As I'm sure most of you reading this blog know, drive-by web re-directs are a major malicious code infection vector for organizations these days. Many proxy vendors continually make a noble effort to stay on top of domains hosting malicious code and push blocks down to their customers' proxy devices. This is actually highly effective at preventing a large number of malicious code infections in enterprises. What's interesting analytically though is that there is usually a 24-48 hour window between when a domain begins hosting malicious code and when the proxy vendors are able to push the blocks down to their customers. That time period is a window of opportunity for the attackers, and it's often enough time to infect countless systems.
So how can we turn this tidbit into an interesting analytical technique? What about reviewing the list of blocks received from our proxy vendor and searching back a week or two in our proxy log data to see if any systems were infected before the block was pushed down? Pretty neat if you ask me, and a highly effective way to identify infected systems in the enterprise.
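One way to implement that retro-hunt, as an added example that is not part of the original post: take the vendor's block list with the time each block was pushed, and scan the proxy logs for clients that reached the domain inside a lookback window before that time. The block feed, the log format and the domains are all constructed assumptions; real feeds and proxies will need their own parsers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed block feed: (domain, time the block was pushed to our proxies).
BLOCK_FEED = [
    ("bad-example.test", "2011-03-10 09:00:00"),
    ("other-bad.test", "2011-03-11 12:00:00"),
]

# Constructed proxy log lines (made-up format: date time client host status).
PROXY_LOG = """\
2011-03-08 14:02:11 10.1.1.5 bad-example.test 200
2011-03-09 08:15:40 10.1.1.7 www.example.org 200
2011-03-09 16:20:03 10.1.1.9 bad-example.test 200
2011-03-10 10:30:00 10.1.1.5 bad-example.test 403
2011-02-20 02:00:00 10.1.1.20 other-bad.test 200
2011-03-11 11:59:59 10.1.1.21 other-bad.test 200
"""

FMT = "%Y-%m-%d %H:%M:%S"

def parse_log(text):
    """Yield (timestamp, client, host, status) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than abort the hunt
        ts = datetime.strptime(parts[0] + " " + parts[1], FMT)
        yield ts, parts[2], parts[3], int(parts[4])

def find_preblock_hits(block_feed, log_text, lookback_days=14):
    """Return {domain: {client: [timestamps]}} for requests to a newly
    blocked domain made inside the lookback window before the block was
    pushed. Requests after the block time were already denied by the
    proxy; requests older than the window are out of hunt scope."""
    blocks = {d: datetime.strptime(t, FMT) for d, t in block_feed}
    hits = defaultdict(lambda: defaultdict(list))
    for ts, client, host, _status in parse_log(log_text):
        block_time = blocks.get(host)
        if block_time is None:
            continue
        if block_time - timedelta(days=lookback_days) <= ts < block_time:
            hits[host][client].append(ts)
    return {d: dict(c) for d, c in hits.items()}

if __name__ == "__main__":
    for domain, clients in find_preblock_hits(BLOCK_FEED, PROXY_LOG).items():
        print(domain, "->", sorted(clients))
```

Each client listed made a successful-looking request to the domain during the window between it turning malicious and the block arriving, so those hosts are the ones to triage first.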