Hidden in Plain Sight

Chris McNab
Jan 10, 2018 · 2 min read

You’ve solved the false positive issue, but what about the false negatives?

Many security teams use the Alexa Top 1 Million list and associated API to whitelist network traffic and focus threat hunting efforts around uncommon domains. For some time we’ve known of issues with this data at AlphaSOC, and in this post we detail the malicious domains hidden from teams using it.

AlphaSOC tracks actors and leverages third-party services to map and understand malware campaign infrastructure. As such, we maintain a list of effective TLDs, including dynamic DNS and hosting provider domains.

As a quick example, f3322.net is a Chinese dynamic DNS provider domain with an Alexa Top Sites rank of 50,891, and luoxk.f3322.net is a malicious hostname beneath (as demonstrated below). The parent domain is commonly whitelisted, leading to malicious subdomains not being flagged as suspicious.

VirusTotal output for luoxk.f3322.net

Within the Alexa Top Sites data we found 246 effective TLDs that can be used to mask attack infrastructure. Upon cross-referencing them with our data and third-party services we found 5,190 hidden C2 and phishing domains.

Researching this further, we found that many commercial services return misleading reputation scores for domains operated by dynamic DNS and hosting providers in particular.

Use the hidden domain list and our open source Network Flight Simulator utility to generate known-bad traffic patterns and identify gaps within your SIEM and threat hunting stack.

Have questions or want to learn more about AlphaSOC? Drop us a line!

AlphaSOC

AlphaSOC Blog

Chris McNab

Written by

Author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.

AlphaSOC

AlphaSOC

AlphaSOC Blog