As DNS threats become more sophisticated, adversaries are increasingly using DNS as a key vector for attacks against organizations. This is why Palo Alto Networks’ cloud-delivered DNS Security service is constantly identifying new threats to secure your DNS traffic. Our latest protection identifies domains that have been intentionally aged to bypass security vendors’ reputation checks. We call them Strategically Aged Domains. The DNS Security service proactively identifies strategically aged domains based on traffic distribution, domain analysis and the characteristics of the subdomains being queried.
It’s well known that Newly Registered Domains (NRDs) are widely used for malicious activity. At Palo Alto Networks, we have mechanisms in place, such as monitoring DNS zone files and passive DNS data, to detect these emerging malicious domains before a patient-zero web threat appears. However, focusing on NRDs alone is not enough, as threat actors are coming up with advanced ways to evade existing protections.
Strategically Aged Domains are domains that are registered well in advance of their use. They are reserved and left dormant for months or even years before being used in attack campaigns, precisely so that they pass security vendors’ reputation checks. Because these domains have built up a benign reputation over time, it can take longer to detect the point at which malicious activity begins, and that delay is the advantage attackers gain from using them.
For example, Advanced Persistent Threat (APT) malware can stay dormant for years, so that its infrastructure is deemed benign, and then suddenly activate and produce a large volume of malicious traffic through its command and control (C2) domains. The SolarWinds supply chain attack with the SUNBURST trojan in December 2020 used strategically aged domains together with a domain generation algorithm (DGA) to bypass security controls and exfiltrate identifying information about the compromised hosts.
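As an added example (not code from this post or from Palo Alto Networks’ DNS Security service), the Python sketch below scores domains on the three signals the post names: domain age relative to its registration date, a long dormant period followed by a burst of queries, and high-entropy subdomain labels of the kind a DGA produces. The registration dates, passive-DNS records, thresholds and field names are all constructed assumptions for the example.

```python
"""Added example: heuristic detection of strategically aged domains.

Illustrative code written for this page, not Palo Alto Networks' DNS
Security implementation. Each base domain is scored on three signals:
domain age, traffic distribution (long dormancy followed by a burst), and
the characteristics of the queried subdomains (high-entropy, DGA-like
labels). Thresholds, field names and all input data are assumptions.
"""
import math
from collections import Counter
from datetime import date, timedelta

# Assumed thresholds; real tuning would be derived from production data.
MIN_AGE_DAYS = 180          # registered at least this long before the burst
BASELINE_MAX_QUERIES = 20   # at most this many queries before the burst window = "dormant"
BURST_WINDOW_DAYS = 7       # most recent window in which a burst is looked for
BURST_MIN_QUERIES = 200     # queries in the burst window needed to count as a burst
ENTROPY_MIN_BITS = 3.0      # mean Shannon entropy of burst-window labels that looks DGA-like

AS_OF = date(2021, 12, 7)   # analysis date (constructed)

# Constructed registration dates, as a hypothetical zone-file / WHOIS feed.
REGISTRATION = {
    "example-aged.com": date(2018, 3, 1),   # aged, dormant, then bursts: expect a hit
    "example-new.com": date(2021, 11, 20),  # same burst, but an NRD: NRD logic owns it
    "example-busy.com": date(2016, 5, 10),  # aged but steadily busy, human-readable labels
}

# Constructed passive-DNS records: (observation day, base domain, subdomain label, queries).
PASSIVE_DNS = [
    ("2021-06-14", "example-aged.com", "www", 2),
    ("2021-09-02", "example-aged.com", "www", 1),
    ("2021-12-02", "example-aged.com", "k3a9vd0q7s8ff2r", 120),
    ("2021-12-03", "example-aged.com", "w8x1pd63sk2mb", 160),
    ("2021-12-04", "example-aged.com", "zz0c4hn9v6qt", 95),
    ("2021-12-02", "example-new.com", "p0q9d2s7xk4m", 140),
    ("2021-12-03", "example-new.com", "h6t3r8b1nvz5", 160),
    ("2021-10-01", "example-busy.com", "www", 500),
    ("2021-11-01", "example-busy.com", "www", 520),
    ("2021-12-02", "example-busy.com", "www", 600),
    ("2021-12-03", "example-busy.com", "mail", 200),
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; 0.0 for an empty label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in Counter(label).values())


def analyze_domain(domain, registration, records, as_of):
    """Return the three signals and a verdict for one base domain, or None if unknown."""
    reg = registration.get(domain)
    own = [r for r in records if r[1] == domain]
    if reg is None or not own:
        return None
    burst_start = as_of - timedelta(days=BURST_WINDOW_DAYS - 1)
    baseline = [r for r in own if date.fromisoformat(r[0]) < burst_start]
    burst = [r for r in own if date.fromisoformat(r[0]) >= burst_start]
    baseline_queries = sum(r[3] for r in baseline)
    burst_queries = sum(r[3] for r in burst)
    labels = {r[2] for r in burst}
    mean_entropy = sum(shannon_entropy(l) for l in labels) / len(labels) if labels else 0.0
    age_days = (as_of - reg).days
    signals = {
        "aged": age_days >= MIN_AGE_DAYS,
        "dormant_then_burst": baseline_queries <= BASELINE_MAX_QUERIES
                              and burst_queries >= BURST_MIN_QUERIES,
        "dga_like_subdomains": mean_entropy >= ENTROPY_MIN_BITS,
    }
    return {
        "age_days": age_days,
        "baseline_queries": baseline_queries,
        "burst_queries": burst_queries,
        "mean_label_entropy": round(mean_entropy, 2),
        "signals": signals,
        "flagged": all(signals.values()),   # all three signals must agree
    }


def analyze_all(registration=REGISTRATION, records=PASSIVE_DNS, as_of=AS_OF):
    """Run analyze_domain over every registered domain."""
    return {d: analyze_domain(d, registration, records, as_of) for d in registration}


if __name__ == "__main__":
    for domain, result in analyze_all().items():
        print(f"{domain:18} flagged={result['flagged']!s:5} {result['signals']}")
```

In the sample data the newly registered domain shows the same burst and the same DGA-like labels as the aged one, yet is deliberately not flagged here: that case belongs to the NRD mechanisms the post describes, whereas the aged domain is only caught because its long dormancy is treated as a signal in its own right rather than as evidence of good reputation.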
Our cloud-based DNS Security service uses the following filters to identify potential attacks using strategically aged domains:
Strategically Aged Domain detection results are released in real time under the DNS Grayware category, which was introduced in the PAN-OS 10.0 release. Customers can then allow, block, or alert on these detections according to their policy for handling Grayware. Customers running PAN-OS 10.0 or later benefit from this new detection.
To learn more about how the DNS Security service can protect your DNS traffic from threats, sign up for:
Palo Alto Networks DNS Security: Disrupt DNS-Based Attacks
Unit 42: Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends
Unit 42: SolarStorm Supply Chain Attack Timeline