Cisco Blogs


Cisco Blog > Security

Are Third Parties Your Greatest Weakness?

There are many advantages in outsourcing functions to specialist providers that can supply services at lower cost and with more functionality than could be supplied in-house. However, companies should be aware TRAC-tank-vertical_logothat when buying services, you may also be buying risk. Organisations that have successfully implemented strategies to reduce the probability of experiencing a breach, and to decrease the time required to discover and remediate breaches, may still encounter embarrassing public breaches via third parties. Within the past two weeks, we have seen two examples of companies having their websites defaced apparently due to security lapses in service providers.
Read More »

Tags: ,

NCSAM 2013 Wrap-Up: Cisco Thought Leadership Regarding a Different Ghost in the Machine

Is it the end of October already? As has been true for centuries, there is a tradition for children to wear costumes and disguise themselves while going door to door with a simple question: “Trick or treat?” While I am not sure there is a coincidence, but having National Cyber Security Awareness Month (NCSAM) end on a day characterized by pranks, false identifications and the like seems appropriate. And what scary stories we had to tell!

Read More »

Tags: , , , , , ,

A Smorgasbord of Denial of Service

On October 22, 2013, Cisco TRAC Threat Researcher Martin Lee wrote about Distributed Denial of Service (DDoS) attacks that leverage the Domain Name System (DNS) application protocol. As Martin stated, the wide availability of DNS open resolvers combined with attackers’ ability to falsify the source of User Datagram Protocol (UDP) packets creates a persistent threat to network operators everywhere.

eleven

Read More »

Tags: , , ,

DNS Knows. So Why Not Ask?

DNS is like the town gossip of the network infrastructure. Computers and apps ask DNS questions and you can ask DNS who has been asking to resolve malware domains. When internal trusted systems are using DNS to resolve the names of known malware sites, this can be an Indicator of Compromise and a warning to clean the potentially infected systems and block traffic to the domain.

Blacklisting the known malware domains using local RPZs, firewalls, Cisco IronPort Web Security Appliance (WSA), or Cloud Web Security (CWS) is a great way to add an extra level of security in organizations. But what if you are just getting started in the process of cleaning systems and just need some situational awareness? Or, how can you manually check to see if these devices are working as expected? How can you determine independently of security devices, and at any point in time, that client systems are not reaching out to malicious domains? You can use dig but this post focuses on a Python example. Let’s first take a look at some DNS mechanics.

Read More »

Tags: , , , ,

Using DNS RPZ to Block Malicious DNS Requests

After delivering several presentations at Cisco Live and Cisco Connect this year, I received a few questions regarding DNS Response Policy Zones (RPZ) and how can they be used to block DNS resolution to known malicious hosts and sites. I decided to write this short post to explain what it is and provide several pointers.

DNS RPZ is a technology developed by ISC available since Bind version 9.8. Network administrators can use DNS RPZ to essentially stop malware-infected hosts from reaching their command and control (C&C) servers by blocking DNS resolution to known malicious hosts and sites. This effectively turns a recursive DNS server into a DNS firewall. In fact, many people refer to DNS RPZ as the “DNS Firewall.” Various ISPs are testing and implementing this to provide additional protection to their customers.

Note: DNS RPZ will block DNS resolution, machines connecting to the C&C via IP address will not be blocked.

The following figure provides an overview of how DNS RPZ works.

RPZ-overview1

Read More »

Tags: , , , , , , , , ,