manager is an audit using domain name system (DNS) intelligence. DNS data not only helps weed out potential attack vectors but also provides AI systems with high-quality data to preemptively take down threat actors.

Just like a subscription manager helps make sound financial decisions, DNS auditing helps make sound decisions about IT resources.

Fighting Threats with DNS

IT teams likely already have a good handle on the devices and services that their business uses every day. Traditional cybersecurity strategies tend to focus on predictable endpoints: work computers, personal smartphones or shared cloud drives. Securing devices, updating software and avoiding social engineering scams should keep businesses safe from most cyberthreats. 

Every device we use, from laptops to smartphones to servers, registers its presence via DNS. Because of this, DNS offers critical insight into endpoints across the business: both in terms of the scope of what’s operating on your network and what addresses connected endpoints might be visiting. DNS acts as our gateway to the Internet, but it can also shed light on our own private networks, making it a critical source of truth in a cybersecurity framework.

It’s easy to think that if you secure employee laptops, you can rest assured that your organization’s devices are protected – but you would be wrong. Even if they’re not as vital to everyday workflows, printers, smart TVs and even connected light bulbs are also endpoints. They might not be the first that comes to mind when you think about cybersecurity, but they’re proven vectors for cyberattacks. DNS-layer insights provide a near-complete list of all connected devices on a network, revealing the full scope of your attack surface.

By digging into your DNS logs, you can find every active connection on a network, not just the ones that immediately come to mind. Some of these devices and services are probably outdated, if not completely deprecated. That leads to exploitable vulnerabilities, especially in an age where malicious AI tools can build custom “just-in-time” malware. With a full record of what’s on their network, teams can make smarter cybersecurity decisions.

DNS data can disrupt threat actors at every step: device visibility limits their attack surface, and proper caching prevents browser hijacking. Most importantly, when teams have up-to-date data, their defensive AI tools can stay a step ahead of attackers’ malicious ones.

Nearly every network connection begins with DNS. Rather than taking that data for granted, businesses should make it integral to their AI strategy.

Asset Insights for Better AI

Now, consider AI’s role in all of this. Whether you’re building a custom large language model (LLM) or incorporating machine learning (ML) into your security software, an AI tool is only as good as the data it ingests. When AI analyzes incomplete or outdated information, it will deliver incomplete or outdated results. In terms of cybersecurity, that means greater risk to businesses and more opportunities for attackers.

Let’s go back to our “focusing on known devices” scenario. Suppose an organization has a sophisticated AI component in its cybersecurity suite. Its software will continuously monitor each device, evaluate relative risk levels and flag any potential issues. Over time, the program will get better at analyzing patterns, spotting even subtle deceptions and sophisticated workarounds.

None of that will help much if a threat actor targets a device the company didn't know was still connected to their network. Think about that smart TV that gets used once a quarter or the printer that’s collecting dust. If those assets aren't protected, you leave the door open for cybercriminals to gain access to your network.

While AI has enhanced enterprise cybersecurity, it’s also been a huge help to attackers. With the power of AI, bad actors can now mass-produce attacks at scale, making them more convincing and more personalized. Malicious LLMs can steal restricted information from legitimate sources and then craft tailor-made phishing messages or targeted malware. If one of these LLMs identifies an outdated device with unpatched firmware, compromising the network becomes even easier.

Supplying AI tools with DNS data can help preemptively address these issues before they become security risks. DNS provides both device visibility and network traffic information, ensuring that authorized employees are using authorized devices for authorized purposes. Because DNS records are refreshed often, AI outputs will be based on up-to-date, verified information. These asset insights can be cornerstones in a flexible and resilient cybersecurity framework.

A Cybersecurity Arms Race

As cyberthreats accelerate with new AI technology, ensuring that AI tools have the best possible information about the network is a decision that could help businesses avoid costly data breaches.

Right now, cybersecurity AI is in an arms race with malicious AI. Both systems are leveraging massive datasets to fuel novel strategies and advancing at unprecedented rates. While neither one will definitively “win” any time soon, the upper hand will go to whichever side has the most current, complete and relevant data. DNS logs are the best place to start.