How to Narrow Down the Amount of Suspicious Traffic in Network Logs

Suspicious network traffic can come from anywhere, and no organization is immune to getting attacked. And while being alerted to all suspicious domains and IP addresses is a good thing when it comes to maintaining network security, getting too many alerts can be overwhelming.

In fact, the security teams of a huge majority of companies suffer from alert fatigue, which is avoidable, at least to some extent, by narrowing down the amount of suspicious traffic. How can organizations do that, though? Take a look at some of the ways below.

Filter Out Disreputable Domains and IP Addresses

Not all suspicious domains and IP addresses need to be blocked outright. Some domains could belong to stakeholders but have been compromised. The best way to deal with them is to inform their owners of the problem so they can address it.

In the same vein, not all of the domains resolving to suspicious or even malicious IP addresses are malicious. As a result, IP-level blocking may lead to overblocking, especially if some of the domains resolving to that IP address belong to your stakeholders.

A possible way to address both issues is a sorting mechanism such as domain reputation scoring, which helps tell whether a domain or IP address is malicious.

To lessen the amount of suspicious traffic you need to analyze (and block, if necessary), take out and block at once the domains and IP addresses that are already confirmed malicious. These have already been subjected to deep dives and should be kept out of your network.
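The following is an added example, not code from the original post: a small triage routine over constructed log lines that applies the three rules just described. Confirmed-malicious domains are blocked at once, stakeholder domains that score badly are routed to an owner notification instead of a block, and IP-level blocks are only proposed where every domain resolving to that IP is itself a block decision, which is the overblocking check. The log format, the allowlist, the blocklist and the reputation scores are all assumptions made for the example; a real deployment would take them from its own log source and reputation feed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines (not from the post): timestamp, source host, destination domain, resolved IP.
SAMPLE_LOG = """\
2021-02-09T10:01:00Z ws-12 portal.partner-example.test 203.0.113.10
2021-02-09T10:01:05Z ws-12 cdn.partner-example.test 203.0.113.10
2021-02-09T10:02:10Z ws-07 login-verify.example 198.51.100.7
2021-02-09T10:02:30Z ws-07 update-now.example 198.51.100.7
2021-02-09T10:03:00Z ws-03 files.supplier-example.test 198.51.100.7
2021-02-09T10:03:40Z ws-19 news.example 192.0.2.44
2021-02-09T10:04:00Z ws-07 payload-host.example 198.51.100.99
"""

# Assumed inputs: registrable domains of stakeholders, domains already confirmed malicious,
# and a reputation score per domain (0 = clean, 100 = confirmed malicious) as a feed would return it.
STAKEHOLDERS = {"partner-example.test", "supplier-example.test"}
CONFIRMED_MALICIOUS = {"login-verify.example"}
REPUTATION = {
    "portal.partner-example.test": 5,
    "cdn.partner-example.test": 82,   # stakeholder domain scoring badly: likely compromised, not hostile
    "login-verify.example": 97,
    "update-now.example": 90,
    "files.supplier-example.test": 3,
    "news.example": 12,
    "payload-host.example": 95,
}
MALICIOUS_THRESHOLD = 75  # assumed cut-off above which a score counts as malicious
UNKNOWN_SCORE = 50        # neutral score for domains the feed has never seen


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    domain: str
    ip: str


def parse_log(text):
    """Parse the constructed four-column log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        events.append(Event(*parts))
    return events


def registrable(domain):
    """Simplified registrable domain (last two labels); real code would use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def is_stakeholder(domain):
    return registrable(domain) in STAKEHOLDERS


def triage(events):
    """Map each distinct destination domain to a decision: block, notify_owner, review or allow."""
    decisions = {}
    for ev in events:
        d = ev.domain
        if d in decisions:
            continue
        score = REPUTATION.get(d, UNKNOWN_SCORE)
        if is_stakeholder(d):
            # A stakeholder domain is never blocked outright: its owner is told if it looks compromised.
            decisions[d] = "notify_owner" if score >= MALICIOUS_THRESHOLD else "allow"
        elif d in CONFIRMED_MALICIOUS or score >= MALICIOUS_THRESHOLD:
            decisions[d] = "block"
        else:
            decisions[d] = "review"
    return decisions


def safe_ip_blocks(events, decisions):
    """IPs that can be blocked at IP level without overblocking: every domain seen on them is a block."""
    domains_by_ip = defaultdict(set)
    for ev in events:
        domains_by_ip[ev.ip].add(ev.domain)
    return {ip for ip, doms in domains_by_ip.items()
            if all(decisions[d] == "block" for d in doms)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = triage(evs)
    for domain, verdict in sorted(verdicts.items()):
        print(f"{verdict:13} {domain}")
    print("IP-level blocks without overblocking:", sorted(safe_ip_blocks(evs, verdicts)))
```

Note that 198.51.100.7 hosts two malicious domains but also a supplier domain, so it is deliberately not returned as an IP-level block; only 198.51.100.99, where nothing but a malicious domain resolves, is.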

Pay Attention to Domains Sporting Specific TLDs

Subscribing to threat reports is a security best practice. Security companies and independent research organizations typically publish such reports regularly. One example is the APWG’s Phishing Trends Report, which is published quarterly. The information from the report can keep you updated on the top-level domain (TLD) extensions that phishers use most. As of 9 February 2021, some of the TLDs cited for suspicious activity include .com, .uk, .info, .net, .live, .link, .org, .xyz, .me, and .br.

Make sure, however, that you use a whitelist containing your stakeholders’ domains, so you don’t end up keeping them out of your network. Also, should some of the domains identified as suspicious belong to legitimate users (e.g., partners, suppliers, and customers), let them know about the issue so it can be addressed. Doing so should leave your security team with fewer suspicious domains to look into and, if necessary, block.
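As an added example that is not part of the original post, here is a TLD watchlist pass over a constructed list of destination domains. It reports the TLD distribution of the traffic, then splits hits on watched TLDs into domains to review and stakeholder domains to keep out of the review queue (and whose owners you may want to inform). The watched set is an assumption: it takes the less common TLDs from the list above, because .com, .net and .org carry so much legitimate traffic that watching them on their own would flag nearly everything.

```python
from collections import Counter

# Constructed destination domains (not from the post).
SAMPLE_DOMAINS = [
    "secure-login.xyz",
    "invoice-update.live",
    "www.partner-example.me",
    "docs.example.com",
    "track.link",
    "mail.supplier-example.info",
    "promo.example.xyz",
]

# Assumed watchlist: the less common TLDs from the report's list; high-volume TLDs are left out.
WATCHED_TLDS = {"xyz", "live", "link", "info", "me", "uk", "br"}

# Assumed stakeholder whitelist, as registrable domains.
STAKEHOLDER_DOMAINS = {"partner-example.me", "supplier-example.info"}


def tld_of(domain):
    return domain.lower().rstrip(".").rsplit(".", 1)[-1]


def registrable(domain):
    """Simplified registrable domain (last two labels); real code would use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def tld_distribution(domains):
    """Count how much of the traffic lands on each TLD; useful for spotting an unusual spike."""
    return Counter(tld_of(d) for d in domains)


def flag_by_tld(domains, watched=WATCHED_TLDS, whitelist=STAKEHOLDER_DOMAINS):
    """Split watched-TLD hits into domains to review and whitelisted stakeholder domains to keep."""
    to_review, whitelisted = [], []
    for d in domains:
        if tld_of(d) not in watched:
            continue
        if registrable(d) in whitelist:
            whitelisted.append(d)   # stakeholder on a watched TLD: never blocked by this rule
        else:
            to_review.append(d)
    return {"review": to_review, "whitelisted": whitelisted}


if __name__ == "__main__":
    print("TLD distribution:", dict(tld_distribution(SAMPLE_DOMAINS)))
    result = flag_by_tld(SAMPLE_DOMAINS)
    print("Watched-TLD domains to review:", result["review"])
    print("Stakeholder domains excluded by whitelist:", result["whitelisted"])
```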

Consider Limiting Access to Suspicious Non-Publicly Attributable Domains and IP Addresses

Cyber attackers will do anything to evade detection and identification. That’s notably why they avoid putting any of their personally identifiable information (PII) in domain records and typically resort to anonymizing services. And while WHOIS record privacy protection and redaction is surely not a telltale sign of involvement in malicious activity, it’s still not usual practice for legitimate companies to leave out their PII, even after the implementation of stricter privacy regulations like the General Data Protection Regulation (GDPR).

Among some of the top Fortune 500 companies, for instance, only a minority have redacted or privacy-protected WHOIS records at the time of this writing. This means that the majority of those companies’ official domains likely can be publicly attributed to their owners via WHOIS lookups.

Consequently, delaying or even blocking access to suspicious domains and IP addresses that aren’t publicly attributable to well-known organizations when they probably should be can reduce the volume that requires further analysis.
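To make the attribution rule concrete, the following added example (not from the original post) classifies constructed WHOIS-style records as publicly attributable or not, then combines that with a reputation score to decide whether a domain is allowed, delayed for analysis, blocked, or merely queued for review. The records, the redaction markers, the reputation scores and the list of brand keywords that signal a domain "probably should be" attributable to a well-known organization are all assumptions for illustration; a real check would run against live WHOIS/RDAP data and your own brand list.

```python
import re

# Constructed WHOIS-style records (not real lookups), keyed by domain.
RECORDS = {
    "corp-example.test": {
        "registrant_org": "Corp Example Inc.",
        "registrant_email": "hostmaster@corp-example.test",
    },
    "brand-secure-login.example": {
        "registrant_org": "REDACTED FOR PRIVACY",
        "registrant_email": "Please query the RDDS service of the registrar",
    },
    "quick-deal.example": {
        "registrant_org": "Privacy Protect, LLC",
        "registrant_email": "contact@privacy-proxy.test",
    },
    "news.example": {"registrant_org": "", "registrant_email": ""},
}

# Assumed reputation scores (0 = clean, 100 = confirmed malicious).
REPUTATION = {
    "corp-example.test": 2,
    "brand-secure-login.example": 60,
    "quick-deal.example": 90,
    "news.example": 10,
}
MALICIOUS_THRESHOLD = 75

# Assumed markers that a registrant field has been redacted or replaced by a privacy/proxy service.
REDACTION_MARKERS = re.compile(r"redacted|privacy|proxy|not disclosed|withheld", re.IGNORECASE)

# Assumed brand keywords: a domain carrying one "probably should be" attributable to that brand's owner.
BRAND_KEYWORDS = ("brand", "corp-example")


def field_is_attributable(value):
    value = (value or "").strip()
    return bool(value) and REDACTION_MARKERS.search(value) is None


def is_publicly_attributable(record):
    """A record attributes the domain to an owner only if both registrant fields are present and unredacted."""
    return (field_is_attributable(record.get("registrant_org"))
            and field_is_attributable(record.get("registrant_email")))


def attribution_policy(domain, record, score, brand_keywords=BRAND_KEYWORDS):
    """Decide allow / block / delay / review from attribution and reputation."""
    if is_publicly_attributable(record):
        return "allow"          # attributable: treat as normal traffic (still logged, still scored elsewhere)
    if score >= MALICIOUS_THRESHOLD:
        return "block"          # unattributable and bad reputation: block outright
    if any(k in domain.lower() for k in brand_keywords):
        return "delay"          # looks like it should belong to a known organization but hides its owner
    return "review"             # unattributable but no other signal: leave for analysts


def classify_all(records=RECORDS, reputation=REPUTATION):
    return {d: attribution_policy(d, rec, reputation.get(d, 50)) for d, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in classify_all().items():
        print(f"{verdict:7} {domain}")
```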

The three strategies above can help reduce the volume of suspicious traffic that security teams need to spend time and effort on to either blacklist or give access to—contributing to alert fatigue reduction in the process.