Palo Alto Networks Advanced DNS Security introduces new detection, Stockpiled Domain APT attribution. This new detection is part of the DNS Malware Domains category.
Stockpiled domains typically refer to a practice where malicious actors register multiple domain names simultaneously or set up infrastructure in an automated fashion without immediate plans for their use. Attackers leverage this technique, often rotating between them to carry out malware, phishing, scams, and command-and-control attacks. To learn more about how to defend against these malicious domains, please visit the Stockpiled Domain Detection blog.
Given the various ways an attacker uses stockpiling domains, it's crucial to understand its severity, especially in the context of Advanced Persistent Threats (APTs). APT is a type of cyberattack in which an unauthorized user gains access to a network and remains undetected for an extended period. The proactive capabilities of the new stockpiled domain APT attribution feature allow organizations to identify potential new and existing attack campaigns used within their environment, prioritize their responses, and enhance their overall defenses. Users can view the context, such as associated campaigns and threat actors, why the traffic is blocked/sinkholed, and its APT attribution in threat log details. By analyzing threat campaigns associated with stockpiled domains, Advanced DNS Security gives customers real-time insights into how many users are connecting to such domains and IPs, enabling rapid and effective incident response. This approach facilitates the identification and isolation of affected users as a critical step in remediation with more confidence.
Palo Alto Networks Unit 42 threat research team discovered the FormBook campaign, which is meant to exfiltrate encoded stolen data. On September 25, 2023, attackers registered eight malicious domains. FormBook malware-infected clients consistently accessed several encoded URLs on these domains and exfiltrated stolen data.
As attackers increasingly utilize automation and adhere to sophisticated tactics, they inadvertently leave traces across various data sources, such as passive DNS (pDNS) and SSL/TLS certificate transparency logs. At Palo Alto Networks, we have developed over 300 features to analyze terabytes of data and billions of pDNS and certificate records. This thorough analysis of our extensive database containing millions of malicious and benign domains enables us to identify critical certificate and domain-specific attributes to compute their reputations effectively.
We analyze key features of certificates such as their validity duration, associated root domains, last seen time, and start date. For domains, we examine the number of certificates and issuers, the randomness of the domain name, and word count. We also track the age of domains, how many certificates are assigned to each IP, and how many IPs are assigned for all domains in the certificates. These details are essential for training our cloud-based machine learning models, helping us to proactively block maliciously stockpiled domains in real time, ensuring user protection.
Additionally, Palo Alto Networks new Stockpiled APT attribution tracks and identifies all types of stockpiling behaviors quickly and includes associated campaign details, context, and techniques used by attackers. Our advanced automated detection system takes a complete list of domains and extracts related URLs (Advanced URL Filtering), IPs, and malware samples (from Advanced Wildfire), passive DNS, and active web crawl data. It creates a distinct graph for each domain, showing how it connects to these elements. By clustering these correlated elements, we can detect attack campaigns that share the same infrastructure and traffic distribution systems or have contact with the same malware samples. Using this correlation from various entities increases precision, enhances early malicious domain detection, and prevents patient zero. This approach also allows us to enrich our threat logs with insights into the campaign and techniques used by attackers. It enables users to gain visibility into attack campaigns targeting their organization, allowing them to confidently block and sinkhole malicious DNS traffic.
The Stockpiled Domain attribution detection is added under the DNS Malware Domains category, which is part of PAN-OS 10.0, meaning customers with PAN-OS 10.0 or later can benefit from this new detection. Customers do not need to make any configuration changes unless they need to change the default or configured action of the DNS Malware Domains category.
Below are the snippets of how Stockpiled Domains APT Attribution detection entries appear in the threat log of the firewall:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 1 Like | |
| 1 Like | |
| 1 Like | |
| 1 Like | |
| 1 Like |
