Hello and welcome to the Monday, January 20th, 2025 edition of the Sands Internet Storm Center's Stormcast.

My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

Well, keeping things a little bit shorter today because of the federal holiday here in the U.S.

Starting with one of the diaries from this weekend. I think it was actually Fridays. And that's an other diary from one of our

undergraduate interns. This one was written by Alex Sanders. And Alex is writing about how to use honeypots for offensive purposes,

in particular to identify infrastructure that may be used to identify

some of the offensive infrastructure parts that a RETI member may deploy. So you're setting up a fishing site. You

want to prevent that fishing site from being discovered. It may be good to have a list of

researchers and such that are scanning the internet proactively to uncover sites like this.

Well, we do actually offer feed of researchers,

and I have to add the one or two researchers

that Alex here has as part of his diary.

But overall, usually it's actually better

to just do an allow list where only the organization

that you're testing has access to the particular phishing or malicious website.

But that's not always that easy in case they're using various tunneling systems that often

are being used to protect their users.

So their IP address are not

essentially easily identifiable. And then of course, you have a lot of users using mobile devices,

maybe even working from home, so their home IP address may be showing up. And that makes sort of

the allow list approach a lot more difficult, which is then

where you may want to implement some kind of plot list in order to extend the lifetime of

...