Did you know that Infoblox® provides 30 different threat intelligence feeds? Infoblox provides the most feeds of any DDI vendor. A Carnegie-Mellon University study of threat intelligence feeds from different sources or ISPs shows that no two feeds are alike. By selecting more than one threat intelligence feed, you get more threat intelligence coverage. Most DDI vendors only sell one threat intelligence feed.
Infoblox markets the TIDE feeds in 4 different packages:
- BloxOne™ Threat Defense Essentials
- BloxOne™ Threat Defense Business On-Premises and Business Cloud
- BloxOne™ Threat Defense Advanced
BloxOne™ Threat Defense Essentials (8 feeds):
- Base Hostnames
- Anti-malware
- Ransomware
- Bogon
- DHS_AIS_IP
- DHS_AIS_Hostname
- DHS AIS NCCIC Watch list Hostnames and Domains
- DHS AIS NCCIC Watch list IPs

BloxOne™ Threat Defense Business On-Premises and Business Cloud (19 feeds):
- Base Hostnames
- Anti-malware
- Ransomware
- Bogon
- DHS_AIS_IP
- DHS_AIS_Hostname
- DHS AIS NCCIC Watch list Hostnames and Domains
- DHS AIS NCCIC Watch list IPs
- Malware IPs
- Bot IPs
- Exploit Kit IPs
- Malware DGA hostnames
- TOR Exit Node IPs
- SURBL Multi domains
- SURBL Multi Lite domains
- SURBL Fresh domains
- US OFAC Sanctions IPs
- EECN IPs
- Cryptocurrency hostnames and domains

BloxOne™ Threat Defense Advanced (26 feeds):
- Base Hostnames
- Anti-malware
- Ransomware
- Bogon
- DHS_AIS_IP
- DHS_AIS_Hostname
- DHS AIS NCCIC Watch list Hostnames and Domains
- DHS AIS NCCIC Watch list IPs
- Malware IPs
- Bot IPs
- Exploit Kit IPs
- Malware DGA hostnames
- TOR Exit Node IPs
- SURBL Multi domains
- SURBL Multi Lite domains
- SURBL Fresh domains
- US OFAC Sanctions IPs
- EECN IPs
- Cryptocurrency hostnames and domains
- Extended Base & anti-malware Hostnames
- Extended malware IPs
- Extended TOR Exit Node IPs
- Extended Ransomware IPs
- Extended Exploit Kits IPs
- SpamBot IPs
- Spambot IPs DNSBL
BloxOne™ Threat Defense Essentials in Detail
Eight threat intelligence feeds can be downloaded to Infoblox appliance DNS firewalls:
- Base hostnames: The base hostnames set enables protection against known hostnames that are dangerous as destinations and are sources of threats such as APTs, bots, compromised hosts/domains, exploit kits, malicious name servers and sinkholes.
- Anti-malware: This set enables protection against hostnames that contain known malicious threats that can act on or take control of your system, such as malware command and control (C&C), malware download and active phishing sites.
- Ransomware: The ransomware set enables protection against hostnames that contain malware that restricts access to the computer system that it infects and demands a ransom for removal of the restriction. Some forms of ransomware encrypt files on the system’s hard drive. Others may simply lock the system and display messages intended to coerce the user into paying.
- Bogon: Bogons are often the source addresses of DDoS attacks. “Bogon” is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space that is reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). The areas of unallocated address space are called “bogon space.” Many ISPs and end-user firewalls filter and block bogons because they have no legitimate use and are usually the result of accidental or malicious misconfiguration.
- DHS AIS_IP and DHS AIS_Hostname (2 feeds): The Department of Homeland Security (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the federal government and the private sector. AIS is a part of the DHS’s effort to create an ecosystem in which, as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. IP indicators contained in this feed are not validated by DHS because the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption.
- DHS AIS NCCIC Watch list Hostnames and Domains and DHS AIS NCCIC Watch list IPs (2 feeds): Indicators contained in these feeds appear on the watch list from the National Cybersecurity and Communications Integration Center (NCCIC) and are not verified or validated by DHS or Infoblox. NCCIC acts as a hub for information-sharing activities among public and private sector partners to build awareness of vulnerabilities, incidents and mitigations. Data included in the AIS_IP, AIS_Hostname, DHS AIS NCCIC Watch list Hostnames and Domains and DHS AIS NCCIC Watch list IPs feeds includes AIS data subject to the U.S. DHS Automated Indicator Sharing Terms of Use, available at www.us-cert.gov/ais, and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use available at www.us-cert.gov/ais. Please email ncciccustomerservice@hq.dhs.gov for additional information.
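The Bogon entry above describes why firewalls drop packets whose source address lies in reserved or unallocated space. The following is an added example, not Infoblox code and not the contents of the Bogon feed: it classifies source addresses with Python's standard `ipaddress` module, whose `is_private`, `is_reserved`, `is_multicast` and related properties encode the IANA special-purpose ranges, and adds one extra range (the RFC 6598 shared address space) as an illustrative assumption. The sample flow records are constructed.

```python
"""Bogon source-address check.

Added example, not Infoblox code. An address is treated as a bogon when
it falls in a range that has no legitimate use as a source address on the
public Internet (unallocated, reserved, private, loopback, link-local,
multicast and similar). EXTRA_BOGON_NETS is an illustrative assumption,
not the contents of any vendor feed.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Ranges with no public-source use that ipaddress.is_private does not
# cover (assumption: illustrative list for this example).
EXTRA_BOGON_NETS = [
    ipaddress.ip_network("100.64.0.0/10"),  # shared address space (CGNAT), RFC 6598
]


def bogon_reason(addr_text: str) -> Optional[str]:
    """Return why addr_text is a bogon, or None if it could be a valid public source.

    Unparseable input is reported as a bogon too: a filter should never
    silently pass something it cannot classify.
    """
    try:
        addr = ipaddress.ip_address(addr_text.strip())
    except ValueError:
        return "unparseable"
    if addr.is_unspecified:
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local"
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved:
        return "reserved"
    if addr.is_private:
        return "private/special-purpose"
    for net in EXTRA_BOGON_NETS:
        if addr in net:  # False for mismatched IP versions
            return f"bogon range {net}"
    return None


def filter_bogon_sources(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Given (src, dst) pairs, return (src, dst, reason) for every bogon-sourced record."""
    flagged = []
    for src, dst in records:
        reason = bogon_reason(src)
        if reason is not None:
            flagged.append((src, dst, reason))
    return flagged


# Constructed sample flow records: (source, destination).
SAMPLE_FLOWS = [
    ("203.0.113.9", "198.51.100.20"),  # documentation range, RFC 5737 -> bogon
    ("10.1.2.3", "198.51.100.20"),     # private -> bogon
    ("100.64.1.1", "198.51.100.20"),   # CGNAT shared space -> bogon
    ("224.0.0.5", "198.51.100.20"),    # multicast is never a valid source -> bogon
    ("1.1.1.1", "198.51.100.20"),      # plausible public source
    ("2001:db8::1", "198.51.100.20"),  # IPv6 documentation range -> bogon
]

if __name__ == "__main__":
    for src, dst, reason in filter_bogon_sources(SAMPLE_FLOWS):
        print(f"DROP {src} -> {dst}: {reason}")
```

Because the check runs on the packet's claimed source, it is a cheap first filter in front of any reputation lookup; the flagged records above are the ones a bogon feed would also reject.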
BloxOne™ Threat Defense Business On-Premises and Business Cloud in Detail
BloxOne Threat Defense Business On-Premises and BloxOne Threat Defense Business Cloud offer the data sets available with BloxOne Threat Defense Essentials plus additional data sets that can be applied to the security infrastructure, including Infoblox DNS Firewall RPZ policy. They provide a total of 19 feeds. The additional data sets included in BloxOne Threat Defense Business On-Premises and BloxOne Threat Defense Business Cloud are:
- Malware IPs: The malware IP set enables protection against known malicious or compromised IP addresses. These are known to host threats that can act on or control a system by way of C&C, malware downloads and active phishing sites.
- Bot IPs: This set enables protection against self-propagating malware designed to infect a host and connect back to a central server or servers that act as a C&C center for an entire network of compromised devices, or “botnet.” With a botnet, attackers can launch broad-based, remote-control flood-type attacks against targets. Bots can also log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam and open back doors on the infected host.
- Exploit kit IPs: This set enables protection against distributable packs that contain malicious programs used to execute “drive-by download” attacks to infect users with malware. These exploit kits target vulnerabilities in the user’s machine (usually due to unpatched versions of Java, Adobe Reader, Adobe Flash, Internet Explorer and other applications) to load malware onto the victim’s computer.
- Malware DGA hostnames: Domain generation algorithms (DGAs) appear in various malware families and are used to periodically generate many domain names that can act as rendezvous points with their C&C servers. Examples include Ramnit, Conficker and Banjori.
- Tor Exit Node IPs: Tor Exit Nodes are the gateways where encrypted Tor traffic hits the Internet. This means an exit node can monitor Tor traffic (after it leaves the onion network). The Tor network is designed to make it difficult to determine its traffic’s source.
- SURBL Multi domains: This set of malicious domains includes up-to-date intelligence on active malware, phishing, botnet and spam domains, based on data provided by our partner SURBL.
- SURBL Multi Lite domains: A subset of SURBL Multithreat feed, Multi Lite is designed to fit on appliances with limitations on the number of threat intelligence entries that they can accommodate. SURBL Multi Lite offers more concise and targeted threat intelligence focusing on only the most current malicious sites. The combined set includes malware, phishing and botnet activity.
- SURBL Fresh domains: The SURBL Fresh feed deals with newly observed domains (NOD), providing critical, accurate information about when new domains are placed into service. This set of domains can be applied to Infoblox DNS Firewall RPZ security policies (e.g., block, quarantine, walled garden and others) to prevent resolution of new domains, based on the user’s defined policies. The set is based on data from our partner SURBL.
- US OFAC Sanctions IPs: This policy-based feed contains IPs of U.S. sanctioned countries listed by the U.S. Treasury Office of Foreign Assets Control (OFAC), which administers and enforces economic sanctions imposed by the United States against foreign countries. More information is available on the “Sanctions Programs and Country Information” page found here: www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx.
- EECN IPs: This policy-based feed contains IPs of countries in Eastern Europe and China that are often sources of cyberattacks seeking intellectual property or other sensitive or classified data, as well as theft of credit card or financial information.
- Cryptocurrency hostnames and domains: This feed covers threats that allow malicious actors to perform illegal and/or fraudulent activities: coinhives, which let site owners embed cryptocurrency mining software into their webpages in place of normal advertising; cryptojacking, which mines cryptocurrency on a visitor’s machine without the owner’s consent; and cryptocurrency mining pools.
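The Business feeds are described as data sets applied through Infoblox DNS Firewall RPZ policy with actions such as block and walled garden. The following is an added example, not Infoblox code and not its RPZ format: it shows how feed indicators become records in a generic Response Policy Zone of the kind BIND consumes, where a hostname is a QNAME trigger, an IPv4 prefix is encoded as `<prefixlen>.<reversed octets>.rpz-ip`, and the action is carried by the CNAME target (`.` for NXDOMAIN, `*.` for NODATA, `rpz-drop.`, `rpz-passthru.`, or a landing host for a walled garden). The zone name, feed labels and indicators are constructed.

```python
"""Turn feed indicators into DNS Response Policy Zone (RPZ) records.

Added example, not Infoblox code. Record shapes follow the generic RPZ
convention implemented by BIND: a QNAME trigger is the indicator hostname
itself, an IP trigger is "<prefixlen>.<reversed octets>.rpz-ip", and the
action is encoded in the CNAME target. Feed names and indicators below
are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Action -> CNAME target. "walled-garden" needs a landing hostname from
# the caller, so it has no fixed target here.
ACTION_TARGETS = {
    "block": ".",                 # NXDOMAIN
    "nodata": "*.",               # NODATA: name exists, empty answer
    "drop": "rpz-drop.",          # no response at all
    "passthru": "rpz-passthru.",  # allow-list exception for a name
}


@dataclass
class Indicator:
    value: str  # hostname, or IPv4 address / CIDR prefix
    kind: str   # "hostname" or "ip"
    feed: str   # constructed feed label, kept as a zone-file comment


def qname_trigger(hostname: str) -> str:
    """Normalise a hostname into an RPZ owner name (relative to the zone)."""
    return hostname.strip().rstrip(".").lower()


def ip_trigger(prefix: str) -> str:
    """Encode an IPv4 address or prefix as an rpz-ip owner name.

    192.0.2.0/24 becomes 24.0.2.0.192.rpz-ip; a bare address gets /32.
    IPv6 is left out of this example (its encoding uses "zz" for "::").
    """
    net = ipaddress.ip_network(prefix.strip(), strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 triggers only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rpz_records(indicators: List[Indicator], action: str = "block",
                landing: Optional[str] = None, cover_subdomains: bool = True,
                ttl: int = 300) -> List[str]:
    """Return one zone-file line per trigger for the requested action."""
    if action == "walled-garden":
        if not landing:
            raise ValueError("walled-garden needs a landing hostname")
        target = landing.rstrip(".") + "."  # CNAME to the landing-page host
    else:
        target = ACTION_TARGETS[action]
    lines = []
    for ind in indicators:
        if ind.kind == "hostname":
            owner = qname_trigger(ind.value)
            lines.append(f"{owner} {ttl} IN CNAME {target} ; feed={ind.feed}")
            if cover_subdomains:
                # The wildcard makes sub.bad.example match as well.
                lines.append(f"*.{owner} {ttl} IN CNAME {target} ; feed={ind.feed}")
        elif ind.kind == "ip":
            lines.append(f"{ip_trigger(ind.value)} {ttl} IN CNAME {target} ; feed={ind.feed}")
        else:
            raise ValueError(f"unknown indicator kind {ind.kind!r}")
    return lines


def rpz_zone(zone_name: str, indicators: List[Indicator], action: str = "block",
             landing: Optional[str] = None, serial: int = 1) -> str:
    """Assemble a complete RPZ zone file (SOA and NS are placeholders)."""
    origin = zone_name.rstrip(".")
    header = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    return "\n".join(header + rpz_records(indicators, action, landing)) + "\n"


# Constructed sample indicators with made-up feed labels.
SAMPLE = [
    Indicator("Bad.Example.", "hostname", "sample-hostnames"),
    Indicator("192.0.2.0/24", "ip", "sample-ips"),
    Indicator("198.51.100.7", "ip", "sample-ips"),
]

if __name__ == "__main__":
    print(rpz_zone("rpz.local", SAMPLE, action="walled-garden", landing="garden.rpz.local"))
```

A walled-garden target must itself resolve outside the policy zone, and the short TTL keeps a revoked indicator from lingering in client caches; the IP triggers match the addresses in a response, so they catch a fresh hostname that points at an already-listed address.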
BloxOne™ Threat Defense Advanced in Detail
BloxOne Threat Defense (B1TD) Advanced includes all the data feeds described above plus additional data feeds and the TIDE platform. It provides a total of 26 feeds. The additional data sets in BloxOne Threat Defense Advanced include:
Extended TTL feeds: These feeds expand the base, anti-malware, ransomware, exploit kit and TOR Exit Node feeds with recently expired indicators that have an extended time-to-live (TTL) applied. The extended TTL feeds increase the reach of protection for a DNS Firewall. However, they may also increase the risk of false positives because the indicators may no longer be active.
The Extended TTL feeds are:
- Extended base & anti-malware: Base and anti-malware hostname feeds combined into a single feed with the extended TTL feeds applied
- Extended malware IPs
- Extended TOR Exit Node IPs
- Extended ransomware IPs
- Extended exploit kit IPs
- Spambot IPs: This feed protects against computers or bot nodes that are part of a botnet and have been seen sending spam. The listed IPs also frequently carry a poor or negative reputation.
- Spambot IPs DNSBL: In DNSBL format, this feed contains IPs of known spam servers. It guards against computers or bot nodes that are part of a botnet and have been seen sending spam. It can help block incoming spam or potentially malicious emails from known spam sources by feeding into your email platform or appliance.
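The Spambot IPs DNSBL entry above says the feed is published in DNSBL format so that a mail platform can consume it. The following is an added example, not Infoblox code and not its feed contents: it shows the lookup a mail server performs against any DNSBL, reversing the address (octets for IPv4, nibbles for IPv6), appending the list's zone name and querying for an A record, where an answer inside 127.0.0.0/8 means "listed" and its last octet is the list's return code. The zone name, return-code meanings and resolver answers are all constructed; a real deployment would replace `constructed_resolve` with an actual DNS query.

```python
"""DNSBL lookup as a mail platform performs it.

Added example, not Infoblox code. The zone name, the return-code table and
the resolver answers below are constructed; real lists publish their own
zone and codes.
"""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

DNSBL_ZONE = "spambot-dnsbl.example"  # constructed zone name

# Constructed return-code table; real lists document their own.
RETURN_CODES = {2: "spambot", 3: "open relay", 4: "dynamic/residential"}

# Offline stand-in for a resolver: query name -> A record (or None = NXDOMAIN).
CONSTRUCTED_ANSWERS: Dict[str, Optional[str]] = {
    "3.2.0.192.spambot-dnsbl.example.": "127.0.0.2",
    "25.113.0.203.spambot-dnsbl.example.": "127.0.0.4",
    # A list zone that has lapsed and been wildcarded answers with a public
    # address; treating that as "listed" would reject all inbound mail.
    "9.113.0.203.spambot-dnsbl.example.": "198.51.100.250",
}


def dnsbl_query_name(addr_text: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL query name: reversed address labels + zone, absolute."""
    addr = ipaddress.ip_address(addr_text.strip())
    if addr.version == 4:
        labels = str(addr).split(".")                  # 4 octets
    else:
        labels = list(addr.exploded.replace(":", ""))  # 32 hex nibbles
    return ".".join(reversed(labels)) + "." + zone.rstrip(".") + "."


def constructed_resolve(name: str) -> Optional[str]:
    """Stand-in resolver returning the A record for name, or None."""
    return CONSTRUCTED_ANSWERS.get(name)


def dnsbl_check(addr_text: str,
                resolve: Callable[[str], Optional[str]] = constructed_resolve,
                zone: str = DNSBL_ZONE) -> Tuple[str, Optional[int]]:
    """Return (verdict, code); verdict is "listed", "clean" or "error".

    Only an answer inside 127.0.0.0/8 counts as a listing. Anything else is
    reported as an error so the caller can fail open and raise an alert.
    """
    answer = resolve(dnsbl_query_name(addr_text, zone))
    if answer is None:
        return ("clean", None)
    try:
        a = ipaddress.ip_address(answer)
    except ValueError:
        return ("error", None)
    if a.version != 4 or a not in ipaddress.ip_network("127.0.0.0/8"):
        return ("error", None)
    return ("listed", int(str(a).split(".")[-1]))


def describe(addr_text: str) -> str:
    """Human-readable verdict for one connecting address."""
    verdict, code = dnsbl_check(addr_text)
    if verdict == "listed":
        return f"{addr_text}: listed ({RETURN_CODES.get(code, 'unknown code ' + str(code))})"
    return f"{addr_text}: {verdict}"


if __name__ == "__main__":
    for ip in ("192.0.2.3", "203.0.113.25", "203.0.113.9", "198.51.100.1"):
        print(describe(ip))
```

The error branch is the caveat practitioners care about: a DNSBL that stops resolving or starts answering with non-loopback addresses must be treated as unusable, not as a list that contains everything.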
3rd Party Feeds
Infoblox also offers third-party feeds. They are available when you purchase the BloxOne Threat Defense Advanced package.
Crowdstrike™: This is a leading provider of next-generation endpoint protection, threat intelligence and services. CrowdStrike Falcon hostname and IP intelligence enables customers to prevent damage from targeted attacks, detect and attribute advanced malware and adversary activity in real time and effortlessly search all endpoints, reducing overall incident response time. Customers must purchase the CrowdStrike feed directly from CrowdStrike, but Infoblox can help to “turn on” the feed in the TIDE platform.
FireEye™: Its IP and hostname cyber threat intelligence equips enterprises with strategic, operational and tactical analysis derived by its global team of experts. A ThreatScape subscription provides the intelligence necessary to align a security program with business risk management goals and to proactively defend against new and emerging cyber threats. Customers must purchase the iSight feed directly from FireEye, but Infoblox can help to “turn on” the feed in the TIDE platform.
ThreatTrack™ Security BorderPatrol Feed: The BorderPatrol Sites feed is a blacklist consisting of domains associated with the distribution of potentially unwanted software and advertising.
Farsight Security™ Newly Observed Domains (NOD) Feed: This feed supplies an incremental layer of defense to combat malware exfiltration, brand abuse and spam-based attacks that originate or terminate at newly launched domains.
Proofpoint™ Emerging Threats (ET, previously IQRisk) IP and Domain Reputation Feed: This feed provides actionable IP and domain reputation entries that are scored based on observations of in-the-wild threat actor behavior and direct observations by Proofpoint’s ET Labs. Built upon a proprietary process that leverages one of the world’s largest active malware exchanges, victim emulation at massive scale, original detection technology and a global sensor network, Proofpoint ET Intelligence is updated in real time to provide organizations with the actionable intelligence to combat today’s emerging threats.
Which package should you choose? Different enterprises see hits on different feeds. It is best to try out all of the feeds to determine which ones get hit. The Infoblox sales account team can help conduct proof-of-concept testing.
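The closing advice is to trial the feeds and see which ones get hit, and the opening paragraph notes that no two feeds are alike. The following is an added example, not Infoblox code: it measures both, counting per-feed hits over resolver query logs (including queries whose name sits under a listed domain), counting hits that only one feed would have caught, and computing the Jaccard overlap between the feeds' indicator sets. The feeds, their entries and the log lines are constructed, and the `client=... qname=... qtype=...` log format is an assumption that would need adjusting for a real resolver's logs.

```python
"""Measure which feeds get hit, and how much they overlap.

Added example, not Infoblox code. Feeds are modelled as sets of hostnames
and the query log is a handful of constructed lines in a made-up
"client=... qname=... qtype=..." format.
"""
import re
from collections import Counter
from itertools import combinations
from typing import Dict, List, Optional, Set

# Constructed feeds (names echo the package contents; entries are made up).
FEEDS: Dict[str, Set[str]] = {
    "base_hostnames": {"bad.example", "c2.example"},
    "anti_malware": {"c2.example", "dropper.example"},
    "ransomware": {"locker.example"},
}

# Constructed resolver log lines.
LOG_LINES = [
    "2024-05-01T10:00:01Z client=10.0.0.5 qname=bad.example. qtype=A",
    "2024-05-01T10:00:02Z client=10.0.0.6 qname=www.c2.example. qtype=A",
    "2024-05-01T10:00:03Z client=10.0.0.7 qname=dropper.example. qtype=AAAA",
    "2024-05-01T10:00:04Z client=10.0.0.5 qname=locker.example. qtype=A",
    "2024-05-01T10:00:05Z client=10.0.0.8 qname=benign.example. qtype=A",
    "2024-05-01T10:00:06Z client=10.0.0.9 qname=cdn.bad.example. qtype=A",
]

LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")


def parse_qname(line: str) -> Optional[str]:
    """Extract the queried name from one log line, normalised; None if unparseable."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("qname").rstrip(".").lower()


def candidate_names(qname: str) -> List[str]:
    """The name and each parent: a.b.example -> [a.b.example, b.example, example]."""
    labels = qname.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def matching_feeds(qname: str, feeds: Dict[str, Set[str]]) -> Set[str]:
    """Feeds that list the name or any of its parent domains."""
    cands = set(candidate_names(qname))
    return {name for name, entries in feeds.items() if cands & entries}


def jaccard(a: Set[str], b: Set[str]) -> float:
    return len(a & b) / len(a | b) if (a | b) else 0.0


def evaluate(log_lines: List[str], feeds: Dict[str, Set[str]]) -> dict:
    """Per-feed hits, hits only one feed caught, queries covered, and feed overlap."""
    hits: Counter = Counter()
    unique: Counter = Counter()
    covered = 0
    for line in log_lines:
        qname = parse_qname(line)
        if qname is None:
            continue
        matched = matching_feeds(qname, feeds)
        if matched:
            covered += 1
        for feed in matched:
            hits[feed] += 1
        if len(matched) == 1:
            unique[next(iter(matched))] += 1
    overlap = {f"{a}/{b}": round(jaccard(feeds[a], feeds[b]), 3)
               for a, b in combinations(sorted(feeds), 2)}
    return {"hits": dict(hits), "unique_hits": dict(unique),
            "queries_covered": covered, "indicator_overlap": overlap}


if __name__ == "__main__":
    for key, value in evaluate(LOG_LINES, FEEDS).items():
        print(f"{key}: {value}")
```

The `unique_hits` figure is the one that answers the purchasing question: a feed with many hits but no unique hits adds little once the others are in place, while a low-volume feed with unique hits is covering something nothing else does.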