IT Security News

12-May-2011

This week we were discussing the recent attacks on RSA, and what many industry voices are referring to as an APT, or 'Advanced Persistent Threat'.

However, some would argue that, following analysis of the attack and the methods used, it was neither advanced nor persistent. In fact it has been reported that the initial intrusion relied upon a 0-day vulnerability in Adobe Flash Player, and used an email document attachment titled 'Recruitment Plan' as the initial attack vector. The moral there: don't open attachments when you don't know or trust the source. If I had £1 for the number of times I said that, I'd be a wealthy man.

The US-CERT reported that the attack had 'phoned home' to several known URLs and IP addresses, which was characteristic of attacks previously seen by the CERT. The best security relies on multiple layers, so that got the technical team at 24 Security discussing some basic methods to create a first line of defence.

We obtained a list of suspicious or malicious IP Netblocks from Wizcrafts, who have been maintaining an IPTables and htaccess blacklist for some time.

Our engineers converted this into Cisco PIX / Cisco ASA config, so that we could apply it as an ACL to the outbound traffic. The converted ACL is available here: ip-blocklist-pix-asa-config.txt.

The ACL is also set to log on a match. We use syslog to capture our firewall logs, so we can parse the logfiles for ACL matches and pick out the source IPs within any of the networks we manage for our customers.
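The two steps above, converting a netblock list into ASA/PIX access-list entries and then pulling the matches back out of syslog, are small enough to script. The following is an added example written for this post; it is not 24 Security's converter nor the Wizcrafts list. The netblocks and syslog lines are constructed sample data (RFC 5737 documentation ranges), the ACL name OUTBOUND_BLOCK is an assumption, and the log parser targets the %ASA-6-106100 message that the ASA emits for an access-list entry carrying the `log` keyword.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample blocklist standing in for a downloaded netblock list.
# One CIDR per line; '#' starts a comment. These are documentation ranges, not real threat data.
SAMPLE_BLOCKLIST = """\
# constructed sample netblocks
192.0.2.0/24
198.51.100.0/25
203.0.113.7/32
"""

# Assumed ACL name; choose whatever matches your own naming policy.
ACL_NAME = "OUTBOUND_BLOCK"

# Constructed sample syslog lines in the %ASA-6-106100 layout (hex hash codes are made up).
SAMPLE_SYSLOG = """\
May 12 2011 10:15:01 fw1 %ASA-6-106100: access-list OUTBOUND_BLOCK denied tcp inside/10.1.2.3(49152) -> outside/192.0.2.10(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
May 12 2011 10:15:02 fw1 %ASA-6-106100: access-list OUTBOUND_BLOCK permitted tcp inside/10.1.2.9(49201) -> outside/203.0.113.50(443) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
May 12 2011 10:15:03 fw1 %ASA-6-106100: access-list OUTBOUND_BLOCK denied udp inside/10.1.2.3(53001) -> outside/198.51.100.44(53) hit-cnt 3 300-second interval [0x9c0d1e2f, 0x0]
May 12 2011 10:15:04 fw1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.50/443 (203.0.113.50/443) to inside:10.1.2.9/49201 (10.1.2.9/49201)
"""


def parse_netblocks(text):
    """Return IPv4 networks from a blocklist, ignoring comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            # strict=False tolerates host bits set in a listed address (e.g. 192.0.2.5/24)
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def to_asa_acl(nets, acl_name=ACL_NAME, inside_if="inside"):
    """Render ASA/PIX extended ACEs; ASA takes a subnet mask, not an IOS-style wildcard."""
    lines = []
    for net in nets:
        if net.prefixlen == 32:
            lines.append(f"access-list {acl_name} extended deny ip any host {net.network_address} log")
        else:
            lines.append(f"access-list {acl_name} extended deny ip any {net.network_address} {net.netmask} log")
    # Trailing permit keeps ordinary outbound traffic flowing; the ACL only blocks the listed ranges.
    lines.append(f"access-list {acl_name} extended permit ip any any")
    # Apply inbound on the inside interface to filter traffic leaving the LAN.
    lines.append(f"access-group {acl_name} in interface {inside_if}")
    return lines


# Matches the 106100 message for a denied flow and captures the fields we report on.
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"\S+/(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"\S+/(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def acl_denies(syslog_text, acl_name=ACL_NAME):
    """Extract denied flows logged by the named ACL; other messages and ACLs are skipped."""
    matches = []
    for line in syslog_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("acl") == acl_name:
            d = m.groupdict()
            for key in ("sport", "dport", "hits"):
                d[key] = int(d[key])
            matches.append(d)
    return matches


def offending_sources(matches):
    """Total denied hits per internal source address: these are the hosts worth a closer look."""
    counts = Counter()
    for m in matches:
        counts[m["src"]] += m["hits"]
    return counts


def in_blocklist(address, nets):
    """Cross-check: does a logged destination actually fall inside one of the listed netblocks?"""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in nets)


if __name__ == "__main__":
    nets = parse_netblocks(SAMPLE_BLOCKLIST)
    print("\n".join(to_asa_acl(nets)))
    hits = acl_denies(SAMPLE_SYSLOG)
    for src, n in offending_sources(hits).most_common():
        print(f"{src}: {n} denied hit(s)")
    for h in hits:
        print(h["src"], "->", h["dst"], "listed:", in_blocklist(h["dst"], nets))
```

Feed `parse_netblocks` the raw downloaded list and paste the rendered lines into the firewall configuration; point `acl_denies` at the syslog file your collector writes and the per-source counts tell you which internal hosts are trying to reach listed ranges. Note that the ASA rate-limits repeated 106100 messages into interval summaries, which is why the script sums the hit-cnt field rather than counting lines.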

To catch any URL-specific traffic, we need another solution. It's very difficult to build and maintain a URL blacklist without lots of resources or specialist appliances, but more on that in future. In the interim, we've applied Comodo's free Secure DNS service to several configurations, although we'll check out OpenDNS too as it has some additional configuration options. We've had no issues so far with the configuration, and the statistics show that other ACLs using the same list of Netblocks are already matching a lot of port scan traffic.

24 Security are a registered Cisco Partner and specialise in Security solutions for Small and Medium Business clients.

Our consultancy team are trained and qualified in Cisco Self-Defending Network solutions, helping your organisation to manage access, control threats, and ensure secure communications within your network infrastructure.