DNS Early Detection – Cobalt Strike DNS C2

This proof-of-value study shows how DNS exfiltration and command-and-control (C2) traffic can be detected by combining Suspicious Domain feeds with Threat Insight, drawing on two customers with different security policies: a large retail company and an educational institution. It contrasts how each customer responded to the flagged threats and highlights the SideWinder APT group, which abuses DNS for its malicious activity. Affected: e-commerce/retail, education, cybersecurity sector

Keypoints :

  • The study involved two customers with different security policies reacting to DNS threats.
  • Infoblox offers early detection of Suspicious Domains to enhance protection.
  • Threat Insight technology utilizes machine learning to inspect DNS traffic for risks.
  • SideWinder APT group is identified as a key threat actor using DNS for command and control.
  • Cobalt Strike, a commercial adversary-simulation tool built for red teams, is abused by threat actors to launch attacks.
  • Using multiple defense layers is emphasized for optimal DNS protection.
  • The study suggests a combined use of Suspicious Domain feeds and Threat Insight.
  • A specific malicious domain, army-lk[.]org, was flagged and analyzed in this context.
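The detection the study pairs (a feed match on a known suspicious domain plus inspection of the DNS traffic itself) can be illustrated with a small scorer run over query logs. The block below is an added example for this digest, not Infoblox code, and it does not describe how Threat Insight's model works; it uses simple heuristics that capture the shape DNS beacons such as Cobalt Strike's produce (many unique subdomains under one registered domain, hex-looking labels, a TXT-heavy record mix). The log lines, the feed contents, the thresholds and the "last two labels" rule for the registered domain are all assumptions made to keep it self-contained.

```python
"""Heuristic scoring of DNS query logs for tunnelled C2 / exfiltration.

Added illustration, not Infoblox code and not a description of Threat
Insight's model. Two layers are combined: a suspicious-domain feed match,
and behavioural features of the traffic under each registered domain.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "<epoch> <client> <qtype> <qname>".
SAMPLE_LOG = """\
1700000000 10.0.0.5 A    www.example.com
1700000001 10.0.0.5 A    mail.example.com
1700000002 10.0.0.5 AAAA www.example.com
1700000003 10.0.0.9 A    3f8a1c2b.d7e9f0aa.army-lk.org
1700000004 10.0.0.9 TXT  9b2e4d1f7a3c.0ab1c2d3e4f5.army-lk.org
1700000005 10.0.0.9 A    a1b2c3d4.e5f60718.army-lk.org
1700000006 10.0.0.9 TXT  4ce2a9bf1d0e.77f1aa02bc4d.army-lk.org
1700000007 10.0.0.9 AAAA 5d6e7f80.91a2b3c4.army-lk.org
1700000008 10.0.0.9 A    0f1e2d3c.4b5a6978.army-lk.org
1700000009 10.0.0.5 A    cdn.example.com
"""

# Constructed feed, written defanged the way the IOC appears in the digest.
SUSPICIOUS_DOMAIN_FEED = {"army-lk[.]org"}

HEX_LABEL = re.compile(r"^[0-9a-f]{8,}$")
# Record types that can carry payload bytes back to the client. Cobalt Strike
# can also use A/AAAA answers, so this ratio is only a weak signal on its own.
DATA_QTYPES = {"TXT", "NULL"}


def refang(indicator):
    """Turn a defanged indicator (army-lk[.]org) back into a matchable name."""
    return indicator.replace("[.]", ".").lower()


def shannon_entropy(s):
    """Bits of entropy per character; encoded labels score higher than words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    # Assumption for a self-contained example: registered domain = last two
    # labels. Production code needs a public-suffix list (e.g. for co.uk).
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse the constructed log format into (ts, client, qtype, qname)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((int(ts), client, qtype.upper(), qname.rstrip(".").lower()))
    return records


def score_domains(records, feed=SUSPICIOUS_DOMAIN_FEED, min_queries=5, min_entropy=2.5):
    """Aggregate per registered domain and score feed + behavioural signals."""
    feed_domains = {refang(d) for d in feed}
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "data_queries": 0,
                                 "labels": 0, "hex_labels": 0, "entropy_sum": 0.0})
    for _ts, _client, qtype, qname in records:
        dom = registered_domain(qname)
        st = stats[dom]
        st["queries"] += 1
        if qtype in DATA_QTYPES:
            st["data_queries"] += 1
        prefix = qname[: len(qname) - len(dom)].rstrip(".")
        if not prefix:          # query for the apex itself, no labels to inspect
            continue
        st["subdomains"].add(prefix)
        for label in prefix.split("."):
            st["labels"] += 1
            st["entropy_sum"] += shannon_entropy(label)
            if HEX_LABEL.match(label):
                st["hex_labels"] += 1

    results = {}
    for dom, st in stats.items():
        q, labels = st["queries"], st["labels"]
        unique_ratio = len(st["subdomains"]) / q
        hex_ratio = st["hex_labels"] / labels if labels else 0.0
        mean_entropy = st["entropy_sum"] / labels if labels else 0.0
        data_ratio = st["data_queries"] / q
        score, reasons = 0, []
        if dom in feed_domains:
            score += 3; reasons.append("listed in suspicious-domain feed")
        if q >= min_queries and unique_ratio >= 0.8:
            score += 2; reasons.append("almost every query uses a new subdomain")
        if hex_ratio >= 0.5:
            score += 2; reasons.append("labels look hex-encoded")
        if mean_entropy >= min_entropy:
            score += 1; reasons.append("high label entropy")
        if data_ratio >= 0.3:
            score += 1; reasons.append("TXT/NULL-heavy record mix")
        results[dom] = {"score": score, "suspicious": score >= 3,
                        "feed_hit": dom in feed_domains,
                        "unique_subdomain_ratio": unique_ratio,
                        "hex_label_ratio": hex_ratio,
                        "mean_label_entropy": round(mean_entropy, 2),
                        "data_qtype_ratio": data_ratio, "reasons": reasons}
    return results


if __name__ == "__main__":
    for dom, r in sorted(score_domains(parse_log(SAMPLE_LOG)).items()):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{dom:15} score={r['score']} {flag}  {'; '.join(r['reasons'])}")
```

The two layers are deliberately independent: with the feed emptied, the army-lk.org traffic is still flagged on behaviour alone, and a feed hit flags a domain before enough traffic has accumulated for the behavioural features to fire, which is the early-detection point the study makes about using both.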

MITRE Techniques :

  • Application Layer Protocol: DNS (T1071.004): The SideWinder APT uses DNS for command and control communications.
  • Exfiltration Over C2 Channel (T1041): Infoblox detects potential data-exfiltration activity related to suspicious domains in DNS traffic.

Indicator of Compromise :

  • [Domain] army-lk[.]org

Full Story: https://blogs.infoblox.com/threat-intelligence/dns-early-detection-cobalt-strike-dns-c2/