ISC StormCast for Friday, February 1st 2019
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 1 February 2019
⏱️ 6 minutes
Transcript
| 0:00.0 | Hello, welcome to the Friday, February 1st, 2019 edition of the SANS Internet Storm Center's Stormcast. |
| 0:07.7 | My name is Johannes Ullrich, and I'm recording from Jacksonville, Florida. |
| 0:13.2 | This month, I already talked a couple of times about how domain admin consoles at registrars, but also locally are again targeted and how, for example, |
| 0:25.2 | phishing is being used to get credentials of administrators to then modify these domains. |
| 0:32.8 | Now one best practice, of course, is to monitor your own domain for changes. |
| 0:39.2 | So you do get an alert if an unauthorized change has been made and you can quickly react to this. |
| 0:45.5 | Today, Xavier posted a diary with a couple of tools that should help you identify these changes early. |
| 0:53.4 | Now, one nice thing he sort of does here is that |
| 0:55.8 | he uses a number of tools that you may already have in your environment. For example, |
| 1:00.5 | Nagios, which is often used to monitor uptime and such on servers. It can be used to monitor |
| 1:06.8 | changes. So you could, for example, add some critical host names and check the IP address. Don't |
| 1:12.2 | forget, for example, name servers here. Don't just monitor your web server. That's probably |
| 1:17.2 | the easiest one to figure out if it gets modified, but MX records and name servers, that's |
| 1:23.2 | probably the most critical thing to monitor here. But he also has a little shell script that you can use to, for example, check changes to the start of authority record, |
| 1:34.3 | which would include the serial number, and tie this into OSSEC. |
| 1:38.3 | OSSEC is often used to monitor, for example, files for changes and collect logs. So a real flexible tool I've seen |
| 1:46.9 | in a lot of environments, and really easy to sort of add a quick check to it in order to get |
| 1:53.2 | an alert whenever something goes wrong with your domain. All of these techniques, of course, |
| 1:59.9 | only work if you tie them in with your |
| 2:03.5 | change control. If you don't do this, then of course, you'll get lots of false positives and |
| 2:09.7 | you'll stop looking at these alerts. Also, if you're using DNS like for failover, if you're using |
| 2:15.2 | it for load balancing, then sometimes these records can change quite quickly. So again, if you're using it for load balancing and sometimes these records can |
... |
Disclaimer: The podcast and artwork embedded on this page are from SANS ISC Handlers, and are the property of its owner and not affiliated with or endorsed by Tapesearch.
Generated transcripts are the property of SANS ISC Handlers and are distributed freely under the Fair Use doctrine. Transcripts generated by Tapesearch are not guaranteed to be accurate.

