We all want to keep our users safe from harm and our organizations free from attack.
Blocking malicious IP addresses and websites has been a tried and true method to cut down on attacks for a long time.
Unfortunately, attackers developed new methods to turn cloud innovations into attack vectors that may be difficult to block because they have become part of our infrastructure.
While our old tactics remain critical to blocking less sophisticated attackers, attack monitoring becomes more important when attackers become more innovative.
Site Blocking 101
When we know the source of an external attack, we can block the IP address by making changes to our firewall or our DNS Servers.
Adding a site to a list of denied IP addresses is traditionally called blacklisting, but the list can also be called a blocklist or denylist.
However, playing whack-a-mole with nimble attackers who switch IP addresses easily can become overwhelming quickly, so many organizations switch from trying to deny bad sites to creating a list of allowed sites instead.
This method is traditionally called “whitelisting,” but is also referred to as “allowlisting” or “safelisting.”
Blocking all unnecessary sites can seem easier for IT to manage, and NIST recommends its use in high-risk security environments. Allowing in only the chosen few websites helps satisfy strict compliance requirements and regulations by limiting exposure.
However, websites, cloud services, and even installed software make queries to multiple IP addresses and domains, which can make whitelisting quite challenging to execute in practice. IT teams may also find themselves constantly besieged by requests to add IP addresses to the approved site list, and burdened with monitoring older entries to ensure those domains remain valid.
While both methods remain valid and important ways to protect our systems, some attackers have found ways to use routinely whitelisted domains as attack platforms.
In October, researchers identified the Gitpaste-12 botnet attack, which had been operating from GitHub and Pastebin repositories since July. The malware used scripts to attack 12 known vulnerabilities and install a cryptominer on a victim’s computer.
However, the notable element of the attack was to use a publicly accessible repository on websites (GitHub, Pastebin) used by many programmers and embedded within some software. Requests from these sites will not generate alerts within most organizations because companies developing or using applications often reference key resources stored in these locations – especially open source software.
This attack has been so subtle that 93% of antivirus programs do not recognize the hide.so payload and not one antivirus engine on VirusTotal recognized the cryptominer configuration file by the end of October! When antivirus can’t detect bad files and the server uses a relatively benign source, how can we catch the attack?
We must monitor the behavior of our systems! A monitoring service such as Blue Bastion’s looks for unusual internet traffic patterns and computer resource usage that tip off security teams to the presence of bad actors or malware in the system.
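The point of the preceding sections, that a destination-based list passes traffic to GitHub or Pastebin under both a denylist and an allowlist while a behavioral rule over the same logs still catches the activity, can be shown in a short script. The following is an added example written for this article, not Blue Bastion’s monitoring code or any tooling from the Gitpaste-12 research; the proxy log lines, CPU samples, host names (dev-ws-01, hr-pc-07, acct-pc-03), domains (known-bad.example, updates.vendor.example) and list contents are all constructed for illustration.

```python
"""Added example (not from the original post): destination lists versus
behavioral rules over the same proxy log. Every log line, host name, list
entry and CPU sample below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# --- destination-based controls (constructed lists) ---
DENYLIST = {"known-bad.example"}
ALLOWLIST = {"github.com", "raw.githubusercontent.com", "pastebin.com",
             "updates.vendor.example"}


def destination_decision(domain, mode):
    """Return 'allow' or 'deny' for a destination under a denylist or allowlist."""
    if mode == "denylist":
        return "deny" if domain in DENYLIST else "allow"
    if mode == "allowlist":
        return "allow" if domain in ALLOWLIST else "deny"
    raise ValueError(f"unknown mode: {mode}")


# --- behavioral rules over proxy logs (constructed data) ---
CODE_HOSTING = {"github.com", "raw.githubusercontent.com", "pastebin.com"}
DEVELOPER_HOSTS = {"dev-ws-01"}  # hosts expected to pull from code hosting
EXECUTABLE_EXT = (".so", ".sh", ".elf", ".exe", ".dll", ".ps1")

PROXY_LOG = """\
2020-10-20T09:00:01 dev-ws-01 GET raw.githubusercontent.com/acme/app/main/requirements.txt 200
2020-10-20T09:05:00 hr-pc-07 GET pastebin.com/raw/CONSTRUCTED1 200
2020-10-20T09:05:02 hr-pc-07 GET raw.githubusercontent.com/CONSTRUCTED/repo/main/hide.so 200
2020-10-20T09:06:00 hr-pc-07 GET pastebin.com/raw/CONSTRUCTED1 200
2020-10-20T09:07:00 hr-pc-07 GET pastebin.com/raw/CONSTRUCTED1 200
2020-10-20T09:08:00 hr-pc-07 GET pastebin.com/raw/CONSTRUCTED1 200
2020-10-20T09:10:00 acct-pc-03 GET updates.vendor.example/patch.exe 200
"""


def parse(log_text):
    """Parse 'timestamp host METHOD domain/path status' lines into dicts."""
    events = []
    for line in log_text.splitlines():
        ts, host, _method, url, status = line.split()
        domain, _, path = url.partition("/")
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "domain": domain, "path": "/" + path, "status": int(status)})
    return events


def behavioral_findings(events, poll_threshold=3, window_minutes=10):
    """Flag non-developer hosts that fetch executables from code-hosting sites,
    or that repeatedly poll the same remote resource in a short window."""
    findings = []
    polls = defaultdict(list)
    for e in events:
        unexpected = e["domain"] in CODE_HOSTING and e["host"] not in DEVELOPER_HOSTS
        if not unexpected:
            continue
        if e["path"].endswith(EXECUTABLE_EXT):
            findings.append((e["host"], "executable fetched from code hosting",
                             e["domain"] + e["path"]))
        polls[(e["host"], e["domain"], e["path"])].append(e["ts"])
    for (host, domain, path), times in polls.items():
        times.sort()
        for i in range(len(times) - poll_threshold + 1):
            if times[i + poll_threshold - 1] - times[i] <= timedelta(minutes=window_minutes):
                findings.append((host, "repeated polling of same remote resource",
                                 domain + path))
                break
    return findings


# --- resource-usage rule (constructed samples, one reading every 5 minutes) ---
CPU_SAMPLES = {
    "hr-pc-07": [12, 95, 97, 99, 98, 96],
    "dev-ws-01": [40, 88, 35, 20, 15, 10],
}


def sustained_cpu(samples, threshold=90, consecutive=4):
    """Return hosts whose CPU stayed at or above threshold for N consecutive samples."""
    hits = []
    for host, values in samples.items():
        run = 0
        for v in values:
            run = run + 1 if v >= threshold else 0
            if run >= consecutive:
                hits.append(host)
                break
    return hits


if __name__ == "__main__":
    for mode in ("denylist", "allowlist"):
        print(mode, "pastebin.com ->", destination_decision("pastebin.com", mode))
    for finding in behavioral_findings(parse(PROXY_LOG)):
        print("finding:", finding)
    print("sustained CPU:", sustained_cpu(CPU_SAMPLES))
```

Both list modes return "allow" for pastebin.com, so neither control sees anything wrong with hr-pc-07. The behavioral rules flag that host twice: once for pulling a shared-object file from a code-hosting site when it is not a developer workstation, and once for polling the same paste every minute; the sustained-CPU rule flags it a third time. The developer workstation fetching a requirements file and the accounting PC pulling a vendor patch are left alone, which is the specificity a monitoring rule needs to avoid drowning analysts in noise.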
Public Repository Attacks
Attacks using public repositories present a new field of whack-a-mole for the security industry. While GitHub shut down the malware repository distributing Gitpaste-12, it will not be very difficult for the attacker to resume operations somewhere similar.
Some of us are thinking, “we don’t do software development or use open source software, so let’s just blacklist those sites…” While that will work for these particular attacks, this type of attack is spreading to other sites that may be used much more frequently, such as OneDrive, Google Drive, and Dropbox.
Chinese hackers targeted Joe Biden’s campaign staffers with emails that tried to impersonate the McAfee anti-virus software and deliver malware hosted on Dropbox for command and control. It is only a matter of time before more attackers incorporate this method into their arsenal and force cloud hosting providers to be more active in tracking them down.
Blocking such widely used services outright might benefit the organization only incrementally, and user habits may prevent any consideration of such a change.
Layered Defenses & Monitoring
Blocking bad IP addresses, implementing solid firewall defenses, and using endpoint antivirus will remain key components of an organization’s defense for the foreseeable future. These are bare minimum steps to prevent easy access to our critical resources.
However, as attackers move to novel methods of attack, these layers of defense are exposed as backward-looking tools. They stop the known attacks, but can be a bit slow to catch up to the new methods.
Monitoring provides a critical safety net to catch bad behavior from innovative attackers. If your organization is ready to add that safety net to your defense posture, call 412-349-6680 today or fill out the form below to inquire about our network and cybersecurity monitoring services.