Here's the pattern I've seen today in Cisco Umbrella.
We normally get around 6000 blocks per day for the category 'C&C'. When I look at a specific domain it only ever gets around 25 hits per month then stops being used.
The domains initially start out as 'Uncategorised', then get moved to 'C&C', but weirdly get moved back to 'Uncategorised' just before they stop being used.
However, around the 9th Dec that all stops - the pattern doesn't change, the latest batch of domains simply stop mid-cycle and never re-appear, not allowed or blocked - just disappeared.
Now we are seeing precisely zero hits per day in the C&C category, and whilst there is also a drop in the Malware slot, all the others are logging about the same volumes as ever.
It's almost as if someone simply turned off the C&C domain registration process last week (around the 9th Dec).
I'm not that familiar with Umbrella so I could be mistaken, hence the call out, but for the life of me I can't think of a rational explanation that fits the profile here.
I feel like the intel is stale. 6000 C2 hits per day, if truly malicious, would indicate a major ordeal.
Go to your EDR and identify what processes are hitting these IOCs; if you find that it's web browsers, it's likely stale intel. C2 servers live short lives and return to the provider pools. It's not unusual to see a Cobalt Strike related IP be an ad server or CDN a week later.
You can also use something like RiskIQ to investigate some of them and see what hostnames are resolving, which will likely net you a lot of CDN names.
The drop in hits may indicate higher fidelity intel (Cisco improved it) or it may indicate that you have users that routinely hit a site that is leveraging stale IPs and they may have updated.
Really going to come down to what processes are reaching out.
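The triage the reply describes (count the C&C blocks per day, watch each domain's category flip, then join the blocked domains against EDR process-to-domain events and treat browser-only hits as probable stale intel) can be scripted. The block below is an added example, not code from the poster or from Cisco. The column layout loosely follows an Umbrella DNS log export, the log lines and EDR events are constructed for illustration, and the `.test` domains, hostnames and process names are fictitious.

```python
"""Correlate Umbrella 'Command and Control' blocks with EDR network events.

Added example; log format and all sample data are assumed/constructed.
"""
from collections import Counter, defaultdict
import csv
import io

# Constructed Umbrella-style DNS log lines. Column order is an assumption loosely
# modelled on the Umbrella DNS export: timestamp, identity, internal IP, external IP,
# action, query type, response code, domain, categories.
UMBRELLA_LOG = """\
2023-12-07 10:01:12,host-01,10.0.0.5,203.0.113.10,Blocked,1 (A),NOERROR,c2-example-a.test,Command and Control
2023-12-07 10:05:40,host-02,10.0.0.6,203.0.113.10,Blocked,1 (A),NOERROR,c2-example-b.test,Command and Control
2023-12-08 09:00:01,host-01,10.0.0.5,203.0.113.10,Blocked,1 (A),NOERROR,c2-example-a.test,Command and Control
2023-12-08 11:30:00,host-03,10.0.0.7,203.0.113.10,Allowed,1 (A),NOERROR,c2-example-b.test,Uncategorized
2023-12-09 08:15:22,host-02,10.0.0.6,203.0.113.10,Blocked,1 (A),NOERROR,c2-example-c.test,Command and Control
2023-12-10 08:15:22,host-02,10.0.0.6,203.0.113.10,Blocked,1 (A),NOERROR,ads.cdn-example.test,Advertisements
"""

# Constructed EDR network-connection events: (hostname, process image, destination domain).
EDR_EVENTS = [
    ("host-01", "chrome.exe", "c2-example-a.test"),
    ("host-02", "msedge.exe", "c2-example-b.test"),
    ("host-01", "chrome.exe", "c2-example-a.test"),
    ("host-02", "svchost.exe", "c2-example-c.test"),
    ("host-02", "chrome.exe", "ads.cdn-example.test"),
]

# Process images we treat as "a user's browser wandered into a recycled IP/domain".
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "brave.exe"}
C2_CATEGORY = "Command and Control"

FIELDS = ["timestamp", "identity", "internal_ip", "external_ip",
          "action", "qtype", "rcode", "domain", "categories"]


def parse_umbrella(text):
    """Parse the CSV-style log text into a list of dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, rec)) for rec in csv.reader(io.StringIO(text)) if rec]


def has_category(row, category):
    # The categories column can carry several comma-separated values.
    return category in [c.strip() for c in row["categories"].split(",")]


def c2_blocks_per_day(rows, category=C2_CATEGORY):
    """Daily count of Blocked queries in the given category: the series whose
    fall to zero on the 9th is the anomaly under discussion."""
    counts = Counter()
    for r in rows:
        if r["action"] == "Blocked" and has_category(r, category):
            counts[r["timestamp"][:10]] += 1
    return dict(counts)


def category_history(rows):
    """Per-domain ordered list of distinct categories seen over time, which
    surfaces the Uncategorized -> C&C -> Uncategorized flips the OP noticed."""
    hist = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        cat = r["categories"]
        if not hist[r["domain"]] or hist[r["domain"]][-1] != cat:
            hist[r["domain"]].append(cat)
    return dict(hist)


def triage(rows, edr_events, category=C2_CATEGORY):
    """Join C&C-categorised domains against EDR events and classify each one by
    the processes that actually reached out to it."""
    c2_domains = {r["domain"] for r in rows if has_category(r, category)}
    procs = defaultdict(Counter)
    for _host, image, domain in edr_events:
        if domain in c2_domains:
            procs[domain][image.lower()] += 1
    verdict = {}
    for d in sorted(c2_domains):
        images = procs.get(d, Counter())
        if not images:
            verdict[d] = "no EDR process data"
        elif set(images) <= BROWSERS:
            verdict[d] = "browser-only: likely stale intel"
        else:
            verdict[d] = "non-browser process: investigate"
    return verdict


if __name__ == "__main__":
    rows = parse_umbrella(UMBRELLA_LOG)
    print("C&C blocks per day:", c2_blocks_per_day(rows))
    print("Category history:", category_history(rows))
    for domain, v in triage(rows, EDR_EVENTS).items():
        print(f"{domain}: {v}")
```

In the constructed data the two domains reached only by browsers come back as probable stale intel, while the one contacted by `svchost.exe` is flagged for a closer look; on a real estate the EDR join is the step that separates recycled CDN and ad infrastructure from a beacon.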
Thanks, it's looking like there are multiple changes that have been taking place which will need closer scrutiny, name server updates and an AD hardening project to name but two that could have been the source.
This is one of those companies that buys all the toys and then outsources all their support, expecting everything to be run properly :) poor buggers.
What IOC feed are you using?
This is from Cisco Umbrella (OpenDNS) filtering
Could be scheduled maintenance. How long has it been down?
No, everything else appears to be alerting normally