Security teams running AWS Network Firewalls are under constant pressure. Attacks keep getting more sophisticated, faster and automated, while teams and budgets do not. According to IBM’s 2024 Cost of a Data Breach Report, the average global cost of a data breach reached USD 4.88 million, a 10 percent increase over the prior year, and the largest jump since the COVID-19 pandemic began. [1] At the same time, multiple studies indicate that over 90 percent of cyberattacks begin with phishing, and that attackers increasingly rely on domain-centric infrastructure for command and control (C2) and data theft. [2,3]
AWS has responded by making managed rules from AWS Marketplace available directly in AWS Network Firewall, [4] so customers can quickly add curated protections from trusted partners without extra infrastructure or complexity. This moves security controls closer to the edge of your AWS environment, rather than relying only on downstream detection tools. Even small, incremental improvements at the edge compound into sizeable reductions in both breach likelihood and impact by:
- Stopping more threats before they ever touch workloads
- Shifting security from reactive cleanup to preemptive blocking
- Reducing the cost and complexity of dealing with compromises later in the stack
Building on that foundation, Infoblox Managed Rules for AWS Network Firewall are now available for free as an Expanded Free Preview. Together, AWS and Infoblox give customers a preemptive, Protective DNS layer that helps stop phishing, C2 and data exfiltration before they impact AWS workloads.
What’s in It for You as an AWS Network Firewall Customer
With Infoblox Managed Rules enabled in AWS Network Firewall, you can:
- Block high-risk domains before connections are made.
  Reduce successful phishing sessions, credential theft and C2 callbacks by enforcing decisions at the domain layer instead of waiting for downstream alerts.
- Cut incident volume and noise for your security operations center (SOC).
  Prevent many attacks from ever reaching endpoints or downstream tools, so your team spends less time chasing avoidable alerts and more time on high-value investigations.
- Improve time-to-protection with AWS-native simplicity.
  Subscribe, enable and monitor curated rule groups directly in the AWS Network Firewall console, with no new appliances or agents to deploy.
- Strengthen defense in depth in line with AWS best practices.
  Add DNS-layer security at the firewall to complement existing AWS Network Firewall policies, AWS Managed Rules and partner managed rules. This aligns with the Security Pillar of the AWS Well-Architected Framework, which recommends multiple, mutually reinforcing controls around critical workloads.
- Scale protection automatically as your AWS footprint grows.
  As you add virtual private clouds (VPCs), regions and traffic, curated Suricata-compatible rule groups and automated feed updates scale with you without multiplying manual rule maintenance.
- Enable best-of-breed Protective DNS security (Infoblox) directly in the AWS console, without going back and forth between AWS Marketplace and the AWS console.
- Easily validate the security effectiveness by trying the solution without a big upfront commitment.
- Enjoy consumption-based pricing to match cloud purchasing and billing models.
Why DNS-Based, Preemptive Blocking Matters
Every phishing click, C2 callback and domain-based exfiltration attempt depends on DNS. That makes DNS the earliest and most universal signal of malicious intent.
Independent research and DNS-focused reports highlight that:
- Phishing remains a leading initial attack vector, responsible for a significant share of breaches and user-initiated incidents. For example, StationX data summarized by Paubox [2] shows that 91 percent of all cyberattacks begin with a phishing email and an estimated 3.4 billion phishing emails are sent every day.
- DNS is routinely abused for tunneling, C2 and exfiltration, and is a critical layer to secure in modern architectures. [5,6]
This is why Protective DNS and DNS-layer security are becoming core parts of cloud security programs. By enforcing predictive, DNS-based threat intelligence and decisions at your AWS Network Firewalls, you can:
- Block known and predicted malicious domains before workloads or users connect.
- Cut off entire clusters of attacker infrastructure that sit behind those domains, even as IPs and URLs change, so you catch fast-moving, domain-driven campaigns that IP or URL-only controls often miss.
- Reduce the number of attacks that reach endpoints, web proxies or security information and event management (SIEM), lowering the cost and time of cleaning them up later.
In other words, you move from reactive detection to preemptive, domain-centric control at a high-leverage point in your AWS environment.
What Infoblox Managed Rules for AWS Network Firewall Are
Infoblox Managed Rules for the AWS Network Firewall deliver curated rule groups that you enable natively within the AWS Network Firewall console. [7]
These rule groups are:
- Powered by Infoblox Predictive DNS Threat Intelligence
  Built from rich DNS telemetry, leveraging millions of indicators and years of DNS-focused research to identify malicious and high-risk domains earlier in the kill chain.
- Focused on High-Impact Protections
  - Phishing and credential theft
  - C2 communications
  - DNS and domain-based data exfiltration
- Continuously and Automatically Updated
  Curated rule groups that include millions of malicious domains and are automatically refreshed as attacker infrastructure changes, so customers stay protected without having to hand-edit or tune domain-level rules.
- Delivered as Suricata-Compatible Rule Groups
  Tuned specifically for use in AWS Network Firewall policies, alongside AWS-native and other partner rules.
You get all of this through an AWS-native experience. You use tools you already know, such as AWS Network Firewall and AWS Marketplace, while the preemptive protection works behind the scenes.

Figure 1. AWS Network Firewall deployment protecting an AWS Virtual Private Cloud (VPC)
How It Works in AWS Network Firewall
From a customer’s point of view, enabling Infoblox Managed Rules is straightforward:
- Subscribe via AWS Marketplace
  - In the AWS Network Firewall console, go to Managed rules from the AWS Marketplace.
  - Subscribe to Infoblox Managed Rules AWS Network Firewall and select the desired rule groups in the AWS Marketplace listing.
- Attach to existing firewall policies
  Associate Infoblox Managed Rules with AWS Network Firewall policies that protect:
  - Internet-facing traffic (north-south)
  - VPC-to-VPC and hybrid traffic (east-west, via transit gateways and inspection VPCs)
- Monitor and tune with AWS-native logging
  - Use AWS Network Firewall logging to see when Infoblox rules trigger and where they are blocking or alerting.
  - Forward logs to Amazon CloudWatch, S3 and your SIEM or security orchestration, automation and response (SOAR), so they fit into your existing investigation and automation workflows.
There is no new hardware to rack, no agents to deploy and no custom rule language to learn. AWS manages the lifecycle of managed rules in the firewall, while Infoblox keeps the rule groups and DNS intelligence current.
Two Concrete Ways Customers Benefit
1. Fewer Successful Phishing and Credential-Theft Incidents
Phishing continues to dominate cybercrime statistics. As noted earlier, StationX data summarized by Paubox [2] shows that 91 percent of cyberattacks begin with phishing, and an estimated 3.4 billion phishing emails are sent daily.
With Infoblox Managed Rules active in AWS Network Firewall, when a user, workload or third-party service in AWS attempts to reach a domain known or predicted to be part of a phishing campaign, the firewall can block that traffic before any sensitive data is submitted.
This protects:
- End users, such as developers or admins accessing AWS resources
- Cloud-hosted web applications and APIs
- Backend services that might follow links or redirect automatically
Customer Value: Fewer stolen credentials, compromised cloud identities and high-urgency incidents for your security and cloud teams.
2. Disrupted C2 Channels and Lateral Movement
Once adversaries gain a foothold, they typically establish C2 channels to coordinate movement and payloads. These channels are often built on rapidly changing, domain-centric infrastructure.
Infoblox Managed Rules help by:
- Blocking outbound domain-based connections to C2 infrastructure identified by Infoblox predictive intelligence
- Preventing beacons, remote tooling downloads and other C2 behavior at the network perimeter, often before endpoint or log-based tools would have enough evidence to raise an alert
Customer Value: Attackers lose the communication path they rely on for persistence and lateral movement. That reduces both dwell time and the scope of potential compromise in your AWS environment.
How This Fits into a Broader AWS Security Strategy
AWS has steadily evolved the AWS Network Firewall to support greater defense in depth at the cloud network perimeter, and managed rules from AWS Marketplace are a natural extension of that vision. [4] Infoblox Managed Rules align with this approach by:
- Delivering Protective DNS capabilities as an AWS Network Firewall managed rule option, right alongside AWS-authored and other partner-authored rules
- Giving customers more choice to layer in specialized DNS-based protections without leaving the AWS management plane or changing their deployment models
- Reinforcing best practices from the AWS Well-Architected Framework Security Pillar, which emphasizes multiple, mutually reinforcing controls around critical workloads
Additional Value for Existing Infoblox Threat Defense™ Customers
If you already use Infoblox Threat Defense or other Infoblox Protective DNS capabilities across on-premises, branch or multi-cloud environments, Infoblox Managed Rules for AWS Network Firewall help you:
- Extend the Same Predictive DNS Intelligence into AWS Network Firewall
  The same signal that powers resolver-level enforcement and analytics now drives curated rule groups at the AWS network perimeter.
- Build Consistent Policies across Environments
  Align how you block phishing, C2 and exfiltration domains across enterprise DNS resolvers, hybrid and multi-cloud deployments, and AWS Network Firewall-protected VPCs and transit gateways.
- Simplify Operations while Increasing Coverage
  Use one DNS-centric threat intelligence foundation while AWS Network Firewall provides regionally distributed, cloud-native enforcement close to your AWS workloads.
For Threat Defense customers with significant AWS footprints, this can be a low-effort way to expand preemptive protection while keeping policy and signal sources consistent.
Getting Started: A Simple Path to Preemptive Protection
If you are an AWS Network Firewall customer, you can start evaluating Infoblox Managed Rules with a few simple actions:
- Visit the AWS Marketplace Listing
  - Infoblox Managed Rules AWS Network Firewall
  - Review pricing, supported regions and offer details.
- Read the Joint Launch Content
  - Infoblox blog: Bringing Predictive Security to the AWS Network Perimeter
  - Infoblox press release: Infoblox Launches Predictive DNS-Based Threat Protection Solution on AWS
  - AWS partner overview: Infoblox for AWS
- Enable Infoblox Managed Rules in a Pilot AWS Environment
  - Attach Infoblox rule groups to a non-production AWS Network Firewall policy.
  - Start in alert or log-only mode for medium- and low-risk categories. Promote high and critical categories to block once behavior is validated against your traffic patterns and change processes.
- Integrate with Your Existing Observability and SOC Workflows
  Route AWS Network Firewall logs to CloudWatch, S3 and your SIEM or SOAR so your teams see when Infoblox rules are stopping threats and can build automation around those events.
- Plan Your Rollout across Additional VPCs and Regions
  Once you are comfortable with the behavior and results, extend Managed Rules usage to additional AWS environments, guided by your risk profile and critical workloads.
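For the pilot step above (run in alert mode, then promote to block once behavior is validated), the following added example, which is not Infoblox or AWS code, summarizes alert-log records per rule so you can see which internal sources and domains each alert-only signature touched. It assumes the firewall's Suricata EVE-style JSON alert log layout; the firewall name, signature IDs, signature text, IPs and domains are constructed sample values.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON record per line in the alert-log layout AWS
# Network Firewall emits (Suricata EVE style). Firewall name, IPs, SIDs,
# signature text and domains are invented for illustration.
SAMPLE_LOG = """\
{"firewall_name":"pilot-fw","event":{"event_type":"alert","src_ip":"10.0.1.15","dest_ip":"198.51.100.7","tls":{"sni":"login.phish.example"},"alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE phishing domain","severity":2}}}
{"firewall_name":"pilot-fw","event":{"event_type":"alert","src_ip":"10.0.2.20","dest_ip":"198.51.100.7","tls":{"sni":"login.phish.example"},"alert":{"action":"allowed","signature_id":9000001,"signature":"EXAMPLE phishing domain","severity":2}}}
{"firewall_name":"pilot-fw","event":{"event_type":"alert","src_ip":"10.0.1.15","dest_ip":"203.0.113.9","http":{"hostname":"c2.bad.example"},"alert":{"action":"blocked","signature_id":9000002,"signature":"EXAMPLE C2 domain","severity":1}}}
{"firewall_name":"pilot-fw","event":{"event_type":"alert","src_ip":"10.0.3.9","dest_ip":"192.0.2.44","tls":{"sni":"data.exfil.example"},"alert":{"action":"allowed","signature_id":9000003,"signature":"EXAMPLE exfiltration domain","severity":2}}}
{"firewall_name":"pilot-fw","event":{"event_type":"netflow","src_ip":"10.0.3.9","dest_ip":"192.0.2.44"}}
truncated-record {"firewall_name":
"""


def matched_domain(event):
    """Domain recorded for the flow: TLS SNI first, then HTTP Host header."""
    return (event.get("tls") or {}).get("sni") or (event.get("http") or {}).get("hostname")


def summarize(lines):
    """Group alert events by signature id; skip blank, malformed and non-alert records."""
    stats = defaultdict(lambda: {"signature": "", "allowed": 0, "blocked": 0,
                                 "domains": set(), "sources": set()})
    for line in lines:
        try:
            event = json.loads(line).get("event") or {}
        except (json.JSONDecodeError, AttributeError):
            continue
        alert = event.get("alert") or {}
        if event.get("event_type") != "alert" or alert.get("action") not in ("allowed", "blocked"):
            continue
        entry = stats[alert.get("signature_id")]
        entry["signature"] = alert.get("signature", "")
        entry[alert["action"]] += 1
        entry["sources"].add(event.get("src_ip"))
        if matched_domain(event):
            entry["domains"].add(matched_domain(event))
    return dict(stats)


def review_queue(stats):
    """Signatures seen only in alert mode, busiest first: review these before switching to block."""
    pending = [(sid, s) for sid, s in stats.items() if s["allowed"] and not s["blocked"]]
    return sorted(pending, key=lambda item: item[1]["allowed"], reverse=True)


if __name__ == "__main__":
    for sid, s in review_queue(summarize(SAMPLE_LOG.splitlines())):
        print(sid, s["signature"], f'hits={s["allowed"]}',
              f'sources={sorted(s["sources"])}', f'domains={sorted(s["domains"])}')
```

A signature that fires from many unrelated sources against a domain your workloads legitimately use is the false-positive pattern to rule out before promoting that category to block.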
Moving Ahead with AWS and Infoblox
As attackers adopt AI, automation and DNS-centric techniques, organizations need security controls that are equally automated, intelligent and easy to operationalize. AWS Network Firewall, with support for managed rules from AWS Marketplace, gives customers a powerful platform to do exactly that.
Infoblox Managed Rules for the AWS Network Firewall add a preemptive, Protective DNS layer to that platform. They help you stop phishing, C2 and data exfiltration earlier, with less effort and in a way that fits naturally into how you already run AWS.
To learn more or see a deeper architectural walkthrough, visit the AWS Marketplace listing or the Infoblox for AWS partner page, and start exploring how preemptive DNS-based protection can help you get more value from AWS Network Firewall.
Footnotes
1. IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs. IBM Newsroom. July 30, 2024. https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs
2. 2024 phishing statistics: Latest figures and trends. Anthoney, Caitlyn. Paubox. August 5, 2024. https://www.paubox.com/blog/2024-phishing-statistics-latest-figures-and-trends
3. Statistics on Phishing Attacks. Danielson, Lizzie. Huntress. March 11, 2026. https://www.huntress.com/phishing-guide/phishing-attack-statistics
4. Simplify cloud security with managed rules from AWS Marketplace for AWS Network Firewall. Parwani, Dhanil. Shah, Amish. AWS Security Blog. November 19, 2025. https://aws.amazon.com/blogs/security/simplify-cloud-security-with-managed-rules-from-aws-marketplace-for-aws-network-firewall/
5. 2024 DNS Threat Landscape. Lenaerts, Bart. Grimes, Tom. Infoblox Threat Intel. December 20, 2024. https://www.infoblox.com/blog/threat-intelligence/2024-dns-threat-landscape/
6. The Most Common DNS Security Risks in 2026 (And How to Mitigate Them). Heimdal. February 8, 2026. https://heimdalsecurity.com/blog/dns-security-risks/
7. Infoblox Managed Rules from AWS Marketplace for AWS Network Firewall (Infoblox solution note). Infoblox. 2025. https://insights.infoblox.com/solution-notes/infoblox-solution-note-infoblox-managed-rules-from-aws-marketplace-for-aws-network-firewall

