Detecting Young Domains with Palo Alto Networks and LogRhythm

As the world continues dealing with a pandemic involving the coronavirus disease (COVID-19), malicious campaigns are well underway. For example, an opportunistic attacker will leverage a user’s sense of urgency and curiosity to prompt them to open a malicious email, visit a malicious website, or spread misleading information.

Attacks are more likely to be successful today due to the added risk of widespread work-from-home policies. This blog post will explore how you can use domain classification to identify young domains and how you can flip the advantage to defenders by using the Palo Alto Networks and the LogRhythm NextGen SIEM Platform integration.

Using Domain-Generating Algorithms

Attackers that use Domain Generating Algorithms (DGA) have an advantage in creating campaigns that prey on novel news stories. This is especially true in the current environment because these news stories are global.

DGAs are also an identified MITRE ATT&CK® technique (ID: T1483). MITRE ATT&CK describes this technique’s threat as the following: “This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions … Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.”

MITRE lists mitigations for this technique such as “Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware.” MITRE also highlights the challenges of detecting DGAs. It says, “Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms.”

Therefore, it’s vital to have methods of categorizing URLs to better detect DGAs. Palo Alto Networks URL categorizations, for example, can likely detect, and prevent DGAs with categorizations such as “Newly Registered Domain*.” Palo Alto Network’s Unit 42 also has a great blog that offers detail on this phenomenon.

Beyond DGAs, other next-generation firewalls (NGFW), web proxies, and DNS proxies have similar categorizations that exist in your environment today. You can easily use them to not only obtain insight into suspicious domains but also actively block them.

How to Detect Young Domains via Palo Alto Networks

Palo Alto Networks classifies URL data in several ways. The category we are particularly interested in is called “Newly Registered Domain*”, described as “Domains that have been registered within the last 32 calendar days.” You can learn all about Palo Alto Network’s URL filtering here. Palo Alto Network’s complete list of PAN-DB URL filtering categories can be found here.

Logging URL Categories

Palo Alto Networks needs to be configured to not only detect the URL category “Newly Registered Domain*,” but to also send that log to the SIEM via Syslog. This blog post assumes that Palo Alto Networks NGFW is already configured to send logs to the SIEM. We’re going to focus specifically on the “Configure URL Filtering,” and how you would be alerted to the “Newly Registered Domain*” category. Per the Palo Alto Networks instructions, it’s straightforward.

  • Select, or create a new URL filter.
  • Under the “Categories,” select “Alert” for “Newly Registered Domain*.”
    1. Note, Alert will not block the access. It is required to Syslog out to the SIEM.
    2. Block will not only block access to the URL, but it will also log it to the SIEM.
  • Clear the “Log container page only” checkbox.
  • Enable “HTTP Header Logging,” by selecting “User-Agent,” “Referrer,” and “X-Forward-For.”
  • Save the URL filtering profile.
  • Commit the setting.

LogRhythm WebUI: Custom Analyze Dashboard for Newly Registered Domain

In the screenshots below, we can see what the log from the Palo Alto Networks looks like.

Figure 1: WebUI Analyze Dashboard showing a log message from the Palo Alto where the URL category is Newly Registered Domain*

Figure 2: LogRhythm WebUI Analyze Event pane shows details of the URL category where the URL and Domain (Impacted) are omitting the TLD on purpose in this example

We can see details of the Domain (Impacted), which is COVID-19. (TLD/gTLD are omitted on purpose in this example. You will see the full domain with TLD/gTLD.) We see the URL, which is COVID-19/Coronavirus. We also see the URL category being parsed under Process Name, named Newly-Registered-Domain*.

Now that we have the logs coming into the SIEM, it’s straightforward to create additional WebUI dashboards or even AI Engine rules.

LogRhythm – Palo Alto: Dynamic Block List for Newly Registered Domains

If Palo Alto Networks is configured to alert on young domains, rather than block, it may be that you are correlating with other log sources to perform broader analytics that results in an AI Engine alert indicating a malicious young domain with a high degree of certainty. In this case, you may wish to proactively block that domain on the Palo Alto Networks device.

LogRhythm has a great discussion on Community discussing how to use dynamic block lists in Palo Alto Networks here. One of our Community Managers and LogRhythm customer, Daniel Dallmann (community handle: ddallmann), contributed a great method of also utilizing Palo Alto Networks Minemeld here.

If you have Palo Alto Networks in your environment, it’s worth evaluating what Daniel Dallmann developed.

In Summary

Detecting malicious, nefarious, and otherwise unwanted URLs poses a big challenge with newly created domains. As we read from MITRE ATT&CK technique T1483: Domain Generation Algorithms, detection is not trivial either. Using a next-generation firewall solution, such as Palo Alto Networks, where URL filtering categorizes a great number of websites and tracks “Newly Registered Domain*” as a URL filter category is needed to detect and protect organizations.

There are also ways to extend these categories with custom content using LogRhythm lists and publishing back into the Palo Alto Networks NGFW with LogRhythm RespondX security orchestration, automation, and response (SOAR) solution. Correlating the Palo Alto Networks URL filtering logs in the LogRhythm SIEM also allows for greater detection and pivoting to forensic activities by downloading the PCAP from LogRhythm NetMon, for example, helps a SOC analyst determine if the domain is truly malicious.