ThreatSTOP Blog

Improvements to ThreatSTOP Detection and Response - November 2025

Written by Joel Esler | December 1, 2025

Every month, the ThreatSTOP Security, Intelligence, and Research team works to expand our proactive protections against emerging threats. This month marks a significant leap forward in safeguarding customer environments, with new detection feeds, improved domain intelligence, and enhanced IP-based monitoring to stop attacks before they impact your business. We ask you to please read this blog in its entirety, as it may require action on your part.

1. Crypto Mining IP Detection  

We have closed a four-year gap in actionable cryptomining coverage. Our new intelligence now covers not just the domains, but also the IP addresses of crypto miners.

2. New Ad Detection Feed  

Online advertising is a core part of today’s web, but it is also a major channel for hidden threats such as malware delivery, phishing redirects, tracking based data exfiltration, and command and control activity. ThreatSTOP now gives customers the ability to block these risks outright. Our Security, Intelligence, and Research team maintains continuously updated intelligence on malicious advertising servers, powering both DNS Defense and IP Defense to stop dangerous ad domains, prevent redirects, and block connections to known bad infrastructure before harm occurs. With flexible enforcement bundles for both domains and IPs, organizations can proactively reduce exposure to malvertising and other ad based threats.  Read our blog post here for more information.

3. BadTLDv2 – Expanded Malicious Domain Detection  

BadTLDv2 is a DNS hunting sensor that looks for potential DNS tunnels by combining two independent views of the internet. The script focuses on three behaviors that are common in DNS abuse. First, it looks for CNAME records under custom top level domains that an operator has tagged as risky, which often show up in command and control or tunneling frameworks. Second, it searches for domain labels that contain malicious looking strings (details intentionally omitted, trade secrets and all), a pattern that frequently signals encoded data rather than human readable names. Third, it flags IPv4 A records that point to unreachable IP addresses, which are unusual in normal web browsing but attractive for covert channels.
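As an added illustration of the three behaviors described above (this is not ThreatSTOP's code): the undisclosed string check is stood in for by an assumed label-entropy heuristic, and the risky TLD set and the DNS records are constructed for the example.

```python
import ipaddress
import math
import re
from collections import Counter

# Constructed sample DNS records: (owner name, record type, rdata).
SAMPLE_RECORDS = [
    ("api.example.com", "A", "93.184.216.34"),
    ("beacon.example.bit", "CNAME", "c2.example.bit"),
    ("zz4kq9v2xq7r3p.example.com", "A", "10.0.0.5"),
    ("www.example.net", "CNAME", "cdn.example.net"),
    ("probe.example.org", "A", "0.0.0.0"),
]

# Assumed operator-tagged risky TLDs; the post does not name any.
RISKY_TLDS = {"bit", "onion"}

def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def looks_encoded(name, min_len=12, min_entropy=3.2):
    """Assumed stand-in for the undisclosed string check: a long, high-entropy
    left-most label with digits mixed in reads like encoded data, not a hostname."""
    label = name.split(".")[0]
    return (len(label) >= min_len and re.search(r"\d", label) is not None
            and label_entropy(label) >= min_entropy)

def unreachable_ipv4(addr):
    """True for A-record targets that no normal web client would reach."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return (ip.is_unspecified or ip.is_private or ip.is_reserved
            or ip.is_loopback or ip.is_multicast)

def classify(record):
    """Return the list of rule names the record triggers (empty if clean)."""
    name, rtype, rdata = record
    tld = name.rsplit(".", 1)[-1].lower()
    hits = []
    if rtype == "CNAME" and tld in RISKY_TLDS:
        hits.append("cname_under_risky_tld")
    if looks_encoded(name):
        hits.append("encoded_looking_label")
    if rtype == "A" and unreachable_ipv4(rdata):
        hits.append("a_record_unreachable_ip")
    return hits

def hunt(records):
    """Map each flagged owner name to the rules it triggered."""
    return {rec[0]: hits for rec in records if (hits := classify(rec))}
```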

4. APWG Malicious IPs

In collaboration with our partners at APWG, we've rolled out a significant enhancement to the tracking of malicious IP addresses.  This detection has been added to our "Malware - IPs" target in the Command & Control bundle.  If you are using the Malware - IPs target, you don't need to do anything.  This detection is already in your policy.

5. Dynamic DNS Detection

In our recent development efforts to enhance security monitoring, we've implemented a new detection mechanism specifically designed to identify Dynamic DNS activity across our environments. Complementing this detection, we've also introduced a Dynamic DNS IP target configuration to streamline and centralize the input process. This Target is in our Corporate Policy - IPs bundle. This is a relatively new Bundle in our detection, and not many customers have looked into it. We recommend reviewing this bundle to evaluate whether it is a good fit for you, or asking our support team about it.

6. Reclassifying Ransomware

An adjustment was made to how we classify Ransomware Domains and IPs within our system.  The only effect that this has for the customer is making Targets easier to select and sort by in the interface.

7. Domain Parking Detection

A significant enhancement was made to our parked domain detection using visual Machine Learning. This should help stop instances where multiple parked domains are used to push a malicious page towards your system. You may have seen something like this when you click or tap on something and suddenly your screen is filled with warnings about your system needing antivirus protection, or your system being compromised.

8. Allow listing enhancements

One of the hardest parts about maintaining block lists is maintaining lists of "clean" networks. Perhaps those networks aren't necessarily clean per se, but blocking them would cause significant damage to the normal operation of the Internet. For example, certain CDNs, while handy, may also host malicious traffic, so while blocking a CDN's IP addresses may be the obvious solution, it will break benign traffic as well.

9. Gambling Targets

As part of our ongoing effort to streamline and simplify our detection system, we implemented a series of targeted updates designed to reduce exposure to gambling-related content. For instance, in this particular case, we had multiple targets that safeguarded customers from this content. These targets were consolidated into a single target for enhanced usability.

10. BlueSky Detection

BlueSky was added to our "Social Media" Bundle, allowing customers to block or control the usage of BlueSky on their networks.

11. Bundles

Have you made the switch from using individual targets to Bundles? Bundles are not only a collection of Targets that makes things easier to manage; they also allow us (the Security, Intelligence, and Research team) to dynamically update your detection by moving and adding things to Bundles. This way, your detection is constantly updated without your having to reconfigure your policy.

We especially ask you to look into the Command and Control Bundle, which should be on by default in every customer environment.

How ThreatSTOP Protects You

All these new enhancements directly power our Protective DNS solutions (DNS Defense and DNS Defense Cloud) as well as IP Defense, ensuring you can:  

  • Block cryptomining traffic before it consumes resources  
  • Stop command-and-control communications at the DNS and IP layers  
  • Detect and disrupt phishing, spam, and data exfiltration attempts  
  • Leverage actionable threat intelligence across routers, firewalls, IPS, and cloud environments like AWS WAF  

By continuously refining our detections, ThreatSTOP ensures your security posture evolves faster than the threats targeting your organization.  

Ready to Enhance Your Security?

For those interested in joining the ThreatSTOP family, or to learn more about our proactive protections for all environments, we invite you to visit our product page. Discover how our solutions can make a significant difference in your digital security landscape. We have pricing for all sizes of customers! Get started with a Demo today!  

Connect with Customers, Disconnect from Risks.