Bad External Host
This alert fires when Lacework detects that an outbound connection has been made from your cloud deployment to an external domain that has not been accessed within the last 24 hours and that has been flagged as potentially malicious by threat intelligence sources. Lacework identifies the destination domain name through a reverse IP lookup that correlates the DNS queries and network connections observed in your cloud deployment. Domain names are aggregated by their second-level domain, except for AWS domains, which are aggregated by service name (for example, ec2.amazonaws.com).
Why this alert is important
Software running in cloud deployments generally exhibits consistent network behavior, so new access to an external domain flagged as malicious warrants investigation, particularly when the domain is unrelated to business operations.
When software establishes connections with potentially malicious domains, it could be due to various reasons, including:
- Supply chain attacks, where malicious code is injected into open source or third-party software.
- Malware reaching out to command and control servers.
- Attackers employing techniques like SSRF (Server-Side Request Forgery) or exploiting vulnerabilities within applications.
These scenarios highlight the importance of thoroughly examining and addressing any connections to potentially malicious domains to ensure the security and integrity of the cloud environment.
Why this might be just fine
There are instances where domains flagged as malicious no longer pose a threat or have been inaccurately labeled by third-party intelligence sources. Additionally, domains that are routinely contacted in certain industries, such as cryptocurrency trading, may indicate crypto-mining activity when they are contacted from an organization outside that industry.
New tools are regularly introduced in cloud environments, which can result in accessing new domains that are necessary for their operation, including those owned by the software vendor. Therefore, the presence of a new domain alone does not automatically indicate a security breach. Nonetheless, it is important for the security team to monitor the behavior of all newly introduced software.
Certain use cases inherently require access to new domain names, for instance reputation systems that browse user-supplied URLs or marketing software that gathers intelligence from across the web. Lacework identifies software or hosts in your deployment that interact with a large number of external domains and aggregates these connections so that individual domains do not each trigger an alert. Further customization options for alert criteria are described in Suppress Crawler-Related Alerts.
Investigation
Each instance of this alert requires investigation. When examining the Alert Details in the Lacework Console, direct your attention to the following critical areas:
- Analyze the Threat Tags and Threat Source information in the What section. These explain why the IP was flagged, for example as a possible Tor exit node.
- Use the Investigation tab for a more in-depth analysis. The Polygraphs, Process Details, and Container Image Information cards help identify the specific machine, process, or container that made the connection. Also review the metadata, including tags, to determine who owns the service or infrastructure involved, and contact that team to ask whether any changes made during the alert timeframe could explain the connection.
- Check the Where section to verify whether any data was transferred. Investigate further if the transfer is significant, that is, more than 10KB.
- For an IP address that requires deeper investigation, click the IP address to access the network dossier, which provides additional observations related to that address within your environment. You can also click the View on VirusTotal link at the top of the screen to access VirusTotal for a third-party analysis of the IP address.
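The alert criteria described at the top of this page (a domain aggregated by second-level domain or AWS service name, not accessed within the prior 24 hours, and flagged by an intelligence source) and the 10KB data-transfer check from the investigation steps, reimplemented as a small detection routine. This is an added example, not Lacework's own code: the DNS answers, connections and flagged-domain list are constructed, and the rule that an AWS service name is the leftmost label of an amazonaws.com hostname is an assumption.

```python
from datetime import datetime, timedelta
# Constructed sample inputs, not real observations or a real intel feed.
DNS_ANSWERS = {  # dst IP -> FQDN, as correlated from observed DNS responses
    "203.0.113.10": "updates.vendor-example.com",
    "198.51.100.7": "cdn.bad-example.net",
    "198.51.100.9": "api.old-evil-example.org",
    "192.0.2.44": "ec2.us-west-2.amazonaws.com",
}
FLAGGED = {"bad-example.net", "old-evil-example.org"}  # flagged aggregated domains
SAMPLE_CONNS = [  # (observed at, destination IP, bytes sent)
    (datetime(2024, 4, 29, 8, 0), "198.51.100.7", 300),    # >24h before: stale
    (datetime(2024, 4, 30, 20, 0), "198.51.100.9", 900),   # 13h before: still known
    (datetime(2024, 5, 1, 9, 0), "203.0.113.10", 2048),    # new but not flagged
    (datetime(2024, 5, 1, 9, 5), "192.0.2.44", 512),       # AWS service, not flagged
    (datetime(2024, 5, 1, 9, 10), "198.51.100.7", 4000),   # new again and flagged
    (datetime(2024, 5, 1, 9, 15), "198.51.100.9", 700),    # seen within 24h: no alert
    (datetime(2024, 5, 1, 9, 20), "198.51.100.7", 8000),   # same domain: adds bytes
    (datetime(2024, 5, 1, 9, 30), "10.0.0.5", 100),        # no DNS answer: skipped
]
NEW_WINDOW = timedelta(hours=24)   # "not accessed within the last 24 hours"
SIGNIFICANT_BYTES = 10 * 1024      # the 10KB threshold used during investigation
EVAL_SINCE = datetime(2024, 5, 1)  # only connections from here on can raise alerts

def aggregate_domain(fqdn: str) -> str:
    """Aggregation key: second-level domain, or the AWS service name (assumed leftmost label)."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) > 2 and labels[-2:] == ["amazonaws", "com"]:
        return labels[0] + ".amazonaws.com"
    return ".".join(labels[-2:])

def bad_external_hosts(conns, since=EVAL_SINCE, dns=DNS_ANSWERS, flagged=FLAGGED):
    """Alert on flagged domains not seen in the 24h before a connection at or after `since`."""
    last_seen, active, alerts = {}, {}, []
    for ts, dst_ip, bytes_out in sorted(conns):
        fqdn = dns.get(dst_ip)
        if fqdn is None:
            continue                     # no reverse lookup: nothing to aggregate
        domain = aggregate_domain(fqdn)
        is_new = domain not in last_seen or ts - last_seen[domain] > NEW_WINDOW
        last_seen[domain] = ts
        if ts < since:
            continue                     # older history only feeds the baseline
        if is_new and domain in flagged:
            active[domain] = {"domain": domain, "dst_ip": dst_ip, "first_seen": ts, "bytes_out": 0}
            alerts.append(active[domain])
        if domain in active:
            active[domain]["bytes_out"] += bytes_out   # sum transfer for the 10KB check
    for a in alerts:
        a["significant_transfer"] = a["bytes_out"] > SIGNIFICANT_BYTES
    return alerts
```

Running it on the constructed sample produces a single alert for bad-example.net with 12000 bytes sent, which crosses the 10KB threshold, while old-evil-example.org stays quiet because it was contacted 13 hours earlier.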
Resolution
If the connection is malicious, take steps to restore the affected systems to a known clean state. If possible, implement sinkholing or blocking of the domain to prevent reinfection.