Hello, welcome to the Wednesday, January 23rd, 2019 edition of the Sands and it's Storms oners

Stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

Well, this, I guess, is sort of a DNS kind of weekend. Today, we have a diary by Xavier showing you how to use MISP in order to create

response policy zones. So MISP used to stand for Malware information sharing platform, but they

really see it now as an open source threat intelligent platform. So more than Malware,

you can collect things like IP addresses,

hashes, host names, and associate information about various malicious events.

Now, the script that Xavier posts that will allow you to export data from MISP and turn it into

a response policy zone. So these response policy zones are a feature in DNS servers that allow you to

override how the DNS server would normally respond.

So for all of these malicious host names, you can tell the DNS server now to actually respond

with an IP address that, for example, points to a sensor that will

then alert you whenever a user does connect to it.

For example, one of our other handlers, Guy posted about this a couple times and he wrote

a little sort of DNS sinkhole that takes advantage of just this principle.

But the nice thing with Xavier is that you can take all the information that you have in MISP

and then easily with a simple shell script, turn it into these response policy zones and

actually take action against the NEOs connecting to one of these malicious host names. And yes, this method is also often called

DNS firewalling because essentially you're using your DNS server to block outbound requests.

And if you're using a Debian-based Linux system and you're probably familiar with Apt,

Apt is a tool that allows you to install packages from remote repositories.

Of course, the app itself is a pretty dangerous tool.

...