Monday, July 2, 2012
End of an Era?
For many years, domain-based intelligence (e.g., lists of known malicious domain names) provided actionable information that could be leveraged to identify infected systems on enterprise networks. In its day, domain-based intelligence represented a considerable step forward over IP-based intelligence, which had proven to be quite prone to false positives. Of late, however, domain-based intelligence has itself fallen victim to a high rate of false positives. There are a number of reasons for this, but chief among them is the fact that attackers have moved from using entirely malicious domains to compromising small corners of legitimate domains. Because of this, URL patterns (e.g., a POST request for /res.php) have proven to be far more effective at identifying infected systems.

Now, for sure, there are some entirely malicious domains that are still used. These domains are often randomly generated via algorithms that change daily, hourly, or even more frequently. Quite simply put, the domains change faster than the intelligence lists can share them out.

Could it be that we've reached the end of an era vis-à-vis domain-based intelligence? Has the era of URL-pattern-based intelligence begun? I know that I am leveraging URL patterns heavily, and I know that I am not alone in that.
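As an added illustration (not code from the original post), the following Python runs a domain list and a URL-pattern rule over a few constructed web-proxy log lines; the client IPs, host names, known-bad list and the anchored /res.php pattern are all assumed for the example. It shows the two failure modes the post describes: a compromised legitimate host and a freshly generated host both miss the domain list, while the method-plus-path rule catches both.

```python
import re

# Constructed sample web-proxy log lines (not from the original post):
# client_ip method host path
SAMPLE_LOG = """\
10.0.0.5 POST www.news-site.example /res.php
10.0.0.7 GET www.news-site.example /index.html
10.0.0.9 POST kx7q2m9dpl.example /res.php
10.0.0.12 GET cdn.shop-site.example /img/logo.png
10.0.0.15 POST www.news-site.example /wp-content/uploads/res.php
10.0.0.20 POST www.news-site.example /myres.php
"""

# Hypothetical domain-based intelligence: a static list of known-bad hosts. The
# DGA-style host in the sample is not on it yet; the compromised one never will be.
KNOWN_BAD_DOMAINS = {"badhost.example"}

# Hypothetical URL-pattern intelligence: (HTTP method, path regex) pairs,
# anchored so that only a path component named exactly res.php matches.
URL_PATTERNS = [("POST", re.compile(r"(^|/)res\.php$"))]

def parse_log(text):
    """Split the constructed lines into dicts; real proxy formats differ."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client_ip, method, host, path = line.split()
        records.append({"client_ip": client_ip, "method": method.upper(),
                        "host": host.lower(), "path": path})
    return records

def match_domain_intel(records, bad_domains=KNOWN_BAD_DOMAINS):
    """Domain-based matching: alert only when the host is on the list."""
    return [(r["client_ip"], r["host"], r["path"])
            for r in records if r["host"] in bad_domains]

def match_url_patterns(records, patterns=URL_PATTERNS):
    """URL-pattern matching: method plus path, regardless of host."""
    hits = []
    for r in records:
        for method, regex in patterns:
            if r["method"] == method and regex.search(r["path"]):
                hits.append((r["client_ip"], r["host"], r["path"]))
                break
    return hits

def infected_clients(hits):
    return sorted({client_ip for client_ip, _, _ in hits})
```

Note that the pattern is anchored to the path component, so a request for /myres.php is not treated as a hit; a loose substring match would reintroduce the false positives the post is trying to escape.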