The Weekly Hotwash: April 24, 2020


Estimated Reading Time: 4 minutes

The Weekly Hotwash – A New CoaC Feature

Welcome to the first CoaC Weekly Hotwash; a recap of the past week’s news and the implications the stories may have on us.

For those unfamiliar with what a ‘hotwash’ is, its a term used to describe the immediate review and identification of actions following an event, whether an incident, a training exercise, or some type of situation that requires a ‘what worked, what didn’t’ type of review. Typically, a hotwash is an informal list of activities that are the foundation of a formal ‘After Action Report.’

The concept of the Weekly Hotwash is to recap and review the important stories that have occurred in the past week and hopefully share some insight and perspective around how they are impactful.

Props to the other John Masserini for developing the concept and pushing me to start it.

It’s All In A Name – What the pandemic has taught us about DNS:

Over the few weeks, there have been a number of stories (#1, #2, #3, #4) around the massive uptick in COVID-19/Coronavirus related domain registrations. By some counts, there were a couple of weeks in March that had in excess of 100k new domains registered with the term ‘COVID’ or ‘Corona’ in the name. These numbers align fairly well with other reports of the seismic shift in Phishing emails associated with the pandemic. ICANN has begun to get some heat from regulators and those on Capitol Hill around the ‘hands-off’ position they have taken so far. While ICANN has published a letter instructing domain registration firms to ‘do their best’ in identifying and canceling such domains, Pandora’s Box has already been opened. One of the major issues in today’s domain registration world is the automated registration process that some Registrars offer, enabling malicious actors in the creation of thousands of domains an hour.

Over the last few weeks, with the help of some publically available research, I have spent a lot of time looking over these domain registrations, and what I am seeing disturbs me. There are thousands of examples where dozens of very similar-sounding domains were created in less than a single second. It isn’t hard to imagine how malicious actors will use such a catalog of domains, but it is indeed hard to figure out how to leverage information like this in our threat intelligence feeds. Buried in and amongst this massive amount of domain information resides very legitimate domains that are being created for research and public communication. Such domains should be identified and whitelisted, but when we dealing with thousands of domains per week, the possibility of finding the good ones is an arduous task. On the flip side, blindly blocking every one of these domains is just as unrealistic of a proposal.

Hotwash - COVID Hostnames By Day

@ C.Masserini – Used with permission

It’s also not difficult to envision the flood of phishing emails that we will be seeing any day now. Again, with a catalog of tens of thousands of domains to choose from, fast-fluxing (or, I suppose, it’s technically reverse fast-fluxing) a BEC phishing campaign is going to test the limits of many legacy anti-phishing tools, especially those which rely on an email gateway architecture, where links are only evaluated once at the time of delivery.

All of that being said, believe it or not, it’s not the fact that malicious actors are generating these domains that is the most troubling, as that’s a simple fact of the world we live in. No, what is the most troublesome is the fact that the Registrars are allowing them to create these domains in bulk in a fully automated fashion. I truly struggle with why anyone needs to create dozens of domains per second. I understand the need for automation, but automation without limits is just begging to be abused. ICANN must step and address this, otherwise, we will again be buried in this mess then next time a crisis occurs.

Is It Time For Linux AV?

For as long as I can remember, the concept of running anti-virus on Linux (or it’s predecessors) has been met with a quiet, polite ‘Yeah – we’ll do that’ snicker. No one – not admins, security folks, or developers – felt that the threat against Linux even remotely forced us to consider the possibility of turning to such an abominable solution.

But yet, based on information uncovered in the last couple of weeks, it seems the time has come for that position to meet its demise.

In just the past three weeks, several stories (#1, #2, #3, #4) have come out detailing how malicious actors leveraged Linux vulnerabilities, misconfigurations and malware to quietly own the open-source platform for years. Yes – you read the right – one report has evidence that a certain nation-state has had complete access to a series of Linux hosts for at least a decade, stealing intellectual property and leveraging the systems for DDOS attacks.

Look – if we’re being honest, AV isn’t going to solve the misconfiguration problem in the least. Sure, it may identify malicious code if it finds it, but these days, all of the real adversaries have ways to avoid being found by most commercial AV products, but is that a valid reason to avoid using it? We are all painfully aware of the success rate of AV on our endpoints, but yet, we still write those checks every year.

Another possibility, and one that me be more suited to the Linux ecosystem, would be a modern File Integrity Monitoring (FIM) solution. While not an AV solution by definition, conceptually, by identifying changes in apps/scripts/config files, one may be able to quickly identify the existence of malicious actors and code before they end up owning the device for a decade. I have personally had decent sucess with leveraging FIM as a part of a layerd Linux defense, but attmittingly, it was more around insider abuse or honest admin mistakes, rather than external malicious actors.

Perhaps it’s time we take a hard look in the sysctl mirror and acknowledge that our precious, open-source operating system is not as perfect as we once thought. Conceivably, the time has come to admit it is as vulnerable as anything else and the necessary precautions must be taken.

The Chronicles of a CISO Weekly Hotwash is a recap of critical stories and news that occurred over the past week. The goal is to hopefully share some insight and perspective on how these stories may impact our industry, our careers, or our companies.

Copyright © 2002-2022 John Masserini. All rights reserved.

Leave a Reply

Your email address will not be published. Required fields are marked *