Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
Domain fronting can be an effective technique for obscuring traffic that is sent to a command-and-control (C&C) server. However, large companies and content delivery networks (CDNs) are beginning to prevent domain fronting, and this technique is highly complex compared to other C&C techniques. Overall, the presence of a C&C channel on your network indicates that an attacker might be conducting a persistent attack, which could have a significant impact on a business.
Kill Chain
Risk Score
67
After an attacker installs malware on a device, the malware can be programmed to periodically check in with a C&C server for instructions. Firewalls are configured to block traffic to and from malicious domains as a part of a network perimeter defense. Domain fronting takes advantage of the architecture of shared virtual hosting and CDNs, which host thousands of domains and can allow domain forwarding. The compromised device sends an HTTPS request with a legitimate domain in the TLS SNI field, and a malicious domain in the encrypted HTTP host header. The domain name in the SNI field helps the request move beyond the perimeter defenses and arrive at the CDN gateway, which the gateway then decrypts and forwards to the malicious domain.
Report the suspicious domains to threat intelligence platforms, which can help third parties remove malicious domains from the internet
Check suspicious domains for their registration date, because short-lived domains might be malicious
Implement SSL interception with an TLS proxy to drop outbound traffic that has mismatched SNI and host fields
