{"id":1371,"date":"2018-07-11T21:32:57","date_gmt":"2018-07-11T21:32:57","guid":{"rendered":"https:\/\/live-infoblox-blog.pantheonsite.io\/?p=1371"},"modified":"2020-05-06T10:27:05","modified_gmt":"2020-05-06T17:27:05","slug":"top-security-report-5-top-malware-amp-dns-tunneling-by-client","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/community\/top-security-report-5-top-malware-amp-dns-tunneling-by-client\/","title":{"rendered":"Top Security Report #5 – Top Malware & DNS Tunneling by Client"},"content":{"rendered":"

This blog discusses the report #5 in a series of seven top security reports that can help you defend against bad actors.<\/p>\n

Here are the previous parts:\u00a0part 1<\/a>, part 2<\/a>,\u00a0part 3<\/a>\u00a0<\/p>\n

Top Malware & DNS Tunneling by Client<\/h2>\n

Accessed through the security dashboard, this report requires Active Trust\/Active Trust Cloud. It provides filters for timeframe, members, source IP addresses, Network Address Translation (NAT) status and source port making the query. For the source IP, the admin can use wildcards or Classless Inter-Domain Routing (CIDR) notation to view a specific subnet. Admins can also see NATed public IP addresses inside their private network for additional visibility. This report returns the top client IP culprits, the number of associated tunneling events, the number of malicious queries and the date\/time last seen. The admin can drill down for historical data, sort by the top number of queries, the most recent, or most prolific to identify and arrest bad actors engaged in malware or data exfiltration activities.<\/p>\n\n\n\n\n\n\n\n\n\n
Top Report #5: Top Malware &\u00a0<\/strong>DNS Tunneling by Client<\/strong><\/td>\n<\/tr>\n
Service Area<\/strong><\/td>\nData Protection & Malware Mitigation<\/td>\n<\/tr>\n
Purpose<\/strong><\/td>\nLists clients with the most outbound malicious queries (RPZ hits) & DNS tunneling events in a given timeframe<\/td>\n<\/tr>\n
Primary User<\/strong><\/td>\nNetwork & Security Admins<\/td>\n<\/tr>\n
Importance<\/strong><\/td>\nIdentifies top infected clients making outbound malicious queries & those<\/p>\n

tied to DNS tunneling, enabling security to prioritize efforts to prevent malware spread & damage from DNS tunneling attempts (e.g. data exfiltration)<\/td>\n<\/tr>\n

Use Case<\/strong><\/td>\nSecurity teams are seeking bad actors who are making malicious DNS queries & DNS tunneling activity related to data exfiltration<\/td>\n<\/tr>\n
Available<\/strong><\/td>\nOut-of-the-box & requires Active Trust\/Active Trust Cloud (AT\/ATC)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The Top Malware & DNS Tunneling by Client report addresses data protection and malware mitigation by listing clients with the most outbound queries (via Response Policy Zone (RPZ) hits) and DNS tunneling activities in a given timeframe.\u00a0 It\u2019s a favorite of network and security admins because, for\u00a0network teams<\/em><\/strong>, it identifies the top infected clients making outbound malicious queries.\u00a0 For\u00a0security teams<\/em><\/strong>, it identifies IP addresses tied to DNS tunneling, helps prioritize DNS security efforts to prevent malware spread and damage and reveals bad actors trying to steal or get data off the network.\u00a0 This report is frequently used when security teams are seeking those responsible for making malicious DNS queries or engaged in DNS tunneling to exfiltrate sensitive data outside the company in order to remove them from the network.<\/p>\n

\"\"<\/p>\n

Here are the seven (7) security reports that can give you an edge over the bad actors.<\/p>\n