anomalous_traffic_dns

Explanation

This event is triggered by Netography's Fusion Portal when it detects a data transfer over UDP port 53 or over TCP ports 53 or 853 that exceeds an automatically determined baseline threshold. Auto Thresholding observes related network traffic to determine a baseline and then defines thresholds as a number of standard deviations from the typically observed traffic. This event specifically looks for data transfers over UDP port 53 or TCP ports 53 or 853 that are multiple standard deviations greater than the learned baseline.

What to Look For

Anomalous traffic over DNS may be an indication that your network is compromised and attackers are stealing information by moving it (exfiltrating it) off your network. Attackers frequently exfiltrate data using DNS (the Domain Name Service) because it is a fundamental service on the internet used to convert domain names into IP addresses. Attackers often try to hide exfiltration data in the large volumes of normal DNS traffic on networks. Detections of anomalous traffic over DNS are worthy of investigation because they may be indicative of a ransomware attack or industrial espionage.

Investigate hosts that are the source of this sort of activity in order to make sure that it is authorized and expected, and the hosts have not been compromised. Ensure that hosts sending data over DNS are authorized to send data to systems outside your network in an approved file system location. Check network logs for additional information to ensure that sensitive information is secure.

Related MITRE ATT&CK Categories

Exfiltration Over Alternative Protocol, Technique T1048 - Enterprise