The Transformation of Infoblox Threat Intel – Part 1
Certain life events are unforgettable – your first kiss, your first date, and more! For those of us in the world of computer networking and cybersecurity, there are other special moments. These might include your first computer, your first computer game, your first encounter with a virus, your first firewall, and your first time dealing with Conficker. Yes, I know, I’ve been around for a while!
When I embarked on this journey, there was no such thing as “cyber” anything, let alone the Internet. Then came networks, followed by the Internet, viruses, and firewalls. Now, we’re dealing with more than just viruses seeking notoriety, testing possibilities, or demonstrating a spy’s loyalty to their country. Today’s cyber threats are complex, multi-layered, multi-actor, multi-attack, and often entirely socially engineered. It is almost amusing to see the lengths cybercriminals will go to in order to disguise their attacks and trick unsuspecting office workers into clicking on a malicious domain and voluntarily handing over their credentials. That is, until you realize that cybercrime is a massive trillion-dollar industry (as of 2023), making it the third-largest economy in the world, trailing only the USA and China. And if that were not enough, we must also contend with AI. However tired we may be of hearing about AI, we must accept that cybercriminals are already using it, which only makes protecting and defending our customers more challenging.
The cybersecurity industry is currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are exploring ways to leverage Artificial Intelligence and Machine Learning for a more proactive approach.
This shift is being communicated in many ways within the industry, including pre-campaign detection, early detection, and early mitigation. The old method of waiting for an attack or breach to occur and then identifying the tactics, techniques, and procedures (TTPs) used and/or the bad actor is no longer sufficient, although it remains an important part of the process.
The Infoblox Threat Intel team has undergone a paradigm shift in terms of the technologies and methodologies we use. The results have been outstanding. While our team has released several papers on these methodologies and findings over the past few years, they were primarily intended for threat intelligence researchers. The aim of this blog series is to present this information in a straightforward, concise manner that anyone with basic computer networking knowledge can comprehend.
The Shift
In late 2022, the Infoblox threat intel team applied patent-pending mathematical techniques and machine learning to analyze the 70 billion queries of passive DNS flowing through our customer network. Like the FBI in its pursuit of Al Capone, the team adopted a simple principle: ‘Follow the money, follow the infrastructure!’
This concept has long military precedent. Throughout history, the strategy of disrupting the supply chain to weaken adversaries has been employed successfully. For instance, during the Civil War, General Sherman strategically targeted railroads to cripple the Confederate army. During World War I and World War II, the same tactic was repeated to slow down enemy forces. The underlying principle remains clear: by identifying and disrupting critical infrastructure, we can effectively thwart or significantly impede hostile forces.
In the realm of Infoblox, trains laden with supplies or currency are not our concern. Cyber-attacks and attribution also lie outside our purview. Our domain (pun intended) revolves around DNS—that ubiquitous protocol that underpins the internet. We live, breathe, and, well, you know the rest—DNS! Driven by this focus, we embarked on a quest for robust ways to discover the DNS infrastructure used for cybercriminal activity. We sought the essential building blocks—the very DNA—required to assemble the intricate attacks wielded by today’s cybercriminals. In this pursuit, the Infoblox threat intel team began discerning patterns, and in some cases DNS signatures, within the intricate web of DNS infrastructure. These patterns and signatures soon revealed bad actors who had previously been invisible.
Domain Generation Algorithms (DGAs) serve as a favored tool for adversaries. They enable the creation of command and control (C2) servers—essential hubs for malware communication and command retrieval via DNS. Notably, Conficker was a very early adopter of this technique, as documented by Wikipedia. DGA domain names are typically generated en masse by an automated algorithm. The malware then runs the same algorithm to synchronize its communication, attempting to reach every dynamically generated domain name. Not all of these domains are operational, but a subset of them will be active; the remaining communication attempts inevitably fail.
This approach generates additional network traffic that traverses firewalls and inundates security teams with information. When seeking attribution for an attack within the Security Information and Event Management (SIEM) system, this intricate web of DNS communication becomes a crucial puzzle to unravel. Infoblox Threat Intel embarked on a journey years ago, uncovering these elusive domains through our AI/ML engine. These domains were subsequently added to dynamic block lists—a constantly evolving roster populated by our automated systems with domains identified in the wild as nefarious.
DGAs continued to evolve – the landscape shifted again. The once-standard Domain Generation Algorithms (DGAs) morphed into a more dynamic breed: Dynamic DGAs. Instead of relying solely on algorithmically generated gibberish, these new DGAs employ sets of actual words. The rationale? To look more like real-world domains and thus appear innocuous. But there’s a twist—their mathematical patterns can be discerned and tracked, leading to the identification of a sort of fingerprint or signature, which in turn allows the bad actor responsible to be identified and tracked.
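As an added illustration (not Infoblox’s own tooling, whose patent-pending methods are not described here), the following Python sketch shows the two DGA traits discussed above on a constructed resolver log: a host cycling through generated names produces a burst of failed (NXDOMAIN) lookups, and the names themselves are either random-looking labels or, for the dictionary-based “dynamic” DGAs, concatenations of real words. The thresholds, the word list and the log format are my own assumptions, chosen only to make the heuristic visible.

```python
import math
from collections import Counter, defaultdict
# Constructed sample resolver log, one "client query rcode" per line (not real data).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.7 qhz3kx9tv2lm.net NXDOMAIN
10.0.0.7 pw8nrk2j4dq.com NXDOMAIN
10.0.0.7 t7y2qlx8vn.info NOERROR
10.0.0.9 brightstormgarden.com NXDOMAIN
10.0.0.9 silentrivermountain.net NXDOMAIN
10.0.0.9 en.wikipedia.org NOERROR
"""
# Constructed stand-in for the word lists a dictionary ("dynamic") DGA draws from.
WORDS = {"bright", "storm", "garden", "silent", "river", "mountain", "window"}

def entropy(label):
    """Shannon entropy in bits per character; random-looking labels score high."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def word_segments(label, words=WORDS):
    """Dictionary words that exactly tile `label` (two or more), else []."""
    best = {0: []}
    for end in range(1, len(label) + 1):
        for start in range(end):
            if start in best and label[start:end] in words:
                best[end] = best[start] + [label[start:end]]
                break
    return segs if len(segs := best.get(len(label), [])) >= 2 else []

def classify_name(qname):
    """Classify the second-level label (assumed to be the registrable domain)."""
    label = qname.lower().rstrip(".").split(".")[-2]
    if segs := word_segments(label):
        return "dictionary-dga-like", segs
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    if len(label) >= 10 and entropy(label) > 3.0 and vowel_ratio < 0.3:
        return "random-dga-like", []
    return "benign", []

def dga_suspects(log_text, nx_ratio=0.5):
    """Clients whose NXDOMAIN share and DGA-like names show the failed-rendezvous pattern."""
    per = defaultdict(lambda: {"total": 0, "nx": 0, "flagged": []})
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        per[client]["total"] += 1
        per[client]["nx"] += rcode == "NXDOMAIN"
        if classify_name(qname)[0] != "benign":
            per[client]["flagged"].append(qname)
    return {c: s for c, s in per.items() if s["nx"] / s["total"] >= nx_ratio and s["flagged"]}
```

Run against the sample log, `dga_suspects` returns 10.0.0.7 (random-looking labels) and 10.0.0.9 (word-concatenation labels) and leaves the client that only resolved ordinary names alone; in a real deployment the word list and thresholds would have to be tuned against your own resolver data.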
Of course, this is a simplified explanation; the intricacies run deeper. Stay tuned for more insights on the evolution of DGAs.
DNS for Early Detection
Infoblox Threat Intel, equipped with 25 years of DNS experience, tirelessly develops and expands its arsenal of tools for identifying DNS infrastructure. Its quest? To create a superior digital DNS mousetrap—a DNS-based threat intelligence that pinpoints suspicious domains based on intricate DNS patterns, properties, behaviors, and signatures.
I realize I might be oversimplifying, but that’s precisely the intent of this document—clarity and accessibility. Let’s make it easy to understand.
The Domain Name System (DNS) appears deceptively simple—a straightforward protocol for translating human-friendly domain names into IP addresses. However, simplicity doesn’t necessarily equate to ease. While everyday DNS queries seem simple and easy, the layers of intricacy lurking beneath the surface can swiftly transform the simple protocol into a challenging maze. Admittedly, querying a DNS server that holds a copy of the record for the domain name your computer is looking for is straightforward. Yet, as we delve deeper, we encounter a labyrinth of concepts: recursion, referrals, AAAA records, MX records, DNSSEC, GSS-TSIG (Microsoft), TXT records, DNS tunneling, DNS exfiltration, Dynamic DNS, DNS over HTTPS (DoH), DNS over TLS (DoT), and more. These elements, though essential for safeguarding against potential attacks, can confound even seasoned investigators.
So, while the everyday DNS query may not require a rocket scientist, deciphering its intricate layers demands both expertise and persistence. It’s about preparing for the attack that hasn’t yet materialized. It’s about being proactive and moving the advantage back to the cyber defenders. In the vast digital landscape, where hundreds of thousands of domains sprout daily, distinguishing the malicious from the benign becomes a daunting task and takes time, the one precious resource we can never get back. As organizations grapple with blocking traffic to specific domain names, precision is paramount. After all, safeguarding an entire organization hinges on getting it right—the delicate balance between vigilance and accuracy.
Our journey into DNS-based threat intelligence began in 2022, and now, nearly two years later, the results have been nothing short of remarkable.
Throughout the entire year of 2023, the Infoblox Threat Intel team unearthed approximately 46 million suspicious and malicious domains. Even more impressive, our false positive rate was less than 0.0002%.
These were not benign entities—they were engaged in unethical activities, despite appearing as legitimate businesses with legitimate websites. Consider this: the domains within the suspicious feed have no associated Indicators of Compromise (IoCs). These domains are not yet categorized because no attack has yet occurred. As incidents unfold, other cybersecurity firms attribute them—whether as phishing attacks, malware infiltrations, or other nefarious deeds. Consequently, these domains are reclassified and shifted to a different type of feed, marking a dynamic journey through the ever-evolving landscape of digital security.
Preemptive protection shields anyone who utilizes these suspicious feeds from an attack even before it materializes. To put it differently, it’s akin to preventing your children from riding their bikes in a dangerous neighborhood or dissuading them from associating with a group of friends who haven’t yet faced consequences but are already displaying mischievous behavior. It is about stopping the potential for an attack before it fully materializes.
I’m not insinuating there is a ‘silver bullet’ that can stop all threats. No single approach can address every security challenge comprehensively. In fact, Infoblox has an AI/ML behavioral analytics engine to prevent other types of attacks that are designed to evade threat-intelligence-based solutions. Various security intelligence studies reveal that different cyber intelligence teams focus on distinct information and types of attacks from their unique perspectives. In an independent study conducted by one of our customers, they found that there was less than an 11% overlap in unique domain indicators of compromise (IoCs). While I would never advise you to discard firewalls or other IoC-based detection solutions for malware, ransomware, or advanced persistent threats (APTs), I strongly recommend leveraging DNS-based protection. This proactive approach shields your organization from malicious DNS infrastructure even before your organization becomes the target of an attack. Ignoring this capability would be unwise. In my more than 30 years in IT and security, I can confidently say that this approach comes closest to being a ‘silver bullet.’
Stay tuned for our next discussion, where we will delve into the behavioral analytics engine, lookalike domains, and the novel types of domain generation algorithms (DGAs) we have been uncovering.
References:
- https://it.nc.gov/documents/cybersecurity-newsletters/2023/esrmo-newsletter-february-2023/download?attachment#:~:text=Cybersecurity%20Ventures%20released%20a%20new,after%20the%20U.S.%20and%20China
- https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/