I get a lot of people with a CISSP after their email signature who say “wHy bLock DomAin NamEs or Ip AdDREsses, THey are JusT gonNa PiVOt”.
While true, there is more to just switching network exploitation infracsture and c2 than a snap of the finger.
The main reason for pushback is that maintaining a black list and firewalls becomes tedious and expensive. For the same reason, attacking around good firewalls and web proxies is tediuous/expensive and exactly why we should put in the blocks.
I found the term economical viability of persistance on twitter and I really adore it. One: because its clever. Two: because it puts a label on something that we in the cyber gig undestand but have a hard time getting IT Folk to understand and intergrate into their Risk Management Frameworks. What it means is that
every single time we put up a block, or black list a domain, it forces the enemy to shift. When that happens, we force them to spend time and money going around our defenses. They have to rewrite scripts, exploit new computers, shift botnets, buy new domain names and most importantly, spend time implementing the new changes.
For some actors who are casting a wide net, the juice might not be worth the squeeze and you will have won. For targeted attacks, they will shift but at least you are burning up their time with getting around the blocks preventing them from using that time establishing persistance and moving laterally.
A sophiscated newtwork exploitation team will have a DEVOPS lifecycle built into their TTPs. They will have scripts built out for everything. Regenerating payloads with new C2 domains, moving redirectors and hop points, and clean up for example. But to be honest unless you are looking at a very specific enclave network, your probaly not gonna see their traffic anyway. So we should put low weight on that edge case.\
Once we block something we can now filter that out allowing our network team to focus on the logs that are being generated, rather then things we have already seen. Which brings me to my next rant point, Country code blocks.
Many people say Country Code Blocks are inefficient. The reason? the same as above, actors will just pivot/use comprmisied VPSs or home computers across the world in coutries that arent blocked. But when management says that they forget is the sheer amount of stuff coming out places like china that the soc analyst has to sift through. The result: you have low tier actors and script kiddies filling up your network logs with noise hiding things you should be finding. Everyone in your threat/intel department will run around super happy saying “Look we mitigated this chinese attack!! We are the greatest”
Any APT or intellectual property theft actors arent going to be coming directly from a chinese hop. What you have mitigated is a 8 year old playing with ION cannon.
So unless you have large amount of legiatmate traffic coming in from China (that somehow is getting through the great firewall), why not block it? Also if you do have legitamate traffic consider running an alternate site from a china CDN or out of hong kong and isolating it.
You force the bad guys to spend time and money creating and maintaing infrastructure to attack you until its not worth it anymore and they move on.
Cyber is warfare. Cyber is warfare. Cyber is warfare. I really cant footstomp that enough.
We dont tell Generals, “Dont defend that hill, the enemy will just buy more troops and come from a diffrent direction, its useless”. We let them make educated decisions on what is worth defending and how much it is worth.
If we keep the bad guys on their toes and continually moving, eventually it wont be economically viable for anyone except state sponsored large groups. And now that we have reduced our scope of who is attacking us. We can really scour our logs and endpoints and look for specific TTPs.