New External Host Server Connection
This alert is triggered when Lacework identifies a host or software in your cloud deployment that has established a new outbound connection to an external domain it hasn't communicated with in the past 90 days. Though the domain may have been accessed by other parts of your deployment, this specific host or software has not interacted with it before.
Lacework maps the destination IP address back to a domain name by correlating the DNS queries and network connections it observes in your cloud deployment (a reverse IP lookup against observed traffic). Domain names are grouped by their second-level domain (so api.example.com and cdn.example.com both fall under example.com), except for AWS domains, which are grouped by service name (for example, ec2.amazonaws.com).
Why this alert is important
In cloud deployments, software typically shows stable network behavior, so a connection to an external domain it has never used before is worth investigating, particularly if the domain has no relation to business operations.
Why this might be just fine
The connection may be expected if the software was recently updated, for example upgraded or renamed while keeping its core functionality. Note that "software" here can be a container image (for example, one pulled from docker.io) running on a cluster or a new binary running on a host. For interpreted languages such as Java and Python, the primary program file (the main class or JAR file in Java) counts as the software binary.
Investigation
Each alert of this nature requires an initial investigation. Here are the key steps to follow:
- Gather information about the domain:
  - Is it a domain owned by your company or by a trusted third party?
  - Check the Whois registration and historical records to identify the domain's owner.
  - Look for any known threat intelligence associated with the domain.
- Identify the originating software:
  - Determine the software responsible for the egress connection.
  - Review its historical behavior to establish whether making egress connections is normal for it.
  - Click the application name in the Alert Description to open the application dossier. Examine the external connection details and the Polygraph section to determine whether the software regularly establishes external connections.
  - Identify the user responsible for the connection: look for the user's details in the Who section of the alert.
- Determine the volume of data exchanged:
  - Assess the number of bytes exchanged in both directions.
  - Transfers above roughly 10 KB in either direction are significant and warrant a closer look at what was sent.
- Check whether the egress connection is related to the software supply chain. Look for recent software updates, particularly a new version of a library that introduced an external dependency. Depending on your organization, this check can be performed in tools such as Jira, ServiceNow, GitHub, or GitLab.
- If any finding looks suspicious, escalate the investigation. Look for patterns in logs related to the domain and involve your DevOps peers to gather their insights.
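The domain grouping described above and the triage steps in this list can be combined into a small script that turns an alert record into a decision. The following is an added example written for this page, not Lacework code: the alert record, the trusted-domain allowlist and the threat list are constructed inline, the 10 KB threshold is the one given above, and the rule used to collapse AWS hostnames to a service name (dropping region labels such as us-east-1) is an assumption that approximates the grouping the page describes.

```python
"""Triage helper for a 'New External Host Server Connection' alert.

Added example, not Lacework code. Allowlist, threat list and the sample
alert are constructed; the AWS service-grouping rule is an approximation.
"""
import re
from dataclasses import dataclass, field

AWS_REGION = re.compile(r"^[a-z]{2}-[a-z]+-\d$")   # matches region labels such as us-east-1
SIGNIFICANT_BYTES = 10 * 1024                      # 10 KB threshold from the investigation steps


def domain_group(hostname: str) -> str:
    """Collapse a hostname to the key the alert groups on:
    the second-level domain, or <service>.amazonaws.com for AWS hosts."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-2:] == ["amazonaws", "com"] and len(labels) > 2:
        # Assumption: strip region labels, keep the label nearest the suffix as the service
        service = [lab for lab in labels[:-2] if not AWS_REGION.match(lab)]
        return f"{service[-1]}.amazonaws.com" if service else "amazonaws.com"
    # Plain second-level grouping; multi-part public suffixes (e.g. co.uk) are not handled
    return ".".join(labels[-2:])


@dataclass
class Alert:
    host: str
    application: str            # binary, main class / JAR, or container image
    user: str                   # from the Who section of the alert
    dest_domain: str
    bytes_out: int
    bytes_in: int
    prior_egress_domains: int   # distinct external domains this app reached before (dossier)
    recently_updated: bool      # new version or dependency change found in CI / ticketing


@dataclass
class Triage:
    group: str
    findings: list = field(default_factory=list)
    decision: str = "review"    # one of: close, review, escalate


def triage(alert: Alert, trusted_groups: set, threat_groups: set) -> Triage:
    """Apply the investigation steps to one alert and return findings plus a decision."""
    group = domain_group(alert.dest_domain)
    t = Triage(group=group)

    # Step 1: known-bad destination short-circuits everything else
    if group in threat_groups:
        t.findings.append(f"{group} matches known threat intelligence")
        t.decision = "escalate"
        return t

    trusted = group in trusted_groups
    if not trusted:
        t.findings.append(f"{group} is not company-owned or a trusted third party")

    # Step 2: does this software normally make egress connections?
    no_history = alert.prior_egress_domains == 0
    if no_history:
        t.findings.append(f"{alert.application} has no history of external connections")

    # Step 3: volume of data in either direction
    significant = max(alert.bytes_in, alert.bytes_out) > SIGNIFICANT_BYTES
    if significant:
        t.findings.append(f"significant transfer: {alert.bytes_out} B out / {alert.bytes_in} B in")

    # Step 4: supply-chain explanation available?
    if alert.recently_updated:
        t.findings.append("software was recently updated; verify the change for a new dependency")

    if trusted and (alert.recently_updated or not no_history):
        t.decision = "close"      # known-good destination with an explainable cause
    elif not trusted and (significant or no_history):
        t.decision = "escalate"   # unknown destination plus data volume or no egress history
    else:
        t.decision = "review"     # needs the supply-chain / DevOps check before closing
    return t


if __name__ == "__main__":
    TRUSTED = {"example.com", "docker.io", "ec2.amazonaws.com"}   # constructed allowlist
    THREATS = {"bad-updates.net"}                                  # constructed threat list
    sample = Alert(host="ip-10-0-1-12", application="/usr/bin/java app.jar",
                   user="svc-billing", dest_domain="cdn.unknown-host.io",
                   bytes_out=48_000, bytes_in=1_200,
                   prior_egress_domains=0, recently_updated=False)
    result = triage(sample, TRUSTED, THREATS)
    print(f"{result.group}: {result.decision}")
    for finding in result.findings:
        print(" -", finding)
```

The decision table is deliberately conservative: a destination that is neither trusted nor known-bad is escalated as soon as either the data volume or the absence of any egress history backs it up, and only drops to "review" when a recent update offers a plausible supply-chain explanation that still has to be confirmed in the ticketing or source-control system.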
Resolution
If the connection appears to result from malicious use of an existing administrative tool, from malware, or from an exploited application, review the logs from the source machine and the application. If the machine is compromised, take the necessary steps to restore it to a known clean state.