Skip to main content

Trace and alert on suspicious domains

Big picture

Add threat intelligence feeds to Calico Cloud to trace DNS queries involving suspicious domains.

Value

Calico Cloud integrates with threat intelligence feeds so you can detect when endpoints in your Kubernetes clusters query DNS for suspicious domains, or receive answers with suspicious domains. When events are detected, an anomaly detection dashboard in the UI shows the full context, including which pod(s) were involved so you can analyze and remediate.

Features

This how-to guide uses the following Calico Cloud features:

  • GlobalThreatFeed resource to add threat intelligence feeds for tracking and analysis in the UI

Concepts

Calico Cloud supports pull methods for updating threat feeds. Use this method for fully automated threat feed updates without user intervention.

Domain name threat feeds

A best practice is to develop an allow-list of "known-good" domains that particular applications or services must access, and then enforce this allow-list with network policy.

In addition to allow-lists, you can use threat feeds to monitor your cluster for DNS queries to known malicious or suspicious domain names. Calico Cloud monitors DNS queries and generates alerts for any that are listed in your threat feed.

Threat feeds for domain names associated with malicious egress activity (e.g. command and control (C2) servers or data exfiltration), provide the most security value. Threat feeds that associate domain names with malicious ingress activity (e.g. port scans or IP sweeps) are less useful since these activities do not cause endpoints in your cluster to query DNS. It is better to consider IP-based threat feeds for ingress activity.

Before you begin...

Required

Privileges to manage GlobalThreatFeed.

We recommend that you turn down the aggregation of DNS logs sent to Elasticsearch for configuring threat feeds. If you do not adjust DNS log aggregation settings, Calico Cloud aggregates DNS queries from workloads in the same replica set. This means if a suspicious DNS query is detected, you will only know which replica set made the query and not which specific pod. Go to: FelixConfiguration and set the field, dnsLogsFileAggregationKind to 0 to log individual pods separately.

How to

This section describes how to pull threat feeds to Calico Cloud.

Pull threat feed updates

To add threat feeds to Calico Cloud for automatic updates (default is once a day), the threat feed(s) must be available using HTTP(S), and return a newline-separated list of domain names.

Using Manager UI

  1. From the Manager UI, select Threat Feeds --> Add Feed.

  2. Add your threat feed on the Add a New Threat Feed window. For example:

    • Feed Name: feodo-tracker
    • Description: This is my threat feed based on domains.
    • URL: https://my.threatfeed.com/deny-list
    • Content type: DomainNameSet
    • Labels: Choose a label from the list.
  3. Click Save Changes.

    From the Action menu, you can view or edit the details that you entered and can download the manifest file.

Go to the Alerts page to view events that are generated when an endpoint in the cluster queries a name on the list. For more information, see Manage alerts.

Using CLIs

  1. Create the GlobalThreatFeed YAML and save it to file. The simplest example of this looks like the following. Replace the name and the URL with your feed.

    apiVersion: projectcalico.org/v3
    kind: GlobalThreatFeed
    metadata:
    name: my-threat-feed
    spec:
    content: DomainNameSet
    mode: Enabled
    description: 'This is my threat feed'
    feedType: Custom
    pull:
    http:
    url: https://my.threatfeed.com/deny-list
  2. Add the global threat feed to the cluster.

    kubectl apply -f <your_threatfeed_filename>

Go to the Alerts page to view events that are generated when an endpoint in the cluster queries a name on the list. For more information, see Manage alerts.

Above and beyond

See GlobalThreatFeed resource definition for all configuration options.