Enterprise Security Needs are Changing Rapidly
The way employees in global organizations work has changed drastically over the years. Employees are far less often confined to a company building behind the corporate firewall and much more likely to be working remotely, from home, coffee shops, or co-working spaces. This shift in work patterns calls for modern security mechanisms. To secure such a complex environment, enterprises deploy a multitude of security solutions, and the key is to leverage the context and intelligence across all of them to get the maximum security coverage. Infoblox takes an ecosystem approach to holistic protection against DNS-based attacks through its TIDE integrations.
Infoblox TIDE Integration with Windows 2016
TIDE stands for Threat Intelligence Data Exchange and includes various kinds of threat feeds. It is available to our ActiveTrust Suite customers. Infoblox ActiveTrust Suite contributes to the security landscape by blocking DNS-based data exfiltration, stopping malware communication with command-and-control servers, and automatically preventing access to content that does not comply with policy.
The TIDE API provides a mechanism to pull real-time, curated threat feeds for use in third-party applications. These normalized, high-quality threat feeds form part of the data API. Check the TIDE Solution Integrations section of the Infoblox community site for up-to-date information on the available integrations.
The TIDE API provides threat feeds in several formats, including CSV and JSON. Besides the API, the same feeds are available as Response Policy Zones (RPZ), which DNS servers load in order to filter queries for detected threats and indicators of compromise in real time. RPZ is a BIND feature and is not available in Microsoft DNS. The DNS policies introduced in Windows Server 2016 can serve a similar purpose, as a first-level filter on DNS queries. The Infoblox TIDE integration with Windows 2016 uses DNS policies in exactly this way: it takes the threat feeds from ActiveTrust Cloud (ATC) TIDE and applies them as policies on the local Windows 2016 DNS server.
Installation and Setup
The integration is delivered as PowerShell scripts in the installation package. The package includes an installer that creates scheduled tasks, which run in two modes: incremental and reset. Incremental mode pulls the delta (newly published indicators) from TIDE and appends them to the existing DNS policies. Reset mode pulls all feeds afresh and removes the old policies; it runs less frequently than incremental mode. The tasks also remove expired indicators of compromise, so that only relevant policies remain on the server. Setup requires only an API key, which is available from an ATC account profile.
Hence the main prerequisite is an ATC account. The package also includes a utility called “GetDNSTool,” which lists the policies added by the Infoblox task and shows the contents of a specific policy.
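The mechanism described in the two passages above (DNS policies as an RPZ substitute, and the incremental versus reset modes of the scheduled tasks), as an added example that is not part of the Infoblox package: a PowerShell sketch that parses a constructed TIDE-style host feed, drops expired indicators, and applies the rest to the local Windows Server 2016 DNS server as query resolution policies. The default path mirrors incremental mode (append only hosts that have no policy yet); the -Reset switch mirrors reset mode (remove every policy the script owns, then rebuild from the full feed). The feed columns (host, expiration), the "TIDE-" policy-name prefix, the choice of DENY as the action, and the function names are assumptions made for this example; the DnsServer cmdlets are the built-in ones.

```powershell
# Added example, not Infoblox's own script. Requires the DnsServer PowerShell
# module (present on a server with the DNS Server role). Run on the DNS server.

# Constructed sample feed shaped like a CSV export: one indicator per row.
# Column names are an assumption for this example, not the TIDE API schema.
$SampleFeed = @"
host,expiration
malicious.example,2099-01-01T00:00:00Z
c2.example,2099-06-30T00:00:00Z
stale.example,2001-01-01T00:00:00Z
"@

# Assumed naming convention: every policy this script creates carries this prefix,
# so it can later tell its own policies apart from ones an administrator added.
$PolicyPrefix = 'TIDE-'

function Get-ActiveIndicators {
    param([string]$FeedCsv, [datetime]$Now = (Get-Date).ToUniversalTime())
    # Parse the feed and drop indicators whose expiration has already passed,
    # so only currently relevant hosts turn into policies.
    $FeedCsv | ConvertFrom-Csv | Where-Object {
        [datetimeoffset]::Parse($_.expiration).UtcDateTime -gt $Now
    } | Select-Object -ExpandProperty host
}

function Get-TidePolicyName {
    param([string]$HostName)
    # Policy names must be unique on the server; derive them from the indicator.
    "$PolicyPrefix$HostName"
}

function Sync-TidePolicies {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$FeedCsv,
        [switch]$Reset
    )
    $Wanted = @(Get-ActiveIndicators -FeedCsv $FeedCsv)

    # Policies created by an earlier run, identified by the name prefix.
    $Existing = @(Get-DnsServerQueryResolutionPolicy |
        Where-Object { $_.Name -like "$PolicyPrefix*" })

    if ($Reset) {
        # Reset mode: drop everything we own, then rebuild from the full feed.
        # Expired indicators disappear here because the feed filter excludes them.
        foreach ($p in $Existing) {
            if ($PSCmdlet.ShouldProcess($p.Name, 'Remove DNS policy')) {
                Remove-DnsServerQueryResolutionPolicy -Name $p.Name -Force
            }
        }
        $Existing = @()
    }

    $ExistingNames = @($Existing | ForEach-Object Name)

    foreach ($h in $Wanted) {
        $Name = Get-TidePolicyName $h
        # Incremental mode: append only, skip hosts that already have a policy.
        if ($ExistingNames -contains $Name) { continue }
        if ($PSCmdlet.ShouldProcess($h, 'Add DENY policy')) {
            # DENY answers the client with REFUSED; IGNORE would drop the query
            # silently. Either blocks resolution; DENY is the assumption here.
            Add-DnsServerQueryResolutionPolicy -Name $Name -Action DENY -Fqdn "EQ,$h"
        }
    }
}

# Preview a reset run without changing the server (-WhatIf); drop -WhatIf to apply.
Sync-TidePolicies -FeedCsv $SampleFeed -Reset -WhatIf
```

Each policy here matches a single FQDN; the -Fqdn criterion also accepts wildcards such as "EQ,*.malicious.example" when a whole domain should be blocked. A server-level policy created this way is consulted before normal resolution, which is what makes it a first-level filter in the same position an RPZ occupies on BIND.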
Get more from your Windows 2016 investments
The additional threat feeds from the TIDE integration help an existing Windows DNS server (Windows Server 2016 or later) become more secure through real-time awareness and filtering of known indicators of compromise.