Protective DNS, (aka PDNS or Secure DNS) will be the best performing and highest ROI security control you implement this decade. But before investing in a solution, gain an understanding of what PDNS is, its capabilities, critical considerations, and how to best implement it for both security and privacy.Read More
Last week Forescout Research Labs and JSOF Research disclosed NAME:WRECK, a set of Domain Name System (DNS) vulnerabilities that have the potential to cause either Denial of Service (DoS) or allow Remote Code Execution (RCE) for tens of millions of Internet-connected devices.Read More
Check out Dr. Paul Mockapetris, inventor of the Domain Name System and ThreatSTOP's Chief Scientist on this Command Line Heroes episode "Season 7, Episode 1: Connecting the Dot-Com"
Click, sit back, and enjoy. Here is the direct link to the episode: https://www.redhat.com/en/command-line-heroes/season-7/dot-comRead More
So much about good, basic Security comes down to proper access control. Information security, physical security, personal security, (probably even financial security?) – all security, it seems, works better when there’s proper control over who has access to what and when.
ThreatSTOP’s platform has historically allowed two levels of user access: Admin and Reporter. In this simple scheme, Admins could access everything, like creating a custom DNS Firewall policy, or whitelisting an IP across all their firewalls, while lowly Reporters got read-only access to look at reports. Two extremes of access control for what was a simpler time.
In the years since, things have really evolved in Security. It's gotten scarier outside – there are more threats, nastier ones, more sophisticated attackers, and shrewder methods. DDoS for hire, and turn-key ransomware. The myth of companies “too big to take down” or “too small to be targeted” got busted. It has gotten crazy out there.Read More
In the coming days, CrowdStrike will formally end-of-life their DNS service that many customers are using. This service takes Crowdstrike intelligence and puts it into a CrowdStrike-managed DNS resolver to protect against advanced threats that they are tracking. When this service is retired, you will no longer have protection at that layer. As an important note, there are many classes of devices that endpoint protection do not work on (medical devices, IoT, etc) but by using DNS, you can still provide a strong layer of protection.Read More
Photo Cred: Forbes
Many companies have gone completely remote, and had to do it quickly in light of current events, but that doesn’t mean the need to secure company data has diminished. As more workers are accessing secure files and applications from home, there is an increased need for organizations to be thinking about how to secure those devices that are accessing that information. We have already seen evidence that criminals are trying to take advantage of this situation to launch attacks against companies, and employees working from home without the security protections of the company network are targets for opportunistic attacks.Read More
Most malware is often delivered from otherwise legitimate sites. Sometimes this occurs via compromising existing websites, but more often than not, it is by using existing advertising networks as a means to ultimately deliver malware. Quite simply, the attacker buys impressions via existing channels and uses a variety of malvertising tricks to either directly compromise the web browser, or at the least trick the user to installing the malware. This specialized form of malware delivery requires a specialized collection methodology to detect such attacks.Read More
Making connections and finding new indicators is an important part of IOC analysis, and is probably the most enjoyable part as well. Blog posts and reports on new threats will usually mention the indicators seen to be used by the specific malware sample or attack vector analyzed, yet in many cases there is a larger malicious infrastructure behind them just waiting to be uncovered (and blocked!). Sometimes, a whole other malicious infrastructure can be revealed by examining IOCs related to malicious IPs and domains. There are a variety of tools out there that can help analysts investigate indicators of compromise and their infrastructure, and perform enrichment to shed light on related, malicious IOCs.
In this post, we will review some of our Security Research Team’s favorite connection and enrichment platforms.
Riltok is a mobile banking Trojan that uses mobile phishing pages to steal credit card information from its victims. Discovered in 2018, Riltok started out solely attacking Russian targets, yet it quickly began attacking victims in other European countries as well. The Trojan is spread via malicious SMS messages, which contain links that direct the victims to a fake website posing as a popular free ad service.
Once on the website, victims are prompted to click and download the Trojan, disguised as the ad service’s mobile app. If downloaded, Riltok connects to its C&C server to exfiltrate device data, and opens a fake Google Play screen or phishing page in a browser, requesting the victim’s bank card details.Read More