Cisco Blogs


Cisco Blog > Security

Dynamic Detection of Malicious DDNS

 

This post was co-authored by Andrew Tsonchev.TRAC-tank-vertical_logo-300x243

Two weeks ago we briefly discussed the role of dynamic DNS (DDNS) in a Fiesta exploit pack campaign. Today we further analyze and explore the role of DDNS in the context of cyber attack proliferation and present the case for adding an operational play to the incident response and/or threat intelligence playbook to detect attack pre-cursors and attacks in progress. Read More »

Tags: , , ,

Are Third Parties Your Greatest Weakness?

There are many advantages in outsourcing functions to specialist providers that can supply services at lower cost and with more functionality than could be supplied in-house. However, companies should be aware TRAC-tank-vertical_logothat when buying services, you may also be buying risk. Organisations that have successfully implemented strategies to reduce the probability of experiencing a breach, and to decrease the time required to discover and remediate breaches, may still encounter embarrassing public breaches via third parties. Within the past two weeks, we have seen two examples of companies having their websites defaced apparently due to security lapses in service providers.
Read More »

Tags: ,

NCSAM 2013 Wrap-Up: Cisco Thought Leadership Regarding a Different Ghost in the Machine

Is it the end of October already? As has been true for centuries, there is a tradition for children to wear costumes and disguise themselves while going door to door with a simple question: “Trick or treat?” While I am not sure there is a coincidence, but having National Cyber Security Awareness Month (NCSAM) end on a day characterized by pranks, false identifications and the like seems appropriate. And what scary stories we had to tell!

Read More »

Tags: , , , , , ,

A Smorgasbord of Denial of Service

On October 22, 2013, Cisco TRAC Threat Researcher Martin Lee wrote about Distributed Denial of Service (DDoS) attacks that leverage the Domain Name System (DNS) application protocol. As Martin stated, the wide availability of DNS open resolvers combined with attackers’ ability to falsify the source of User Datagram Protocol (UDP) packets creates a persistent threat to network operators everywhere.

eleven

Read More »

Tags: , , ,

DNS Knows. So Why Not Ask?

DNS is like the town gossip of the network infrastructure. Computers and apps ask DNS questions and you can ask DNS who has been asking to resolve malware domains. When internal trusted systems are using DNS to resolve the names of known malware sites, this can be an Indicator of Compromise and a warning to clean the potentially infected systems and block traffic to the domain.

Blacklisting the known malware domains using local RPZs, firewalls, Cisco IronPort Web Security Appliance (WSA), or Cloud Web Security (CWS) is a great way to add an extra level of security in organizations. But what if you are just getting started in the process of cleaning systems and just need some situational awareness? Or, how can you manually check to see if these devices are working as expected? How can you determine independently of security devices, and at any point in time, that client systems are not reaching out to malicious domains? You can use dig but this post focuses on a Python example. Let’s first take a look at some DNS mechanics.

Read More »

Tags: , , , ,