Palo Alto Networks Advanced DNS Security introduces Domain Masquerading, a powerful new detection capability. Integrated into the Grayware Domains category, this advanced feature strengthens the platform’s ability to detect and prevent malicious activities.
Domain masquerading is a tactic used by threat actors in which they associate their malicious domains with reputable IP addresses. This strategy deceives content-based detection systems and may bypass security measures. Initially, these domains build a reputation and are whitelisted; subsequently, the threat actors switch back to the IP addresses of their malicious servers. This approach enables them to engage in various malicious activities, including malware distribution, phishing, scams, and command-and-control operations. It is crucial to have proactive measures in place to detect and block domain masquerading, given the limited window of opportunity for such attacks.
In May 2024, the Palo Alto Networks threat research team discovered a collection of malicious domains engaged in deceptive practices by falsely portraying IP addresses belonging to Palo Alto Networks and other prominent firewall vendors as their own. Investigation revealed that these domains were linked to a common group of threat actors. It is crucial to highlight that a substantial portion of these domains continue to demonstrate malicious characteristics.
- activate .linkblackclover .com
- git .face2cover .com
- backup .newbitstone .com
Please note that this is only a partial representation of the domains found within the identified list.
At Palo Alto Networks, we have developed a sophisticated detection system powered by Precision AI to detect and thwart domain masquerading. Our detection system continuously monitors thousands of reputable domains and their associated addresses. Upon detecting new resolutions, our system thoroughly analyzes terabytes of passive DNS (pDNS) data, extracting over 50 current and historical features. These features include the age of the domain, its reputation, the number of previously used IP addresses, and the resolution lifespan. Leveraging these features, our pre-trained ML model effectively identifies masquerading behavior in real-time. In addition, our detection system employs comparative analysis techniques like web crawls, certificate fingerprints, and WHOIS information to enhance the precision of the ML model and proactively block these malicious domains.
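The following is an added, illustrative example of the detection idea described in the two passages above; it is not Palo Alto Networks' Precision AI detector and its thresholds, sample passive-DNS records, address blocks (reserved TEST-NET ranges) and domain names are all constructed assumptions. It computes the four feature types the post names (domain age, reputation, number of previously used IP addresses, resolution lifespan) from a domain's resolution history and flags a domain that newly points at an address block belonging to a reputable organization it does not own, while leaving the organization's own domains and long-standing tenants alone.

```python
"""Illustrative domain-masquerading detector over passive-DNS style records.

Added example, not the vendor's detection system. Data and thresholds are
constructed for demonstration (assumption).
"""
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed inventory: address blocks known to belong to reputable organizations
# (RFC 5737 TEST-NET ranges used as placeholders) and the domains each organization
# legitimately hosts there. A real system would build this by continuously
# monitoring the organizations' own domains and their resolutions.
REPUTABLE_NETS = {
    ipaddress.ip_network("203.0.113.0/24"): "vendor-a",
    ipaddress.ip_network("198.51.100.0/24"): "vendor-b",
}
OWNED_DOMAINS = {
    "vendor-a": {"www.vendor-a.example", "updates.vendor-a.example"},
    "vendor-b": {"www.vendor-b.example"},
}


@dataclass(frozen=True)
class Resolution:
    """One pDNS observation: domain resolved to ip between first_seen and last_seen."""
    domain: str
    ip: str
    first_seen: date
    last_seen: date


@dataclass(frozen=True)
class DomainInfo:
    registered: date   # WHOIS creation date
    reputation: float  # constructed scale: 0.0 unknown/poor .. 1.0 long-established


def reputable_owner(ip: str):
    """Return the organization whose address block contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, org in REPUTABLE_NETS.items():
        if addr in net:
            return org
    return None


def extract_features(info: DomainInfo, history: list, today: date) -> dict:
    """Compute the feature types named in the post from a domain's pDNS history."""
    current = max(history, key=lambda r: r.last_seen)
    prior_ips = {r.ip for r in history if r.ip != current.ip}
    return {
        "current_ip": current.ip,
        "age_days": (today - info.registered).days,
        "reputation": info.reputation,
        "prior_ip_count": len(prior_ips),
        "resolution_lifespan_days": (current.last_seen - current.first_seen).days,
    }


def is_masquerading(domain: str, info: DomainInfo, history: list, today: date) -> bool:
    """Heuristic stand-in for the ML model: flag a young or low-reputation domain that
    has only briefly pointed at a reputable organization's address block it does not own."""
    f = extract_features(info, history, today)
    org = reputable_owner(f["current_ip"])
    if org is None or domain in OWNED_DOMAINS.get(org, set()):
        return False  # not on a reputable block, or legitimately owned by that organization
    young = f["age_days"] < 180                      # constructed threshold
    low_reputation = f["reputation"] < 0.3           # constructed threshold
    churning = f["prior_ip_count"] >= 3              # many earlier addresses
    short_lived = f["resolution_lifespan_days"] <= 14
    return short_lived and (young or low_reputation or churning)


def scan(pdns: list, infos: dict, today: date) -> list:
    """Group observations per domain and return the sorted list of flagged domains."""
    by_domain = {}
    for r in pdns:
        by_domain.setdefault(r.domain, []).append(r)
    return sorted(d for d, hist in by_domain.items()
                  if is_masquerading(d, infos[d], hist, today))


# Constructed sample batch: one masquerading domain, one vendor-owned domain,
# and one long-standing tenant legitimately hosted inside a provider's block.
SAMPLE_TODAY = date(2024, 5, 7)
SAMPLE_INFO = {
    "activate.newtool.example": DomainInfo(date(2024, 4, 1), 0.1),
    "www.vendor-a.example": DomainInfo(date(2010, 1, 1), 0.95),
    "cdn.oldsite.example": DomainInfo(date(2015, 6, 1), 0.8),
}
SAMPLE_PDNS = [
    Resolution("activate.newtool.example", "192.0.2.10", date(2024, 4, 5), date(2024, 5, 1)),
    Resolution("activate.newtool.example", "203.0.113.25", date(2024, 5, 2), date(2024, 5, 6)),
    Resolution("www.vendor-a.example", "203.0.113.5", date(2020, 1, 1), date(2024, 5, 7)),
    Resolution("cdn.oldsite.example", "198.51.100.40", date(2023, 1, 1), date(2024, 5, 7)),
]


def run_sample() -> list:
    return scan(SAMPLE_PDNS, SAMPLE_INFO, SAMPLE_TODAY)


if __name__ == "__main__":
    print(run_sample())
```

The owned-domain check and the lifespan threshold are what keep a provider's tenants and the organization's own hosts from being flagged; the post's system additionally corroborates the model with web crawls, certificate fingerprints and WHOIS comparisons, which this sketch leaves out.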
We are pleased to announce that domain masquerading detection was released on January 29, 2025, as part of the Grayware Domains category.
Customers do not need to make any configuration changes unless they wish to modify the default or configured action of the Grayware Domains category. Domain masquerading detection is categorized as Grayware, and the default action for this category is set to block.
To assist customers in identifying and managing domain masquerading threats, below are the details:
Yes. To help you test and become familiar with the new detection capability, we have included a test domain:
Test domain: test-domain-masquerading.testpanw.com
Below are the snippets of how Domain Masquerading detection entries appear in the threat log of the firewall:
Monitor -> Logs -> Threat
Detail Log view
Please refer to the provided documentation for a comprehensive understanding of DNS Security Signature Categories and their significance in safeguarding your network.