CISA Issues New Guidance on Bulletproof Hosting Threat
Summary:
CISA, in collaboration with the U.S. National Security Agency, U.S. Department of Defense Cyber Crime Center, U.S. Federal Bureau of Investigation, and international partners, has released the guide Bulletproof Defense: Mitigating Risks from Bulletproof Hosting Providers to help internet service providers (ISPs) and network defenders mitigate cybercriminal activity enabled by bulletproof hosting (BPH) providers.
Organizations with unprotected or misconfigured systems remain at high risk of compromise, as malicious actors leverage BPH infrastructure for activities such as ransomware, phishing, malware delivery, and denial-of-service (DoS) attacks. BPH providers pose a significant threat to the resilience and security of critical systems and services.
CISA and its partners urge ISPs and network defenders to implement these recommendations to mitigate risks posed by BPH providers. By reducing the effectiveness of BPH infrastructure, defenders can force cybercriminals to rely on legitimate providers that comply with legal processes.
Security Officer Comments:
BPH providers lease their own infrastructure to cybercriminals. Increasingly, they resell stolen or leased infrastructure from legitimate hosting providers, data centers, ISPs, or cloud service providers who may unknowingly enable BPH providers to provide infrastructure to cybercriminals. BPH providers are able to market their infrastructure as “bulletproof” to cybercriminals because they do not engage in good faith with legal processes (such as subpoenas or court orders) and third-party or victim complaints of malicious activity enabled from such infrastructure. For example, some BPH providers impose onerous documentation requirements before accommodating a third-party (i.e., law enforcement) takedown request.
BPH infrastructure is integrated into legitimate internet infrastructure systems, making it difficult for defenders to mitigate the cybercriminal activity. BPH infrastructure is part of a network or group of networks known as an Autonomous System (AS), where each AS has a unique identifier known as an Autonomous System Number (ASN). Blocking activity from the entire AS by leveraging the ASN may be ineffective in preventing malicious activity as:
- BPH infrastructure is designed to dynamically avoid defenses. BPH providers can request a new ASN from an internet registry and receive it within two to five business days. The BPH provider then migrates the underlying malicious IP ranges to the new ASN, enabling BPH providers to evade ASN-based defensive filtering. Additionally, BPH-enabled activity often involves using temporary emails for responding to abuse requests and cycling through IP addresses, ASNs, nameservers, or Canonical Name (CNAME) Domain Name System (DNS) records.
An ongoing issue for many organizations is typo-squatted domains, which are used to masquerade as legitimate businesses for various forms of financially motivated attacks. BPH services can help enable this activity and make it difficult, if not impossible, for organizations to take down malicious domains.
Suggested Corrections:
ISPs and network defenders should implement a proactive, intelligence-driven filtering process and collaborate with the community.
1. Build and Maintain Malicious Resource Lists
- Curate & Update: Develop a "high confidence" list of malicious IP addresses and resources using commercial, open-source, and private threat intelligence feeds (e.g., COMM-ISAC).
- Analyze Traffic: Continuously baseline normal network traffic and analyze outliers to supplement the curated list. Regularly review and update the list to add new threats and remove resources reallocated to legitimate use.
- Configure Logging: Leverage the malicious resource list in your centralized logging system to record ASN/IP data and issue alerts when traffic associated with a malicious resource enters the network.
- Apply Filters: Implement filters at the network border or key enforcement points. Carefully determine the granularity of filtering (e.g., per ASN, IP range, or single IP) based on a risk analysis of blocking legitimate traffic.
- Maintain Accountability: Establish a robust audit log for every filter decision and a change control process to prevent unauthorized modifications.
- Upstream Providers: Use providers that adhere to Secure by Design principles. Ask them about their processes for handling customer block requests and whether unblocking a resource applies to just the requester or all customers.
- Customer Notification (ISPs Only): Notify customers about the malicious resource lists and filters that may impact availability, and consider offering opt-out options.
- Customer Empowerment (ISPs Only): Create optional, pre-made filters that customers can apply within their own networks for increased security tailored to their risk tolerance.
- Sector Accountability: Engage with other ISPs to form sector-wide standards and a code of conduct for preventing BPH abuse.
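As an added illustration of the "curate, log, filter at a chosen granularity, audit" steps above, and of why ASN-only blocking misses ranges migrated to a new ASN, the script below matches constructed flow records against a small malicious resource list. It is example code, not part of the CISA guide; every ASN (private-use numbers) and address (documentation ranges) in it is a constructed placeholder, not a real indicator.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed "high confidence" list. Private-use ASNs and documentation
# address ranges stand in for real indicators; none of these are real.
MALICIOUS_ASNS = {64512}
MALICIOUS_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
MALICIOUS_IPS = {ipaddress.ip_address("198.51.100.7")}

AUDIT_LOG = []  # one entry per filter decision, for the audit trail

def classify(record, granularity=("ip", "prefix", "asn")):
    """Return (verdict, reason) for a flow record {"src_ip": str, "src_asn": int}.
    granularity picks which list types are enforced (per-IP, per-range, per-ASN)."""
    ip = ipaddress.ip_address(record["src_ip"])
    if "ip" in granularity and ip in MALICIOUS_IPS:
        return "block", f"ip:{ip}"
    if "prefix" in granularity:
        for net in MALICIOUS_PREFIXES:
            if ip in net:
                return "block", f"prefix:{net}"
    if "asn" in granularity and record["src_asn"] in MALICIOUS_ASNS:
        return "block", f"asn:{record['src_asn']}"
    return "allow", "no match"

def process(records, granularity=("ip", "prefix", "asn")):
    """Classify each record, log the decision, return the blocked source IPs."""
    blocked = []
    for rec in records:
        verdict, reason = classify(rec, granularity)
        AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(),
                          "src_ip": rec["src_ip"], "src_asn": rec["src_asn"],
                          "verdict": verdict, "reason": reason})
        if verdict == "block":
            blocked.append(rec["src_ip"])
    return blocked

# Constructed flow records. The last one models the evasion described above:
# the malicious prefix is re-announced from a newly obtained ASN (64599).
SAMPLE_FLOWS = [
    {"src_ip": "203.0.113.10", "src_asn": 64512},
    {"src_ip": "198.51.100.7", "src_asn": 64513},
    {"src_ip": "192.0.2.5", "src_asn": 64512},
    {"src_ip": "192.0.2.9", "src_asn": 64514},
    {"src_ip": "203.0.113.77", "src_asn": 64599},
]

if __name__ == "__main__":
    print("asn-only blocks:", process(SAMPLE_FLOWS, ("asn",)))
    print("full list blocks:", process(SAMPLE_FLOWS))
```

Run with the ASN-only granularity, the migrated flow from 203.0.113.77 is allowed; with prefix matching enabled it is blocked, and both decisions land in the audit log.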
https://www.cisa.gov/resources-tool...roof-hosting-providers&utm_medium=GovDelivery