Organizations are spending more and more on security. The global cybersecurity market was $173.6B in 2022 and is projected to grow to $298.5B in 20281. Yet cyberattacks continue to succeed and cause significant negative impact to businesses. The cost of downtime and recovery is skyrocketing, not to mention the brand damage and fines that come with becoming the victim of a cyberattack. As digital transformation permeates all industries, organizations find themselves grappling with an ever-expanding attack surface, creating fresh pathways for malicious actors to exploit.
DNS can play a pivotal role in early threat detection as well as fast threat response. For several decades cybersecurity approaches have been reactive and malware centric. An incident must occur before it can be stopped. Malware is always morphing, and threat actors easily change their malware to make it harder to detect. What if you could change your approach to proactively identify threat actor infrastructure before they are used in malware campaigns and before an IOC lands on an organization’s network?
This is exactly what DNS Detection and Response (DNS DR) does. It revolutionizes threat detection by shining a spotlight on threat actor infrastructure as bad actors register domains and configure them. It blocks DNS queries to those domains even before they are weaponized. In addition, DNS DR automates remediation via ecosystem integrations and helps SecOps teams to quickly identify which users or devices are making DNS queries to high-risk domains without having to go through multiple logs, enabling the benefits of faster triage and reduced MTTR.
The IDC Market Perspective
The IDC Market Perspective document titled “Infoblox Leverages Domain Name System for Detection and Response and Threat Intelligence” explores how Infoblox utilizes the Domain Name System (DNS) to enhance cybersecurity through detection, response, and threat intelligence. A summary of the report is provided below.
DNS Visibility
DNS visibility is crucial for detecting and responding to threats. Proper DNS hygiene ensures smooth transactions and blocks access to malicious sites. DNS detection and response (DR) companies provide visibility into command and control (C2) servers and high-risk domains.
Indicators of Compromise Unique to DNS
- DNS Tunneling: Used for legitimate purposes but can be exploited for data exfiltration.
- High Number of DNS Queries: Indicates potential malicious activity.
- Failed DNS Queries: Adversaries may use these to phish for usernames or applications.
Infoblox Threat Intel
Infoblox’s threat intelligence service focuses on contextual information about threat actors. It maintains billions of DNS transaction records and actively tracks malicious domains, blocking 60% of threats before the first DNS query and 82% within the first 24 hours.
Advice for Technology Suppliers:
- Educate Clients: Highlight the benefits of DNS-based security products.
- Focus on Integrations: Collaborate with NDR and threat intelligence vendors.
- Leverage DNS for Detection and Response: Use DNS as a platform for both preventative and proactive cybersecurity measures.
Key Takeaways
Infoblox leverages DNS to provide visibility into domain-to-domain connections and identify indicators of compromise (IOCs), significantly reducing the mean time to respond (MTTR) by 34%. The approach includes maintaining billions of DNS transaction records and actively tracking malicious domains.
- Enhanced Cybersecurity: Infoblox’s DNS-based solutions offer crucial detection, response, and threat intelligence capabilities.
- DNS Hygiene: Essential for preemptive threat mitigation, DNS hygiene involves blocking malicious domains and ensuring secure DNS transactions.
- Integration: DNS-based security solutions integrate seamlessly with existing IT and security operations, enhancing overall cybersecurity posture.
Recommended Actions
- Prioritize DNS Hygiene: Implement response policy zones (RPZs) and establish a DNS firewall with zero trust controls.
- Integrate DNS Capabilities: Combine DNS detection and response with network detection and response (NDR) platforms and threat intelligence vendors.
- Leverage DNS Logs: Use DNS logs to identify IOCs such as DNS tunneling and high numbers of DNS queries.
In summary, DNS plays a pivotal role in cybersecurity, offering unique advantages in threat detection, intelligence, and response. Infoblox’s innovative use of DNS demonstrates its potential to significantly enhance cybersecurity measures.
Read the full IDC report here.