But remember that simply blocking access to the C&C domains doesn’t actually solve the malware problem. Systems are still infected, and users are still engaging in risky behaviors. An IPS block on C&C should be accompanied by an action, such as a notification or in-person visit (for smaller colleges) to help the user clean up an infected system.
In the case of intentional mining, notifications can help students understand the negative consequences of their actions to the institution, along with potential penalties for continued noncompliance.
It’s likely that many students don’t consider cryptomining a security problem, because they don’t understand how their PC can be instantly repurposed for more malicious tasks. Information security teams should regularly review IPS logs and combine the review with end-user notification about when and why a block occurred. That’s the best way to change user behaviors: Help them understand what’s wrong with their PCs and give them the information they need to solve the problem.
Augment Cryptomining Defenses with Domain Name System Filtering
Domain Name System (DNS)-based protections may be a good addition. DNS-based filtering services, such as OpenDNS and Quad9, advertise their ability to block connections to malicious domains.
To use them, IT managers configure the public resolvers as the DNS servers handed out by their Dynamic Host Configuration Protocol (DHCP) servers, possibly backed up by firewall rules that redirect DNS traffic from noncompliant users who override the DHCP-supplied resolver.
In theory, these types of services would be perfect complements to network-based IPS, working in concert to block lookups of known cryptomining domains and malware sources.
In practice, there’s a lack of efficacy data and third-party testing showing coverage in areas such as cryptomining. DNS filtering has also been criticized by organizations such as the Internet Society for creating collateral damage and fragmentation of the internet. In environments such as higher education, DNS filtering can be a difficult tool to wield.
IT managers who have already chosen to implement DNS-based filtering should enable cryptomining categories for their campus. Where DNS filtering services are not already in place, local modifications, including adding known cryptomining domains to a local DNS block list in campus DNS resolvers, will help to reduce the impact of this malware.
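The two practical steps above, maintaining a local block list in the campus resolver and reviewing resolver logs so that blocked lookups turn into user notifications, are easy to get subtly wrong (a list entry must also catch subdomains, but not look-alike names that merely end in the same string). The following is an added example, not code from the article or from any filtering vendor. The block-list entries, the simplified one-line-per-query log format and the client addresses are all constructed for illustration; the `local-zone ... always_nxdomain` lines it emits use real Unbound syntax, but the domains in them are placeholders, not real cryptomining infrastructure.

```python
"""Block-list matching, resolver-config generation and query-log review
for a campus DNS resolver (added example; all sample data is constructed)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed block list. The ".invalid" TLD is reserved and never resolves,
# so these are placeholders, not real mining pools or script hosts.
BLOCKED_DOMAINS: Set[str] = {
    "pool.example-miner.invalid",
    "stratum.example-miner.invalid",
    "cdn.example-minerscript.invalid",
}


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot resolver logs usually carry."""
    return name.rstrip(".").lower()


def is_blocked(qname: str, blocklist: Set[str] = BLOCKED_DOMAINS) -> Optional[str]:
    """Return the block-list entry that covers qname, or None.

    Matching is done on label boundaries, so an entry 'pool.example-miner.invalid'
    covers 'eu.pool.example-miner.invalid' but not 'notpool.example-miner.invalid'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def unbound_local_zones(blocklist: Set[str] = BLOCKED_DOMAINS) -> List[str]:
    """Render the block list as Unbound 'local-zone' statements.

    'always_nxdomain' answers NXDOMAIN for the name and everything below it,
    which gives the resolver the same subdomain coverage is_blocked() implements.
    """
    return [f'local-zone: "{d}." always_nxdomain' for d in sorted(blocklist)]


# Constructed query log: "<timestamp> <client-ip> <qname> <qtype>" per line.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z 10.20.30.40 www.example.edu A
2024-03-01T08:00:02Z 10.20.30.40 eu.pool.example-miner.invalid. A
2024-03-01T08:00:03Z 10.20.30.41 notpool.example-miner.invalid A
2024-03-01T08:00:04Z 10.20.30.40 stratum.example-miner.invalid A
malformed line that should be skipped
2024-03-01T08:00:05Z 10.20.30.42 cdn.example-minerscript.invalid AAAA
"""


def review_log(log_text: str, blocklist: Set[str] = BLOCKED_DOMAINS) -> Dict[str, Set[str]]:
    """Map each client IP to the block-list entries its lookups matched."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:          # tolerate junk lines instead of aborting the review
            continue
        _timestamp, client, qname, _qtype = fields[:4]
        entry = is_blocked(qname, blocklist)
        if entry is not None:
            hits[client].add(entry)
    return dict(hits)


def notifications(hits: Dict[str, Set[str]]) -> List[str]:
    """One plain-language notice per client, ready for the help desk to send."""
    return [
        f"{client}: {len(entries)} lookup(s) of known cryptomining domains were blocked "
        f"({', '.join(sorted(entries))}); the system may be infected or running a miner."
        for client, entries in sorted(hits.items())
    ]


if __name__ == "__main__":
    print("\n".join(unbound_local_zones()))
    for notice in notifications(review_log(SAMPLE_LOG)):
        print(notice)
```

The design choice worth noting is that `is_blocked()` and the generated `always_nxdomain` zones agree on scope: both treat a list entry as covering every name beneath it, so a lookup the resolver refuses is exactly the lookup the log review will flag, and the notice the user receives names the same entry that caused the block.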