Palo Alto Networks Knowledgebase: Threat landscape: Why DNS Signatures and URL categorizations for malware change
Created On 09/26/18 13:44 PM - Last Updated 09/26/18 14:00 PM
A suspicious DNS signature (ID range 3,800,000-3,999,999 in WildFire content, or 4,000,000-4,199,999 in Antivirus content) has changed.
A URL for a site that hosted malicious traffic is not categorized as malware, or was previously categorized as malware and no longer is.
The threat landscape is constantly changing and evolving; modern exploit kit authors use complex cloaking mechanisms that keep their kits dormant unless a visitor matches specific criteria. Reference this link for a recent example. The domains hosting malicious activity can apply finely tuned filters that decide whether to deliver or reveal malicious content to a visitor based on factors such as geolocation, browser behavior, cookie values, previous visits to the site, and time of visit.
What does this mean for us?
Categorizing every domain hosting malicious traffic as malware is not currently desirable, unless the malicious behavior is reliably reproducible and impactful to users visiting the site globally. Doing so otherwise could block legitimate content and services hosted alongside the malicious content.
DNS signatures change rapidly, based on which domains are currently active according to the available data sources. WildFire content is updated every 15 minutes, so in the most extreme case the domain assigned to a given signature can change every 15 minutes; how quickly a firewall sees such a change depends on its configured WildFire content update schedule.
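The following is an added example, not code from the Palo Alto Networks article or from any Palo Alto Networks product. It shows the practical consequence of the two points above: the signature ID ranges quoted in the article identify which content package a suspicious DNS hit came from, but because the domain behind an ID can be reassigned between content releases, an analyst should pivot on the queried domain rather than on the ID. The signature-to-domain snapshots, the log line format and the domains are constructed sample data; the only values taken from the article are the two ID ranges.

```python
"""Added example: why a suspicious DNS signature ID is a poor investigation pivot.

The ID ranges are the ones quoted in the article. The two "content snapshots",
the log lines and every domain below are constructed for illustration.
"""
import re
from collections import defaultdict

# Suspicious DNS signature ID ranges quoted in the article.
WILDFIRE_DNS_RANGE = (3_800_000, 3_999_999)
AV_DNS_RANGE = (4_000_000, 4_199_999)


def dns_signature_source(threat_id):
    """Return "wildfire", "antivirus" or None for a threat/signature ID."""
    if WILDFIRE_DNS_RANGE[0] <= threat_id <= WILDFIRE_DNS_RANGE[1]:
        return "wildfire"
    if AV_DNS_RANGE[0] <= threat_id <= AV_DNS_RANGE[1]:
        return "antivirus"
    return None


# Constructed snapshots of the signature-ID -> domain mapping from two
# hypothetical consecutive WildFire content releases, 15 minutes apart.
SNAPSHOT_T0 = {3_800_101: "bad-cdn.example", 3_800_102: "dropper.example", 3_800_103: "stage2.example"}
SNAPSHOT_T1 = {3_800_101: "bad-cdn.example", 3_800_102: "loader.example", 3_800_104: "beacon.example"}


def diff_signature_snapshots(old, new):
    """Classify each signature ID as unchanged, reassigned, added or purged."""
    result = {"unchanged": [], "reassigned": [], "added": [], "purged": []}
    for sid in sorted(set(old) | set(new)):
        if sid in old and sid in new:
            result["unchanged" if old[sid] == new[sid] else "reassigned"].append(sid)
        elif sid in new:
            result["added"].append(sid)
        else:
            result["purged"].append(sid)
    return result


# Constructed threat log lines in a simplified key=value form. The queried
# domain is carried inside the threat name, as "(generic:<domain>)".
SAMPLE_LOGS = [
    "ts=2018-09-26T13:00Z threat_id=3800102 name=Suspicious DNS Query (generic:dropper.example) src=10.1.2.3",
    "ts=2018-09-26T13:20Z threat_id=3800102 name=Suspicious DNS Query (generic:loader.example) src=10.1.2.9",
    "ts=2018-09-26T13:21Z threat_id=4000500 name=Suspicious DNS Query (generic:dropper.example) src=10.1.2.3",
    "ts=2018-09-26T13:22Z threat_id=12345 name=Some Other Signature src=10.1.2.4",
]

# Captures: threat ID, optional "(generic:<domain>)" inside the name, source IP.
LOG_RE = re.compile(r"threat_id=(\d+) name=(?:[^()]*\(generic:([^)]+)\))?.*?src=(\S+)")


def group_dns_hits_by_domain(lines):
    """Pivot suspicious-DNS hits on the domain, not the signature ID.

    The same ID (3800102) covers two domains across a content update, and the
    same domain (dropper.example) appears under IDs from both content packages.
    """
    by_domain = defaultdict(lambda: {"threat_ids": set(), "sources": set()})
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        threat_id, domain, src = int(m.group(1)), m.group(2), m.group(3)
        if domain is None or dns_signature_source(threat_id) is None:
            continue  # not a suspicious DNS signature hit
        by_domain[domain]["threat_ids"].add(threat_id)
        by_domain[domain]["sources"].add(src)
    return {d: {k: sorted(v) for k, v in rec.items()} for d, rec in by_domain.items()}


if __name__ == "__main__":
    print("content diff:", diff_signature_snapshots(SNAPSHOT_T0, SNAPSHOT_T1))
    for domain, rec in group_dns_hits_by_domain(SAMPLE_LOGS).items():
        print(f"{domain}: ids={rec['threat_ids']} hosts={rec['sources']}")
```

Running the block shows signature 3800102 reassigned from one domain to another between the two snapshots, and the log grouping attributes both hits on `dropper.example` to one internal host even though they arrived under IDs from different content packages; a search keyed on the threat ID alone would have split or mislabeled that activity.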
The approach to blocking and protecting customers has to adapt to the techniques used by malicious actors; flexible and accurate detection that avoids blocking legitimate traffic is paramount. For sites that leverage these cloaking features, triggering on the code used to deliver the actual malicious content is, in some instances, more accurate than reputation-based blacklisting of the site.
To keep our protections relevant to current threats, our signature pool changes constantly. If protections were not constantly tested, updated, and purged based on the active threat landscape, they would not be as useful.