1 Introduction
This document explains what actions to take when a specific SecureDNS detection category has been seen in your environment.
Keep in mind that the categories explained in this document are blocked by us: the endpoint is protected because we do not allow it to connect to the malicious destination. The blocked DNS query itself, however, shows that something on the endpoint tried to reach that destination, and it is not known in advance what generated it. The goal of this document is to help you find out what is generating these queries and to remove the responsible software, malware or script from your environment.
2 SecureDNS categories
We have three types of categories in SecureDNS. The first type is dynamically loaded from our back-end database, the second type is Secutec managed, and the third type is based on specific behaviour observed in the security landscape at a certain point in time. The first two types are described in sections 3 and 4 below.
3 Dynamically loaded categories
These categories are generated from a multitude of input sources.
3.1 APT – Advanced Persistent Threat
3.1.1 Description
This category contains detections related to Advanced Persistent Threats. APTs are mostly linked to organised hacker groups and state-sponsored actors, and represent the more sophisticated attacks.
3.1.2 Remediation steps
If this category is seen in the environment, identify the source of the DNS queries, either by manually digging into your DNS logs or by using our enrichment engine, which automatically enriches the detection with the private (internal) IP address of the querying client (ONLY for customers who send us their DNS logs). Once the source host has been found, find out which process or program on it is generating these queries.
Ask the user whether any new software was installed around the detection time frame. We notice that in such cases an add-on or browser extension is often the component generating these queries. Remove accidentally installed adware and verify that the installed software is sanctioned by your IT department and company policy.
Perform an on-demand scan with your endpoint security software to see whether a threat is found and can be cleaned. If an application was installed prior to or during the detection time frame, reimage the device as quickly as possible: you cannot be sure what happened on the device or whether data has been exfiltrated. Before reimaging, collect the evidence your incident response process requires (relevant logs, and a disk or memory image if you take them), since reimaging destroys it.
Check your firewall logs for connections to those IP addresses or websites, both from the infected system and from other systems, and block these connections (external connections). Also check for lateral movement of the malware in your network by reviewing the infected system's connections to other internal hosts around the detection time frame (internal connections).
3.2 Botnet – collection of bots
3.2.1 Description
This category contains detections related to botnet activity. Botnet activity indicates that the device may be part of a collection of bots used to perform cyberattacks on specific parties or companies. A botnet always has a bot master that sends instructions to its bots, for example to start an attack, to start sending spam, or to move laterally inside the network. The bots in turn send information to the bot master, ranging from a simple call-home to data exfiltrated from the endpoint.
3.2.2 Remediation steps
If this category is seen in the environment, identify the source of the DNS queries, either by manually digging into your DNS logs or by using our enrichment engine, which automatically enriches the detection with the private (internal) IP address of the querying client (ONLY for customers who send us their DNS logs). Once the source host has been found, find out which process or application on it is making these calls back to the bot master.
Ask the user whether any new software was installed around the detection time frame. We notice that in such cases an add-on or browser extension is often the component generating these queries. Remove accidentally installed adware and verify that the installed software is sanctioned by your IT department and company policy.
Ask the user which websites they visited around the detection time frame. We have seen that advertisements served on certain websites connect to botnet domains, so the query may have been triggered by an ad rather than by software installed on the device.
Perform an on-demand scan with your endpoint security software to see whether a threat is found and can be cleaned.
Check your firewall logs for connections to those IP addresses or websites, both from the infected system and from other systems, and block these connections (external connections). Also check for lateral movement of the malware in your network by reviewing the infected system's connections to other internal hosts around the detection time frame (internal connections).
3.3 Newdomain - Newly seen domain
3.3.1 Description
This category contains detections related to newly seen domains. These domains were only just registered and may host malicious downloads, phishing pages and the like.
These domains are blocked for 24 hours. During those 24 hours our SOC team analyses the domain and moves it to another category based on its findings.
3.3.2 Remediation steps
If this category is seen in the environment, identify the source of the DNS queries, either by manually digging into your DNS logs or by using our enrichment engine, which automatically enriches the detection with the private (internal) IP address of the querying client (ONLY for customers who send us their DNS logs). Once the source has been found, find out when the event occurred.
As this DNS query is blocked and the domain is meanwhile being analysed by our SOC team, the domain will be re-categorised into another Secutec managed category if it is found to be malicious or suspicious. If it is not found to be malicious, it is automatically unblocked after 24 hours. If you need an exception during these 24 hours, please contact support.
4 Secutec managed categories
The Secutec managed lists are generated and maintained from the input of our SOC team, which analyses the domains queried by customers using our SecureDNS.
4.1 Phishing - Phishing websites
4.1.1 Description
This category contains websites, analysed by our SOC team, that are used to perform phishing attacks. Examples of phishing seen so far target O365 credentials, banks, and general information gathering.
4.1.2 Remediation steps
If this category is seen in the environment, identify the source of the DNS queries, either by manually digging into your DNS logs or by using our enrichment engine, which automatically enriches the detection with the private (internal) IP address of the querying client (ONLY for customers who send us their DNS logs). Once the source has been found, find out when the event occurred.
Ask the user what happened around the detection time frame and try to establish how the link was received: a link in an email, a link in a document, and so on. Adjust the security policy of the product through which it was received, for example your email server, and block the email. Also check whether the same email was sent to other users inside the company. Verify whether the impacted users shared personal, security-related or corporate data. Change their passwords, adapt authentication methods (for example, enforce multi-factor authentication) and revoke active sessions where the platform supports it, and verify whether unauthorised logins occurred with leaked or stolen credentials on any impacted platform, if one exists.
4.2 Spam - Spam links
4.2.1 Description
This category contains websites, analysed by our SOC team, that are used in spam campaigns. By clicking on such a link the user confirms to the spammer that the email address is valid, and even more unwanted email will follow. We have also seen multiple spam links lead to phishing or malicious websites, which poses a risk to the end user and ultimately to the company.
4.2.2 Remediation steps
If this category is seen in the environment, identify the source of the DNS queries, either by manually digging into your DNS logs or by using our enrichment engine, which automatically enriches the detection with the private (internal) IP address of the querying client (ONLY for customers who send us their DNS logs). Once the source has been found, find out when the event occurred.
Ask the user what happened around the detection time frame and try to establish which email address the message came from by looking at the email logs and message headers. Note that the From address shown to the user is chosen by the sender and easily forged, so also look at the envelope sender (Return-Path) and the sending server in the Received headers. Adjust the security policy of your email provider to block such addresses so that other users do not run into the same issue.
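Sections 4.1 and 4.2 both come down to the same mail triage: identify the sending address from the headers and the mail logs, see which link in the message points at the blocked domain, and find out who else in the company received it. The following Python script, added here as an illustration and not part of this document or of Secutec's SecureDNS tooling, does this for a constructed phishing message and a constructed delivery log. The blocked domain login-o365.example.invalid, all addresses, and the "key=value" log format are assumptions; parse_mail_log() must be adapted to the log format your own mail server writes.

```python
"""Phishing / spam mail triage: who sent the message, which of its links
point at the blocked domain, and who else received it.

Added example, not Secutec's code. The raw message, the addresses and the
delivery-log format (one line per delivery, "key=value" tokens) are
constructed; adapt parse_mail_log() to your own mail server's log format.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

BLOCKED_DOMAIN = "login-o365.example.invalid"  # assumed SecureDNS detection

# Constructed phishing message as received by the reporting user.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.invalid>
Message-ID: <1234.abc@mailer.example.invalid>
From: "IT Helpdesk" <helpdesk@corp-support.example.invalid>
Reply-To: verify@login-o365.example.invalid
To: alice@corp.example
Subject: Your mailbox is almost full
Content-Type: text/html; charset="utf-8"

<html><body>Please <a href="https://login-o365.example.invalid/verify?u=alice">re-validate</a>
your account. <img src="http://cdn.example/logo.png"></body></html>
"""

# Constructed mail server delivery log (assumed format).
MAIL_LOG = """\
2024-05-02T08:14:02Z id=<1234.abc@mailer.example.invalid> from=bounce@mailer.example.invalid to=alice@corp.example status=delivered
2024-05-02T08:14:02Z id=<1234.abc@mailer.example.invalid> from=bounce@mailer.example.invalid to=bob@corp.example status=delivered
2024-05-02T08:14:03Z id=<1234.abc@mailer.example.invalid> from=bounce@mailer.example.invalid to=carol@corp.example status=delivered
2024-05-02T08:20:11Z id=<77.xyz@mailer.example.invalid> from=bounce@mailer.example.invalid to=dave@corp.example status=delivered
2024-05-02T09:01:00Z id=<9.q@partner.example> from=news@partner.example to=alice@corp.example status=delivered
""".splitlines()

URL_RE = re.compile(r'https?://[^\s"\'<>]+')


def _addr(header_value):
    """Bare lower-cased address from a header like '"Name" <a@b>'."""
    return parseaddr(str(header_value or ""))[1].lower()


def _msgid(value):
    return str(value or "").strip().strip("<>")


def on_domain(host, domain):
    """True if host is the blocked domain or a subdomain of it."""
    return host is not None and (host == domain or host.endswith("." + domain))


def parse_message(raw):
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    return {
        "message_id": _msgid(msg["Message-ID"]),
        "from": _addr(msg["From"]),              # what the user sees; forgeable
        "return_path": _addr(msg["Return-Path"]),  # envelope sender
        "reply_to": _addr(msg["Reply-To"]),      # where replies would go
        "urls": URL_RE.findall(text),
    }


def parse_mail_log(lines):
    rows = []
    for line in lines:
        ts, *tokens = line.split()
        row = {"ts": ts}
        for token in tokens:
            key, _, value = token.partition("=")
            row[key] = value
        row["id"] = _msgid(row.get("id"))
        rows.append(row)
    return rows


def other_recipients(rows, message_id=None, sender=None):
    """Recipients of the same message (by Message-ID) and/or of anything
    from the same envelope sender. Message-ID is sender-controlled and may
    differ per copy, so the sender match casts the wider net."""
    hits = set()
    for r in rows:
        if message_id and r["id"] == message_id:
            hits.add(r["to"].lower())
        if sender and r.get("from", "").lower() == sender:
            hits.add(r["to"].lower())
    return hits


def investigate(raw, log_lines, blocked_domain):
    m = parse_message(raw)
    rows = parse_mail_log(log_lines)
    bad_urls = [u for u in m["urls"] if on_domain(urlsplit(u).hostname, blocked_domain)]
    return {
        "message": m,
        "bad_urls": bad_urls,
        "same_message_recipients": other_recipients(rows, message_id=m["message_id"]),
        "same_sender_recipients": other_recipients(rows, sender=m["return_path"]),
        "addresses_to_block": sorted({a for a in (m["from"], m["return_path"], m["reply_to"]) if a}),
    }


if __name__ == "__main__":
    report = investigate(RAW_MESSAGE, MAIL_LOG, BLOCKED_DOMAIN)
    print("links on blocked domain:", report["bad_urls"])
    print("received the same message:", sorted(report["same_message_recipients"]))
    print("received anything from that sender:", sorted(report["same_sender_recipients"]))
    print("addresses to block:", report["addresses_to_block"])
```

In the sample, three users received the same message and a fourth received a different message from the same envelope sender, which is why the block list is built from From, Return-Path and Reply-To together rather than from the display name the user saw.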
4.3 Malware - Malware distributing websites
4.3.1 Description
This category contains websites, analysed by our SOC team, that are used to distribute malware. These links lead to malicious software that, once installed, can spread viruses or other malware and wreak havoc in the customer's environment.
4.3.2 Remediation steps
If this category is seen in the environment, identify the source of the DNS queries, either by manually digging into your DNS logs or by using our enrichment engine, which automatically enriches the detection with the private (internal) IP address of the querying client (ONLY for customers who send us their DNS logs). Once the source has been found, find out when the event occurred.
Ask the user whether any new software was installed around the detection time frame. We notice that in such cases an add-on or browser extension is often the component generating these queries to malicious websites. Remove accidentally installed adware and verify that the installed software is sanctioned by your IT department and company policy.
Perform an on-demand scan with your endpoint security software to see whether a threat is found and can be cleaned.
Check your firewall logs for connections to those IP addresses or websites, both from the infected system and from other systems, and block these connections (external connections). Also check for lateral movement of the malware in your network by reviewing the infected system's connections to other internal hosts around the detection time frame (internal connections).
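The remediation steps in sections 3.1, 3.2 and 4.3 repeat the same procedure: find which internal client queried the blocked name and when, then check the firewall logs for connections to the related IP addresses from that host and from any other host, and for internal connections from the suspect host that could indicate lateral movement. The following Python script, added here as an illustration and not part of this document or of Secutec's SecureDNS tooling, runs that triage over constructed resolver and firewall log lines. The two log formats, the domain c2.example.invalid and the TEST-NET IP addresses are assumptions; parse_dns_log() and parse_fw_log() must be adapted to what your resolver and firewall actually write.

```python
"""Triage of a blocked SecureDNS detection (APT, Botnet, Malware):
1. which internal client queried the blocked name, and when;
2. which hosts (the suspect and any others) contacted the related IPs
   according to the firewall (external connections);
3. which internal hosts the suspect contacted around the detection
   window (possible lateral movement).

Added example, not Secutec's code. The log formats are assumed:
  resolver log  "<ISO time> <client IP> <queried name> <action>"
  firewall log  "<ISO time> <src IP> <dst IP> <dst port> <action>"
Adapt parse_dns_log() and parse_fw_log() to what your systems write.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

BLOCKED_DOMAIN = "c2.example.invalid"            # assumed detection
BLOCKED_IPS = {"203.0.113.45", "198.51.100.7"}   # assumed, TEST-NET ranges
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed resolver log; the BLOCKED lines are the SecureDNS detection.
DNS_LOG = """\
2024-05-02T09:58:10Z 10.1.4.23 update.vendor.example NOERROR
2024-05-02T10:00:01Z 10.1.4.23 c2.example.invalid BLOCKED
2024-05-02T10:00:31Z 10.1.4.23 c2.example.invalid BLOCKED
2024-05-02T10:01:02Z 10.1.4.23 c2.example.invalid BLOCKED
2024-05-02T10:05:44Z 10.1.7.9  mail.example NOERROR
2024-05-02T10:07:15Z 10.1.7.9  c2.example.invalid BLOCKED
""".splitlines()

# Constructed firewall log.
FW_LOG = """\
2024-05-02T09:59:50Z 10.1.4.23 203.0.113.45 443 ALLOW
2024-05-02T10:00:05Z 10.1.4.23 203.0.113.45 443 ALLOW
2024-05-02T10:02:30Z 10.1.4.23 10.1.4.50 445 ALLOW
2024-05-02T10:03:10Z 10.1.4.23 10.1.9.2 3389 ALLOW
2024-05-02T10:06:00Z 10.1.7.9 198.51.100.7 8080 DENY
2024-05-02T10:06:30Z 10.1.2.2 203.0.113.45 443 ALLOW
2024-05-02T11:30:00Z 10.1.4.23 10.1.4.1 53 ALLOW
""".splitlines()


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns_log(lines):
    rows = []
    for line in lines:
        ts, client, name, action = line.split()
        rows.append({"ts": _ts(ts), "client": client,
                     "name": name.lower().rstrip("."), "action": action})
    return rows


def parse_fw_log(lines):
    rows = []
    for line in lines:
        ts, src, dst, port, action = line.split()
        rows.append({"ts": _ts(ts), "src": src, "dst": dst,
                     "port": int(port), "action": action})
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def query_sources(dns_rows, domain):
    """Step 1: clients that asked for the blocked name (or a subdomain of
    it), with query count and first/last timestamp (the detection window)."""
    domain = domain.lower()
    found = {}
    for r in dns_rows:
        if r["name"] == domain or r["name"].endswith("." + domain):
            s = found.setdefault(r["client"], {"count": 0, "first": r["ts"], "last": r["ts"]})
            s["count"] += 1
            s["first"] = min(s["first"], r["ts"])
            s["last"] = max(s["last"], r["ts"])
    return found


def external_contacts(fw_rows, bad_ips):
    """Step 2: every host that connected (or tried to) to the listed IPs,
    not only the one that triggered the detection: a host with a
    hard-coded IP never needs the DNS query."""
    hits = defaultdict(list)
    for r in fw_rows:
        if r["dst"] in bad_ips:
            hits[r["src"]].append((r["ts"], r["dst"], r["port"], r["action"]))
    return dict(hits)


def lateral_movement(fw_rows, host, first, last, slack=timedelta(hours=1)):
    """Step 3: internal-to-internal connections from the suspect host,
    from `slack` before the first query to `slack` after the last one."""
    lo, hi = first - slack, last + slack
    return [(r["ts"], r["dst"], r["port"]) for r in fw_rows
            if r["src"] == host and is_internal(r["dst"]) and lo <= r["ts"] <= hi]


def triage(dns_lines, fw_lines, domain, bad_ips):
    dns_rows, fw_rows = parse_dns_log(dns_lines), parse_fw_log(fw_lines)
    sources = query_sources(dns_rows, domain)
    return {
        "sources": sources,
        "external": external_contacts(fw_rows, bad_ips),
        "lateral": {h: lateral_movement(fw_rows, h, s["first"], s["last"])
                    for h, s in sources.items()},
    }


if __name__ == "__main__":
    report = triage(DNS_LOG, FW_LOG, BLOCKED_DOMAIN, BLOCKED_IPS)
    for host, s in report["sources"].items():
        print(f"{host}: {s['count']} queries for {BLOCKED_DOMAIN}, {s['first']} .. {s['last']}")
    for host, conns in report["external"].items():
        print(f"{host} -> blocked IPs: {conns}")
    for host, conns in report["lateral"].items():
        print(f"{host} internal connections near detection: {conns}")
```

In the sample the firewall check surfaces a third host (10.1.2.2) that never issued the blocked DNS query but did connect to one of the listed IPs, which is the "other systems" case the firewall step is meant to catch; the lateral-movement list for the suspect host excludes its connection at 11:30, which falls outside the one-hour slack around the detection window.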
4.4 Blacklist - Blacklisted websites
4.4.1 Description
This category contains websites, analysed by our SOC team, that do not fall under any of the other categories described above: suspicious websites, websites reported by customers, and so on.
4.4.2 Remediation steps
If this category is seen in the environment, identify the source of the DNS queries, either by manually digging into your DNS logs or by using our enrichment engine, which automatically enriches the detection with the private (internal) IP address of the querying client (ONLY for customers who send us their DNS logs). Once the source has been found, find out when the event occurred.
Ask the user what they were doing around the detection time frame and try to establish what triggered this event.
5 Extra detection information
If, after following this document, you are still not able to find and remove the malicious process, application or script, you can contact Secutec Support:
Specifically for SecureDNS: support@secure-dns.eu
03/877.82.92