<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>AT&#38;T Networking Exchange Blog &#187; Brian Rexroad</title>
	<atom:link href="http://networkingexchangeblog.att.com/author/brian-rexroad/feed/" rel="self" type="application/rss+xml" />
	<link>http://networkingexchangeblog.att.com</link>
	<description>Connect, engage and innovate with our network and technology experts, and explore new ways to power your business.</description>
	<lastBuildDate>Tue, 18 Jun 2013 14:10:00 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.4.2</generator>
		<item>
		<title>3 Days Until DNS Changer Deadline Hits</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/3-days-until-dns-changer-deadline-hits/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/3-days-until-dns-changer-deadline-hits/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/05/iStock_000007564032XSmall-120x120.jpg		</thumbnail>
		<pubDate>Fri, 06 Jul 2012 13:07:00 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=14256</guid>
		<description><![CDATA[What Businesses Can Do to Avoid Being a Victim]]></description>
			<content:encoded><![CDATA[<p><em><br />
<a href="http://networkingexchangeblog.att.com/enterprise-business/3-days-until-dns-changer-deadline-hits/"><img class="alignright size-thumbnail wp-image-13146" title="3 Days Until DNS Changer Deadline Hits" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/05/iStock_000007564032XSmall-120x95.jpg" alt="" width="120" height="95" /></a></em>This is a follow-up to a previous blog that was titled “<a href="http://networkingexchangeblog.att.com/enterprise-business/stopping-dnschanger-trojans/">Stopping DNS Changer Malware on the Internet</a>.”  I have been receiving some questions from enterprise customers about this malware.  Some folks are receiving victim or infection notices from the <span id="more-14256"></span>FBI or from their ISP, and they have questions about what to do.</p>
<p>Here are some suggestions and considerations:</p>
<ol>
<li>
<div id="explore-related-services">Operators of business enterprise networks should restrict the DNS resolvers that computers in their enterprise can use.  Either provide internal DNS resolver services or configure firewall policies for access to only known good DNS resolvers on the Internet.  <a href="http://www.internetidentity.com/news/blog/520-release-iid-reports-half-of-fortune-500-and-major-us-government-agencies-infected-with-dnschanger-malware">This will prevent any DNS Changer malware from successfully manipulating DNS resolution in your enterprise network</a>.</div>
</li>
<li>If you have received notices from your ISP or the FBI that identify only legitimate DNS resolvers for your enterprise, then the notice is most likely false.  The DNS Changer malware primarily affects end-user devices.  In some circumstances, DNS resolvers will legitimately contact these formerly rogue DNS resolvers.</li>
<li>If your current firewall policy allows access to any DNS resolver on the Internet, and if you received an infection notice that identifies your firewall, then you likely will need to check firewall logs to identify affected machines.  Look for internal addresses that are accessing the addresses of the formerly rogue DNS servers primarily on port 53/udp.  The address blocks of these formerly rogue DNS servers are:</li>
</ol>
<ul style="padding-left: 30px;">
<li>85.255.112.0 through 85.255.127.255</li>
<li>67.210.0.0 through 67.210.15.255</li>
<li>93.188.160.0 through 93.188.167.255</li>
<li>77.67.83.0 through 77.67.83.255</li>
<li>213.109.64.0 through 213.109.79.255</li>
<li>64.28.176.0 through 64.28.191.255</li>
</ul>
<p style="padding-left: 30px;">4. If you are using one or more Small Office or Home Office routers in your business, it is possible DNS settings have been changed on that device.  This is particularly true if the device was not configured with a good password.  Reset the device to the default configuration settings using manufacturer instructions.  There is usually a little reset button on the device.  Be sure to set a good password after the reset.</p>
<p style="padding-left: 30px;">5. The US court system has extended the operation of the temporary DNS servers to July 9, 2012.  This provides more time to resolve the issues and institute improved security policies.</p>
<p style="padding-left: 30px;">6. Be sure to keep anti-virus software current on all computers, and track or check the updates.  The DNS Changer malware, as well as numerous other types of malware, will disable updates on infected machines.  The lack of updates not only leaves the malware undetected but leaves the affected machines unprotected against other malware.</p>
<p style="padding-left: 30px;">7. Infection avenues for DNS Changer and other malware vary.  If anti-virus software does not have a current detection signature for a specific piece of malware, machines could be infected.  70% of the new malware samples we find are not detected by well-known anti-virus tools when first identified.  Network detection and protection is a necessary supplement to host-based protection.  I recommend a comprehensive Secure Internet Gateway service, which includes <a href="http://www.business.att.com/enterprise/Family/network-security/firewall-endpoint/">network-based firewall</a>, IDS, URL filtering, email scanning, and <a href="http://www.business.att.com/enterprise/Service/network-services/ip-vpn/remote-access/">VPN remote access</a>.  This combination provides comprehensive prevention.</p>
<p style="padding-left: 30px;">8. In the eventuality that security events do occur, it is advisable to have a 24×7 detection and mitigation support service such as our <a href="http://www.business.att.com/enterprise/Family/network-security/security-incident-siem/">Security Event and Threat Analysis (SETA) service</a>. This service can be tailored to your needs and works in conjunction with a Secure Internet Gateway service and/or your own premises-based security protections.  The service provides an automated security analysis platform as well as access to expertise to help detect security events, diagnose the cause, and help with quick remediation.</p>
<p><em>To find more information and resources, visit the </em><a href="http://www.dcwg.org/"><em>DNS Changer Working Group</em></a><em>.</em></p>
<p><em>Editor’s Note: This article was <a href="http://networkingexchangeblog.att.com/enterprise-business/8-suggestions-for-mitigating-and-preventing-dnschanger-malware-in-your-enterprise/">originally published</a> on the Networking Exchange Blog on March 28, 2012. Due to demand for information on the <a href="http://news.cnet.com/8301-1009_3-57466871-83/web-users-beware-dnschanger-victims-lose-web-access-july-9/">DNS Changer transition</a> happening on Monday, July 9<sup>th</sup>, we are republishing the post.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/3-days-until-dns-changer-deadline-hits/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Basic Requirements for any Network-Connected Device</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/basic-requirements-for-any-network-connected-device/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/basic-requirements-for-any-network-connected-device/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000020226390XSmall-120x120.jpg		</thumbnail>
		<pubDate>Sun, 01 Jul 2012 11:10:12 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=13705</guid>
		<description><![CDATA[How to Avoid Being Betrayed by Your Network-Connected Refrigerator, TV, Game Console … or other Embedded Software Device]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/basic-requirements-for-any-network-connected-device/"><img class="size-thumbnail wp-image-13706 alignright" title="Basic Requirements for any Network-Connected Device" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/06/iStock_000020226390XSmall-120x95.jpg" alt="" width="120" height="95" /></a>In a couple of recent blog posts by Jim Boxmeyer (e.g., <a href="http://networkingexchangeblog.att.com/enterprise-business/help-i-was-betrayed-by-my-cloud-enabled-smart-fridge/">Help, I was Betrayed by my Cloud Enabled Smart Fridge!</a>), he pointed out our trend toward more and more network-connected devices<span id="more-13705"></span> and the potential hazards that may ensue.  Jim’s account is not exclusively for the future; these sorts of problems exist today.  While Jim made light of the situation, we should be concerned about the ramifications of more and more network-connected devices.  Being betrayed by a refrigerator is one thing.  Consider the implications of millions of refrigerators, televisions, DVD players, printers, game consoles, tablets, computers, weather stations, MP3 players, and book readers.  What if even a small fraction of these were to come under the control of criminal hackers or cyber-warriors?  These devices are connected to the private networks in our homes, stores, offices, manufacturing facilities, banks, power plants, hospitals, military, and many others.  These criminals could steal information, collectively clog networks with <a href="http://en.wikipedia.org/wiki/Ddos#Distributed_attack">DDoS</a> traffic, or act as go-betweens to take over control of critical systems.  As this article is being written, we are aware of a growing botnet that is exploiting network-enabled security camera DVRs.  These devices have many of the attributes that botnet operators desire:</p>
<ul>
<li>They are turned on all the time</li>
<li>They are not protected by anti-virus software</li>
<li>They likely have no automated software update process</li>
</ul>
<p>And we are wondering, what should we do about this growing problem?  In Jim’s blog on <a href="http://networkingexchangeblog.att.com/enterprise-business/embedded-systems-and-security/">Embedded Systems and Security</a>, he suggested the following:</p>
<p><em>“It is time to educate consumers about the dangers that lurk within embedded devices. Companies marketing these embedded systems need to take security into consideration when developing and selling them.”</em></p>
<p>Jim is right, but this is not enough.  There should be some basic requirements for any reputable network-connected device, and we should not buy devices that do not satisfy these basic requirements.  While the suggestions below will not inherently make devices any more resistant to hacking or unauthorized manipulation, they can provide some means to correct problems when they arise. (Notice – I said “when they arise” and not “if they arise.”)</p>
<p style="padding-left: 30px;"><strong>Software Update Capability</strong> – Every network-connected device should have a means for owners to update the software.  In this age of complex software, there will be flaws in the software for even the most basic products.  Consequently, there must be a way to update the software on any product that provides network connectivity.  And this capability must be something the owner and/or user of the device can control.  Ideally, this process should be automated to a large extent &#8212; perhaps entirely.  For example, the device can periodically poll the manufacturer to determine if software updates are available.  And the user should be prompted when updates are available &#8212; asking permission to perform the update.  The update process should use a cryptographic check to assure any update is from the authorized source prior to committing the installation.</p>
<p style="padding-left: 30px;"><strong>Support Should Be Readily Available</strong> &#8212; Support for any network-connected device should include online access to an up-to-date owner’s manual, access to software updates, and software update instructions.  There should also be a clear definition from the manufacturer of the supported product lifecycle – including software.  Generally, product support for appliances is about 7 years.  I think the software support lifecycle for a product should extend over the full life expectancy of that product.</p>
<p style="padding-left: 30px;"><strong>Contact Information and Support Forum</strong> – There should be a contact to report any problems with the product or software.  The most transparent and preferable option is a support forum, where users’ questions and problem reports are posted in a publicly accessible and searchable location, and responses from the manufacturer are provided.  This not only can help streamline the search for assistance, it also helps consumers understand what they can expect from the product they are buying and determine if fixes are available.</p>
<p style="padding-left: 30px;"><strong>Basic Support Label</strong> – Information should be clearly marked on the device that helps the owner find support information.  This support information should include at least a URL that points to a website where a user or owner can seek support for the product.  The label should also clearly and unambiguously mark the model number to assure the correct support information can be found for that specific product.  With such exchange forums as Craigslist and eBay, used items are bought and sold more frequently than ever before.  And with those exchanges, the paper manuals and packaging are not always included.  The new owner needs to know how to assure their purchase can be supported.</p>
<p style="padding-left: 30px;"><strong>System Reset</strong> – There should be a way to reset the device to its original manufactured state, including the software load.  If a device is infected with malware, we need a way to be able to restore a known “clean” state.  In some cases a software update may entirely replace the old software image, which may be sufficient.  However, as systems are becoming more complex, we should not expect this type of solution to continue.</p>
<p style="padding-left: 30px;"><strong>No Default Password</strong> – In our weekly <a href="http://www.att.com/threattraq">AT&amp;T ThreatTraq</a> program, we report on literally billions of probes that are conducted on the Internet looking for devices, systems, and applications that are vulnerable.  Often, these probes are looking for systems that are using default and guessable passwords.  There is no reason these probes should ever be successful, but they are successful all too often.  Every device needs to have a “default” setting – the point at which the device has not yet been configured for operation.  Typically, the default setting establishes a well-known password for access to the device, no encryption, easy access, and effectively no security.  This is done for convenience, to avoid product support costs for the manufacturer.  Unfortunately, devices using default settings are a hacker’s dream, and the savings for the manufacturer can become quite costly for an owner/victim.  Even if there is no defined manufacturer software update procedure as suggested above, a weakly-selected or default password allows hackers to gain access to devices, and often hackers can devise their own software update process and inject malicious software into devices.  A product that is starting from a reset state or “default” setting should not connect to any network until minimally appropriate security settings are configured.  At a minimum, set-up prompts should require the user to define a unique and reasonable password for access from a network interface.</p>
<p>Many of the above suggestions are in common practice in more sophisticated software systems and are common practice with smart-phones.  It is time we recognize any network-connected devices as a sophisticated software system and expect the necessary support to help keep them secure.</p>
<h5>The question remains, how do we get enough energy behind this to make it happen? Are you making headway on updates, security, and support for your network-connected device?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/basic-requirements-for-any-network-connected-device/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>7 Principles of a Sound Network Security Analysis Strategy</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/7-principles-of-a-sound-network-security-analysis-strategy/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/7-principles-of-a-sound-network-security-analysis-strategy/#comments</comments>
		<thumbnail>
					</thumbnail>
		<pubDate>Wed, 04 Apr 2012 09:06:38 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=11226</guid>
		<description><![CDATA[How to Overcome Increasingly Creative Attackers]]></description>
<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/7-principles-of-a-sound-network-security-analysis-strategy/"><img class="size-thumbnail wp-image-9418 alignright" title="7 Principles of a Sound Network Security Analysis Strategy" src="http://networkingexchangeblog.att.com/wp-content/uploads/2011/12/iStock_000016971407XSmall-120x95.jpg" alt="" width="120" height="95" /></a>As threats become more creative, our means to discover them need to be more creative as well.<span id="more-11226"></span>  Everyone who is operating a large enterprise is struggling to implement a Security Information and Event Management System (<a href="http://www.business.att.com/enterprise/Family/network-security/security-incident-siem/">SIEM</a>).  More generally, we are trying to create an environment that can help discover suspect events and minimize risk to businesses.  How do we create an environment where we can be creative and effective?  Having worked in this area for more than 10 years, here are some of the basic principles that I find to be effective.</p>
<h4 style="padding-left: 30px;">1. Learn by doing</h4>
<ul style="padding-left: 30px;">
<li>Prioritize the types of things that are most important to you.</li>
<li>Implement something that you think might work.</li>
<li>Tune the solution to balance false-positive with false-negative event detection.</li>
<li>Iterate by evaluating what worked and how even a good solution can be made better.</li>
</ul>
<h4 style="padding-left: 30px;">2. Adapt Rapidly to Threats</h4>
<p style="padding-left: 30px;">Flexibility and adaptability are important attributes of any security analysis platform.  Network systems and operations are engineered with a focus on reliability.  Engineer a security analysis environment that has some autonomy from the constraints of network reliability requirements.  This allows the analysis processes to change as quickly as the threats require, while still balancing that flexibility against the reliability needs of the network.</p>
<h4 style="padding-left: 30px;">3. Think Behavior Analysis rather than Signatures</h4>
<p style="padding-left: 30px;">A SIEM platform should be thought of as a platform to perform analysis on many contributing behaviors and activities that may be indicative of a security threat.  Sophisticated threats such as <a href="http://www.issa.org/images/upload/files/Andress-Advanced%20Persistent%20Threat.pdf" target="_blank">APT</a> generally conduct a series of individually allowed events that together point to an undesired result.  No one event will be the conclusive indicator; search for numerous indicators that are potential contributing elements.  Things like frequency analysis, volumetric analysis, diurnal patterns, and baseline references should be the foundation of the analytical solution.</p>
<h4 style="padding-left: 30px;">4. Create structure but not boundaries</h4>
<p style="padding-left: 30px;">Establish an organizational structure and the resources around <a href="http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf">the security operations activity</a>. Here is an example structure that can help organize the environment:</p>
<ul style="padding-left: 30px;">
<li>Actionable Events (Tier 1 – Responder)</li>
<li>Investigation (Tier 2 – Coordinators)</li>
<li>Non-actionable &amp; RCA (Tier 3 – Investigators/Analysts)</li>
<li>Evolution &amp; Revolution (Tier 4 – Research and Development)</li>
<li>Vendors &amp; Community (Tier 5 – Tools Providers)</li>
</ul>
<h4 style="padding-left: 30px;">5. Engineer for the solution</h4>
<ul style="padding-left: 30px;">
<li>Use best-in-class commercial tools, but don’t settle for stand-alone or non-scalable solutions</li>
<li>Partner with organizations that can overcome the constraints</li>
</ul>
<h4 style="padding-left: 30px;">6. Reduce noise</h4>
<ul style="padding-left: 30px;">
<li>Prioritize on improvements where the most effort is spent</li>
<li>Aggregate related records</li>
<li>Suppress Repeats of Like Alerts</li>
<li>White-list acceptable behaviors, but don’t lose the info.</li>
<li>Perform staged processing; refrain from tiered alerting.</li>
</ul>
<h4 style="padding-left: 30px;">7. Compel Improvement</h4>
<ul style="padding-left: 30px;">
<li>Capital investment vs expense
<ul>
<li>Reward Successes</li>
<li>Reach outside</li>
<li>Research, Development &amp; Analyst working groups</li>
</ul>
</li>
</ul>
<h5>So what do you think?  How many of these principles are you implementing?  Are there others you feel should be included?  We look forward to your ideas and thoughts on this important topic.</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/7-principles-of-a-sound-network-security-analysis-strategy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>8 Suggestions for Mitigating and Preventing DNSChanger Malware in your Enterprise</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/8-suggestions-for-mitigating-and-preventing-dnschanger-malware-in-your-enterprise/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/8-suggestions-for-mitigating-and-preventing-dnschanger-malware-in-your-enterprise/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/03/8-Suggestions-for-Mitigating-and-Preventing-DNSChanger-Malware-in-your-Enterprise.jpg		</thumbnail>
		<pubDate>Wed, 28 Mar 2012 09:24:52 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=11219</guid>
		<description><![CDATA[What Can Help You Avoid Being a Victim ]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/8-suggestions-for-mitigating-and-preventing-dnschanger-malware-in-your-enterprise"><img class="alignright size-full wp-image-22940" title="8 Suggestions for Mitigating and Preventing DNSChanger Malware in your Enterprise" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/03/8-Suggestions-for-Mitigating-and-Preventing-DNSChanger-Malware-in-your-Enterprise.jpg" alt="" width="120" height="95" /></a>This is a follow-up to a previous blog that was titled “<a href="http://networkingexchangeblog.att.com/enterprise-business/stopping-dnschanger-trojans/" target="_blank">Stopping DNS Changer Malware on the Internet</a>.” I have been receiving some questions from enterprise customers about this malware.  Some folks are receiving victim or infection notices from the FBI or from their ISP, and they have questions about what to do.<span id="more-11219"></span> Here are some suggestions and considerations:</p>
<p style="padding-left: 30px;">1. Operators of business enterprise networks should restrict the DNS resolvers that computers in their enterprise can use.  Either provide internal DNS resolver services or configure firewall policies for access to only known good DNS resolvers on the Internet.  <a href="http://www.internetidentity.com/news/blog/520-release-iid-reports-half-of-fortune-500-and-major-us-government-agencies-infected-with-dnschanger-malware" target="_blank">This will prevent any DNS Changer malware from successfully manipulating DNS resolution in your enterprise network</a>.</p>
<p style="padding-left: 30px;">2. If you have received notices from your ISP or the FBI that identify only legitimate DNS resolvers for your enterprise, then the notice is most likely false.  The DNS Changer malware primarily affects end-user devices.  In some circumstances, DNS resolvers will legitimately contact these formerly rogue DNS resolvers.</p>
<p style="padding-left: 30px;">3. If your current firewall policy allows access to any DNS resolver on the Internet, and if you received an infection notice that identifies your firewall, then you likely will need to check firewall logs to identify affected machines.  Look for internal addresses that are accessing the addresses of the formerly rogue DNS servers primarily on port 53/udp.  The address blocks of these formerly rogue DNS servers are:</p>
<ul style="padding-left: 30px;">
<li>85.255.112.0 through 85.255.127.255</li>
<li>67.210.0.0 through 67.210.15.255</li>
<li>93.188.160.0 through 93.188.167.255</li>
<li>77.67.83.0 through 77.67.83.255</li>
<li>213.109.64.0 through 213.109.79.255</li>
<li>64.28.176.0 through 64.28.191.255</li>
</ul>
<p style="padding-left: 30px;">4. If you are using one or more Small Office or Home Office routers in your business, it is possible DNS settings have been changed on that device.  This is particularly true if the device was not configured with a good password.  Reset the device to the default configuration settings using manufacturer instructions.  There is usually a little reset button on the device.  Be sure to set a good password after the reset.</p>
<p style="padding-left: 30px;">5. The US court system has extended the operation of the temporary DNS servers to July 9, 2012.  This provides more time to resolve the issues and institute improved security policies.</p>
<p style="padding-left: 30px;">6. Be sure to keep anti-virus software current on all computers, and track or check the updates.  The DNS Changer malware, as well as numerous other types of malware, will disable updates on infected machines.  The lack of updates not only leaves the malware undetected but leaves the affected machines unprotected against other malware.</p>
<p style="padding-left: 30px;">7. Infection avenues for DNS Changer and other malware vary.  If anti-virus software does not have a current detection signature for a specific piece of malware, machines could be infected.  70% of the new malware samples we find are not detected by well-known anti-virus tools when first identified.  Network detection and protection is a necessary supplement to host-based protection.  I recommend a comprehensive Secure Internet Gateway service, which includes <a href="http://www.business.att.com/enterprise/Family/network-security/firewall-endpoint/" target="_blank">network-based firewall</a>, IDS, URL filtering, email scanning, and <a href="http://www.business.att.com/enterprise/Service/network-services/ip-vpn/remote-access/" target="_blank">VPN remote access</a>.  This combination provides comprehensive prevention.</p>
<p style="padding-left: 30px;">8. In the eventuality that security events do occur, it is advisable to have a 24&#215;7 detection and mitigation support service such as our <a href="http://www.business.att.com/enterprise/Family/network-security/security-incident-siem/" target="_blank">Security Event and Threat Analysis (SETA) service</a>. This service can be tailored to your needs and works in conjunction with a Secure Internet Gateway service and/or your own premises-based security protections.  The service provides an automated security analysis platform as well as access to expertise to help detect security events, diagnose the cause, and help with quick remediation.</p>
<h5>What questions do you have about detection and remediation of DNS Changer Malware? How are you protecting from that now?  What can we be doing to serve your security needs better?</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/8-suggestions-for-mitigating-and-preventing-dnschanger-malware-in-your-enterprise/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stopping DNSChanger Trojans</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/stopping-dnschanger-trojans/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/stopping-dnschanger-trojans/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/03/Stopping-DNSChanger-Trojans1.jpg		</thumbnail>
		<pubDate>Thu, 22 Mar 2012 14:20:19 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=11071</guid>
		<description><![CDATA[The Choices We Make Between [Internet] Security and Freedom]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/stopping-dnschanger-trojans"><img class="alignright size-full wp-image-22943" title="Stopping DNSChanger Trojans" src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/03/Stopping-DNSChanger-Trojans1.jpg" alt="Stopping DNSChanger Trojans" width="120" height="95" /></a>We need to be conscious of the decisions we make that balance between better security and our freedom.<span id="more-11071"></span>  We all accept the increasing physical security measures implemented at public buildings, monuments, and obviously airports.  Some of us are more reluctant than others to accept these measures.</p>
<p>We also need to be acutely aware of this same balance in the networked/virtual world.  Unfortunately, the facts are often obscured in techno-jargon or complex protocols.  It is important that we try to cut through the chaff.</p>
<p>The security of our <a href="http://en.wikipedia.org/wiki/Domain_Name_System" target="_blank">DNS</a> infrastructure is an example.  DNS is like the GPS of the Internet.  If you are trying to get someplace and DNS lies about where to go, you may end up in a bad neighborhood.  For example, you may be pointed to <a href="http://networkingexchangeblog.att.com/enterprise-business/phishing-requires-rethinking-system-management-video/" target="_blank">phishing web site</a> that is trying looking like your bank and steal your user ID and password.</p>
<p>The FBI recently brought the existence of <a href="http://www.fbi.gov/news/stories/2011/november/malware_110911">DNSChanger</a> malware into the public eye.  The DNSChanger operation ran for a number of years, propagating numerous versions of the DNSChanger Trojan through a variety of malware payloads.</p>
<p>In this case, the criminals’ objective was to inject fraudulent advertising on web sites.  This is fortunate for the end users, since the criminals are not known to have been directing users to phishing sites and stealing user identity information.  It was not so good for advertisers, who likely lost millions in revenue, as suggested by the more than $14M in assets that were seized in the raid.  The consequences of this DNSChanger Trojan could have been worse.</p>
<p>And in the wake of the FBI takedown, numerous organizations are struggling with the process of helping to make victims aware of the latent infections so the temporary DNS servers can be turned off.</p>
<p>The FBI’s Operation Ghost Click may have neutralized the most prolific DNSChanger malware so far, but the underlying vulnerabilities still exist and there are still other similar Trojans in the wild.</p>
<p>How Do We Prevent DNS Changer Trojans from Working?</p>
<p>The DNSChanger Trojan caused computers to use DNS servers that were operated by the criminals, and those DNS servers would occasionally provide intentionally misleading responses (directions).  This allowed the criminals to direct users to bad neighborhoods where they could be robbed.  So how do we prevent this from happening?</p>
<p>Of course, appropriate protections should be taken on the computer itself.  This includes keeping the computer operating system and applications up to date, using quality security software, and practicing safe computer use habits.  But it is well known this isn’t enough.  We cannot rely solely on the computer to protect itself.  Defense in depth is the best strategy to defend against security threats in the foreseeable future.</p>
<p>One way would be to take steps in the network to assure users are not inadvertently pointed to rogue DNS servers on the Internet.  Users could be restricted to accessing known good DNS servers.  This is (or at least should be) a common practice in enterprise networks where firewalls are in place.</p>
<p>DHS knows this well and facilitates this through the <a href="http://www.dhs.gov/files/programs/gc_1268754123028.shtm">Trusted Internet Connection (TIC)</a> initiative.  However, implementing this restriction on the Internet would be considered by some to be in conflict with the principles of <a href="http://en.wikipedia.org/wiki/Network_neutrality">Net Neutrality</a> and is not in practice.  The DNS case is perhaps a good example, since controlling accessible DNS services would not restrict access to any content on the Internet.</p>
<p>I am not suggesting one way over another.  The objective here is simply to raise some awareness that we are making (perhaps unconscious) choices between the potential freedom of going outside our ISP for DNS services and the security of knowing our DNS services are honest.</p>
<p>Incidentally, if you believe <a href="http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">DNSSEC</a> can help protect against a threat such as DNSChanger, consider this:</p>
<p>Even if all of the ISPs on the Internet implement DNSSEC validation, this does nothing if the attackers point users away from valid DNS servers and implement their own DNS servers that operate under the criminals’ rules.  The attackers/criminals will choose to pass whatever lies are convenient to their objective.</p>
<p>It is common practice for malware to modify various settings on the computer.  This includes blocking antivirus checks, blocking software updates, adding key loggers, and modifying “host” table settings.  So long as the computer is compromised, there is nothing that can be done to assure the DNSSEC validation will not also be subverted.</p>
<h5>Do you think we are paying enough attention to the choices we make between security and freedom on the Internet?</h5>
<h5>What other choices like this are we overlooking?</h5>
<h5>Do you have some of your own security concerns with DNS security?</h5>
<h5>We look forward to your comments.</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/stopping-dnschanger-trojans/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Firewalls and Football</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/firewalls-and-football/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/firewalls-and-football/#comments</comments>
		<thumbnail>
					</thumbnail>
		<pubDate>Wed, 16 Nov 2011 10:03:12 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=8074</guid>
		<description><![CDATA[5 Key Elements of a Good Technology Defense ]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/firewalls-and-football/"><img class="size-thumbnail wp-image-8076 alignright" title="Firewalls and Football" src="http://networkingexchangeblog.att.com/wp-content/uploads/2011/11/iStock_000015565707XSmall-120x95.jpg" alt="" width="120" height="95" /></a>Now that we are well into the fall football season, this is a good time to observe<span id="more-8074"></span> some of the things we can learn from football to develop a sound protection strategy for our enterprise networks. Consider for a moment what would happen if the defensive line of a football team were to place the same players in the same line-up play-after-play, game-after-game. You don’t need to know the intricacies of football strategy to realize what would happen.</p>
<p>First, the offense would quickly adapt their plays to exploit the weakest aspects of their opponent’s defense, and then they would proceed to score relentlessly against them. Common sense suggests there needs to be dynamics in an effective defensive strategy. The defense needs to understand the strengths of their opponents, develop a game plan that can weaken those strengths and force plays in a particular direction that can slow or stop the offensive gain.</p>
<p>Now let’s consider a network defensive strategy. <strong>What if we tried to use the same firewall port filters, the same IDS, the same email spam scrubbing, and the same response strategy over and over?</strong> The opposition will naturally adapt their techniques. They will learn your defenses, and find a way around them. Here’s an interesting look at how <a href="http://www.iamot.org/conference/index.php/ocs/10/paper/viewFile/1566/727" target="_blank">technology defense can learn from Sun Tzu’s Art of War</a>.</p>
<p>Don’t think you have any opponents? Think again. If your business has money, intellectual property, and/or computing resources, then there are others that would like to gain from your losses. They are your opponents, and you need to defend your business against them.  There is no such thing as a nice quiet neighborhood on the Internet. When you connect to the Internet, you are joining in with billions of other Internet users in the entire world. <strong>Along with this come some great opportunities to expand business and also all of the malicious and competitive attacks against you.</strong></p>
<p>So what do we do? Let’s look back to football. The defensive strategy starts well before game day. The defensive coordinators will study their opposition. They will observe the strength of their players, observe the plays they have used, observe the sequences of running and passing, consider what other defensive strategies have been successful. They will use this information to help identify and build a defensive strategy for their own team.</p>
<p>For example, they may focus on the rush to shut-down a star quarterback’s passing play. They will strengthen the primary to stop a running play.  They will match the skills of their secondary against the offensive receivers.</p>
<p>Similarly, the planning does not stop when the game starts. If the planned strategy is not working, the defensive coordinators will adjust the strategy, change the line-up, and make adjustments. Tactical changes are as necessary as part of the overall strategy.</p>
<p>Now we see a need for dynamics in both strategy and tactics.  How do we build some dynamics into a network defensive strategy?  <strong>This is the basis behind the <a href="http://www.business.att.com/enterprise/Family/network-security/security-incident-siem/">Security Event and Threat Analysis (SETA) service</a> offered by AT&amp;T, and perhaps there are aspects of this in other Managed Security Services.</strong> Inherent in such a service is the <a href="http://www.business.att.com/enterprise/Family/network-security/threat-vulnerability-management/#play security_ops_center.mp4">Security Operations Center (SOC)</a>, but it is more than that.  <strong>An effective SOC needs five elements:</strong></p>
<p style="padding-left: 30px;"><strong>1.<em> Insight</em></strong> &#8211; It needs insight into the many offensive strategies used by many attackers. It is not sufficient to look at one enterprise and expect to gain the level of understanding that is needed to see new attacks in development and to see how those strategies evolve over time. You want coordinators that know the landscape.</p>
<p style="padding-left: 30px;"><strong>2. <em>Strategery </em></strong>– Strategery wasn’t a word until coined by George W. Bush some years ago and kept alive by Will Ferrell in numerous episodes of Saturday Night Live.  But I find it fitting here. The SOC needs to partner with customers to become a defensive coordinator for a network. Their role is to learn about the threats, observe trends, and prepare plans for preventing the opponents from executing successful plays/attacks against an enterprise.</p>
<p style="padding-left: 30px;"><strong>3. <em>Creativity</em></strong> &#8212; <a href="http://searchsecurity.techtarget.com/tutorial/Hacker-attack-techniques-and-tactics-Understanding-hacking-strategies" target="_blank">Attackers are creative and continually evolving.</a> That means the protective strategies also need to be continually evolving in an innovative manner. It is not enough to have a set of tier 1 analysts that simply respond to events with a scripted response plan. There needs to be a tie into a research and development community that can help provide innovative and new detection and protection strategies for customers.</p>
<p style="padding-left: 30px;"><strong>4. <em>Depth</em></strong> – Similarly, as new types of events are discovered in the community and as new types of situations occur with customers, there needs to be a full repertoire of escalation paths that help to adapt the service to counter the changing offensive strategies of attackers.</p>
<p style="padding-left: 30px;"><strong>5. <em>Teamery</em></strong> – Okay, teamery isn’t a word any more than Strategery, but it fits. The SOC is a coordinating component for preventing and mitigating security threats. The SOC generally does not design or control the network. It generally does not design or operate the systems connected to the network either. The SOC needs to be in a position to build team relationships with the IT partners in an enterprise and establish all of the necessary plans for managing scenarios that are expected to take place. As the legendary football coach Paul “Bear” Bryant, from Alabama, said, “You must learn how to hold a team together. You must lift some men up, calm others down, until finally they’ve got one heartbeat. Then you’ve got yourself a team.”</p>
<p>The next time you watch a game of football, consider how the dynamics of your protection strategy can help protect your business.  Make sure candidates for your service are able to provide good answers to your questions about the 5 elements needed in a Security Operations Center.</p>
<h5>How about you?  How do you see security adapting and changing in light of new threats?  What do enterprise-level security professionals need to watch for today? What steps have you implemented that work?  We’d love to hear from you and get your opinion.</h5>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/firewalls-and-football/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apps vs Oranges and the Occasional Bad Banana</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/apps-vs-oranges-and-the-occasional-bad-banana/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/apps-vs-oranges-and-the-occasional-bad-banana/#comments</comments>
		<thumbnail>
					</thumbnail>
		<pubDate>Mon, 01 Aug 2011 10:32:22 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>
		<category><![CDATA[applications]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[smartphone]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=4317</guid>
		<description><![CDATA[9 Important Considerations as You Select your Smartphone Apps ]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/apps-vs-oranges-and-the-occasional-bad-banana"><img class="alignright size-full wp-image-29088" title="Apps vs Oranges and the Occasional Bad Banana" src="http://networkingexchangeblog.att.com/wp-content/uploads/2011/08/Apps-vs-Oranges-and-the-Occasional-Bad-Banana.jpg" alt="" width="120" height="95" /></a>The fruit section at our grocery store is generally doing its best to keep fresh and tasty produce in stock.<span id="more-4317"></span>  However, there are occasions where some not-so-good items end up on the shelves.  So while we may be willing to almost blindly restock our cart with another box of Raisin Bran without looking, we scrutinize our fruit and vegetables when we shop for them.  We look them over for bruises, we feel them for the correct softness, and we smell them for the scent of freshness.</p>
<p>I think the app stores are doing the best they can too.  But <a href="http://www.business.att.com/enterprise/Family/mobility-services/mobile-applications/">apps</a> are like the fruit section.  In contrast with the traditional shrink-wrap software markets where only the most reputable products ever got to store shelves, readily downloadable apps and the developing array of alternative markets operate on a different paradigm.  This leaves us, the wary users, to be on guard for that occasional bad banana, the bruised orange, or the smelly batch of peaches that get through.</p>
<p>The <a href="http://ow.ly/5DIVQ" target="_blank">DroidDream series of Trojans</a> are but one example of bad bananas that leaked through the system.  More recently, we are finding <a href="http://ow.ly/5DKu0" target="_blank">GGTracker</a> to be an evolving menace.  How do we protect ourselves?  <strong>Here are 9 APPlicable things to consider:</strong></p>
<ol>
<li><em><span style="text-decoration: underline;">Use Reputable App Stores</span></em> &#8212; Some stores manage their inventory better than others.  There is some vetting of apps in reputable app stores.  If malicious or poor quality apps are found, a reputable store will remove the app from the shelf and/or compel the creator to fix the problem.  The official app stores usually have the capability to help remove malicious apps from <a href="http://www.business.att.com/enterprise/Family/mobility-services/mobile-devices/">devices</a>, which can be an important part of rapid mitigation of serious threats.  If you elect to bypass official app stores (for example, by jailbreaking your device), be aware you are on your own.  This is akin to buying your fruit from a street-side stand.  The product may be very good, but you may not have the benefits of health inspectors.  You won’t know what chemicals have been used or what other hidden secrets might exist in the product.</li>
<li><em><span style="text-decoration: underline;">Only Load Apps that you Need</span></em> &#8212; Any app presents risks to your information and the app may have bugs that place your device at risk.   The app may perform functions that you don&#8217;t expect.  Only load apps that you expect will provide real value to you and offset the risks.</li>
<li><span style="text-decoration: underline;"><em>Look at the Reviews</em></span> &#8211; Look at the low ranking reviews as well as the high reviews.  This is the way to find the bruised peaches among the crowd of attractive looking apps.</li>
<li><em><span style="text-decoration: underline;">Free Apps Probably are not &#8220;free&#8221; </span></em>&#8211;  The creators want to monetize their efforts.  As with social media, app creators are trying to strike that balance between valuable and lucrative.  Make sure you have at least a notional understanding of how this app is making money for the creators.  There are some basic models:
<ul>
<li>Promote other products, upgrades, or subscription services</li>
<li>Ad supported</li>
<li>Charge for the app</li>
<li>Sell your information, including the actions you perform with the app</li>
</ul>
None of these are exclusive of another.  You should expect at least one of these mechanisms is in use.</li>
<li><em><span style="text-decoration: underline;">Scrutinize the Permissions </span></em>&#8211; If an app asks for access to your contact list, location, and other attributes, ask yourself why.  If there is no logical explanation that satisfies you, don&#8217;t allow it.</li>
<li><em><span style="text-decoration: underline;">Contribute to the App Reviews</span></em> &#8211; Looking at the reviews will be of little value if users have not provided valuable feedback.  If an app is not providing the value you expect, then make sure others know about it.</li>
<li><em><span style="text-decoration: underline;">Run Anti-Malware Protection on your Device</span></em> &#8211; Running anti-malware is particularly important if you are going to use side-loaded or alternative market apps, which may not be scrutinized as well and for which there may be no method to pull the app if it is found to have malicious intent.</li>
<li><em><span style="text-decoration: underline;">Keep your Apps up to Date </span></em>&#8211; Updating apps has become much easier than it used to be.  Take a moment and help assure your apps are up to date, which should patch any discovered vulnerabilities.</li>
<li><em><span style="text-decoration: underline;">Clean House</span></em> &#8211; Even apps that have not been used can be running in the background on your device.  They may be performing functions that you don&#8217;t know about or want.  If you are not using it, remove it.</li>
</ol>
<p>Most of this is pretty much common sense.  It is not nearly as complex as selecting that extra sweet melon from the pile.</p>
<p>What steps are you taking to help ensure that your apps are safe, functional and helpful?  What are some of the best apps you’re using and would recommend?  Share your insights with others and then read what they are using by posting your comment below.  We look forward to hearing from you.</p>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/apps-vs-oranges-and-the-occasional-bad-banana/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Get Into Cloud with Just Anybody</title>
		<link>http://networkingexchangeblog.att.com/enterprise-business/dont-get-into-cloud-with-just-anybody/</link>
		<comments>http://networkingexchangeblog.att.com/enterprise-business/dont-get-into-cloud-with-just-anybody/#comments</comments>
		<thumbnail>
			http://networkingexchangeblog.att.com/wp-content/uploads/2012/07/iStock_000015222227XSmall-120x120.jpg		</thumbnail>
		<pubDate>Mon, 09 May 2011 10:00:25 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[Enterprise Business]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=2957</guid>
		<description><![CDATA[Why You Need to Choose Your Cloud Computing Provider Carefully]]></description>
			<content:encoded><![CDATA[<p><a href="http://networkingexchangeblog.att.com/enterprise-business/scientific-cloud-the-new-rock-star/attachment/futuristic-cloud-computer/" rel="attachment wp-att-14233"><img class="size-thumbnail wp-image-14233 alignright" title="Cloud Services – My Top 3 Predictions for 2011 " src="http://networkingexchangeblog.att.com/wp-content/uploads/2012/07/iStock_000015222227XSmall-120x95.jpg" alt="" width="120" height="95" /></a>The first users to embrace and benefit from <a href="http://networkingexchangeblog.att.com/topics/cloud_computing/" target="_blank">cloud computing</a> were malicious <a href="http://networkingexchangeblog.att.com/technology/emerging-threats-in-the-mobile-environment-part-two/" target="_blank">botnet</a> operators.  Consider some of the cloud innovations attributed to botnet implementers:<span id="more-2957"></span></p>
<ul>
<li><strong>Created controls to keep an inventory of their computing resources</strong>, including system type, location, processing speed, network bandwidth, storage, and status applications.</li>
<li><strong>Created methods to manage applications on machines both singularly and in large numbers.</strong> Early versions of this command and control utilized Internet Relay Chat (IRC) as the means of communicating this information. The technology has continued to advance and complex P2P protocols and HTTP-based means are also used.</li>
<li><strong>Made use of multiple protocols, servers, and techniques to help manage a variety of attributes</strong> including robustness from take-down efforts, traceability, and forensic investigation.</li>
<li><strong>Created numerous methods to rapidly add new computing resources.</strong> Unfortunately, this is done by promulgating malware that steals access to computer and network resources.  Methods such as network exploits (a la worms), application exploits (a la browser and reader exploits), and deception (malware links in emails) are used.</li>
<li><strong>Created methods to run applications in the background.</strong> Often, these applications are not only imperceptible to the co-host (i.e. legitimate owner) of the infected computer, but the malware often goes undetected by anti-virus tools.</li>
<li><strong>Created numerous methods of monetizing these resources</strong> through illegal acts such as <a title="AT&amp;T Business Services: Denial of Service Protection" href="http://www.business.att.com/enterprise/Service/network-security/threat-vulnerability-management/ddos-protection/" target="_blank">DDoS attack</a> extortion, the flooding of email accounts with spam advertisements, identity theft, bank fraud, sale and distribution of pirated media content, and even the leasing of botnet/computing resources to third parties.</li>
</ul>
<p>Botnet operators were also early adopters in terms of purchasing <a title="AT&amp;T Business Services: Cloud Computing" href="http://www.business.att.com/enterprise/Family/cloud/computing/" target="_blank">cloud computing</a> resources.  Early providers of leased computing services on the Internet have been attractive to botnet operators for their <strong>command and control functions</strong> for a while.  More advanced attackers use <strong>drop servers</strong> to help hide the ultimate destination of stolen data.  Key attributes that botnet operators seek are <strong>agility</strong> (the ability to set-up server functions quickly and to move them around the Internet) and <strong>anonymity</strong> (the ability to pay for resources without significant interaction). This helps them evade detection and maintain robustness in their command and control with minimal interference and traceability.</p>
<p>A <a title="AT&amp;T Business Services: Cloud Services" href="http://www.business.att.com/enterprise/Portfolio/cloud/" target="_blank">cloud services</a> provider may be perfectly legitimate and may have security protections that detect viruses and enforce security policy. But these measures are primarily to protect you from common external attacks or assure you that you’re not infected. <strong>The primary means of protecting against sharing public cloud computing with the “bad guys” is accountability. </strong>It‘s important that the cloud provider know who it’s selling to and ensure there is a means to seek retribution if any customers are adversely affected.</p>
<p>Here are some questions to consider when choosing a public cloud provider:</p>
<ul>
<li>Does the cloud provider <strong>ensure that they know exactly who is paying them for services</strong> and that credit card purchases are not being made using stolen credit card information?</li>
<li>Does the cloud provider <strong>maintain sufficient validation</strong> to ensure that the contact information of its customers, including phone numbers and street addresses, is accurate and current?</li>
<li>Does the cloud provider <strong>perform a reputation check</strong> on purchasing organizations to ensure they don’t have a reputation for malicious or suspect behavior?</li>
<li>Does the cloud provider <strong>have a good relationship with its network service provider?</strong> One that ensures that reported abuse issues are addressed promptly?</li>
<li>Does the cloud provider <strong>cooperate with law enforcement</strong> when and if abuses are discovered?</li>
</ul>
<p>(<a href="http://networkingexchangeblog.att.com/technology/expect-hybrid-cloud-and-application-hosting-from-most-enterprises/" target="_blank">Hybrid cloud computing</a> and <a href="http://cloudcomputing.sys-con.com/node/1429451" target="_blank">private cloud computing</a> provide additional protections to those furnished by public cloud computing, but they almost always do so at a higher cost.)</p>
<p>Given that you run a legitimate business or are a consumer in good standing, you may wonder why this is important to you. I’ll tell you why: <strong>If your cloud provider does not provide proper checks to certify the legitimacy of its customers, you may find yourself sharing cloud infrastructure with criminals.</strong> Most likely, the infrastructure will include a common ISP and network equipment.  You may also end up sharing common server hardware and an IP address. <strong>A malicious co-resident may be interested in finding ways to get to your information.</strong> Additionally, if a co-resident user is discovered performing malicious activities on the Internet, network providers may take action by blocking activity to and from the IP address—your IP address. The one you’re unknowingly sharing with a criminal.</p>
<p>Recently, there’s been a concerted effort to encourage ISPs to take action against botnets, and it’s been suggested that offending customers be disconnected from the Internet. <strong>We think it’s best to avoid disrupting service to customers</strong>, so AT&amp;T is researching more surgical methods to detect, and thus minimize, malicious behavior on the Internet. However, choosing a cloud provider that avoids hosting bad actors will help ensure that your cloud services continue to work for you.</p>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/enterprise-business/dont-get-into-cloud-with-just-anybody/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>C. Brian Rexroad &#8211; Principal Network Security Architect, AT&amp;T Chief Security Office</title>
		<link>http://networkingexchangeblog.att.com/bio/brian-rexroad/</link>
		<comments>http://networkingexchangeblog.att.com/bio/brian-rexroad/#comments</comments>
		<thumbnail>
					</thumbnail>
		<pubDate>Wed, 01 Dec 2010 21:24:29 +0000</pubDate>
		<dc:creator>
			Brian Rexroad		</dc:creator>
				<category><![CDATA[BIO]]></category>

		<guid isPermaLink="false">http://networkingexchangeblog.att.com/?p=760</guid>
		<description><![CDATA[“I tend to be more focused on what technology does in terms of human value and the importance it provides to society. At AT&#038;T, there’s relentless innovation for the improvement of humankind. That’s exactly the right way to look at it.”]]></description>
			<content:encoded><![CDATA[<p>When Brian Rexroad is asked what he does for a living, his initial answer is, “Internet security.” If asked exactly what that means, he brings up detection and prevention of botnets, malware, <a href="http://www.business.att.com/enterprise/Service/network-security/threat-vulnerability-management/ddos-protection/">DDoS attacks</a>, and other abusive activity. “Invariably, people don’t know what they are and their eyes gloss over,” says Rexroad.</p>
<p>Rexroad’s official AT&amp;T bio tags him as “the technical lead developing processing systems to analyze Internet activity for security events such as distributed denial of service attacks, network worms and botnets.” Named on three patents (and a fourth patent applied for), Rexroad’s expertise includes network data security analysis, public key infrastructure and secure messaging, network architecture, cryptographic systems design, and security protocol design.</p>
<p>While that description may be over the heads of most people, they’re glad Rexroad does what he does. By developing unique and innovative analytical techniques, he and his team are a big part of AT&amp;T’s efforts to track malicious activity on the Internet. As the sophistication of cybercriminals increases, Rexroad and his AT&amp;T colleagues work diligently to stay a step ahead of the bad guys. “We’re focused on looking for activity or events that are of concern to us as a network service provider,” Rexroad explains. “Activity or events that might grow to interfere with network performance.” If there’s an infection traversing the network, Rexroad and his cohorts would much rather find it first and mitigate the threat than have a customer call and ask what’s going on.</p>
<p>Given what he does for a living, one might think Rexroad would be an early adopter, but he’s not big on technology for technology’s sake. “I tend to be more focused on what technology does in terms of human value and the importance it provides to society,” Rexroad says. “At AT&amp;T, there’s relentless innovation for the improvement of humankind. That’s exactly the right way to look at it.”</p>
<p>With AT&amp;T for 15 years, Rexroad received his BS in Electrical Engineering from Penn State University and an MS in Electrical Engineering from Johns Hopkins University.</p>
]]></content:encoded>
			<wfw:commentRss>http://networkingexchangeblog.att.com/bio/brian-rexroad/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
