Threat intelligence feeds are great for blocking the IPs and domains of attackers who have been active long enough and widely enough to end up on a feed. But what about targeted attacks, where the attacker uses infrastructure dedicated to one victim? That infrastructure won’t show up on any threat feed unless it was already used in earlier, broader campaigns, and that’s not something you can count on.
Don’t dismiss targeted attacks out of hand. You don’t need to be a huge or high-profile organization to be singled out. You can simply be a medium-sized business negotiating a contract with a new business partner located in one of several notorious countries. I know one such company that was targeted simply so that their prospective customer could learn their actual cost of goods and then deduce their rock-bottom price for negotiating purposes.
When you detect a domain or IP address involved in an attack, targeted or not, there are always more systems behind it, and you can do more than block that one domain or IP address.
In this Real Training for Free webinar I’ll show you how to start with that one artifact and search Internet records and other information sources to expose the rest of the attacker’s infrastructure involved in the campaign. We’ll look at information such as:
- Whois records (including history)
- Reverse lookups on registration data such as email addresses
- Reverse IP lookups
- Cross-domain searches on correlating identifiers such as SSL certificate hashes or ad-tracking codes
- Passive DNS
- Hosting data
Then we’ll discuss how to make that data actionable. For instance, instead of blocking only the domain or IP that got your attention, you can block the entire infrastructure. You can also use the discovered data to go back through your logs and find out whether there were earlier attacks on your network and whether they succeeded. You may identify an active intrusion you were unaware of.
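As an added illustration (not part of the webinar and not DomainTools' tooling), the following Python pivots from one seed domain over constructed Whois, passive-DNS and certificate records, bounds the pivot depth so shared hosting does not drag in unrelated domains, and then sweeps constructed proxy log lines for earlier contact with the expanded infrastructure. All domains, IPs, hashes and log lines are hypothetical sample data.

```python
from collections import defaultdict, deque
# Constructed sample records (hypothetical domains, IPs, hashes), keyed by domain. Each
# attribute is a pivot: registrant email (Whois), hosting IP (passive DNS), TLS cert hash.
RECORDS = {
    "invoice-portal.example": {"email": "reg1@mail.example",  "ip": "203.0.113.10", "cert": "sha1:aaa"},
    "docs-share.example":     {"email": "reg1@mail.example",  "ip": "203.0.113.11", "cert": "sha1:bbb"},
    "login-verify.example":   {"email": "other@mail.example", "ip": "203.0.113.11", "cert": "sha1:bbb"},
    "cdn-static.example":     {"email": "other@mail.example", "ip": "203.0.113.12", "cert": "sha1:ccc"},
    "benign-news.example":    {"email": "news@mail.example",  "ip": "198.51.100.5", "cert": "sha1:ddd"},
}
PIVOT_KEYS = ("email", "ip", "cert")
# Constructed proxy log lines: timestamp, client, method, destination.
LOG_LINES = [
    "2024-03-01T09:12:03Z 10.1.2.3 GET https://docs-share.example/inv.pdf",
    "2024-03-02T14:40:11Z 10.1.2.9 CONNECT 203.0.113.11:443",
    "2024-03-02T15:01:00Z 10.1.2.9 GET https://benign-news.example/",
]

def expand(seed, records, max_hops=2):
    """Breadth-first pivot from one seed domain over shared attributes.
    Returns {domain: hops from seed}. max_hops bounds the walk: a hosting IP or
    registrar contact can be shared by unrelated domains, so each hop weakens the link."""
    index = defaultdict(set)          # (attribute, value) -> domains sharing it
    for domain, attrs in records.items():
        for key in PIVOT_KEYS:
            index[(key, attrs[key])].add(domain)
    hops, queue = {seed: 0}, deque([seed])
    while queue:
        domain = queue.popleft()
        if hops[domain] >= max_hops:
            continue
        for key in PIVOT_KEYS:
            for other in index[(key, records[domain][key])]:
                if other not in hops:
                    hops[other] = hops[domain] + 1
                    queue.append(other)
    return hops

def infrastructure(related, records):
    """Related domains plus their hosting IPs: the block list for the whole campaign."""
    return set(related) | {records[d]["ip"] for d in related}

def host_of(token):
    """Host part of a URL or host:port token from a log line."""
    return token.split("://", 1)[-1].split("/", 1)[0].rsplit(":", 1)[0]

def sweep_logs(lines, hosts):
    """Log lines whose destination host belongs to the expanded infrastructure."""
    return [line for line in lines if any(host_of(t) in hosts for t in line.split())]
```

With the default two hops the walk stops before cdn-static.example, which is reachable only through a registrant email shared two pivots away; raising max_hops pulls it in at the cost of weaker attribution.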
DomainTools is my sponsor and they are perfect for this topic because for years they have been constantly archiving information about every IP address, domain name and registrant on the Internet and adding enriching information like passive DNS data. I’ll show you how their extremely powerful investigation console allows you to take a domain or IP address from one of your logs and then connect the dots from there. The visualization tool in particular really helps you recognize critical connections between seemingly unrelated entities.
You can turn this data into your own customized, high-quality threat feed of what is specifically relevant to your organization, and you can even learn how to be alerted when attackers bring additional assets into their infrastructure.