Update: Webfilter now blocks portalllbbua.com.mx so maybe it just took a few minutes to iterate on the UTM.

Question: Brightcloud lists this website as created on 9/22/22. If the website is too new to be listed as a blocked malware/phishing site through WebFilter, Threat Prevention, or the endpoint applications like Bitdefender, are there other ways to protect users from new threats like these? Thanks

You can set it to block anything that's not categorized, but IME this tends to have unwanted side effects.

While whole new sites are relatively rare, people tend to visit pages within legitimate sites that are not categorized for legitimate reasons all the time: the page within the site is new, it's generated based on a database record of which there are arbitrarily many possible pages, it's a behind a login so the category engine can't see it, using HTTPS + hosted on AWS/Azure IP range + no unecrypted domain header, etc.

You've just discovered one of the things that makes phishing (especially spear-phishing) campaigns so dangerous: the campaigns tend to be short lived; they'll stand up a domain, use it for a few weeks, and then move on to run the same software at another location with a new set of potential victims. In this way, each web site doesn't last long enough for most of their targeted traffic to be blocked by security products.

Yeah, and I've worked with other products that provide specific tools in this case. OpenDNS for example will let you say, never allow access to a "new" site until it's X days old. And that policy helps in these cases!

Right up until you deploy a new app somewhere... and all of a sudden your subdomain.whatever won't work for two weeks because you told it to keep anything new away for that period.

I believe Threat Prevention will block these sites if it's set to "suspicious"... but that has even more broad reaching impact.

There is no perfect solution to this problem, and yes... that means spear phishing will be around a very long time.

Thanks to both of you for your responses. Any chance NGFW has poisoned DNS entries? OpenDNS idea seems like a good one.

We don't cache any DNS lookups; it's a live/real-time query every time. Unless it's an issue with the DNS server itself (or you're using your own internal DNS resolver), this shouldn't be the case.

Edit: turns out I'm wrong and the DNS daemon does actually cache a very small number of DNS lookups. This doesn't affect my overall answer, however: it's not DNS poisoning.

Ok, thank you for the clarification.

The web filter has a button on the advanced tab to flush cached results.

DNSMasq does cache things, but it's extremely short duration. Web Filter can in some cases hold onto a bad categorization for AGES... which is why we have the aforementioned button.

It's not SUPPOSED to work that way, but sometimes... gremlins.

Just for Category lookup results, though. Doesn't have anything to do with DNS lookups.

This was just brought to my attention! I (and my previous post) stand corrected.