Get A Demo

Detect Unusual DoT Communications

By Joshua Burgin

May 02, 2024

We are excited to announce a new detection type, identifying unusual DoT activity.

This detection notifies you of unusual DNS over TLS (Transport Layer Security) communication, often referred to as DoT, which could indicate attempts to blend malicious communications with regular encrypted web traffic to evade detection.

DNS over TLS (DoT) 

DNS is a crucial part of infrastructure that maps out IP addresses for hosts connected to the internet through a process called DNS resolution, allowing users to access websites with user-friendly names rather than remembering specific IP addresses for sites.

DNS is a fundamentally “insecure” network whose communication can easily be intercepted. To avoid security risks, DNS needs TLS or HTTPS (Hypertext Transfer Protocol Secure) encryption protocols to improve network security.

TLS is a widely-used protocol that is designed to keep data secure in Internet communications. By using DNS over TLS, users can protect data that is being transferred, keeping it private even if it is intercepted. By using DNS over TLS (DoT), you send DNS requests over an encrypted TLS tunnel and can ensure the data is not readable by unauthorized parties – acting as a needed safeguard against data breaches. 

This is why DoT has become a popular method of safeguarding DNS communications.

Indicators of Compromise 

While DoT helps safeguard data, it can still be compromised by attackers. Upwind detects when a host or container in your cloud environment engages in DoT communication that deviates from established baseline behavior, which may indicate a “Command and Control” or “Defense Evasion” attempt using encrypted channels. This unusual communication could indicate an attacker’s method to compromise your system remotely, exfiltrate data, or deliver further payloads, blending malicious communications with regular encrypted web traffic to evade detection.

Upwind leverages runtime data to rapidly identify unusual DNS over TLS (DoT) communication and immediately alert you to suspicious activity. Read more about DNS over TLS (DoT) detections in the Upwind Documentation Center.

Further Reading

Product

Top Ways Upwind Helps DevOps Engineers Monitor APIs & CI/CD

By Lavi Ferdman

May 10, 2024

This is part two of a two-part blog series on how Upwind helps DevOps teams. You can read part 1 here. The Upwind Cloud Security Platform helps organizations accelerate productivity and empower their Dev, Security, and DevOps teams to innovate within a secure and efficient environment. In our last article on how Upwind helps DevOps […]

Product

Detect Suspicious Communication with a Public DNS Resolver 

By Denise Ashur

May 08, 2024

We are excited to announce a new capability to detect unusual DNS resolver activity. This detection notifies you of unusual behavior by a virtual machine or container in your cloud environment, which is communicating with a public DNS resolver that it hasn’t communicated with recently. DNS Resolvers Trusting your DNS resolvers is a critical part […]

Product

Detect Malicious Port Sweep Activities

By Joshua Burgin

May 03, 2024

We are excited to announce support for a new detection type – the identification of malicious port sweeps. Port sweeps can occur when compromised hosts or containers within your environment probe a port on a large number of publicly routable IP addresses or a large number of internal IP addresses. This type of activity is […]

Stay in touch

Product

Get A Demo
CNAPP
CDR
Vulnerability Management
CWPP
CSPM
Container Security
Data Security
API Security
Identity Security

General

About
Contact
Careers
Feed
Events
Customers

Social

Twitter
LinkedIn
Facebook

Documentation

Privacy Policy
Terms of Use

© 2023, upwind, all rights reserved