How threat intelligence is applied in DNS security

For over two decades, Infoblox has been synonymous with domain name system (DNS) security, helping organisations in defending against attacks targeting the availability or stability of a network’s DNS service.

These attacks encompass flooding a particular domain’s DNS servers in a distributed denial of service (DDoS) attack and DNS cache poisoning that may direct users to malicious or fraudulent websites, among others.

“The days where you could just turn on a DNS service on your server that answered every DNS query isn’t what is now marketed as zero trust,” said Chris Usserman, director of security architecture at Infoblox, referring to the well-known security model that defaults to denying access to an enterprise’s digital resources.

“What we’re doing with DNS for our users on the network is we’re going to evaluate whether or not you should go to a destination on the internet,” he added.

In 2016, the company elevated its capabilities with the $45m acquisition of IID, a threat intelligence firm, making it the first DNS, Dynamic Host Configuration Protocol (DHCP) and IP address management supplier – collectively known as DDI – at the time to combine contextual network data with federated threat intelligence to mitigate DNS security threats.

“We realised that tying in threat intelligence early on in an attack scenario that could be hugely instrumental in protecting networks and preventing attacks,” said Usserman. “And we’ve stayed true to our bread and butter [DDI] as networks expanded from bare metal to virtual and into cloud.”

The complexity of distributed networks makes network management particularly challenging. Network managers and architects will need to know where their network is and “you can’t just put your arms around it and say it’s inside these four walls”, said Usserman.

He added that by bridging real-time network intelligence network management at the DHCP layer with DNS, security operations teams can identify which network resources are at risk and prioritise their responses accordingly.

The network intelligence comes from billions of petabytes of data on global DNS activity, enabling Infoblox to identify not only anomalous behaviour, but also patterns in potential threat activity. “For example, if you type in a wrong domain like Gogle.com, that’s anomalous, but if you see that repeated time and time again, it becomes a pattern that needs further investigation,” said Usserman.

For “bad” destinations, he said Infoblox will validate and categorise them based on motivations and tactics, techniques and procedures to help guide the work of incident response teams. It also looks out for behavioural anomalies, such as the presence of Cobalt Strike beacons being deployed to conduct remote code executions, domain generating algorithms and other types of malicious activities.

“We’re also looking across packets and complete communications paths because these things are often bi-directional – we’re evaluating not only the outbound request, but also the return to identify anomalous behaviour,” said Usserman, adding that suspicious domains and other indicators are then fed into threat intelligence feeds and detection models.

Usserman, who has over 32 years of experience in the US intelligence community, noted that having a handle on DNS security can help organisations fend off potential software supply chain attacks. “It’s the aspect of knowing what’s on your network and being able to control or limit what’s there, so that you don’t have any rogue devices or network segments,” he said.