I would argue that you could develop signatures for identifying it, so IPS
vendors should be able to do this without too much difficulty.

Still, the real issue is to prevent the original infection, which likely
used a more prevalent vector.

ASB  http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…

GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A


On Sat, Oct 17, 2015 at 10:05 PM, Erik Goldoff <[email protected]> wrote:

> seems to me that a good IPS system should detect and block this method, or
> am I way off base ?
>
> On Sat, Oct 17, 2015 at 9:53 PM, Andrew S. Baker <[email protected]>
> wrote:
>
>> Most SMBs?   Larger orgs will be equally at a loss.
>>
>> The key in this case is to prevent or quickly detect the initial
>> breach/compromise, because once a machine on the inside is compromised,
>> preventing it from spreading will be much, much harder.
>>
>> ASB  http://XeeMe.com/AndrewBaker
>> Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
>>
>> GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A
>>
>>
>> On Fri, Oct 16, 2015 at 10:59 PM, Richard Stovall <[email protected]>
>> wrote:
>>
>>> I had not heard of this before.
>>>
>>> https://zeltser.com/c2-dns-tunneling/
>>>
>>> How in the world can most SMBs ever begin to beat back this kind of
>>> stuff?
>>>
>>
>>
>
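The thread argues that DNS-tunnelled C2 (the zeltser.com article above) is detectable with signatures, even if preventing the initial infection matters more. As an added example that is not part of the original thread or of any IPS vendor's product, the following Python script shows what such detection logic looks like when run over DNS query logs: it profiles each parent domain and flags the ones whose subdomains look like encoded payload (high entropy, long labels, almost every query a never-before-seen name, TXT/NULL/KEY record types). The log lines, the `client qname qtype` field layout, the thresholds and the domain names (`tunnel.example.org` and friends) are all constructed for the example, not taken from the page.

```python
import math
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log (not from the original thread): one "client qname qtype"
# record per line, roughly what you get after field extraction from a
# passive-DNS sensor or a resolver query log. The last six lines imitate a
# tunnelling client encoding data into hex-looking labels under example.org.
SAMPLE_QUERY_LOG = """\
10.0.0.12 www.example.com A
10.0.0.12 mail.example.com MX
10.0.0.15 cdn.example.net A
10.0.0.21 7d3f4a9b2e1c0d8f6a5b4c3d2e1f0a9b.tunnel.example.org TXT
10.0.0.21 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.org TXT
10.0.0.21 0f9e8d7c6b5a4938271605f4e3d2c1b0.tunnel.example.org TXT
10.0.0.21 5e4d3c2b1a0f9e8d7c6b5a4938271605.tunnel.example.org TXT
10.0.0.21 9a8b7c6d5e4f30211a2b3c4d5e6f7a8b.tunnel.example.org TXT
10.0.0.21 c0ffee1234567890abcdef0123456789.tunnel.example.org NULL
10.0.0.30 api.example.com A
"""

# Record types that are rare in normal client traffic but popular with tunnels
# because they carry large free-form payloads in the answer.
PAYLOAD_QTYPES = {"TXT", "NULL", "KEY"}


@dataclass
class DomainProfile:
    """Running statistics for one parent domain (e.g. example.org)."""
    queries: int = 0
    names: set = field(default_factory=set)   # distinct full qnames seen
    sub_len_total: int = 0                    # sum of subdomain-part lengths
    entropy_total: float = 0.0                # sum of per-query label entropy
    payload_qtypes: int = 0                   # queries using PAYLOAD_QTYPES


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, qname, qtype) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 3:
        return None
    client, qname, qtype = parts
    return client, qname.rstrip(".").lower(), qtype.upper()


def split_qname(qname: str, zone_depth: int = 2):
    """Split 'a.b.example.com' into ('a.b', 'example.com').

    zone_depth=2 is a crude stand-in for the registered domain; a real
    deployment would use the Public Suffix List instead.
    """
    labels = qname.split(".")
    if len(labels) <= zone_depth:
        return "", qname
    return ".".join(labels[:-zone_depth]), ".".join(labels[-zone_depth:])


def profile_domains(log_text: str, zone_depth: int = 2) -> dict:
    """Aggregate every query in the log into a DomainProfile per parent."""
    profiles = defaultdict(DomainProfile)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _client, qname, qtype = rec
        sub, parent = split_qname(qname, zone_depth)
        p = profiles[parent]
        p.queries += 1
        p.names.add(qname)
        p.sub_len_total += len(sub)
        p.entropy_total += shannon_entropy(sub)
        if qtype in PAYLOAD_QTYPES:
            p.payload_qtypes += 1
    return dict(profiles)


def tunnel_indicators(p: DomainProfile, min_queries: int = 5) -> list:
    """Return the list of tunnelling indicators that fire for one domain."""
    reasons = []
    if p.queries >= min_queries and len(p.names) / p.queries >= 0.9:
        reasons.append("almost every query is a never-seen subdomain")
    if p.entropy_total / p.queries >= 3.5:
        reasons.append("high-entropy subdomain labels")
    if p.sub_len_total / p.queries >= 30:
        reasons.append("unusually long subdomain portion")
    if p.payload_qtypes / p.queries >= 0.5:
        reasons.append("mostly TXT/NULL/KEY queries")
    return reasons


def detect_tunneling(log_text: str, zone_depth: int = 2, min_indicators: int = 2) -> dict:
    """Map each suspicious parent domain to the indicators that fired.

    Requiring two independent indicators keeps a single busy CDN zone or a
    legitimate TXT-heavy domain (SPF/DKIM lookups) from tripping the alert.
    """
    flagged = {}
    for parent, p in profile_domains(log_text, zone_depth).items():
        reasons = tunnel_indicators(p)
        if len(reasons) >= min_indicators:
            flagged[parent] = reasons
    return flagged


if __name__ == "__main__":
    for parent, reasons in detect_tunneling(SAMPLE_QUERY_LOG).items():
        print(f"possible DNS tunnel: {parent}")
        for r in reasons:
            print(f"  - {r}")
```

Run against the constructed log, only `example.org` is reported, with all four indicators firing, while `example.com` and `example.net` pass clean. The thresholds are illustrative; in production they need tuning against a baseline of your own resolver traffic, and the registered-domain split should use the Public Suffix List rather than a fixed label count.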
