HTTP has long served the bad guys as an infection vector, a command and control channel, and of course a channel for data exfiltration. The countermeasure most organizations rely on is a proxy server that inspects outbound HTTP requests and blocks connections to undesirable websites. Apparently we didn't learn anything from the early firewall days, when default-allow rulesets had to be replaced with default-deny, because most organizations still take the blacklist approach and block categories of websites. The blocked categories naturally include those known to be used by attackers, plus others dictated by corporate policy.
But what about sites that have not been categorized at all? Consistent with the blacklist approach, many organizations permit those too. Unfortunately, our adversaries have adapted and exploit exactly this hole in the HTTP "firewall" by registering throwaway domain names that no categorization feed has seen yet. The solution, of course, is to block uncategorized websites by default.
Users will no doubt complain about not being able to reach the newest hot site, but the proxy can return a form that lets them submit the site for approval. The initial flood of requests will bog down the proxy administrator, but the volume should level off over time. Hybrid solutions can also ease the burden on both users and administrators. For example, instead of filling out a request form, the proxy could ask the user to complete a CAPTCHA or enter an RSA SecurID token code to confirm that a real person, not malware trying to call out, is behind the request.
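To make the policy concrete, here is an added example (my own code, not from the original post or any proxy product) of the decision logic such a proxy would apply: deny blocked categories outright, allow categorized sites, and for uncategorized hosts fall back to a challenge whose successful completion records a time-limited exception. The category feed, the domain names, the 24-hour exception lifetime and the `PolicyEngine` class are all constructed for illustration.

```python
"""
Added example: default-deny egress policy for uncategorized destinations,
with a human-challenge exception path.  Category data, host names and the
approval store below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional
import time


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    CHALLENGE = "challenge"   # serve a CAPTCHA / request form instead of the page


# Constructed stand-in for a categorization feed: domain -> category
CATEGORIES = {
    "example.com": "business",
    "news.example.org": "news",
    "gamble.example.net": "gambling",
}

# Categories denied by corporate policy (the "blacklist" half of the scheme)
BLOCKED_CATEGORIES = {"gambling", "malware", "proxy-avoidance"}


def lookup_category(host: str) -> Optional[str]:
    """Match the host and each parent domain against the feed, most specific
    first, so evil.news.example.org inherits the 'news' category of
    news.example.org.  The bare TLD is never consulted."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORIES:
            return CATEGORIES[candidate]
    return None


@dataclass
class PolicyEngine:
    approvals: Dict[str, float] = field(default_factory=dict)  # host -> expiry
    approval_ttl: int = 24 * 3600  # assumed lifetime of an exception, seconds

    def approve(self, host: str, now: Optional[float] = None) -> None:
        """Record an exception after the user passed the CAPTCHA / token step.
        Exceptions are per exact host: approving fresh-domain.xyz does not
        open every subdomain an attacker may later spin up under it."""
        now = time.time() if now is None else now
        self.approvals[host.lower()] = now + self.approval_ttl

    def decide(self, host: str, now: Optional[float] = None) -> Verdict:
        """Return the proxy's verdict for one outbound request to `host`."""
        now = time.time() if now is None else now
        category = lookup_category(host)
        if category in BLOCKED_CATEGORIES:
            return Verdict.BLOCK       # policy block; no exception offered
        if category is not None:
            return Verdict.ALLOW       # categorized and permitted
        expiry = self.approvals.get(host.lower())
        if expiry is not None and expiry > now:
            return Verdict.ALLOW       # uncategorized, but a human vouched for it
        return Verdict.CHALLENGE       # uncategorized: deny, ask for a human


if __name__ == "__main__":
    engine = PolicyEngine()
    for h in ("www.example.com", "evil.gamble.example.net", "fresh-domain.xyz"):
        print(h, engine.decide(h).value)
    engine.approve("fresh-domain.xyz")
    print("fresh-domain.xyz after approval", engine.decide("fresh-domain.xyz").value)
```

In a real deployment the exception store would be keyed per user or session rather than globally, every approval would be logged for later review, and the challenge page itself must be served from the proxy rather than fetched from the uncategorized host, or the malware gets its callback anyway.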
Today’s post pic is from medithIT. See ya!