Going through proxy and DNS logs, I noticed that (as a whole) the company has not been blocking sites categorized as "Dynamic DNS." I discovered this while reviewing a "security" report that lists the various site activity that would fall into the generic "security" report. Interestingly enough, no Dynamic DNS sites were blocked.
Dynamic DNS is hosting for sites that do not have a static IP address. Mostly, it is used by three types of users: hobbyists who do not want to pay for a static IP address for their site; spammers and scammers; and sites that are outright malicious. Bot herders prefer to use Dynamic DNS sites because they can rotate servers in and out, which makes the infrastructure harder to track down and mitigate. Further, the registrar information for suspicious sites is often obfuscated to make it harder to find the owners. There is rarely a business case to allow Dynamic DNS sites.
With those points in mind, I presented the case to block all Dynamic DNS-hosted sites. If there are truly legitimate sites that users need to access, we can re-evaluate on a case-by-case basis and adjust the filters. So far, it looks like the decision has been favorable.
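As an added example (not part of the original post), the script below shows the kind of check that surfaces this gap before the filter is changed: it runs over DNS-resolver log lines and reports queries for hostnames under dynamic-DNS zones, counted per client. The zone suffix list and the log lines are constructed placeholders; in practice the list would come from the proxy vendor's "Dynamic DNS" category feed or a curated list, and the log format would be whatever the resolver actually writes.

```python
import re
from collections import Counter

# Constructed placeholder list of dynamic-DNS zone suffixes (assumption, not a
# real provider list). Replace with the proxy vendor's category feed.
DYNAMIC_DNS_SUFFIXES = (
    "dyn-example.test",
    "ddns-example.test",
    "homeip-example.test",
)

# Constructed sample resolver log (not real traffic), one query per line:
# "<timestamp> <client-ip> query <qname> <qtype>"
SAMPLE_DNS_LOG = """\
2013-11-08T09:12:01 10.1.4.22 query www.intranet.example A
2013-11-08T09:12:03 10.1.4.22 query updates.vendor.example A
2013-11-08T09:12:07 10.1.7.91 query host1.dyn-example.test A
2013-11-08T09:12:09 10.1.7.91 query host1.dyn-example.test AAAA
2013-11-08T09:13:15 10.1.9.14 query mycam.homeip-example.test A
2013-11-08T09:13:20 10.1.4.22 query mail.example A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def is_dynamic_dns(qname, suffixes=DYNAMIC_DNS_SUFFIXES):
    """True if qname is a dynamic-DNS zone or a hostname beneath one.

    Matching is done on label boundaries, so 'notdyn-example.test' does not
    match the suffix 'dyn-example.test'. A trailing dot (FQDN form) and
    letter case are normalised away first.
    """
    name = qname.rstrip(".").lower()
    for suffix in suffixes:
        suffix = suffix.lower()
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dynamic_dns_queries(log_text, suffixes=DYNAMIC_DNS_SUFFIXES):
    """Return (hits, per_client): hits is the list of parsed records whose
    qname falls under a dynamic-DNS zone; per_client counts hits per client IP."""
    hits = []
    per_client = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the report
        if is_dynamic_dns(rec["qname"], suffixes):
            hits.append(rec)
            per_client[rec["client"]] += 1
    return hits, per_client


if __name__ == "__main__":
    hits, per_client = find_dynamic_dns_queries(SAMPLE_DNS_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['client']} -> {rec['qname']} ({rec['qtype']})")
    print("clients querying dynamic-DNS zones:", dict(per_client))
```

The per-client count is what makes the report actionable: a single lookup from many hosts usually means a browser following a link, while repeated lookups from one host for the same dynamic-DNS name are the pattern worth a closer look (and the kind of thing that becomes a block-page hit once the category is enabled).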
Sunday, November 10, 2013
Tuesday, November 5, 2013
Learning Python post updated
Just a quick post: I've updated my post on Learning Python thanks to the great suggestions from the SANS DFIR list.
The updated post can be found here.
Monday, November 4, 2013
First Day
Today was a great first day, I'm glad I made the move to the new company. So far, I've learned that most of the security controls are outsourced, managed by many of the big providers. I think one of our tasks will be to aggregate data from those outsourced providers.
And, it looks like I'll get to go to my first conference, as we will be going to RSA in February. I'm psyched as I've never really gone to a security conference before.