Traffic to an unknown blocklisted destination
Description
AlphaSOC detected traffic to an unknown blocklisted destination. Such traffic may indicate communication with infrastructure known to be malicious. Blocklists aggregate destinations associated with threats like malware, phishing, or command and control (C2) servers. This finding may indicate compromise or malicious activity within the network, such as installed malware communicating with adversary infrastructure.
Impact
Communication with blocklisted destinations can indicate malware infection, data exfiltration, or C2 activity. Threat actors may use these destinations to distribute malware or maintain persistence in compromised networks. This activity often precedes larger security incidents or data breaches.
Severity
| Severity | Condition |
|---|---|
| Medium | Traffic to an unknown blocklisted destination |
Investigation and Remediation
Identify the systems and users involved in the suspicious traffic. Review logs to determine the nature and volume of communications. Block the destination at network boundaries. Isolate affected systems and scan for malware. Update security controls to prevent future connections to known malicious infrastructure.
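The first two steps above (identify the hosts and users involved, then review logs for the nature and volume of the traffic) are the ones an analyst repeats for every instance of this finding. The following Python script is an added example, not AlphaSOC code: it matches a few constructed proxy/DNS-style log lines (timestamp, source host, destination, bytes) against a placeholder blocklist and summarises, per internal host and matched indicator, how many connections were made, how many bytes moved, and over what time window. The log format, the blocklist entries (an `.invalid` domain and a TEST-NET-3 range) and the log lines are all assumptions made for the example.

```python
"""Triage helper for a 'traffic to blocklisted destination' finding.

Added example (not AlphaSOC's code): matches constructed log lines against a
small constructed blocklist and summarises which internal hosts talked to
blocklisted destinations, how often, how much data, and over what window.
"""
import ipaddress
from datetime import datetime

# Constructed blocklist with placeholder values (not real indicators).
BLOCKLIST_DOMAINS = {"bad-example.invalid", "c2.bad-example.invalid"}
BLOCKLIST_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3

# Constructed log lines in an assumed "timestamp src dst bytes" format.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z 10.0.0.5 c2.bad-example.invalid 512
2024-05-01T10:00:31Z 10.0.0.5 c2.bad-example.invalid 480
2024-05-01T10:01:01Z 10.0.0.5 sub.c2.bad-example.invalid 490
2024-05-01T10:02:00Z 10.0.0.7 203.0.113.10 120000
2024-05-01T10:03:00Z 10.0.0.9 updates.example.com 2048
"""


def match_blocklist(dst):
    """Return the blocklist entry that matches dst, or None.

    IP destinations match when they fall inside a blocklisted network.
    Domain destinations match exactly or as a subdomain of a listed domain;
    the longest listed domain wins so the most specific indicator is reported.
    """
    dst = dst.rstrip(".").lower()
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None
    if addr is not None:
        for net in BLOCKLIST_NETWORKS:
            if addr in net:
                return str(net)
        return None
    for dom in sorted(BLOCKLIST_DOMAINS, key=len, reverse=True):
        if dst == dom or dst.endswith("." + dom):
            return dom
    return None


def parse_line(line):
    """Split one assumed-format log line into (timestamp, src, dst, bytes)."""
    ts, src, dst, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(nbytes)


def triage(log_text):
    """Summarise blocklisted traffic per (source host, matched indicator)."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = parse_line(line)
        indicator = match_blocklist(dst)
        if indicator is None:
            continue  # not blocklisted; nothing to report for this line
        entry = hits.setdefault((src, indicator), {
            "src": src, "indicator": indicator, "connections": 0, "bytes": 0,
            "first_seen": ts, "last_seen": ts, "destinations": set(),
        })
        entry["connections"] += 1
        entry["bytes"] += nbytes
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["destinations"].add(dst)
    # Noisiest host first so the analyst sees the most active pair at the top.
    return sorted(hits.values(), key=lambda e: (-e["connections"], e["src"]))


if __name__ == "__main__":
    for e in triage(SAMPLE_LOGS):
        window = (e["last_seen"] - e["first_seen"]).total_seconds()
        print(f'{e["src"]} -> {e["indicator"]}: {e["connections"]} connections, '
              f'{e["bytes"]} bytes over {window:.0f}s, '
              f'destinations={sorted(e["destinations"])}')
```

The per-host window and byte counts are what distinguish a single stray lookup from a host making regular, sustained connections, which is the case that warrants isolation and a malware scan; the `destinations` set shows whether one indicator covers several hostnames, which matters when blocking at the network boundary.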