
Bad External Client DNS

This alert occurs when Lacework detects that an external host flagged as malicious by intelligence sources has connected to an internal host. If the connection cannot be associated with an application, Lacework generates a machine alert instead.

Why this Alert is Important

This alert typically indicates that an external host associated with various attacks is attempting to connect to an Internet-facing service in your infrastructure. These connection attempts may include automated port scanning, service discovery, brute-forcing, or application exploitation. Such an alert may highlight services that have been mistakenly exposed to the Internet.

Investigation

Investigate the threat tags and any open source information to determine what activity has been associated with this external host in the past. Examine the number of connections and the size of the data transfer for each connection to determine whether meaningful data has been transferred (more than 10 KB per connection). If the target application requires a password, review its logs for successful login activity from the remote IP.
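The checks above, run over constructed connection records and auth-log lines, as an added example that is not Lacework's code; the sample data, the sshd-style log format and the helper names are assumptions:

```python
# Added triage helper, not Lacework code: applies the page's checks to constructed
# connection records and auth-log lines (all sample values are made up).
import re
from collections import defaultdict

MEANINGFUL_BYTES = 10 * 1024  # page's threshold: over 10 KB per connection

# Constructed sample data: (remote_ip, internal_host, bytes_transferred)
CONNECTIONS = [
    ("198.51.100.7", "web-01", 512),
    ("198.51.100.7", "web-01", 20480),
    ("198.51.100.7", "web-01", 640),
    ("203.0.113.9", "web-02", 300),
]

# Constructed sshd-style auth log lines.
AUTH_LOG = """\
Mar 3 10:01:12 web-01 sshd[2201]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Mar 3 10:01:15 web-01 sshd[2201]: Failed password for admin from 198.51.100.7 port 51022 ssh2
Mar 3 10:02:40 web-01 sshd[2210]: Accepted password for deploy from 198.51.100.7 port 51100 ssh2
Mar 3 10:03:01 web-02 sshd[2310]: Failed password for root from 203.0.113.9 port 40001 ssh2
"""
LOGIN_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (\S+) from (\S+) port")

def summarize_connections(conns):
    """Per remote IP: total connections and how many moved more than 10 KB."""
    out = defaultdict(lambda: {"connections": 0, "meaningful": 0})
    for ip, _host, nbytes in conns:
        out[ip]["connections"] += 1
        if nbytes > MEANINGFUL_BYTES:
            out[ip]["meaningful"] += 1
    return dict(out)

def successful_logins(log_text, ip):
    """Users with an accepted login from ip (failed attempts are ignored)."""
    users = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group(1) == "Accepted" and m.group(3) == ip:
            users.append(m.group(2))
    return users

def triage(conns, log_text):
    """Combine both checks; a hit on either means the Resolution steps apply."""
    report = {}
    for ip, stats in summarize_connections(conns).items():
        logins = successful_logins(log_text, ip)
        report[ip] = {**stats, "logins": logins,
                      "likely_successful": stats["meaningful"] > 0 or bool(logins)}
    return report
```

Feed it the connection summary and the auth log for the host named in the alert; an IP marked `likely_successful` is the one to take into the Resolution steps first.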

Resolution

Determine whether the activity associated with the external host was successful. If it was, remediate the affected services and inspect for signs of persistence and lateral movement. If possible, block future communications from the host. Additionally, determine whether the application in question should be Internet-accessible at all.