Comment by sim7c00

1 day ago

There are tools that are pretty good at detecting DGAs these days, but they are not often implemented.

The best thing to do, AFAIK, is to use services normal users have access to, and communicate via those. It's hard for anyone to tell who is extracting the data from the third party, so the server is hidden (e.g. the bot posts images to Twitter, and the server scrapes the images from Twitter; this is also already old news, but easier and more likely to sail through that next-gen firewall -_-).

I'd say having your 'own' servers and domains is maybe even a bit dated (though sadly still very effective!).

It's one of many possible strategies. Any one strategy can be blocked if it's used by enough malicious actors (e.g. Twitter can be forced to block base64 tweets); if they all use different strategies, it becomes harder to justify blocking each individual one.

  • You either need whitelisting, which people don't want because they need to send tweets and sync GDrive on their corporate laptops ;')...

    So I guess that leaves you with modeling normal user behavior to spot anomalies, without the actual packet data being an indicator.

    Then the bots could still piggyback on regular comms, but it'd definitely raise the bar...
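The "model normal user behavior instead of packet content" idea from the thread, as an added example that is not code from any commenter: a small detector over a constructed proxy log (the `<epoch_seconds> <client> <dest_host> <bytes_out>` format, the hostnames `ws-alice`, `ws-bob`, `ws-carol` and every number are made up for this example). It never looks at payloads; it flags a client/destination pair when its request timing is machine-regular (low coefficient of variation of the gaps between requests) or when its upload volume to an allowed destination dwarfs what peer hosts send there.

```python
"""Beacon detection over proxy logs without inspecting payload content.

Added example, not from the original thread. Log format is hypothetical
and constructed:  <epoch_seconds> <client> <dest_host> <bytes_out>
"""
from collections import defaultdict
from statistics import mean, median, pstdev
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (client, destination host)


def build_sample_log() -> List[str]:
    """Constructed sample traffic to one allowed destination.
    ws-alice and ws-carol browse irregularly with small uploads;
    ws-bob posts every ~300 s with ~40 KB bodies, the profile of a bot
    hiding data in images it uploads. Hosts and values are made up."""
    lines = []
    t = 0
    for gap, nbytes in [(12, 300), (95, 2100), (7, 150), (640, 8800), (33, 420),
                        (1800, 310), (5, 190), (410, 2600), (2900, 500), (60, 1200)]:
        t += gap
        lines.append(f"{t} ws-alice twitter.com {nbytes}")
    t = 500
    for gap, nbytes in [(40, 800), (300, 450), (15, 3000), (1200, 600), (90, 220), (700, 1500)]:
        t += gap
        lines.append(f"{t} ws-carol twitter.com {nbytes}")
    t = 17
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, 1, -1]):
        t += 300 + jitter  # 300 s beacon with a second or two of jitter
        lines.append(f"{t} ws-bob twitter.com {40000 + 37 * i}")
    return sorted(lines, key=lambda line: int(line.split()[0]))


def parse_log(lines: List[str]) -> Dict[Key, List[Tuple[int, int]]]:
    """Group (timestamp, bytes_out) records per client/destination pair."""
    events: Dict[Key, List[Tuple[int, int]]] = defaultdict(list)
    for line in lines:
        ts, client, host, nbytes = line.split()
        events[(client, host)].append((int(ts), int(nbytes)))
    return events


def profile(events: Dict[Key, List[Tuple[int, int]]]) -> Dict[Key, dict]:
    """Per pair: request count, coefficient of variation of the gaps between
    requests (near 0 means machine-regular) and mean bytes uploaded."""
    profiles: Dict[Key, dict] = {}
    for key, recs in events.items():
        recs = sorted(recs)
        gaps = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        cv: Optional[float] = None
        if len(gaps) >= 2 and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
        profiles[key] = {"n": len(recs), "interval_cv": cv,
                         "mean_bytes": mean([r[1] for r in recs])}
    return profiles


def flag_anomalies(profiles: Dict[Key, dict], min_requests: int = 5,
                   max_cv: float = 0.1, volume_ratio: float = 5.0) -> Dict[Key, List[str]]:
    """Flag pairs whose timing is too regular for a human, or whose upload
    volume is far above the median of what peer hosts send to the same place."""
    by_dest: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for (client, host), p in profiles.items():
        by_dest[host].append((client, p["mean_bytes"]))
    flagged: Dict[Key, List[str]] = {}
    for (client, host), p in profiles.items():
        reasons = []
        cv = p["interval_cv"]
        if p["n"] >= min_requests and cv is not None and cv < max_cv:
            reasons.append(f"machine-regular timing (interval CV {cv:.3f})")
        peers = [b for c, b in by_dest[host] if c != client]  # baseline excludes self
        if peers:
            baseline = median(peers)
            if baseline > 0 and p["mean_bytes"] > volume_ratio * baseline:
                reasons.append(f"upload volume {p['mean_bytes'] / baseline:.1f}x peer baseline")
        if reasons:
            flagged[(client, host)] = reasons
    return flagged


def run_detection(lines: Optional[List[str]] = None) -> Dict[Key, List[str]]:
    lines = lines if lines is not None else build_sample_log()
    return flag_anomalies(profile(parse_log(lines)))


if __name__ == "__main__":
    for (client, host), reasons in run_detection().items():
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

On the constructed log only `ws-bob -> twitter.com` is flagged, on both counts. The thresholds (`min_requests`, `max_cv`, `volume_ratio`) are the knobs a real deployment would tune against its own baseline, and the obvious evasion, which the thread already anticipates, is for the bot to randomize its timing and keep its uploads within the peer envelope; that is exactly the "raises the bar" trade-off rather than a hard block.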