ISC StormCast for Tuesday, October 3rd 2017
SANS Internet Stormcenter Daily Cyber Security Podcast (Stormcast)
SANS ISC Handlers
🗓️ 3 October 2017
⏱️ 6 minutes
| 0:00.0 | Hello, welcome to the Tuesday, October 3, 2017 edition of the SANS Internet Storm Center's Stormcast. |
| 0:08.0 | My name is Johannes Ullrich, and I am recording from Jacksonville, Florida. |
| 0:13.0 | Xavier today is looking at incident response with passive DNS. |
| 0:18.0 | Now, DNS, of course, is critical in order to figure out what IP address is or was associated with a particular host name. But the problem with incident response, of course, is that the incidents happened in the past and DNS information may have changed since then. |
| 0:37.8 | So it's always good to have access to passive DNS data that will tell you what IP address was associated with a particular host name at the time of the incident. |
| 0:49.2 | You can collect some of this yourself and Xavier is talking part about that, but there are also a couple |
| 0:56.7 | of public resources that you can use to investigate. For example, DNS dumpster is kind of an |
| 1:04.0 | interesting website that will tell you more about a particular domain name. Of course, it's also |
| 1:10.7 | interesting to know what other host names may have resolved to |
| 1:14.6 | a particular IP address at a time. |
| 1:16.6 | Now, I'm not aware of a great free resource to look at that. |
| 1:21.6 | PassiveTotal does provide some of that, and then there are some commercial resources that will give you data |
| 1:29.0 | feeds. Problem in part is that this is fairly massive data and of course it's not easy to offer |
| 1:37.1 | that for free. And well, if you ever signed up for a service like Slack, then one of the ways you can sort of limit who can sign up for a particular team is that these users have to have an account at your domain. |
| 1:56.1 | There's now an interesting blog post at freecodecamp.org that shows how to bypass this type of |
| 2:04.1 | authentication. So the requirement here is that you do have an email address at a particular domain, |
| 2:11.9 | let's say at example.com. The trick here is that you find something like a customer support email system |
| 2:20.2 | that dynamically creates example.com email addresses. Typically, you have something like ticket number |
| 2:28.4 | at example.com and you're being copied on all of these emails. Now, the system, and let's take Slack as an example here, |
| 2:37.3 | in order to prove that you have an account at the particular domain, |
| 2:42.2 | will just send a confirmation code to an email address that you provide. |
| 2:47.8 | So what you do is you open a support ticket at the particular website, then you |
... |