Identifying Malicious Data Exfiltration: A Stealthy Approach

Detecting Suspicious Behavior without Alerting Malicious Actors

Question

A threat feed notes malicious actors have been infiltrating companies and exfiltrating data to a specific set of domains.

Management at an organization wants to know if it is a victim.

Which of the following should the security analyst recommend to identify this behavior without alerting any potential malicious actors?

Answers

A. Create an IPS rule to block these domains and trigger an alert within the SIEM tool when these domains are requested.
B. Add the domains to a DNS sinkhole and create an alert in the SIEM tool when the domains are queried.
C. Look up the IP addresses for these domains and search firewall logs for any traffic being sent to those IPs over port 443.
D. Query DNS logs with a SIEM tool for any hosts requesting the malicious domains and create alerts based on this information.

Explanations

Correct answer: D.

The threat feed names the domains the attackers exfiltrate data to, and management wants to know whether the organization is already a victim. The recommendation therefore has to identify the behavior, including activity that has already happened, without changing anything the attackers can observe. That rules out any control that blocks or redirects their traffic.

Option A creates an IPS rule to block the domains and raises a SIEM alert when they are requested. Blocking is a containment action, not an identification step: the moment the rule fires, the attacker's connections start failing, which tells them they have been found and gives them the opportunity to move to new infrastructure or change tactics. It also says nothing about exfiltration that took place before the rule existed.

Option B adds the domains to a DNS sinkhole and alerts when they are queried. A sinkhole answers queries for those names with a controlled address, so infected hosts talk to the sinkhole instead of the attacker. That captures the beacons and is a sound response step, but it is not covert: the attacker's servers stop receiving the organization's traffic, and an operator watching their victims will notice the hosts going quiet. Like option A, it only observes queries made after the change, so it cannot tell management whether the organization was a victim before the sinkhole went in.

Option C resolves the domains to IP addresses and searches firewall logs for traffic to those IPs over port 443. This is passive, but brittle: the feed was published as domains because the addresses behind them change, the domains may sit behind shared hosting or a CDN where the same IP also serves legitimate sites, and exfiltration need not use port 443 at all (DNS tunnelling over port 53 is the obvious case). It misses traffic on other ports and protocols and can produce both false negatives and false positives.

Option D queries the DNS logs already collected in the SIEM for hosts that requested the malicious domains and builds alerts on that data. Nothing on the network changes, so the attacker has no way to know the search happened, and because the logs are historical it answers the actual question: whether any host has already been resolving those domains. Its limitation is that it only sees queries that passed through the organization's resolvers; malware that hard-codes an IP address or uses an external encrypted resolver leaves no entry in these logs, which is why option C's firewall search is a useful complement rather than a replacement.

Based on the above analysis, option D is the best recommendation. It is the only option that is purely passive and that covers activity predating the investigation. Sinkholing or blocking (options B and A) are the right follow-up once victims are confirmed and the organization is ready to contain the activity, accepting that the attacker will notice at that point.
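As an added example (not part of the original page, and not the code of any product mentioned in it), the following Python script implements the passive check behind option D against a constructed BIND-style DNS query log with hypothetical threat-feed domains. The log lines, client IP addresses and domain names are all made up for the example. It shows the two details a practitioner has to get right when matching DNS logs against a feed: canonicalising names (case, trailing dot) and label-aware suffix matching, so that a query for `notexfil-example.test` does not match the indicator `exfil-example.test` while `stage.exfil-example.test` does.

```python
import re
from collections import defaultdict

# Constructed sample of BIND-style query-log lines (private-range client IPs
# and reserved .test / example names; none of this is real infrastructure).
# In practice the same lines come from the resolver or the SIEM's DNS index.
SAMPLE_DNS_LOG = """\
15-May-2024 09:12:01.442 client @0x7f2a1c0d2e10 10.20.30.41#52113 (updates.example.org): query: updates.example.org IN A +E(0)K (10.20.30.2)
15-May-2024 09:12:07.118 client @0x7f2a1c0d2e10 10.20.30.41#52880 (cdn.exfil-example.test): query: cdn.exfil-example.test IN A +E(0)K (10.20.30.2)
15-May-2024 09:12:09.300 client @0x7f2a1c0d2e10 10.20.30.77#60012 (aGVsbG8.stage.exfil-example.test): query: aGVsbG8.stage.exfil-example.test IN TXT + (10.20.30.2)
15-May-2024 09:13:15.007 client @0x7f2a1c0d2e10 10.20.30.41#52991 (notexfil-example.test): query: notexfil-example.test IN A + (10.20.30.2)
15-May-2024 09:14:40.556 client @0x7f2a1c0d2e10 10.20.30.90#41000 (EXFIL-EXAMPLE.TEST.): query: EXFIL-EXAMPLE.TEST. IN AAAA + (10.20.30.2)
this line is not a query log entry and must be skipped
"""

# Hypothetical indicators standing in for the threat feed's domain list.
THREAT_FEED_DOMAINS = ["exfil-example.test", "drop.example.net"]

# Fields we need from a BIND query log entry: timestamp, client IP, qname, qtype.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client(?: @0x[0-9a-f]+)? "
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize_domain(name):
    """Lower-case and strip the trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def matches_feed(qname, feed):
    """Return the feed domain that qname equals or is a subdomain of, else None.

    The suffix check is label-aware: 'notexfil-example.test' must not match
    'exfil-example.test', while 'x.exfil-example.test' must.
    """
    q = normalize_domain(qname)
    for d in feed:
        d = normalize_domain(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def parse_query_line(line):
    """Parse one query-log line into a dict, or None if it is not a query entry."""
    m = QUERY_RE.match(line)
    return m.groupdict() if m else None


def find_hosts_querying(log_text, feed):
    """Map client IP -> list of (ts, qname, qtype, indicator) for feed matches.

    Purely read-only: it inspects collected logs and changes nothing on the
    resolver or the network, which is what keeps the check invisible to an
    attacker.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        indicator = matches_feed(rec["qname"], feed)
        if indicator is None:
            continue
        hits[rec["client"]].append(
            (rec["ts"], normalize_domain(rec["qname"]), rec["qtype"], indicator)
        )
    return dict(hits)


def summarize(hits):
    """Collapse matches to a per-host view suitable for an investigation ticket.

    first_seen takes the first record because query logs are assumed to be in
    chronological order.
    """
    return {
        client: {
            "queries": len(records),
            "first_seen": records[0][0],
            "indicators": sorted({r[3] for r in records}),
            "qtypes": sorted({r[2] for r in records}),
        }
        for client, records in hits.items()
    }


if __name__ == "__main__":
    hosts = find_hosts_querying(SAMPLE_DNS_LOG, THREAT_FEED_DOMAINS)
    for client, info in sorted(summarize(hosts).items()):
        print(client, info)
```

Run stand-alone it lists the three sample hosts that resolved names under the indicator domain and ignores the lookalike. The TXT query with an encoded-looking label is exactly the shape of DNS-tunnelled exfiltration that a port-443 firewall search (option C) would never see. Hosts the script returns are candidates to confirm against proxy and firewall logs before any sinkhole or block is put in place, since those actions are the point at which the attacker can notice.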