In today’s interconnected world, cyber threats pose a significant risk to organizations of all sizes. From sophisticated spear phishing attacks to MFA attacks that use lookalike domains to Traffic Distribution Systems (TDS), the threat landscape continues to evolve at a faster pace than existing defenses, causing breaches and data theft. In many of the attacks, threat actors age their domains for a very long time, sometimes even 120 days after the domains are registered. In other cases, threat actors are very quick and use registered domains within a few hours, targeting specific organizations.
Current security tools use a malware-centric approach, which means there must be some evidence of compromise before they start blocking malicious domains, and it could already be too late. There is a need to take a different approach to security, one that can proactively protect enterprises from criminal actors as they build their infrastructure to launch attacks.
Threat actors create thousands of new domains every day and rely on DNS to run malicious campaigns. All it takes is one DNS query to compromise a network. But the good news is 92% of attacks can be blocked using DNS, if done correctly.
Infoblox Threat Intel: Hunts Threats in DNS to Disrupt Cybercrime at its Core
Infoblox takes a unique approach to threat detection and response. It uses AI and patented algorithms to identify dangerous domains before actors use them, often months ahead of other security tools.
Here’s how Infoblox Threat Intel works:
- DNS Expertise: Infoblox specializes in DNS. Our team of experts have a deep understanding of and unique visibility into DNS, allowing us to identify attacker infrastructure as it gets created to preempt and block emerging threats.
- Data Science and Correlation: We combine DNS expertise with cutting-edge data science techniques. Tens of algorithms identify suspicious domains among the 200,000+ newly registered every day. Machine learning identifies groups of domains that are registered or used together for malicious purposes. These detections are correlated and connected to threat actor infrastructure to allow a holistic view of the threat landscape.
- Threat Actor Tracking: Infoblox connects the dots between threat actors and their infrastructure. A patent pending architecture allows Infoblox Threat Intel to identify emerging threats and watch threat actors as they set up their domains for attack. Actor algorithms monitor infrastructure for changes and harvest new threats.
Infoblox Threat Intel has researchers in 5 countries across 8 time zones and is the first and only team in the world with the combination of deep expertise in DNS, data science, ML/AI, intelligence analysis, S/W reverse engineering and malicious spam detection. It is headed by Dr. Renée Burton, a 22-year veteran of the NSA.
By the Numbers
Infoblox Threat Intel:
- Detects 60% of threats before the first DNS query and 82% within 24 hours of the first query
- Blocks attacks on an average of 63 days earlier
- Has 0.0002% false positive rate
- Adds close to 4M new malicious and suspicious domains monthly
- Analyzes 70 billion DNS events daily
Powering BloxOne Threat Defense for Proactive Protection
The DNS centric threat intelligence is used in Infoblox’s DNS Detection and Response solution, which includes the flagship product BloxOne Threat Defense, to proactively protect customers against emerging threats, while ensuring critical domains are not blocked.
Threat Actor Reports: Infoblox Threat Intel also frequently publishes reports on threat actors detected in customer networks and domains related to those threat actors, and these publications are now easily accessible from within the BloxOne Threat Defense user interface.
Zero Day DNSTM: Complementing the threat intelligence is another feature of BloxOne Threat Defense that addresses threats from domains that are registered and used immediately for attacks. This capability, called Zero Day DNS™, inspects customer network DNS traffic in near real time to detect and block threats from domains that are registered by threat actors just minutes to hours before being used in an attack. This protects customers against targeted attacks like spear phishing that leverage lookalike domains, providing the earliest defense against these attacks.
Sharing with the Ecosystem: BloxOne Threat Defense can also automatically share Infoblox Threat Intel with other existing security and observability ecosystem tools such as SIEMs, NGFWs and proxies to enhance protection against DNS threats across all control points and maximize security ROI.
In conclusion, Infoblox Threat Intel is more than just threat detection; it’s a proactive defense strategy. By focusing on DNS, we disrupt threat actors’ operations and enhance your existing security ecosystem. Cybersecurity is a collective effort. Stay informed, stay vigilant, and partner with Infoblox to secure your digital future.
Click here for more information on Infoblox Threat Intel.
Click here for more information on BloxOne Threat Defense.