Signs of Suspect Domain Activity
- An internal host is looking up suspicious external domains
- Suspicious activity may involve looking up machine-generated domain names or nonexistent domain names in rapid succession
- The threat score is driven by successful lookups
- The certainty score is driven by the breadth of domain lookups and the characteristics of successful lookups
What Type of Domain Activity are Considered Suspicious?
- An infected host which is part of a botnet is using a domain generation algorithm (DGA) to locate its command & control servers
- An infected host or adware installed by the user is accessing newly generated domains to present ad impressions to the user
- An internal user visits newly registered domains with unusual names (e.g., letter sequences not normally found in domains)
Business Impact of Suspect Domain Activity
- An infected host can attack other organizations (e.g. spam, DoS, ad clicks) thus causing harm to your organization’s reputation, potentially causing your IP addresses to be black listed and impacting the performance of business-critical applications
- The host can also be instructed to spread further into your network and ultimately exfiltrate data from it
- Software which infected the host can create nuisances and affect user productivity
How to Investigate Suspect Domain Activities
- Do not go directly to the listed domain as it is likely to be malicious
- Look up the domain and IP address to which the communication is being sent via reputation services to see if this is known malware; such lookups are supported directly from the UI
- Inquire whether the user of the host would likely have gone to the listed domain
- Check to see if the host is also exhibiting other detected behaviors to understand the intent of the malware
