Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/mttaggart/statuses/114274382348050133">Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 04-Apr-2025 00:26:22 JST</a><a href="https://infosec.exchange/@mttaggart" title="mttaggart@infosec.exchange"><img src="https://gnusocial.jp/avatar/117593-48-20241114173111.webp" width="48" height="48" alt="Taggart :donor:" style="position: absolute; left: 0; top: 0;">Taggart :donor:</a></section><article><p>Today's CISA release has one big takeaway for me:</p><p>Establish. DNS. Authority.</p><p>If you can see and stop DNS queries in your environment, this "technique" is cut off at the knees. </p><p>In fact, I'd say DNS data is one of the most valuable telemetry sources you can collect as a defender. But DNS authority also means forcing your assets to use DNS servers of your choosing. If hosts can pick Quad 8 or whatever, you can see the query, but you can't stop it. Same goes for DNS-over-HTTPS.</p><p>Between DHCP, host, and firewall configuration, guarantee that all DNS queries in your network lass through a resolver under your control. </p><p><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a" rel="nofollow">https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4839278#notice-9477405">In conversation</a><time datetime="2025-04-04T00:26:22+09:00" title="Friday, 04-Apr-2025 00:26:22 JST">about 18 days ago</time> <span>from <span><a href="https://infosec.exchange/@mttaggart/114274382348050133" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@mttaggart/114274382348050133">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: www.cisa.gov</div><h5><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a">Fast Flux: A National Security Threat | CISA</a></h5><div></div></header><div>This advisory encourages service providers to help mitigate the fast flux threat by developing accurate, reliable, and timely detection analytics and blocking capabilities for their customers.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Taggart :donor: (mttaggart@infosec.exchange)'s status on Friday, 04-Apr-2025 00:26:22 JST Taggart :donor:
Today's CISA release has one big takeaway for me:
Establish. DNS. Authority.
If you can see and stop DNS queries in your environment, this "technique" is cut off at the knees.
In fact, I'd say DNS data is one of the most valuable telemetry sources you can collect as a defender. But DNS authority also means forcing your assets to use DNS servers of your choosing. If hosts can pick Quad 8 or whatever, you can see the query, but you can't stop it. Same goes for DNS-over-HTTPS.
Between DHCP, host, and firewall configuration, guarantee that all DNS queries in your network lass through a resolver under your control.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a
In conversationabout 18 days ago from infosec.exchangepermalink
Attachments
1. Domain not in remote thumbnail source whitelist: www.cisa.gov
  Fast Flux: A National Security Threat | CISA
  This advisory encourages service providers to help mitigate the fast flux threat by developing accurate, reliable, and timely detection analytics and blocking capabilities for their customers.

Public

Embed Notice

HTML Code

Corresponding Notice