Top Security Report #5 – Top Malware & DNS Tunneling by Client

Share On Facebook
Share On Twitter
Share On Linkedin

This blog discusses the report #5 in a series of seven top security reports that can help you defend against bad actors.

Here are the previous parts: part 1, part 2part 3 

Top Malware & DNS Tunneling by Client

Accessed through the security dashboard, this report requires Active Trust/Active Trust Cloud. It provides filters for timeframe, members, source IP addresses, Network Address Translation (NAT) status and source port making the query. For the source IP, the admin can use wildcards or Classless Inter-Domain Routing (CIDR) notation to view a specific subnet. Admins can also see NATed public IP addresses inside their private network for additional visibility. This report returns the top client IP culprits, the number of associated tunneling events, the number of malicious queries and the date/time last seen. The admin can drill down for historical data, sort by the top number of queries, the most recent, or most prolific to identify and arrest bad actors engaged in malware or data exfiltration activities.

Top Report #5: Top Malware & DNS Tunneling by Client
Service Area Data Protection & Malware Mitigation
Purpose Lists clients with the most outbound malicious queries (RPZ hits) & DNS tunneling events in a given timeframe
Primary User Network & Security Admins
Importance Identifies top infected clients making outbound malicious queries & those

tied to DNS tunneling, enabling security to prioritize efforts to prevent malware spread & damage from DNS tunneling attempts (e.g. data exfiltration)
Use Case Security teams are seeking bad actors who are making malicious DNS queries & DNS tunneling activity related to data exfiltration
Available Out-of-the-box & requires Active Trust/Active Trust Cloud (AT/ATC)

The Top Malware & DNS Tunneling by Client report addresses data protection and malware mitigation by listing clients with the most outbound queries (via Response Policy Zone (RPZ) hits) and DNS tunneling activities in a given timeframe.  It’s a favorite of network and security admins because, for network teams, it identifies the top infected clients making outbound malicious queries.  For security teams, it identifies IP addresses tied to DNS tunneling, helps prioritize DNS security efforts to prevent malware spread and damage and reveals bad actors trying to steal or get data off the network.  This report is frequently used when security teams are seeking those responsible for making malicious DNS queries or engaged in DNS tunneling to exfiltrate sensitive data outside the company in order to remove them from the network.

Here are the seven (7) security reports that can give you an edge over the bad actors.

Learn more:

  • Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 7/17, 2018, 9A PDT, 12P EDT, 5P BST. Register
  • As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.

Labels:

Bob Rose

Sr. Product Marketing Manager, Solutions Marketing & DDI Value-Added Services at Infoblox

Bob has over 25 years of mid-to-senior level experience in B2B and B2C product marketing, product, project, program and partner management. This includes 14 years in technology (DDI, RPA, fintech, wireless and mobile apps, GIS and biometrics), 9 years in financial services, 3 years in healthcare and 2 years in manufacturing. He did his post-graduate work in Project Management and Quality and holds a Marketing Management BBA from Pacific Lutheran University in Tacoma, WA. He spends his personal time engaged in adult and youth ministries, coaching and watching soccer (go Liverpool FC & Sounders FC), sailing, camping, and listening to a variety of Christian, jazz and instrumental music.

View All Posts
×