Outbound Connection to New Domain From Host

This alert occurs when Lacework detects an outbound connection from your cloud deployment to an external domain that has not been accessed in the past 90 days. Lacework uses reverse IP lookup to determine the destination domain by correlating DNS queries and network connections in your cloud environment. Domain names are grouped based on their second-level domain, except for AWS domains, which are grouped by service name (for example, ec2.amazonaws.com). This categorization enhances organization and analysis of connection data in Lacework.

Why this alert is important

In cloud deployments, software typically demonstrates consistent network behaviors, making new access to external domains a potential cause for investigation, particularly if the domain is unrelated to business operations.

Why this might be just fine

New tools are regularly introduced in cloud environments, which can result in accessing new domains that are necessary for their operation, including those owned by the software vendor. Therefore, the presence of a new domain alone does not automatically indicate a security breach. Nonetheless, it is important for the security team to monitor the behavior of all newly introduced software.

Certain use cases inherently require access to new domain names, for instance reputation systems that browse user-supplied URLs or marketing software that gathers intelligence from across the web. Lacework identifies such software or hosts that interact with a significant number of external domains within your deployment and aggregates these connections to avoid triggering alerts for individual domains. Further customization options for alert criteria can be found at Suppress Crawler-Related Alerts.
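The domain grouping described at the top of this page (second-level domain, or service name for amazonaws.com hosts), the 90-day "not accessed" baseline, and the crawler-style aggregation just described, worked through as an added example; this is illustrative code written for this page, not Lacework's implementation, and the crawler cut-off of five new groups per host and the AWS region-label heuristic are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=90)      # the 90-day window the alert is based on
CRAWLER_THRESHOLD = 5              # assumed cut-off; the real value is not stated on the page
AWS_REGION = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")   # assumed heuristic, e.g. us-east-1

def domain_group(fqdn):
    """Collapse an FQDN to its alerting group: the second-level domain, or the AWS
    service name for amazonaws.com hosts. Public-suffix cases (co.uk) are left out."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[-2:] == ["amazonaws", "com"]:
        # walk right to left past region labels until the service label is reached
        for label in reversed(labels[:-2]):
            if not AWS_REGION.fullmatch(label):
                return label + ".amazonaws.com"
        return "amazonaws.com"
    return ".".join(labels[-2:])

def new_domain_alerts(connections, crawler_threshold=CRAWLER_THRESHOLD):
    """connections: iterable of (host, timestamp, fqdn). A group is new when the whole
    deployment has not reached it within LOOKBACK; busy hosts get one crawler alert."""
    last_seen = {}                      # domain group -> most recent connection time
    new_by_host = defaultdict(set)
    for host, ts, fqdn in sorted(connections, key=lambda c: c[1]):
        group = domain_group(fqdn)
        prev = last_seen.get(group)
        if prev is None or ts - prev > LOOKBACK:
            new_by_host[host].add(group)
        last_seen[group] = ts
    alerts = []
    for host, groups in sorted(new_by_host.items()):
        if len(groups) >= crawler_threshold:
            alerts.append({"host": host, "type": "crawler", "count": len(groups)})
        else:
            for group in sorted(groups):
                alerts.append({"host": host, "type": "new_domain", "domain": group})
    return alerts

# Constructed sample connections (not real traffic).
T0 = datetime(2024, 1, 1)
SAMPLE = [
    ("web-1", T0, "api.github.com"),
    ("web-1", T0 + timedelta(days=120), "api.github.com"),          # 120-day gap: new again
    ("web-1", T0 + timedelta(days=121), "ec2.us-east-1.amazonaws.com"),
    ("web-1", T0 + timedelta(days=122), "s3.amazonaws.com"),
    ("web-2", T0 + timedelta(days=122, hours=1), "cdn.github.com"),  # same group, seen 2 days ago
] + [("crawler-1", T0 + timedelta(days=123), f"site{i}.com") for i in range(5)]
```

Running `new_domain_alerts(SAMPLE)` yields three per-domain alerts for web-1, nothing for web-2, and a single aggregated crawler alert for crawler-1.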

Investigation

Each alert of this nature requires an initial investigation. Consider the following steps:

  1. Gather information about the domain:
    • Is it a domain owned by your company or a trusted third party?
    • Check the Whois registration and historical records to identify the domain's owner.
    • Look for any known threat information associated with the domain.
  2. Identify the originating software and assess its normal behavior by reviewing its historical connections. To access the application dossier, click the application name in the Alert Description. Examine the external connection details and Polygraph sections to determine if the software typically establishes external connections.
    • Determine the user responsible for the connection by reviewing the Who section.
    • Determine the volume of exchanged data (both directions), focusing on significant amounts exceeding 10 KB.
  3. Investigate if the egress connection is related to the software supply chain. Check for recent software updates, particularly if a new version of a library introduced an external dependency. This check can be performed in tools such as Jira, ServiceNow, GitHub, or GitLab, depending on your organization.
  4. If any findings appear suspicious, escalate the investigation. Look for patterns in logs related to the domain and involve your DevOps peers to gather their insights and opinions.

Resolution

If the connection appears to be the result of malicious use of an existing administrative tool, malware, or an exploited application, review logs from both hosts. If the machine is compromised, take the necessary steps to restore the affected systems to a known, clean state.