A recent cybersecurity advisory [1] from the Cybersecurity and Infrastructure Security Agency (CISA) notified organizations, internet service providers (ISPs), and cybersecurity service providers about the threat posed by fast flux-enabled malicious activities. CISA indicated that many networks have inadequate defenses against this threat.
Though no recent activities related to this threat have been observed by Infoblox Threat Intel, Infoblox customers are protected from the attacks mentioned in the notice.
Attackers keep finding new ways to avoid detection
Infoblox Threat Intel monitors Domain Name System (DNS) usage among thousands of customers worldwide and tracks numerous threat activity clusters. While fast flux attacks were in use by some threat actors years ago, Infoblox Threat Intel suggests it is not as common anymore. Some broader insights below:
- Actors Abandon Fast Flux: The fast flux technique is old, and running it independently during an attack requires significant skills, resources and planning. In other words, it does not provide that much advantage in an attack. CISA suggests detection based on unusually low time-to-live (TTL) values in DNS records (e.g., a fast flux domain may change its IP address every three to five minutes). For threat researchers providing Protective DNS solutions, this is a relatively easy task when leveraging passive DNS. Widespread adoption of protective DNS over the past years caused actors to abandon fast flux and move on to more lucrative techniques.
- Effectiveness of Protective DNS: Making a decision based only on fast flux characteristics, like geo-location or TTL, can also be risky and lead to false positives, as legitimate load balancing may exhibit similar patterns. Instead, Protective DNS solutions use a variety of algorithms to provide the most comprehensive protection with the lowest rate of false positives. Protective DNS providers, like Infoblox, can identify bad domain behavior in many ways and block at the domain level, so having numerous IPs actually works against the actors from a detection perspective.
- Advanced Evasion Techniques Take Over: Many sophisticated actors have progressed to employing more advanced evasion services, such as Traffic Distribution Systems (TDSs) or domain cloaking. Furthermore, instead of developing their own evasion techniques like fast flux, actors today leverage specialized services from malicious adtech providers. These services are significantly more challenging to detect, disrupt, or dismantle compared to fast flux DNS. Attackers use the components of adtech not only to hide their operations, but also to target the most vulnerable victims in their campaigns. Unfortunately for defenders, adtech also remains underreported within the research community or security industry.
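As an added illustration of the two points above on TTL-based detection and its false-positive risk (example code, not Infoblox's or CISA's method), the heuristic below combines a low TTL with IP and ASN diversity observed in passive DNS, so a CDN-style domain rotating many IPs inside one network is not flagged as fast flux. The records, the ASN enrichment and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed passive DNS rows (domain, resolved IP, TTL in seconds, ASN); not real data.
OBSERVATIONS = [
    ("flux.example", "198.51.100.10", 180, 64500),
    ("flux.example", "198.51.100.77", 240, 64501),
    ("flux.example", "203.0.113.5", 300, 64502),
    ("flux.example", "203.0.113.99", 180, 64503),
    ("flux.example", "192.0.2.44", 240, 64504),
    ("flux.example", "192.0.2.200", 180, 64505),
    ("cdn.example", "192.0.2.1", 60, 64496),
    ("cdn.example", "192.0.2.2", 60, 64496),
    ("cdn.example", "192.0.2.3", 60, 64496),
    ("cdn.example", "192.0.2.4", 60, 64496),
    ("cdn.example", "192.0.2.5", 60, 64496),
    ("static.example", "203.0.113.1", 86400, 64510),
]

# Assumed thresholds for illustration: LOW_TTL matches the 3-5 minute rotation
# window mentioned above; the IP/ASN minimums are arbitrary example values.
LOW_TTL, MIN_IPS, MIN_ASNS = 300, 5, 3

def summarize(observations):
    """Aggregate per-domain TTLs plus distinct IP and ASN sets from passive DNS rows."""
    stats = defaultdict(lambda: {"ttls": [], "ips": set(), "asns": set()})
    for domain, ip, ttl, asn in observations:
        s = stats[domain]
        s["ttls"].append(ttl)
        s["ips"].add(ip)
        s["asns"].add(asn)
    return stats

def classify(domain_stats):
    """Label each domain; a low TTL on its own is only a hint, never a verdict."""
    verdicts = {}
    for domain, s in domain_stats.items():
        low_ttl = max(s["ttls"]) <= LOW_TTL
        many_ips = len(s["ips"]) >= MIN_IPS
        many_asns = len(s["asns"]) >= MIN_ASNS
        if low_ttl and many_ips and many_asns:
            verdicts[domain] = "fast_flux_candidate"   # low TTL + IPs spread over many networks
        elif low_ttl and many_ips:
            verdicts[domain] = "low_ttl_single_asn"    # typical CDN / load-balancer pattern
        elif low_ttl:
            verdicts[domain] = "low_ttl"               # not enough evidence by itself
        else:
            verdicts[domain] = "benign_pattern"
    return verdicts

VERDICTS = classify(summarize(OBSERVATIONS))
```

A candidate label here is a starting point for analyst review, not a block decision; the passive DNS context that backs it is what makes the domain worth investigating.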
Identifying Actors and Tracking Malicious Infrastructures
Modern security teams rely much less on IP reputation lists for detection, as IP address-based threat context is now ephemeral: actors rotate their infrastructure continuously.
Instead, usage of DNS-based intelligence offers a solid alternative for several reasons:
- Domains are set up days, weeks, or months before any attack. As a result, DNS intelligence offers protection opportunities before the actor activates their threat campaign.
- DNS-based intelligence offers a broad spectrum of threat insights, like the presence of lookalike domains used in phishing, TDSs to evade threat research, DNS tunneling to hide data theft, and more.
- Domains are elementary building blocks of the internet and can be used as universal control hooks. Laptops, smartphones, IoT devices, servers, and cloud instances all use DNS to initiate connections. The goal with protective DNS is to block the domain resolution, regardless of the IP address and regardless of the technique. Simply put, when you block the domain, you block the IP connection and multiple threats behind it.
Infoblox Threat Intel tracks the actors and their malicious infrastructure in near real-time using advanced data science techniques. By combining highly accurate threat intelligence and machine learning-based analytics, customers using Infoblox Threat Defense are protected against a variety of attacks. These include the basic techniques mentioned in CISA's advisory [1] plus many more advanced techniques, for instance those used by malicious adtech providers.
In addition to discovering threats, Infoblox Threat Intel also provides security context around discovered indicators like an actor name behind the attack, the specific DNS technique used and even related indicators. This threat context provides security teams with new clues to investigate ongoing attacks in depth and initiate effective responses.
Effective Protection with Predictive Intelligence
To effectively protect against threats like fast flux or more advanced malicious adtech techniques, security teams need to look beyond detections that are based only on IP addresses. Proactive security starts with leveraging Protective DNS that is powered by real-time threat intelligence tracking actors' malicious infrastructure and related tactics. Armed with predictive intelligence, security teams are ready to protect their organization against a broad spectrum of attack techniques and stop actors before they reach their victims.