This post covers report #5 in a series on seven top security reports that can help you defend against bad actors.
Here are the previous parts: part 1, part 2, part 3
Top Malware & DNS Tunneling by Client
Accessed through the security dashboard, this report requires Active Trust/Active Trust Cloud. It provides filters for timeframe, members, source IP address, Network Address Translation (NAT) status and the source port making the query. For the source IP, the admin can use wildcards or Classless Inter-Domain Routing (CIDR) notation to restrict the view to a specific subnet. Admins can also see the NATed public IP addresses associated with clients inside their private network for additional visibility. The report returns the top client IPs, the number of tunneling events associated with each, the number of malicious queries and the date/time each client was last seen. The admin can drill down into historical data and sort by number of queries, most recent activity or most prolific client to identify and stop hosts engaged in malware communication or data exfiltration. Note that the IPs at the top of this report are usually infected or compromised clients rather than the attacker, so they are the starting point for triage and containment.
| Top Report #5 | Top Malware & DNS Tunneling by Client |
| --- | --- |
| Service Area | Data Protection & Malware Mitigation |
| Purpose | Lists clients with the most outbound malicious queries (RPZ hits) & DNS tunneling events in a given timeframe |
| Primary User | Network & Security Admins |
| Importance | Identifies top infected clients making outbound malicious queries & those tied to DNS tunneling, enabling security to prioritize efforts to prevent malware spread & damage from DNS tunneling attempts (e.g. data exfiltration) |
| Use Case | Security teams are seeking bad actors who are making malicious DNS queries & DNS tunneling activity related to data exfiltration |
| Available | Out-of-the-box & requires Active Trust/Active Trust Cloud (AT/ATC) |
The Top Malware & DNS Tunneling by Client report addresses data protection and malware mitigation by listing the clients with the most outbound malicious queries (Response Policy Zone (RPZ) hits) and DNS tunneling events in a given timeframe. It is a favorite of both network and security admins: for network teams it identifies the top infected clients making outbound malicious queries; for security teams it identifies the IP addresses tied to DNS tunneling, helps prioritize DNS security efforts to contain malware spread and damage, and reveals hosts attempting to move data off the network. Security teams use it when hunting for the clients responsible for malicious DNS queries or for DNS tunneling that exfiltrates sensitive data outside the company, so that those hosts can be isolated and removed from the network.
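A worked example of the aggregation this report performs, added here and not code from the original post or from Infoblox. It parses constructed DNS security event lines (the line format and the event names RPZ, TUNNEL and NOERROR are assumptions made for this example, not the product's log format), groups RPZ hits and tunneling events by client IP, applies the report's timeframe, source IP (CIDR or wildcard) and source port filters, and ranks clients by number of malicious queries, most recent activity or most prolific overall.

```python
"""Summarise DNS security events per client in the shape of a
'Top Malware & DNS Tunneling by Client' report: group Response Policy Zone
(RPZ) hits and DNS tunneling detections by client IP, apply the report's
filters (timeframe, source IP by CIDR or wildcard, source port) and rank
the clients by queries, most recent activity or most prolific."""
import fnmatch
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample events for this example only (not real Infoblox output).
# One event per line: <UTC timestamp> <client_ip>:<source_port> <qname> <event>
# event is RPZ (query matched a Response Policy Zone), TUNNEL (flagged as
# DNS tunneling) or NOERROR (ordinary resolution, not counted by the report).
SAMPLE_LOG = """\
2018-07-10T09:00:01Z 10.1.2.3:51234 malware-c2.example.test RPZ
2018-07-10T09:00:05Z 10.1.2.3:51240 e7f1a9c0d4b2.exfil.example.test TUNNEL
2018-07-10T09:01:10Z 10.1.2.3:51241 0b19ff3a77de.exfil.example.test TUNNEL
2018-07-10T09:02:00Z 10.1.7.9:40001 malware-c2.example.test RPZ
2018-07-10T09:02:30Z 10.1.7.9:40002 phish.example.test RPZ
2018-07-10T09:03:00Z 10.1.7.9:40003 update.example.test NOERROR
2018-07-10T09:04:15Z 192.0.2.50:60000 c4a1.exfil.example.test TUNNEL
2018-07-10T09:05:00Z 10.2.0.4:33333 malware-c2.example.test RPZ
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
SECURITY_EVENTS = {"RPZ", "TUNNEL"}  # assumed event labels for this example


def parse_events(text):
    """Parse log lines into dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, qname, event = parts
        ip, _, port = src.rpartition(":")
        events.append({"time": datetime.strptime(ts, TS_FMT), "client": ip,
                       "port": int(port), "qname": qname, "event": event})
    return events


def client_matches(ip, pattern):
    """Source IP filter: None (no filter), CIDR such as 10.1.0.0/16, or a
    wildcard such as 10.1.* (beware that 10.1* would also match 10.10.x.x)."""
    if pattern is None:
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(ip, pattern)


def build_report(events, src_filter=None, since=None, until=None, port=None,
                 sort_by="queries"):
    """One row per client: tunneling_events, malicious_queries (RPZ hits) and
    last_seen. since/until are inclusive strings in TS_FMT. sort_by is
    'queries' (most RPZ hits), 'recent' (latest last_seen) or 'prolific'
    (most RPZ hits plus tunneling events combined)."""
    lo = datetime.strptime(since, TS_FMT) if since else None
    hi = datetime.strptime(until, TS_FMT) if until else None
    stats = defaultdict(lambda: {"tunnel": 0, "malicious": 0, "last": None})
    for ev in events:
        if ev["event"] not in SECURITY_EVENTS:
            continue  # only security events feed this report
        if not client_matches(ev["client"], src_filter):
            continue
        if (lo and ev["time"] < lo) or (hi and ev["time"] > hi):
            continue
        if port is not None and ev["port"] != port:
            continue
        s = stats[ev["client"]]
        s["tunnel" if ev["event"] == "TUNNEL" else "malicious"] += 1
        if s["last"] is None or ev["time"] > s["last"]:
            s["last"] = ev["time"]

    def rank(item):
        ip, s = item
        addr = ipaddress.ip_address(ip)  # numeric tie-break, not string order
        if sort_by == "queries":
            return (-s["malicious"], -s["tunnel"], addr)
        if sort_by == "prolific":
            return (-(s["malicious"] + s["tunnel"]), -s["malicious"], addr)
        if sort_by == "recent":
            return (datetime.max - s["last"], addr)  # smaller gap = more recent
        raise ValueError(f"unknown sort_by: {sort_by}")

    return [{"client": ip, "tunneling_events": s["tunnel"],
             "malicious_queries": s["malicious"],
             "last_seen": s["last"].strftime(TS_FMT)}
            for ip, s in sorted(stats.items(), key=rank)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for row in build_report(evs, sort_by="queries"):
        print(row)
    print("--- 10.1.0.0/16 since 09:01, most recent first ---")
    for row in build_report(evs, src_filter="10.1.0.0/16",
                            since="2018-07-10T09:01:00Z", sort_by="recent"):
        print(row)
```

Two points the example makes concrete: the default ranking puts the client with the most RPZ hits first, while the "prolific" ranking surfaces 10.1.2.3, whose two tunneling events and one RPZ hit together outweigh it, so the sort order changes which host gets triaged first. Also, several hosts behind one NATed address collapse into a single row, which is why the NAT status and source port filters matter when the client address alone does not identify the machine.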
Here are the seven (7) security reports that can give you an edge over the bad actors.
- Top Security Report #7: DNS Top NXDOMAIN – NOERROR
- Top Report #6: Threat Protection – Top Rules by Source
- Top Report #5: Top Malware & DNS Tunneling by Client
- Top Report #4: Tunneling Traffic by Category
- Top Report #3: DNS Top Tunneling Activity
- Top Report #2: Malicious Activity by Client
- Top Report #1: DNS Top RPZ Hits
- Join the Infoblox Reporting & Analytics Technical Demo Series to continue the discussion in the free webinar on 7/17, 2018, 9A PDT, 12P EDT, 5P BST. Register
- As an existing Infoblox DDI customer, you can deploy a virtual Infoblox Reporting & Analytics appliance free of charge — no strings attached. Download and try the Reporting & Analytics Free Tier today.