Infoblox brings AI to DNS protection service

Infoblox is rolling out an AI-based package to bolster its domain name system (DNS) protection portfolio and boost security for widely disbursed, DNS-networked enterprise resources.

SOC Insights is a cloud-based expansion of the vendor’s current BloxOne DNS Threat Defense package. It lets customers use DNS threat intelligence to bring proactive threat disruption and analytics to the security operations team, according to Craig Sanderson, vice president of security and product management at Infoblox.

The idea with AI and SOC Insights, which is available now, is to give customers a way to reduce response time by turning vast amounts of security event, network, and DNS intelligence data into a manageable set of immediate, actionable insights, Sanderson said. AI SOC Insights takes in networking and security data from Infoblox’s DNS data set and third-party sources, and then it uses AI technology to correlate events, prioritize them, and offer recommendations for resolution. This not only accelerates threat detection and response but also alleviates the strain on overburdened SOC analysts, Sanderson said.

“As much as DNS is a control plane for enterprise networking, it’s also a control plane when it comes to adversaries and malware,” Sanderson said. “That can be a problem because who normally looks at DNS traffic? It’s not normally the security team. It’s the network folks, many times, who have to be able to pass through the billions of DNS events that get sent in a day, trying to work out of the literally hundreds of thousands of DNS domains to get registered every week. It’s very difficult to better identify what the adversaries are doing, and they’re hiding, in many cases, in plain sight,” Sanderson said.

AI will be able to see the most important data through all the noise, Sanderson said. He cited an example of an unnamed customer who recently boiled down about 500,000 events into 24 actionable insights.

In addition, SOC Insights can spot configuration errors, high-risk activity, and other behaviors to help organizations fortify their security posture and mitigate risks proactively, Sanderson said.

Protecting DNS is a central component for enterprise security. That’s because DNS, colloquially known as the phonebook of the internet, brings a decentralized naming system for networked computers and services connected to the Internet or a private network. The technology translates domain names to the numerical IP addresses needed for locating and identifying computer services and devices with the underlying network protocols. 

Because of its widespread use, DNS is a massive and often overlooked attack surface that requires the same scrutiny and protection given to the web, email and other services, according to the Palo Alto Networks Unit 42 Threat Research team. “It can be used for malware delivery, command and control (C2), or data exfiltration,” the Unit 42 team wrote in a white paper on DNS. “Adversaries take advantage of the ubiquitous nature of DNS to abuse it at multiple points of an attack – almost 85% of malware abuses DNS for malicious activity. At the same time, many security teams lack visibility into DNS traffic and how threats abuse DNS to maintain control of infected devices.”

Enterprise Management Associates (EMA) recently did a study that looked at the DNS security challenges that cause enterprises the most pain. The top response was DNS hijacking or DNS redirection, which involves intercepting DNS queries from client devices so that connection attempts go to the wrong IP address. Hackers often achieve this by infecting clients with malware so that queries go to a rogue DNS server, or they hack a legitimate DNS server and hijack queries at a more massive scale. The latter method can have a large blast radius, making it critical for enterprises to protect DNS infrastructure from hackers, according to Shamus McGillicuddy research director at EMA.

Another DNS security issue is DNS tunneling, which is used to evade detection while extracting data from a compromised system and exfiltration. Hackers typically exploit this issue once they have already penetrated a network, and they hide extracted data in outgoing DNS queries. Thus, it’s important for security monitoring tools to closely watch DNS traffic for anomalies, like abnormally large packet sizes, McGillicuddy stated.