Blog talking about security, privacy, legal, and compliance topics, as well as follow-on content from the 'Brake'ing Down Security Podcast...
Sunday, June 12, 2016
2016-023- DNS_Sinkholing,
Picture yourself in the middle of a security incident... A malware infection, or you have hosts on your network are part of a botnet. You figured out where how the malware is communicating with the command and control servers, but if you just kill the connection, the malware stop functioning. What do you do?
In some cases, you might be able to employ a DNS #sinkhole to route traffic harmlessly to or through a honey network that can be used to further analyze things like #infection vectors, #protocols, commands, and #network movement. You can also use #DNS sinkholing to disable the malware if certain conditions are met.
Like most tools, sinkholing can be used for good, but there are legal issues if it's used incorrectly. We discuss some of the legalities. It won't disable all malware or exploit kits, but for some infections, this is another tool in your toolbox you can employ.
In a continuation from last week's show with Earl Carter about the #Angler #Exploit Kit, we discuss how Angler is able to bypass #EMET and #ASLR protections... https://www.fireeye.com/blog/threat-research/2016/06/angler_exploit_kite.html
Direct Link: http://traffic.libsyn.com/brakeingsecurity/2016-023-DNS_Sinkholes2.mp3
iTunes:
Links we used to discuss sinkholing:
Basic sinkhole app using BIND: https://isc.sans.edu/forums/diary/DNS+Sinkhole+ISO+Available+for+Download/9037/
http://resources.infosecinstitute.com/dns-sinkhole
https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/content-inspection-features/dns-sinkholing
https://www.sans.org/reading-room/whitepapers/dns/dns-sinkhole-33523
http://www.darkreading.com/partner-perspectives/general-dynamics-fidelis/principles-of-malware-sinkholing/a/d-id/1319769
Blackhole DNS servers -- http://www.malware-domains.com/ or http://www.malwaredomains.com/
http://handlers.dshield.org/gbruneau/sinkhole.htm
Malware blackhole DNS campaign (2013) - http://www.bleepingcomputer.com/forums/t/511780/dns-sinkhole-campaign-underway-for-cryptolocker/
http://www.darkreading.com/risk/microsoft-hands-off-nitol-botnet-sinkhole-operation-to-chinese-cert/d/d-id/1138455
http://someonewhocares.org/hosts// -massive dns sinkholing list
Comments, Questions, Feedback: bds.podcast@gmail.com
Support Brakeing Down Security Podcast on Patreon: https://www.patreon.com/bds_podcast
#Twitter: @brakesec @boettcherpwned @bryanbrake
#Facebook: https://www.facebook.com/BrakeingDownSec/
#Tumblr: http://brakeingdownsecurity.tumblr.com/
Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582/
Here is a new episode of Brakeing Down Security Podcast!
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment