New Strategically Aged Domain Detection for DNS Security


As DNS threats become more sophisticated, adversaries are treating DNS as a key vector for attacking organizations. This is why Palo Alto Networks' cloud-delivered DNS Security service is constantly adding new detections to secure your DNS traffic. Our latest protection identifies domains that have been intentionally aged to bypass security vendors' reputation checks. We call them Strategically Aged Domains. The DNS Security service proactively identifies strategically aged domains based on traffic distribution, domain analysis and the characteristics of their subdomains.

 

What is a Strategically Aged Domain?

 

It's well known that Newly Registered Domains (NRDs) are widely used for malicious activity. At Palo Alto Networks, we have mechanisms in place, such as monitoring DNS zone files and passive DNS data, to detect these emerging malicious domains before a patient-zero web threat appears. However, focusing on NRDs alone is not enough, because threat actors keep finding new ways to evade existing protections.

  

Strategically Aged Domains are domains that are registered well in advance of their use. The attacker reserves them and leaves them dormant for months or even years before using them in a campaign, precisely so that they pass security vendors' reputation checks. Because such a domain has built up a benign (or at least unremarkable) reputation over time, the onset of malicious activity can take longer to detect, and that delay is the advantage the attacker gains from aging the domain.

 

For example, Advanced Persistent Threat (APT) malware can stay dormant for years, during which its infrastructure looks benign, and then suddenly activate and generate a large volume of traffic through its command and control (C2) domains. The SolarWinds supply chain attack with the SUNBURST trojan in December 2020 used strategically aged domains together with a domain generation algorithm (DGA) to bypass security controls and exfiltrate identifying information about compromised hosts in DNS subdomains.

 

How does Strategically Aged Domain Detection work?

 

Our cloud-based DNS Security service uses the following filters to identify potential attacks that use strategically aged domains:

 

  • Traffic Pattern Classifiers to identify an abnormal burst of traffic to a domain after a quiet period
  • ML-powered Domain Analysis to monitor domain statistics, activity during the dormant state and the domain's traffic profile
  • Subdomain DGA Detection to recognize a significant volume of emerging DGA subdomains that could be used to exfiltrate data
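To make the three signals above concrete, here is an added toy detector that runs over a constructed DNS query log. It is example code written for this page, not Palo Alto Networks' implementation and not how the DNS Security service computes its verdicts. It assumes registration dates are available for each domain (in practice from RDAP/WHOIS or zone files), uses hypothetical thresholds, and splits the registrable domain as the last two labels, which real code should replace with a Public Suffix List lookup.

```python
"""Toy approximation of three strategically-aged-domain signals:
domain age at first sighting, a traffic burst versus a quiet baseline, and a
surge of high-entropy (DGA-like) subdomains. Illustrative only."""
import math
from collections import Counter, defaultdict
from datetime import date
from statistics import median

# Hypothetical tuning knobs, not vendor thresholds.
MIN_AGE_DAYS = 365        # registered at least this long before first query seen
BURST_FACTOR = 5          # latest-day volume must exceed the baseline by this factor
ENTROPY_THRESHOLD = 3.5   # bits per character; 16 distinct chars gives 4.0
MIN_LABEL_LEN = 12        # short labels like "www" are never counted as DGA
MIN_DGA_LABELS = 3        # distinct generated-looking labels needed to raise the DGA flag

# Constructed registration dates (real data would come from RDAP/WHOIS or zone files).
REGISTRATION = {
    "example-aged.test": date(2018, 3, 1),     # aged for years, then abused
    "example-benign.test": date(2015, 9, 12),  # aged, steady legitimate use
    "example-fresh.test": date(2024, 5, 20),   # newly registered
}


def build_sample_log():
    """Construct a small query log as (date, fqdn) tuples. Constructed data."""
    log = []
    for day in range(1, 7):
        d = date(2024, 6, day)
        log.append((d, "www.example-aged.test"))        # one quiet query per day
        log += [(d, "www.example-benign.test"), (d, "mail.example-benign.test")]
        log.append((d, "www.example-fresh.test"))
    # On the last day the aged domain wakes up with a burst of DGA-looking subdomains.
    for label in ["k2j4hd8sl0q9x7v1", "p3m6ztw5ne8ayr0c", "b7qf2xk9hj4ud1ls",
                  "g5n8rw3tzp6vm0ey", "c1d4ea9qs7kx2hlj"]:
        log.append((date(2024, 6, 6), f"{label}.example-aged.test"))
    return log


def registrable_domain(fqdn):
    """Split an FQDN into (registrable domain, subdomain labels).
    Simplification: last two labels. Use the Public Suffix List in real code."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_generated(label):
    """Cheap DGA heuristic: long label with near-uniform character distribution."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD


def analyze(log, registration):
    """Return per-domain findings: age at first sighting, burst, DGA count, verdict."""
    per_day = defaultdict(lambda: defaultdict(int))   # domain -> date -> query count
    first_seen = {}
    dga_labels = defaultdict(set)
    for d, fqdn in log:
        dom, subs = registrable_domain(fqdn)
        per_day[dom][d] += 1
        first_seen[dom] = min(first_seen.get(dom, d), d)
        if subs and looks_generated(subs[0]):           # leftmost label carries DGA output
            dga_labels[dom].add(subs[0])

    findings = {}
    for dom, days in per_day.items():
        ordered = sorted(days)
        latest = ordered[-1]
        # Baseline is the median daily volume over the earlier days.
        baseline = median(days[d] for d in ordered[:-1]) if len(ordered) > 1 else 0
        burst = days[latest] > BURST_FACTOR * max(baseline, 1)
        reg = registration.get(dom)
        age_days = (first_seen[dom] - reg).days if reg else None
        aged = age_days is not None and age_days >= MIN_AGE_DAYS
        dga = len(dga_labels[dom]) >= MIN_DGA_LABELS
        findings[dom] = {
            "age_days": age_days,
            "burst": burst,
            "dga_subdomains": len(dga_labels[dom]),
            # Aged at first sighting AND a sudden change in behaviour.
            "strategically_aged": aged and (burst or dga),
        }
    return findings


if __name__ == "__main__":
    for dom, f in analyze(build_sample_log(), REGISTRATION).items():
        print(dom, f)
```

Only example-aged.test is flagged: it was registered years before its first query, sat quietly, and then produced both a volume burst and several distinct high-entropy subdomains in one day. The benign aged domain has steady traffic and no generated labels, and the fresh domain fails the age test (it would belong in an NRD category instead).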

 

When will Strategically Aged Domain Detection be available in DNS Security?

 

Strategically Aged Domain detection results are delivered in real time under the DNS Grayware category, which was introduced in the PAN-OS 10.0 release. Customers can then allow, block, alert on or sinkhole these detections according to their policy for handling Grayware. Customers running PAN-OS 10.0 or later benefit from this new detection.

 

To learn more about how the DNS security service can protect your DNS traffic from threats, sign up for:

 

 

 

Additional Information

Palo Alto Networks DNS Security: Disrupt DNS-Based Attacks

Unit 42: Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends

Unit 42: SolarStorm Supply Chain Attack Timeline

 
