Palo Alto Networks Enhances Advanced DNS Security with New Domain Masquerading Detection Capabilities


Palo Alto Networks Advanced DNS Security introduces Domain Masquerading, a powerful new detection capability. Integrated into the Grayware Domains category, this advanced feature strengthens the platform’s ability to detect and prevent malicious activities.

What is Domain Masquerading and Why Does it Matter?

Domain masquerading is a tactic in which threat actors point their malicious domains at reputable IP addresses. This deceives content-based detection systems and may bypass security measures. Initially, these domains build a reputation and are whitelisted; subsequently, the threat actors switch the domains back to the IP addresses of their own malicious servers. This approach enables them to engage in various malicious activities, including malware distribution, phishing, scams, and command-and-control operations. Because the window of opportunity for such attacks is short, it is crucial to have proactive measures in place to detect and block domain masquerading.

Case Study: Domain Masquerading In The Real World

In May 2024, the Palo Alto Networks threat research team discovered a collection of malicious domains engaged in deceptive practices by falsely portraying IP addresses belonging to Palo Alto Networks and other prominent firewall vendors as their own. Investigation revealed that these domains were linked to a common group of threat actors. It is crucial to highlight that a substantial portion of these domains continue to demonstrate malicious characteristics.

  • activate .linkblackclover .com
  • git .face2cover .com
  • backup .newbitstone .com

Please note that this is only a partial representation of the domains found within the identified list.

How do products powered by Palo Alto Networks Precision AI help Identify, Detect, and Block Domain Masquerading?

At Palo Alto Networks, we have developed a sophisticated detection system powered by Precision AI to detect and thwart domain masquerading. Our detection system continuously monitors thousands of reputable domains and their associated addresses. Upon detecting new resolutions, our system thoroughly analyzes terabytes of passive DNS (pDNS) data, extracting over 50 current and historical features. These features include the age of the domain, its reputation, the number of previously used IP addresses, and the resolution lifespan. Leveraging these features, our pre-trained ML model effectively identifies masquerading behavior in real-time. In addition, our detection system employs comparative analysis techniques like web crawls, certificate fingerprints, and WHOIS information to enhance the precision of the ML model and proactively block these malicious domains. 
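To make the feature extraction described above concrete, here is an added illustration (not Palo Alto Networks code) that derives three of the named features, domain age, number of distinct IP addresses and resolution lifespan, from a constructed passive-DNS history, and flags the "park on a reputable address, then move off it" pattern. The trusted prefix, the pDNS records and the rule-based scorer standing in for the pre-trained model are all assumptions; the comparative web-crawl, certificate and WHOIS checks are not modelled.

```python
import ipaddress
from datetime import date

# Constructed stand-in for a reputable vendor's address space (RFC 5737 range, not a real prefix).
TRUSTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed pDNS resolution history for one domain: (first_seen, last_seen, ip).
# The domain parks on a trusted address to build reputation, then moves to its own host.
SUSPECT = [
    (date(2024, 3, 1), date(2024, 4, 29), "203.0.113.10"),
    (date(2024, 4, 30), date(2024, 5, 6), "198.51.100.7"),
]
# Constructed long-lived domain that has always resolved into the trusted range.
BENIGN = [(date(2019, 1, 1), date(2024, 5, 6), "203.0.113.20")]


def in_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PREFIXES)


def extract_features(history, today):
    """Domain age, distinct IP count, shortest resolution lifespan, and whether the
    domain ever hopped from a trusted address to an untrusted one."""
    history = sorted(history)
    age_days = (today - history[0][0]).days
    distinct_ips = len({ip for _, _, ip in history})
    shortest_lifespan = min((last - first).days for first, last, _ in history)
    left_trusted = any(
        in_trusted(a[2]) and not in_trusted(b[2])
        for a, b in zip(history, history[1:])
    )
    return {
        "age_days": age_days,
        "distinct_ips": distinct_ips,
        "shortest_lifespan_days": shortest_lifespan,
        "left_trusted": left_trusted,
    }


def is_masquerading(features, max_age_days=365):
    # Rule-based stand-in for the ML model: a young domain that borrowed a trusted
    # address and then resolved elsewhere is the masquerading pattern described above.
    return (features["left_trusted"]
            and features["age_days"] <= max_age_days
            and features["distinct_ips"] >= 2)


if __name__ == "__main__":
    today = date(2024, 5, 6)
    for name, hist in (("suspect", SUSPECT), ("benign", BENIGN)):
        f = extract_features(hist, today)
        print(name, f, "-> masquerading" if is_masquerading(f) else "-> clean")
```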


When Will the Domain Masquerading Detection be Available?

We are pleased to announce that domain masquerading detection is released on January 29, 2025 as part of the Grayware Domains category.

What Action Is Needed to Benefit from Domain Masquerading Detection?

Customers do not need to make any configuration changes unless they wish to modify the default or configured action of the Grayware Domains category. Domain masquerading detection is categorized as Grayware, and the default action for this category is set to block.

What is the Threat ID and Threat Name for the Domain Masquerading category?

To assist customers in identifying and managing domain masquerading threats, below are the details:

  • Threat ID: 109,002,006
  • Threat Name: Domain_masquerading:<FQDN>


Does Palo Alto Networks Have A Test Domain for the New Domain Masquerading Category?

Yes. To facilitate testing and familiarization with the new detection capability, we have included a test domain:

Test Domain: test-domain-masquerading.testpanw.com

Sample Threat Log Entry for Domain Masquerading Detection:

Below are snippets of how Domain Masquerading detection entries appear in the threat log of the firewall:

Figure 1: Monitor -> Logs -> Threat

Figure 2: Detail Log view

Additional Information

Please refer to the provided documentation for a comprehensive understanding of DNS Security Signature Categories and their significance in safeguarding your network.
