
New External Server IP Address Connection

This alert fires when Lacework detects a host or software in your cloud deployment making an outbound connection to an external IP address that it has not contacted in the past 90 days. An address is considered external based on the host's routing tables, excluding the private ranges defined in RFC 1918. Lacework attributes IP addresses to domain names by correlating the DNS queries it observes with the network connections in your deployment; this alert indicates a direct connection to a raw IP address for which no corresponding DNS query was observed.

Why this alert is important

Connections to raw IP addresses are a strong signal in cloud environments. Legitimate cloud workloads rarely connect to hard-coded IP addresses, because the addresses behind load balancers, proxies, virtual hosting frameworks, content delivery networks and similar mechanisms change frequently. Attackers, on the other hand, often prefer raw IP addresses: they avoid the traceability and the overhead of registering a domain name, and the unreliable, short-lived nature of a raw IP is no obstacle to them.

Why this might be just fine

Connections to raw IP addresses can be legitimate, but they are relatively uncommon. Some services are hosted behind static IP addresses for reliability or performance reasons. Such services are rare, and when they exist they usually involve a static or slowly changing set of addresses that the deployment contacts frequently and consistently, so they seldom appear as new.

In some situations Lacework cannot correlate an IP address with a resolved domain name. This happens when the DNS query is made on a different machine and the resulting IP address is passed to the connecting host inside a network message, or when application-level caching in the libraries used to connect to cloud providers means no DNS query is issued at all. High CPU usage or memory pressure can also cause the Lacework agent to drop the data needed to identify the DNS query.

In such cases the alert can be a false positive. It is still raised, because suppressing it would let an attacker hide activity behind a high system load. Evaluate the circumstances carefully and gather additional context before deciding whether the alert is valid.
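The following is an added example, not Lacework's code, that reproduces the correlation logic described at the top of this page in simplified form and runs it over constructed DNS and connection records: a connection to a public IP is flagged only if no DNS query on the same host answered with that address shortly before and the host has not contacted it within the 90-day lookback. The 10-minute DNS correlation window and the record layout are assumptions; the 90-day lookback and the 10KB transfer threshold come from this page. The db-1 record shows the false-positive case described above, where the DNS query happened on a different host.

```python
# Added example, not Lacework's code: a simplified version of the
# correlation this alert describes, run over constructed log records.
# Assumptions (not from the page): a DNS answer on the same host within
# DNS_WINDOW "explains" a connection; records carry ISO-8601 timestamps.
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)          # from the alert definition
DNS_WINDOW = timedelta(minutes=10)     # assumed correlation window
LARGE_TRANSFER = 10 * 1024             # 10KB threshold from the Investigation steps

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True unless the address falls in an RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data for the example.
# DNS answers observed by the agent: (timestamp, host, query name, answer IP)
DNS_LOG = [
    ("2024-05-01T10:00:00", "web-1", "api.example.com", "203.0.113.10"),
]

# Outbound connections: (timestamp, host, destination IP, port, bytes sent)
CONN_LOG = [
    ("2024-05-01T10:00:05", "web-1", "203.0.113.10", 443, 1800),     # resolved on web-1 just before
    ("2024-05-01T10:02:00", "web-1", "10.0.3.7", 5432, 9000),        # RFC 1918, ignored
    ("2024-05-01T10:05:00", "web-1", "198.51.100.23", 4444, 52000),  # raw IP, never seen, >10KB
    ("2024-05-01T10:06:00", "db-1", "203.0.113.10", 443, 200),       # DNS query was on web-1, not db-1
    ("2024-05-01T10:07:00", "web-1", "192.0.2.44", 443, 300),        # raw IP, but contacted 11 days ago
    ("2024-05-01T10:08:00", "web-1", "192.0.2.99", 443, 300),        # raw IP, last contact >90 days ago
]

# Last observed contact per (host, IP) before this batch.
HISTORY = {
    ("web-1", "192.0.2.44"): "2024-04-20T00:00:00",
    ("web-1", "192.0.2.99"): "2024-01-10T00:00:00",
}


def find_new_external_ip_connections(dns_log, conn_log, history):
    """Return one alert per outbound connection to a public IP that was neither
    resolved by a DNS query on the same host within DNS_WINDOW nor contacted
    by that host within LOOKBACK."""
    resolved = defaultdict(list)
    for ts, host, _qname, ip in dns_log:
        resolved[(host, ip)].append(_ts(ts))
    last_seen = {key: _ts(ts) for key, ts in history.items()}

    alerts = []
    for ts, host, dst, port, nbytes in conn_log:
        t = _ts(ts)
        if not is_external(dst):
            continue
        key = (host, dst)
        # A DNS answer for this IP on this host, at or before the connection
        # and within the window, explains the connection.
        explained = any(timedelta(0) <= t - r <= DNS_WINDOW for r in resolved[key])
        known = key in last_seen and t - last_seen[key] <= LOOKBACK
        if not explained and not known:
            alerts.append({
                "host": host, "dst_ip": dst, "dst_port": port, "time": ts,
                "bytes_out": nbytes,
                "large_transfer": nbytes > LARGE_TRANSFER,  # triage hint, see Investigation
            })
        last_seen[key] = t  # the IP is no longer "new" for this host
    return alerts


if __name__ == "__main__":
    for alert in find_new_external_ip_connections(DNS_LOG, CONN_LOG, HISTORY):
        print(alert)
```

Run as written, it produces three alerts: web-1 to 198.51.100.23 (a genuinely new raw IP with a large transfer), db-1 to 203.0.113.10 (the DNS query was made on web-1, so per-host correlation cannot explain it), and web-1 to 192.0.2.99 (last contacted more than 90 days ago). The connection to 192.0.2.44 is suppressed because the host contacted it 11 days earlier, which is why slowly changing fixed-IP services rarely trigger this alert.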

Investigation

To thoroughly investigate each alert, focus on the following key areas:

  1. Use the Investigation tab for deeper analysis. The Polygraphs, Process Details, and Container Image Information sections identify the machine, process, and container that made the connection, which narrows down its source.
  2. From the Alert Details, click the Details tab and check whether any data was transferred by examining the Where section. Transfers exceeding 10KB warrant further investigation.
  3. For IP addresses that need further scrutiny, click the address to open its network dossier, where Lacework shows any other activity involving that address observed in your environment. You can also click the View on VirusTotal link at the top of the screen for a third-party analysis of the address.

Resolution

If the connection appears to result from malicious use of an existing administrative tool, malware, or an exploited application, review logs from the host that made the connection and, if you control it, from the destination host. If the machine is compromised, take the necessary steps to restore the affected systems to a known clean state.