icon-carat-right menu search cmu-wordmark

I Just Met You, and This Is Crazy!

Presentation
Darin Johnson of Infoblox presented this session at FloCon 2024.
Publisher

Software Engineering Institute

Topic or Tag

Abstract

Using DevOps tools and Large Language Models (LLM), attackers can now register domains, set up infrastructure, and generate convincing email messages for phishing campaigns in less than 30 minutes. This happens faster than traditional curated newly observed domain feeds (NOD) and other risk scores can observe, assess risk of, and publish domains to be put into Response Policy Zones (RPZ). Using only explicitly permitted domain lists for a network is difficult for administrators to maintain and typically degrades user experience.

We therefore present a data-driven argument for blocking domains first seen on a network for a short given period of time. We look at the lifecycle of a typical domain from the first time to the last time it is seen on a network. We will first show there is near zero risk of enterprise outage, and only minimal risk of individual degraded user experience. We will then show the increased security posture obtained, mitigating a number of lookalike and DGA domains. Another side benefit of this approach is disrupting the use of “Strategically Aged Domains” which have been removed from NOD feeds.