DNS Threat Intelligence
The term threat intelligence is a generic industry term that refers to any compiled data, usually in the form of a list or “feed,” that identifies active cybersecurity threats. This article will describe the generic threat intelligence concept, then focus specifically on DNS threat intelligence.
Cyber Threat Intelligence
Cyber threat intelligence, or just threat intelligence, is information on potential threats against your organization, such as attack methods to take down the network infrastructure, or ransomware to extort money. Security researchers around the world gather and analyze raw data about emerging or existing threats, and compile them into threat intelligence lists or feeds. The feeds are published either directly by security researchers, or more often, published through a security vendor. Vendors may maintain several sources of threat intelligence, and curate them into a single feed for customers to subscribe to, or into specific categories, such as a ransomware feed or malware feed. As new threats emerge (and as old ones fade away), the feed data is updated, and customers are notified of the changes to the threat landscape.
Threat intelligence can be built from both external and internal sources. External threat intelligence covers attacks everyone should be protected from, attacks that aren’t specifically targeted at any one organization but target the Internet community as a whole. The quality of external threat intelligence feeds depend largely on the update frequency of the data. A good quality feed will constantly update itself with the latest information regarding spam, malware, ransomware, and phishing schemes.
While external threat intelligence provides generic umbrella protection, attacks targeted specifically at your organization or group can only come from good internal threat intelligence. This is information gathered based on the behavior of your users and their network activities, and typically requires a dedicated security team and/or appliance to monitor, analyze, and produce the data. An example of internal threat intelligence would be identifying users sending suspicious emails to the competitor, or questionable outbound VPN connections originating from the secret new product lab.
Threat intelligence data is generally sourced by government agencies such as US Computer Emergency Response Team (US-CERT), from large ISPs or network operators, and by dedicated teams within cybersecurity technology and service providers. The feed process is not, however, strictly a one-way street. Users of security software – for instance, the IT security team within a financial services organization – could selectively share data on a threat identified within their infrastructure by publishing the detected internal threat externally. First, this would usually be shared through their security vendor, but then it would flow on to the rest of the world through that vendor’s public feed. When this process is automated, it guards the larger Internet community as a whole against zero-day attacks: the first organization that is attacked would share the internal threat intelligence publicly, and it becomes external threat intelligence for everyone else.
DNS Threat Intelligence
DNS threat intelligence is specifically tailored for DNS services, meaning it contains a list of malicious domain names. Because the DNS already has publishing (zones) and updating mechanisms (zone transfer) in place, the distribution of DNS threat intelligence can be done natively through the use of Response Policy Zones (RPZ). Whenever new feed data is available, it gets sent via incremental zone transfer to the subscribers. External threat intelligence for DNS is also readily available. Vendors such as Infoblox offer subscription services to DNS Threat Intelligence feed data. Infoblox data is based on multiple sources, including SURBL, Farsight Security, FireEye, Proofpoint, CrowdStrike, ThreatTrack, and others. For home users, Quad9 (184.108.40.206) offers a similar service, albeit with no administrative control.
Obtaining internal threat intelligence for DNS requires specific features from the DNS vendor to recognize DNS attack patterns, which many traditional DNS vendors still lack today. This type of intelligence usually relies on query logging and reporting, then an analysis of the data would need to be performed after the fact to identify potential internal DNS-based threats. The major drawback of this approach is that, by the time the analysis is complete, it is usually too late to take action against the malicious activity that took place.
Today’s more advanced DNS security products, such as Infoblox Threat Insight, inspect the traffic on-the-wire, as the queries and responses are passing through the DNS servers, analyzing them in real-time. This approach builds internal threat intelligence much faster, and is more suited for the fast-paced world of security. When dealing with large amounts of queries, the detection engine can tap into the greater computing power of the cloud, alleviating the DNS servers of any performance degradation, while catching the attacker red-handed as the crime is still in progress.
As we have seen in the section on DNS Data Exfiltration, some attacks are so sophisticated and targeted, it is impractical or impossible for human operators to detect, and its impact too critical to be left to batch-process style analysis after the fact. This makes real-time detection the only choice for producing adequate internal threat intelligence.