Making External Threat Data Actionable
By Chris Richardson, Sr. Security Solutions Advisor
Infoblox Federal & CI Sectors
Several years ago, people started complaining to me about how difficult it was to apply external threat data (later called threat intelligence) at the right place at the right time within their security systems. Back then, I assumed this defined need would spark the growth of a boutique industry around technical data integration where trained specialists would come on site to map and tailor the various streams of data in various formats. They would then execute and fine-tune the use case to the security component, while vendors would work to make their offerings more malleable. Perhaps an academic field would spring up to create a large talent pool in response to this demand. To a certain extent this happened with Cybersecurity Engineering Ops curricula being developed at some universities and with the advent of the Threat Intelligence Platform business. More generally, the information security industry has responded by geometrically growing the venture capital investment in recent years– some 1,400 security vendors now all have “the answer” you need to invest in, and there are more in development or being launched every month. Yet what do we see and hear out there today?
- My SIEM “funnel” is too broad and my team is not getting to all the important alerts.
- My SIEM “funnel” is too narrow and my team is missing some of the avenues being abused by threat actors.
- Even with highly trained analysts and incident response professionals, we lack visibility into what assets are populating our network of concern.
- Even with some integrations into the SIEM, we are still not responding to incidents quickly enough.
- Poor data quality and lack of interoperability requires us to clean things up and devote time to “babysitting” process workarounds.
- I am at a point where I am ignoring potentially important meetings just to do my job.
Next-Level DNS as a First Responder
All the above complaints (or variants thereof) focus on one thing: You need more time in getting to the what, where, and how. You need to get greater returns out of what you currently have deployed. You need to break the logjam of “only our data works only on our technologies.” Even organizations that have hired dozens of analysts and incident responders encounter these issues and those that have deep benches also face the capacity, overhead management, and cost justification problems that come with teams that sprawl. In all cases, positioning a professional at a console as the very front line of defense leads to a hard ceiling on achieving the effectiveness you desire.
What if we look at the network control plane itself and see what happens when there is a threat event? In most cases, a connected device first makes a communication attempt out to other devices and other networks. The protocol it uses for this is DNS. So, whether you utilize it as such, your DNS resolver is a first responder on malicious communication attempts. It sits on the frontline as a threat tries to reach across or out from a device that you are responsible for securing. Is it worthy of activating as a frontline defender? It would be need to perform on some key criteria:
- Performance Scale – Not only should it be on 24×7, it should adjust to the changing scope and demands of your network.
- Data Scale – With threat data stores and newly observed hostname stores growing every month, such a solution should be able to “read and react” at the scale of tens of millions of records, continuously. And you need to be able to quickly and centrally augment this defensive component with additional data sets and apply them in a distributed fashion.
- Quality Scale – Amplifying junk only causes more headaches. You need a constant effort in place to ensure quality control and seek continuous improvement of the data itself. And even if you take the intelligent step of routing port 53 traffic to resolvers you authorize, can you trust the entity that is now providing directions “out there” for your sensitive systems? Ensuring that level of integrity is no longer optional.
As a leader in providing core network services, Infoblox has innovated enterprise-grade DNS for almost 20 years, and Infoblox ActiveTrust provides a first line of defense on all of these fronts for over 1,000 customers every day. In addition, Infoblox continues to drive toward certification and compliance on a host of standards and regulatory requirements. This effort illustrates our long-term commitment to being there for our customers in the public sector. We are a DNS Security leader. By maximizing your DNS Resolver as a smart gatekeeper for port 53 traffic now and in the future, you not only address how threat actors use your infrastructure but also how they mutate it via tunneling and surreptitious communications that traditional defenses simply don’t detect.
Your Network Control Plane as a Data Service
Let’s face it. DNS used to be a very dark art in the security world. It was something owned and operated in another building by another department. It can be a very arcane protocol with plenty of gotchas and idiosyncrasies. As long as DNS was up and answering queries, it was generally not something to be messed with due to concern over prolonged network disruptions. But what if it was easy? What if it was easy to engage, easy to collaborate with peers about, and easy to get valuable data out of? What if you could manage it the way you might manage the rules in your local email client, for an entire network? That’s exactly what Paul Vixie envisioned when he created response policy zones several years ago. In the accompanying announcement, he envisioned a vibrant marketplace of RPZ data suppliers and consumers. As an industry we are on our way toward achieving that vision – this is all far less exotic than it used to be. However, we must think big in terms of what data we can get from the DNS Resolver beyond merely applying blacklists:
- Can we easily set custom RPZs for network segments and even individual high-risk users? Yes.
- Can we access large-set DNS query logs as simply another source of intelligence to Regex, keyword, and Rest API Integrations? Yes.
- Can we instantly see if a device if generating a large spike in NXDOMAIN responses, indicating highly suspect activity? Yes.
- Can it learn from large sets of traffic patterns and determine what is malicious on a behavioral level? Yes.
- Can I cross-check queries from the last hour against those from the last 30 days, to see what’s new and potentially suspicious to me? Yes.
- Can I immediately see if a new device on a restricted network is trying very hard to reach the outside? Yes.
- Can I transmit the event data I specify from the network control plane out to my host of security solutions? Yes.
- Can I automatically have my ticket system handle the issue in the rare event that a user needs to get to a new hostname that I have deemed blockable? Yes.
Conclusion
Unleashing the creativity of your team to maximize DNS as a security asset is the power of next level networking. I have been involved in threat response for over 15 years and I have had the privilege of working alongside and learning from some of the masters in our field. I don’t claim to be a DNS expert. And I would not call myself a Threat Intelligence expert (yet!). But I can see clearly the immense potential value that bringing DNS front and center has for both Incident Response and efficient discovery of trouble on any modern network. At the end of the day, you have a user on a device reaching out to a threat. DNS, DHCP, and IP address management are the authoritative cadre you already have deployed that can see all three, and mitigate with confidence and without disruption. As our whitepaper, Why You Need Next Level Networking, Security and an Informed Ecosystem, points out, the sooner you see it, the faster you can manage it. Tens of billions of dollars have been invested in next-generation security technologies at the edge and at the end point without proper attention to the core of the network. Isn’t it time we focus on taking core network services to the next level?