New Outbound Connection From Application
This alert occurs when Lacework detects software in your cloud deployment that has made an outbound connection to an external domain that this software has not contacted in the past 90 days. Other components of your deployment may have interacted with this domain, but this particular software has not.
Lacework determines the destination domain name through a reverse IP lookup, correlating the DNS queries and network connections observed within your cloud deployment. Domain names are aggregated by their second-level domain, except for AWS domains, which are aggregated by service name (for example, ec2.amazonaws.com).
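As an added illustration, not Lacework's own code, the following Python models the two rules above: collapsing a destination host to the aggregation key (second-level domain, or service name for amazonaws.com hosts) and flagging contacts that a given application has not made in the preceding 90 days, even when other software in the deployment has. The region-label detection and the sample connection records are assumptions constructed for the example.

```python
import re
from datetime import datetime, timedelta

AWS_SUFFIX = ("amazonaws", "com")
# Assumed shape of an AWS region label, e.g. us-east-1 or us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")


def aggregate_domain(host: str) -> str:
    """Collapse a hostname to the key the alert aggregates on.

    Non-AWS hosts collapse to their second-level domain (last two labels).
    AWS hosts collapse to <service>.amazonaws.com, where the service is the
    label just left of the region label (or of 'amazonaws' when no region).
    Public-suffix handling (co.uk and the like) is deliberately out of scope.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if tuple(labels[-2:]) == AWS_SUFFIX and len(labels) >= 3:
        service_idx = len(labels) - 3
        if service_idx > 0 and REGION_RE.match(labels[service_idx]):
            service_idx -= 1
        return f"{labels[service_idx]}.amazonaws.com"
    return ".".join(labels[-2:])


def new_outbound(connections, app, lookback_days=90):
    """Return (timestamp, aggregated_domain) for each contact by `app` whose
    aggregated domain `app` itself had not reached in the preceding window.
    `connections` holds (timestamp, application_name, destination_host)."""
    window = timedelta(days=lookback_days)
    last_seen = {}  # aggregated domain -> most recent contact by this app
    alerts = []
    for ts, name, host in sorted(connections):
        if name != app:
            continue  # other software reaching the domain does not count
        key = aggregate_domain(host)
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append((ts, key))
        last_seen[key] = ts
    return alerts


SAMPLE_CONNECTIONS = [  # constructed sample records, not real telemetry
    (datetime(2024, 1, 10), "payment-svc", "api.vendor-a.example"),
    (datetime(2024, 3, 1), "payment-svc", "api.vendor-a.example"),
    (datetime(2024, 3, 1), "payment-svc", "ec2.us-east-1.amazonaws.com"),
    (datetime(2024, 3, 2), "batch-job", "cdn.updates.example.net"),
    (datetime(2024, 3, 3), "payment-svc", "cdn.updates.example.net"),
    (datetime(2024, 7, 1), "payment-svc", "api.vendor-a.example"),  # >90 days gap
]
```

Running `new_outbound(SAMPLE_CONNECTIONS, "payment-svc")` flags four contacts, including example.net (reached earlier only by batch-job) and the July return to vendor-a.example after a gap longer than the window.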
Why this alert is important
Software operating within cloud deployments generally shows consistent network behavior, so new access to an external domain warrants investigation, particularly if the domain is unrelated to business operations.
Why this might be just fine
This connection may be expected if it originates from recently updated software, such as an upgrade to a new version or a renamed binary whose primary functionality is largely unchanged. Note that software can take the form of a container image (for example, one pulled from docker.io) running on a cluster, or a new software binary running on a host. For interpreters such as Java and Python, the primary program files (for example, the main class or JAR file for Java) are treated as the software binary.
Investigation
Each alert of this nature requires an initial investigation. Here are the key steps to follow:
- Gather information about the domain in question:
  - Determine whether the domain is owned by your company or by a trusted third party.
  - Explore other sources such as Whois registration and historical records to gain additional insights.
  - Assess whether the domain is associated with any known malicious activity or is flagged as suspicious by any sources.
- Determine the originating software and its normal egress connection behavior by reviewing historical data. Click the application name in the Alert Description to access the application dossier. Consult the External Out Connections and Polygraph sections to assess the software's regularity in establishing external connections.
- Determine the user responsible for the connection by checking the Who section.
- Determine the number of bytes transmitted in each direction. Pay attention to figures exceeding 10 KB, as they indicate that a significant amount of data was exchanged.
- Verify whether the egress connection is associated with the software supply chain. For instance, check whether the software was recently updated, potentially introducing a new version of a library that now relies on an external dependency.
  - Depending on your organization, examine platforms such as Jira or ServiceNow, or your preferred SCM provider such as GitHub or GitLab, for relevant change records.
- If there are any suspicious indications, escalate the investigation. Look for patterns in logs that involve the specific IP address, and bring in your DevOps peers to gather their insights and opinions.
Resolution
If the connection appears to be the result of malicious use of an existing administrative tool, malware, or an exploited application, review logs from the source machine and application. If the machine is compromised, take the necessary steps to restore it to a known, clean state.