
Security Blog


What Makes the Infoblox Security EcoSystem so Powerful?

The Infoblox Security EcoSystem was designed to support the response to attacks that use DNS, including attacks that start over DNS and later move to HTTPS/SSL. No single product can "do it all", so our goal is to share as much cyber threat intelligence as possible with other security vendors, in the proper context, and so create a security ecosystem.

By combining the threat intelligence and detections available from Infoblox with alert-based outbound actions sent to the other parts of an enterprise security stack, Infoblox supports an automated, rapid response to threats as they happen.


Real World Example: DNSbot


Background:

How is DNSbot delivered?

  • Attackers send targets phishing emails that carry malicious documents.
  • The malicious document displays a message box asking the target to update a Microsoft service.
  • Once the victim double-clicks the embedded image to "unlock" the document, an obfuscated JavaScript file is dropped onto the victim's system.
  • That file executes the JavaScript-based DNSbot backdoor.

DNSbot is a multiprotocol backdoor used to exchange commands and move data to and from the compromised system.

"Primarily, it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL," researchers said.

How does the Infoblox EcoSystem help with response and mitigation?

  • Detection: Infoblox Threat Insight (TI) detects DNSbot by inspecting the content of every DNS query in your environment, looking for data that has been encoded into the query names rather than for a known-bad domain alone.

  • Response: when TI finds data smuggled inside DNS queries, it blocks the domain being used with a Response Policy Zone (RPZ), so the infected host receives NXDOMAIN instead of an answer from the attacker's server.

  • Mitigation: once Infoblox has blocked the DNS query via RPZ, it shares the indicator through the Infoblox Security EcoSystem with your web proxy and firewall, so that the backdoor's fallback to HTTPS/SSL is cut off as well.
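The detection and RPZ response steps above, as an added example (this is not Infoblox Threat Insight's code and does not describe its internal algorithm): a small Python heuristic that scores each query name for encoded data, aggregates hits per base domain, and emits RPZ records that make the resolver answer NXDOMAIN for a confirmed domain. The query log, the domain badexample.test, the thresholds and the "base domain is the last two labels" rule are all assumptions made for the illustration.

```python
"""Heuristic DNS tunnel detection over resolver query logs, with RPZ output.

Added example, not Infoblox Threat Insight's implementation. It shows the two
steps the text describes: inspect every query name for encoded data, then turn
confirmed domains into Response Policy Zone (RPZ) records that the resolver
answers with NXDOMAIN.
"""
import math
from collections import defaultdict

# Constructed sample query log as (client_ip, qname, qtype). Not real traffic.
# The names under badexample.test carry hex- and base32-encoded text in their
# leftmost labels, the way a DNS backdoor smuggles data in its queries.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "cdn-static.example.net", "A"),
    ("10.0.0.7", "mail.example.org", "MX"),
    ("10.0.0.7", "_ldap._tcp.corp.example.com", "SRV"),
    ("10.0.0.7", "dc01.corp.example.com", "A"),
    ("10.0.0.7", "wpad.corp.example.com", "A"),
    ("10.0.0.9", "6865617274626561742d30303031.c2.badexample.test", "TXT"),
    ("10.0.0.9", "686f73743d57494e2d3031363b757365723d61646d.c2.badexample.test", "TXT"),
    ("10.0.0.9", "ORSXG5BAMRQXIYI.KRUGKIDCNFTSA.c2.badexample.test", "TXT"),
    ("10.0.0.9", "ORSXG5BAMRQXIYJAORUGS4ZANFZSAYJAORSXG5A.c2.badexample.test", "TXT"),
]

# Illustrative thresholds (assumed); tune them against your own resolver baseline.
MIN_PAYLOAD_LEN = 20    # characters left of the base domain before entropy is judged
MIN_ENTROPY = 3.0       # bits per character over those characters
MAX_LABEL_LEN = 30      # a single label this long is unusual in legitimate names
MIN_UNIQUE_NAMES = 3    # a tunnel generates many distinct names under one domain


def shannon_entropy(text: str) -> float:
    """Bits per character of the string (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (leftmost labels, base domain). Assumes the registered domain is the
    last two labels; production code should use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def is_suspicious(qname: str) -> bool:
    """Per-query check: does the name look like it carries encoded data?"""
    payload_labels, _ = split_name(qname)
    if not payload_labels:
        return False
    payload = "".join(payload_labels)
    if max(len(label) for label in payload_labels) >= MAX_LABEL_LEN:
        return True
    return len(payload) >= MIN_PAYLOAD_LEN and shannon_entropy(payload) >= MIN_ENTROPY


def analyze(queries):
    """Aggregate suspicious queries per base domain; return the domains that reach
    MIN_UNIQUE_NAMES, with the clients and query types seen, for the analyst."""
    seen = defaultdict(lambda: {"names": set(), "clients": set(), "qtypes": set()})
    for client, qname, qtype in queries:
        if not is_suspicious(qname):
            continue
        _, base = split_name(qname)
        seen[base]["names"].add(qname.lower())
        seen[base]["clients"].add(client)
        seen[base]["qtypes"].add(qtype)
    return {d: info for d, info in seen.items() if len(info["names"]) >= MIN_UNIQUE_NAMES}


def rpz_records(domains):
    """RPZ zone records in BIND RPZ syntax: 'CNAME .' tells the resolver to answer
    NXDOMAIN, for the domain itself and for every name beneath it."""
    lines = []
    for d in sorted(domains):
        lines.append(f"{d} CNAME .")
        lines.append(f"*.{d} CNAME .")
    return lines


if __name__ == "__main__":
    flagged = analyze(SAMPLE_QUERIES)
    for domain, info in flagged.items():
        print(f"{domain}: {len(info['names'])} encoded names from {sorted(info['clients'])}")
    print("\n".join(rpz_records(flagged)))
```

Lexical heuristics like these raise false positives on long but legitimate names, which is why the per-domain count of distinct suspicious names is the deciding signal here; a production detector adds volume, query-type and timing features and exempts legitimate services that also encode data in DNS names. The emitted records follow the standard RPZ convention where `CNAME .` means "answer NXDOMAIN", which is what cuts the DNS channel the backdoor depends on.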



Source: CYWARE

Comments
Moderator
‎03-30-2019 10:30 AM

Likewise, share it out to your NAC system (Cisco ISE supported OOTB) to automate the quarantine of the infected system, or to your vulnerability scanner for clean up.
