You are viewing 'network security'
How to use DNS logs
Over the last several months, there has been a lot of interest about Domain Name System (DNS) logging and what can be done with DNS logs. I discussed parts of this topic in my last blog, Finding the Culprit, and will continue to expand on some of those ideas. Many people ask if ActiveGuard® supports DNS logging. While it is not supported at this moment in time, there is a larger discussion to have around the topic.
This larger discussion starts with the number of logs produced by DNS servers. Let’s say an organization of 15,000 employees decides to log all the requests and responses for DNS. This organization would produce approximately 100 logs per second, or 8.6M logs a day. On average, these logs are 750bytes in size, so we will need 6GB per day uncompressed to store these logs. This is not too bad of a number, but you have to remember how your log collection capability... read more >
As an organization’s security posture grows, a number of responsibilities may fall under the umbrella of information security, whether it is under direct control of an information security program or delegated to another supporting IT department. One such responsibility is a vulnerable management program.
Vulnerability management is an important part of a matured information security program. At a high level, the objective of vulnerability management is to find and remediate all issues as they are identified. However, as you start examining the matter in-depth, you’ll find that you:
- Need to have a process in place to determine priorities
- Need to have more information than what a vulnerability scanner can provide
- Won’t always be able to fix vulnerabilities; fix what you can and mitigate the rest
As with any good story, we’ll leave that last item for a bit and focus on the top two for now. After all,... read more >
Buzzword Bingo Can Be More Distracting Than You Think
Have you heard the story about the cyberespionage, nation-state APT adversary that used the dark web to purchase data-driven exploit code to build a zero day to bypass the next-generation firewall of company ABC because they weren’t hunting with a cloud-based, big-data correlation platform to identify and orchestrate threat-intelligence protection against the advanced malware on their BYOD IoT and hadn’t conducted a purple team exercise recently? Oh, you have? Me too. Ten times…today.
From a sales and marketing perspective, these buzzwords are worth their weight in gold. From a security perspective, the threats are very real and the corresponding detection and prevention technologies all have their place. I’m plenty guilty myself of using several of these buzzwords, and I’m sure I’ll catch some flak for picking on a lot of the terms that my colleagues use regularly.
All of that said, there is little that can be more... read more >
Uncovering the source of malicious DNS queries
Anyone who has worked with Security Incident and Event Management (SIEM) or Intrusion Detection/Prevention System (IDS/IPS) alerts knows it can be very, very difficult to track down the actual source of the network traffic. Tracking the source becomes even more difficult when it comes to finding the machine that attempted resolution of a known bad or suspicious domain.The Cause: DNS architecture
The Domain Name System (DNS) architecture is the primary reason why it can be so hard to find the machine attempting to resolve a bad or suspicious domain. Most organizations are Microsoft based and rely on their domain controllers to perform DNS resolution. These domain controllers are configured to act as recursive resolvers, meaning they perform resolution on behalf of the client. Because of this, when you get a SIEM or IDS/IPS alert, the source IP address will generally belong to the... read more >
FireEye acted quickly to close a serious vulnerability in some appliances
On Tuesday, December 15, 2015, FireEye, a worldwide provider of cybersecurity and malware protection to clients in the public and private sectors, issued a Support Notice to its clients regarding a critical vulnerability in a module which analyzes Java Archive (JAR) files.
Google’s Project Zero, a team dedicated to finding new vulnerabilities, discovered this severe security hole in the way the Malware Input Processor (MIP) utilizes an open source Java decompiler called Java Optimize and Decompile Environment (JODE). MIP uses the JODE decompiler in conjunction with JAR helper to statically analyze JAR files and check for signatures which may suggest malicious code. JODE is then used by Java’s SimpleRuntimeEnvironment class to deobfuscate strings by dynamically executing a small sample of the bytecode.
Affected... read more >