{"id":9866,"date":"2024-04-15T08:00:24","date_gmt":"2024-04-15T15:00:24","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=9866"},"modified":"2024-04-11T08:50:15","modified_gmt":"2024-04-11T15:50:15","slug":"the-transformation-of-infoblox-threat-intel-part-1","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/","title":{"rendered":"The Transformation of Infoblox Threat Intel \u2013 Part 1"},"content":{"rendered":"<h3>The Transformation of Infoblox Threat Intel \u2013 Part 1<\/h3>\n<p>Certain life events are unforgettable &#8211; your first kiss, your first date, and more! For those of us in the world of computer networking and cybersecurity, there are other special moments. These might include your first computer, your first computer game, your first encounter with a virus, your first firewall, and your first time dealing with Conficker. Yes, I know, I\u2019ve been around for a while!<\/p>\n<p>When I embarked on this journey, there was no such thing as \u201ccyber\u201d anything, let alone the Internet. Then came networks, followed by the Internet, viruses, and firewalls. Now, we\u2019re dealing with more than just viruses seeking notoriety, testing possibilities, or demonstrating a spy\u2019s loyalty to their country. Today\u2019s cyber threats are complex, multi-layered, multi-actor, multi-attack, and often entirely socially engineered. It is almost amusing to see the lengths cybercriminals will go to disguise their attacks and trick unsuspecting office workers into clicking on a malicious domain and voluntarily handing over their credentials. That is, until you realize that cybercrime is a massive trillion-dollar industry (as of 2023), making it the third-largest economy in the world, trailing only the USA and China. And if that was not enough, we must contend with AI. 
Despite our annoyance at hearing about AI, we must accept that cybercriminals are already using it, which only makes protecting and defending our customers more challenging.<\/p>\n<table class=\"calloutbox\">\n<tr>\n<td><strong>The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach.<\/strong><\/td>\n<\/tr>\n<\/table>\n<p>This shift is being communicated in many ways within the industry, including pre-campaign detection, early detection, and early mitigation.\u202fThe old method of waiting for an attack or breach to occur and then identifying the tactics, techniques, and procedures (TTPs) used and\/or the bad actor is no longer sufficient, although it remains an important part of the process.<\/p>\n<p>The Infoblox Threat Intel team has undergone a paradigm shift in terms of the technologies and methodologies we use. The results have been outstanding. While our team has released several papers on these methodologies and findings over the past few years, they were primarily intended for threat intelligence researchers.\u202fThe aim of this blog series is to present this information in a straightforward, concise manner that anyone with basic computer networking knowledge can comprehend.<\/p>\n<h3>The Shift<\/h3>\n<p>In late 2022, the Infoblox threat intel team applied patent-pending mathematical techniques and machine learning to analyze the\u202f70 billion queries\u202fof passive DNS flowing through our customer network. Echoing the FBI\u2019s approach in pursuing Al Capone, they adopted a similar principle:\u202f\u2018Follow the money, follow the infrastructure!\u2019<\/p>\n<p>This concept has a long military precedent. Throughout history, the strategy of disrupting the supply chain to weaken adversaries has been successfully employed. 
For instance, during the Civil War, General Sherman strategically targeted railroads to cripple the Confederate army. During World War I and World War II, the same tactic was repeated to slow down enemy forces. The underlying principle remains clear: by identifying and disrupting critical infrastructure, we can effectively thwart or significantly impede hostile forces.<\/p>\n<p>In the realm of Infoblox, trains laden with supplies or currency are not our concern. Cyber-attacks and attribution also lie outside our purview. Our domain (pun intended) revolves around\u202fDNS\u2014that ubiquitous protocol that underpins the internet. We live, breathe, and, well, you know the rest\u2014DNS! Driven by this focus, we embarked on a quest for robust ways to discover DNS infrastructure used for cyber-criminal activity. We sought the essential building blocks\u2014the very DNA\u2014required to assemble the intricate attacks wielded by today\u2019s cyber criminals. And in this pursuit, the\u202fInfoblox threat intel team began discerning patterns, and in some cases DNS signatures, within the intricate web of DNS infrastructure. These patterns and signatures soon revealed bad actors previously invisible.<\/p>\n<p>Domain Generation Algorithms (DGAs)\u202fserve as a favored tool for adversaries. They enable the creation of command and control (C2) servers\u2014essential hubs for malware communication and command retrieval via DNS. Notably,\u202fConficker\u202fwas a very early adopter of this technique, as documented by Wikipedia. DGA domains are typically generated en masse using automated algorithms. Subsequently, the malware synchronizes its communication using the same algorithm, attempting to reach all the dynamically generated domain names. While not all these domains remain operational, a subset of them will be active. 
The remaining communication attempts inevitably fail.<\/p>\n<p>This approach introduces additional network traffic that traverses firewalls and inundates security teams with information. When seeking attribution for an attack within the Security Information and Event Management (SIEM) system, this intricate web of DNS communication becomes a crucial puzzle to unravel. Infoblox Threat Intel\u202fembarked on a journey years ago, uncovering these elusive domains through our AI\/ML engine. These domains were subsequently added to dynamic block lists\u2014a constantly evolving roster populated by our automated systems with domains identified in the wild as nefarious.<\/p>\n<p>DGAs continued to evolve &#8211; the landscape shifted again. The once-standard Domain Generation Algorithms (DGAs) morphed into a more dynamic breed:\u202fDynamic DGAs. Instead of relying solely on algorithmically generated gibberish, these new DGAs employ sets of actual words. The rationale? To look more like real-word domains and thus appear innocuous. But there\u2019s a twist\u2014their mathematical patterns can be discerned and tracked, leading to the identification of\u202fa sort of fingerprint or signature, and thus allowing the bad actor responsible to be identified and tracked.<\/p>\n<p>Of course, this is a simplified explanation; the intricacies run deeper. Stay tuned for more insights on the evolution of DGAs.<\/p>\n<h3>DNS for Early Detection<\/h3>\n<p>The Infoblox threat intel team, equipped with\u202f25 years of DNS experience, tirelessly develops and expands its arsenal of tools for identifying DNS infrastructure. Its quest? To create a superior digital DNS mousetrap\u2014DNS-based threat intelligence that pinpoints <em>SUSPICIOUS<\/em> domains based on intricate DNS patterns, properties, behaviors, and signatures.<\/p>\n<p>I realize I might be oversimplifying, but that\u2019s precisely the intent of this document\u2014clarity and accessibility. 
Let\u2019s make it easy to understand.<\/p>\n<p>The Domain Name System (DNS) appears deceptively simple\u2014a straightforward protocol for translating human-friendly domain names into IP addresses. However, simplicity doesn\u2019t necessarily equate to ease. While everyday DNS queries seem simple and easy, the layers of intricacy lurking beneath the surface can swiftly transform the simple protocol into a challenging maze. Admittedly, querying a DNS server that holds a copy of the record for the domain name your computer is looking for is straightforward. Yet, as we delve deeper, we encounter a labyrinth of concepts: recursion, referrals, AAAA records, MX records, DNSSEC, GSS-TSIG (Microsoft), text records, DNS tunneling, DNS exfiltration, Dynamic DNS, DNS over HTTPS (DoH), DNS over TLS (DoT), and more. These elements, though essential for safeguarding against potential attacks, can confound even seasoned investigators.<\/p>\n<p>So, while the everyday DNS query may not require a rocket scientist, deciphering its intricate layers demands both expertise and persistence. It\u2019s about preparing for the attack that hasn\u2019t yet materialized. It&#8217;s about being proactive and moving the advantage back to the cyber defenders. In the vast digital landscape, where hundreds of thousands of domains sprout daily, distinguishing the malicious from the benign becomes a daunting task and takes time, the one precious resource we can never get back. As organizations grapple with blocking traffic to specific domain names, precision is paramount. After all, safeguarding an entire organization hinges on getting it right\u2014the delicate balance between vigilance and accuracy.<\/p>\n<p>Our journey into DNS-based threat intelligence began in 2022, and now, nearly two years later, the results have been nothing short of remarkable.<\/p>\n<p>Throughout the entire year of 2023, the Infoblox Intel team unearthed approximately\u202f46 million suspicious and malicious domains. 
What is even more impressive? Our false positive rate was less than 0.0002%.<\/p>\n<p>These were not benign entities\u2014they were engaged in unethical activities, despite appearing as legitimate businesses with legitimate websites. Consider this: the domains within the suspicious feed have no associated IoCs (Indicators of Compromise). These domains are not categorized because there has not yet been an attack. As incidents unfold, other cybersecurity firms attribute them\u2014whether as phishing attacks, malware infiltrations, or other nefarious deeds. Consequently, these domains are reclassified and shifted to a different type of feed, marking a dynamic journey through the ever-evolving landscape of digital security.<\/p>\n<p>Preemptive protection\u202fshields anyone who utilizes these suspicious feeds from an attack even before it materializes. To put it differently, it\u2019s akin to preventing your children from riding their bikes in a dangerous neighborhood or dissuading them from associating with a group of friends who haven\u2019t yet faced consequences but are already displaying mischievous behavior. It is about stopping the potential for an attack before it fully materializes.<\/p>\n<p>I\u2019m not insinuating there is a \u2018silver bullet\u2019 that can stop all threats. No single approach can address every security challenge comprehensively. In fact, Infoblox has an AI\/ML behavioral analytics engine to prevent other types of attacks that are designed to evade threat-intelligence-based solutions. Various security intelligence studies reveal that different cyber intelligence teams focus on distinct information and types of attacks from their unique perspectives. An independent study conducted by one of our customers found that there was less than an 11% overlap in unique domain indicators of compromise (IoCs). 
While I would never advise you to discard firewalls or other IoC-based detection solutions for malware, ransomware, or advanced persistent threats (APTs), I strongly recommend leveraging DNS-based protection. This proactive approach shields your organization from DNS-based infrastructure even before it becomes a target in an attack. Ignoring this capability would be unwise. In my more than 30 years in IT and security, I can confidently say that this approach comes closest to being a \u2018silver bullet.\u2019<\/p>\n<p>Stay tuned for our next discussion, where we will delve into the behavioral analytics engine, lookalike domains, and the novel types of domain generation algorithms (DGAs) we have been uncovering.<\/p>\n<h3>References:<\/h3>\n<ul>\n<li>\n<a href=\"https:\/\/it.nc.gov\/documents\/cybersecurity-newsletters\/2023\/esrmo-newsletter-february-2023\/download?attachment#:~:text=Cybersecurity%20Ventures%20released%20a%20new,after%20the%20U.S.%20and%20China\" rel=\"noopener\" target=\"_blank\">https:\/\/it.nc.gov\/documents\/cybersecurity-newsletters\/2023\/esrmo-newsletter-february-2023\/download?attachment#:~:text=Cybersecurity%20Ventures%20released%20a%20new,after%20the%20U.S.%20and%20China<\/a><\/li>\n<li>\n<a href=\"https:\/\/cybersecurityventures.com\/hackerpocalypse-cybercrime-report-2016\/\" rel=\"noopener\" target=\"_blank\">https:\/\/cybersecurityventures.com\/hackerpocalypse-cybercrime-report-2016\/<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>The Transformation of Infoblox Threat Intel \u2013 Part 1 Certain life events are unforgettable &#8211; your first kiss, your first date, and more! 
For those of us in the world of computer networking and cybersecurity, there are other special moments. These might include your first computer, your first computer game, your first encounter with a [&hellip;]<\/p>\n","protected":false},"author":149,"featured_media":2626,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[2],"tags":[40,780,940,941,30,32,307,189,333,838,942,943],"class_list":{"0":"post-9866","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security","8":"tag-threat-intelligence","9":"tag-threat-intel","10":"tag-osint","11":"tag-threat-hunting","12":"tag-dns","13":"tag-malware","14":"tag-phishing","15":"tag-cybersecurity","16":"tag-cyberattack","17":"tag-security-operations","18":"tag-threat-assessment","19":"tag-digital-investigation","20":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox<\/title>\n<meta name=\"description\" content=\"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. 
Learn simple how Infoblox can help you with your journey.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox\" \/>\n<meta property=\"og:description\" content=\"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. Learn simple how Infoblox can help you with your journey.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2024-04-15T15:00:24+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/image001-4.png\" \/>\n\t<meta property=\"og:image:width\" content=\"660\" \/>\n\t<meta property=\"og:image:height\" content=\"454\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Alex del Rio\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox\" \/>\n<meta name=\"twitter:description\" content=\"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. 
Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. Learn simple how Infoblox can help you with your journey.\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Alex del Rio\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/\"},\"author\":{\"name\":\"Alex del Rio\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bc8e8b7b294434cc9e66450e81b22b4a\"},\"headline\":\"The Transformation of Infoblox Threat Intel \u2013 Part 1\",\"datePublished\":\"2024-04-15T15:00:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/\"},\"wordCount\":1692,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/image001-4.png\",\"keywords\":[\"Threat Intelligence\",\"Threat Intel\",\"OSINT\",\"Threat hunting\",\"DNS\",\"Malware\",\"Phishing\",\"Cybersecurity\",\"Cyberattack\",\"Security Operations\",\"Threat assessment\",\"Digital 
Investigation\"],\"articleSection\":[\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/\",\"name\":\"The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/image001-4.png\",\"datePublished\":\"2024-04-15T15:00:24+00:00\",\"description\":\"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. 
Learn simple how Infoblox can help you with your journey.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/image001-4.png\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/image001-4.png\",\"width\":660,\"height\":454,\"caption\":\"Using the Infoblox IPAM Driver for Docker\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/security\\\/the-transformation-of-infoblox-threat-intel-part-1\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/security\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"The Transformation of Infoblox Threat Intel \u2013 Part 
1\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/bc8e8b7b294434cc9e66450e81b22b4a\",\"name\":\"Alex del Rio\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/wp-content\\\/uploads\\\/avatar_user_149_1571767254-96x96.jpg\",\"url\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/wp-content\\\/uploads\\\/avatar_user_149_1571767254-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/live-infoblox-blog.pantheonsite.io\\\/wp-content\\\/uploads\\\/avatar_user_149_1571767254-96x96.jpg\",\"caption\":\"Alex del Rio\"},\"description\":\"Alex del Rio is currently a Principal Solution 
Architect at Infoblox. Previously he has held positions at Landmark Education, Focused Networks, and Network Vigilance. Alex holds a Bachelor of Business Administration, Information Systems from the University of Houston.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/alex-del-rio\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox","description":"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. Learn simple how Infoblox can help you with your journey.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/","og_locale":"en_US","og_type":"article","og_title":"The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox","og_description":"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. 
Learn simple how Infoblox can help you with your journey.","og_url":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/","og_site_name":"Infoblox Blog","article_published_time":"2024-04-15T15:00:24+00:00","og_image":[{"width":660,"height":454,"url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/image001-4.png","type":"image\/png"}],"author":"Alex del Rio","twitter_card":"summary_large_image","twitter_title":"The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox","twitter_description":"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. Learn simple how Infoblox can help you with your journey.","twitter_misc":{"Written by":"Alex del Rio","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/#article","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/"},"author":{"name":"Alex del Rio","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bc8e8b7b294434cc9e66450e81b22b4a"},"headline":"The Transformation of Infoblox Threat Intel \u2013 Part 1","datePublished":"2024-04-15T15:00:24+00:00","mainEntityOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/"},"wordCount":1692,"publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/image001-4.png","keywords":["Threat Intelligence","Threat Intel","OSINT","Threat 
hunting","DNS","Malware","Phishing","Cybersecurity","Cyberattack","Security Operations","Threat assessment","Digital Investigation"],"articleSection":["Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/","url":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/","name":"The Transformation of Infoblox Threat Intel \u2013 Part 1 | Infoblox","isPartOf":{"@id":"https:\/\/www.infoblox.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/#primaryimage"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/#primaryimage"},"thumbnailUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/image001-4.png","datePublished":"2024-04-15T15:00:24+00:00","description":"The\u202fCyber Security industry\u202fis currently experiencing a change in thinking. Increasingly, cyber intelligence teams and threat researchers are\u202fexploring ways to leverage Artificial Intelligence and Machine Learning\u202ffor a more proactive approach. 
Learn simple how Infoblox can help you with your journey.","breadcrumb":{"@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/#primaryimage","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/image001-4.png","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/image001-4.png","width":660,"height":454,"caption":"Using the Infoblox IPAM Driver for Docker"},{"@type":"BreadcrumbList","@id":"https:\/\/www.infoblox.com\/blog\/security\/the-transformation-of-infoblox-threat-intel-part-1\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.infoblox.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.infoblox.com\/blog\/category\/security\/"},{"@type":"ListItem","position":3,"name":"The Transformation of Infoblox Threat Intel \u2013 Part 
1"}]},{"@type":"WebSite","@id":"https:\/\/www.infoblox.com\/blog\/#website","url":"https:\/\/www.infoblox.com\/blog\/","name":"infoblox.com\/blog\/","description":"","publisher":{"@id":"https:\/\/www.infoblox.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.infoblox.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.infoblox.com\/blog\/#organization","name":"Infoblox","url":"https:\/\/www.infoblox.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","contentUrl":"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/infoblox-logo-2.svg","width":137,"height":30,"caption":"Infoblox"},"image":{"@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.infoblox.com\/blog\/#\/schema\/person\/bc8e8b7b294434cc9e66450e81b22b4a","name":"Alex del Rio","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/live-infoblox-blog.pantheonsite.io\/wp-content\/uploads\/avatar_user_149_1571767254-96x96.jpg","url":"https:\/\/live-infoblox-blog.pantheonsite.io\/wp-content\/uploads\/avatar_user_149_1571767254-96x96.jpg","contentUrl":"https:\/\/live-infoblox-blog.pantheonsite.io\/wp-content\/uploads\/avatar_user_149_1571767254-96x96.jpg","caption":"Alex del Rio"},"description":"Alex del Rio is currently a Principal Solution Architect at Infoblox. Previously he has held positions at Landmark Education, Focused Networks, and Network Vigilance. 
Alex holds a Bachelor of Business Administration, Information Systems from the University of Houston.","url":"https:\/\/www.infoblox.com\/blog\/author\/alex-del-rio\/"}]}},"_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/9866","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/149"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=9866"}],"version-history":[{"count":5,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/9866\/revisions"}],"predecessor-version":[{"id":9868,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/9866\/revisions\/9868"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/2626"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=9866"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=9866"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=9866"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}