New External Client DNS
This alert occurs when Lacework detects a DNS request from a new external client, one that has not previously been seen making requests to the monitored system or network.
The alert indicates that an external client (a computer or device outside the organization's network) has attempted to establish a connection with the network by making a DNS request. DNS requests translate human-readable domain names into the IP addresses used to establish network connections, so a new requester is often the earliest visible sign of a new party reaching the environment.
Why this alert is important
Monitoring new external client DNS requests helps detect potential threats and unauthorized access attempts early. You can use this alert to identify new external clients attempting to connect to your network and take appropriate action to investigate or block suspicious activity. In some cases the alert is benign and represents legitimate network activity (a new customer, partner, or cloud service); in other cases it may indicate an attempted attack or a compromise of the network.
Investigation
Investigating this alert involves analyzing the alert data and performing additional network and system checks to determine the nature and intent of the external client's connection attempt.
Follow these steps to investigate the alert:
- Review the incident’s data for information on the external client's IP address, the DNS query made, the domain name queried, and the timestamp of the request. This information can help determine the location of the external client and whether the request was made during known business or non-business hours.
- Verify that the domain name queried is legitimate and not a malicious domain name used in phishing or other types of attacks. Use threat intelligence sources to check if the domain has a known reputation for malicious activity.
- Determine if the external client IP address is on any blocklists or known to be associated with malicious activity. Use IP reputation services to check if the IP address has a known history of attacks or has been previously associated with suspicious activity.
- Review network logs to determine if the external client's connection was successful and if any data was transferred during the connection. Look for signs of suspicious activity, such as repeated connection attempts, large data transfers, or attempts to access unauthorized resources.
- Check which services the targeted host exposes to the external client and whether they carry known vulnerabilities (for example, by reviewing the host's open ports and its most recent vulnerability assessment results) to determine whether the external client could be attempting to exploit a known weakness or gain unauthorized access to the network.
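The following script works through the investigation steps above over constructed sample data. It is an added example and not Lacework code or output: the log line format, the internal CIDR ranges, the baseline of previously seen clients, the threat-intel and IP-reputation lists, and the business-hours window are all assumptions chosen for illustration. In a real investigation the lists would come from your threat-intelligence provider and the events from your DNS and flow logs.

```python
"""Triage of a 'New External Client DNS' alert over constructed sample data.

Added example, not Lacework code. Everything below (log format, CIDRs,
blocklists, business hours, thresholds) is an assumption for illustration.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log, one event per line:
# <ISO 8601 UTC timestamp> <client_ip> <target_host> <queried_domain> <bytes>
SAMPLE_LOG = """\
2024-05-06T09:14:02Z 10.0.1.12 dns1.corp.internal intranet.corp.internal 312
2024-05-06T09:15:44Z 203.0.113.7 web-01 corp-public.example 480
2024-05-06T02:31:10Z 198.51.100.23 web-01 updates.badexample.net 51200
2024-05-06T02:31:12Z 198.51.100.23 web-01 updates.badexample.net 51200
2024-05-06T02:31:15Z 198.51.100.23 web-01 updates.badexample.net 51200
2024-05-06T11:02:33Z 192.0.2.200 api-02 corp-public.example 256
"""

# Assumed baseline: external clients already seen before the alert window.
KNOWN_CLIENTS = {"203.0.113.7"}
# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Stand-ins for a domain threat-intel feed and an IP reputation list.
MALICIOUS_DOMAINS = {"updates.badexample.net"}
IP_BLOCKLIST = {"198.51.100.23"}
BUSINESS_HOURS_UTC = range(8, 18)   # 08:00-17:59 UTC, assumed
REPEAT_THRESHOLD = 3                # requests per client that count as "repeated"
LARGE_TRANSFER_BYTES = 50_000       # total bytes that count as "large"


def parse_log(text: str) -> list[dict]:
    """Parse the constructed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, domain, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ip": ip, "host": host, "domain": domain, "bytes": int(nbytes),
        })
    return events


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(events: list[dict], known_clients: set[str] = KNOWN_CLIENTS) -> dict[str, dict]:
    """Group events by new external client and apply the investigation checks.

    Returns {client_ip: {"hosts", "domains", "reasons", "verdict"}} where verdict is
    "block" (on a blocklist or queried a known-bad domain), "investigate"
    (other suspicious signals) or "likely benign" (nothing notable).
    """
    by_client: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if is_external(e["ip"]) and e["ip"] not in known_clients:
            by_client[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_client.items():
        reasons = []
        domains = {e["domain"] for e in evs}
        if domains & MALICIOUS_DOMAINS:
            reasons.append("queried domain on threat-intel list")
        if ip in IP_BLOCKLIST:
            reasons.append("client IP on blocklist")
        if any(e["ts"].hour not in BUSINESS_HOURS_UTC for e in evs):
            reasons.append("activity outside business hours")
        if len(evs) >= REPEAT_THRESHOLD:
            reasons.append(f"{len(evs)} repeated requests")
        if sum(e["bytes"] for e in evs) >= LARGE_TRANSFER_BYTES:
            reasons.append("large data transfer")

        if ip in IP_BLOCKLIST or domains & MALICIOUS_DOMAINS:
            verdict = "block"
        elif reasons:
            verdict = "investigate"
        else:
            verdict = "likely benign"
        findings[ip] = {
            "hosts": sorted({e["host"] for e in evs}),
            "domains": sorted(domains),
            "reasons": reasons,
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for ip, f in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['verdict']} (hosts={f['hosts']}, domains={f['domains']})")
        for r in f["reasons"]:
            print(f"  - {r}")
```

Run as written, the internal client and the previously seen client are skipped; 198.51.100.23 is flagged "block" on every check, while 192.0.2.200 is a single business-hours request to a legitimate domain and comes out "likely benign". The verdict logic deliberately keeps the hard signals (blocklist hit, known-bad domain) separate from the soft ones (off-hours, repetition, volume), because the soft signals alone routinely fire on legitimate new customers and partners.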
Resolution
Resolving this alert involves taking appropriate measures to mitigate any identified risks or threats to your organization. Here are some suggested steps:
- If the external client's IP address is associated with malicious activity, block the IP address using firewall rules or other access control mechanisms.
- Review security policies and procedures to confirm they are current and effective at preventing unauthorized access, and that the baseline of expected external clients is documented so future alerts can be triaged quickly.
- Implement DNS filtering: Use DNS filtering to block access to known malicious domains and to prevent employees from accessing unauthorized sites.
- Conduct employee training: Conduct employee training to educate staff on the risks associated with unauthorized access and the importance of adhering to security policies and procedures.
- Update security controls such as firewalls, intrusion detection systems, and antivirus software to ensure that they effectively detect and prevent security threats.
- Conduct continuous monitoring of network traffic and DNS requests to identify and mitigate future security threats.