

ActiveTrust® with improved data protection and New Dossier UI for faster threat investigation


Infoblox ActiveTrust® allows our customers to proactively detect, investigate, prioritize and protect against cyber threats. ActiveTrust bundles Infoblox DNS Firewall, Infoblox Threat Insight in the Cloud, Infoblox Threat Intelligence Data Exchange (TIDE), and Infoblox Dossier. The solution prevents data exfiltration and malware command-and-control (C&C) communications via DNS, centrally aggregates curated internal and external threat intelligence, distributes validated threat data to the customer’s security ecosystem for remediation, and enables rapid investigation to identify context and prioritize threats. Here is the link to the video that shows New Dossier UI: 



Infoblox ActiveTrust® is a key component of our Threat Containment and Operations and Data Protection and Malware Mitigation solutions. The most recent enhancements further enhance both these solutions. We have updated the content on our website to reflect the enhancements launched.


In the latest version of ActiveTrust, we have added the following features, which are available to our existing customers at no additional cost:


  1. Dictionary DGA blocking for preventing the spread of malware: A domain generation algorithm (DGA) is a technique attackers use to establish stealthy communication; malware uses it in C2 communication to evade blacklist-based blocking mechanisms such as firewalls. Dictionary DGA differs from normal DGA in that it uses words from the dictionary (Eg: ) and is used by malware families such as Suppobox and Matsnu. Dictionary DGA detection is really important because it uses graph analysis to catch about 95% of the domains with a very low false positive rate.

  2. Lookalike domains for enhanced threat intelligence: Lookalike domain detection uses distance analysis to detect the likelihood of lookalike attacks. Common forms of lookalike domains include:

  • Letter replacement: w to vv, l to 1, o to 0
  • Change top-level domains: ->
  • Cyrillic/Greek/Armenian/Hebrew alphabet replacement  
  • Other generic highly-resembled domain names:


Enterprises spend big $$$ to protect their business. Lookalike domain detection provides early prevention of much bigger issues later.
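The substitution forms listed above can be checked by folding confusable characters and then measuring edit distance against the domains you want to protect. This is an added example, not Infoblox's detection algorithm or code from the original post; the confusable map, the protected domain `flowlogs.example` and the function names are constructed for illustration, and the last label is treated as the TLD.

```python
import unicodedata

# Constructed confusable map for the substitution forms listed above; a real
# deployment would load the full Unicode confusables data instead.
CONFUSABLES = {
    "vv": "w", "1": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u03bf": "o", "\u03b1": "a",                  # Cyrillic, Greek
}

def skeleton(name):
    """Fold visually confusable characters so lookalikes compare equal."""
    s = unicodedata.normalize("NFKC", name).lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split(domain):  # assumption: last label is the TLD (no public-suffix list)
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(candidate, protected, max_dist=1):
    """Return (kind, protected_domain) for a suspected lookalike, else None."""
    try:  # decode punycode (xn--) labels so substituted alphabets are visible
        candidate = candidate.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or not valid IDNA: compare as given
    c_name, c_tld = split(candidate)
    for brand in protected:
        b_name, b_tld = split(brand)
        if (c_name, c_tld) == (b_name, b_tld):
            return None  # the protected domain itself
        d = edit_distance(skeleton(c_name), skeleton(b_name))
        if d == 0 and c_name != b_name:
            return ("substitution", brand)  # letter or alphabet replacement
        if d == 0:
            return ("tld-swap", brand)      # same name, different TLD
        if d <= max_dist:
            return ("near-miss", brand)     # other closely resembling name
    return None

PROTECTED = ["flowlogs.example"]  # constructed sample on a reserved TLD
```

Run `classify()` over newly observed or newly registered domains; raising `max_dist` catches more variants at the cost of more false positives on short names.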


  3. New Dossier UI for faster threat hunting: Dossier is a threat indicator research tool that provides information on URLs, domains and IP addresses by automatically aggregating contextual information from dozens of sources including feeds from security partners such as SURBL, Threat Track, Proofpoint. Dossier’s rich threat intelligence adds the security context needed to uncover and predict threats and empowers the analysts to make accurate decisions quickly and with greater confidence. While Dossier is a compelling and comprehensive threat investigation platform, the new version of Dossier UI has a cleaner design, more context for threat identification and closer alignment with real-world workflows for faster threat hunting.


Here are some of the new sections that are added to the latest version of Dossier:


The Summary view of indicator section allows users to quickly prequalify and prioritize the threat for further investigation.


The Categorization section provides an aggregated view of how the indicator was categorized across multiple sources of data.


The WhoIs section provides additional information such as the name and contact information of the registrant, the registration dates, most recent update, and the expiration date. 


The Current DNS section provides results from querying DNS name servers for information about host addresses, mail exchanges, name servers, and related information.



The Indicator Information section provides details of the indicator such as first and last reported, data provider, status and feed name.



The Timeline section provides a view of adversary, indicator and infrastructure timelines and offers a historical accounting of the indicator’s track record.


The Related Domains/Subdomains section provides an aggregated view on domains/subdomains related to the indicator across multiple sources of data.



The Related URLs section provides an aggregated view of URLs related to the threat indicator across multiple sources of data.


The Related IPs section provides an aggregated view of IPs related to the indicator across multiple sources of data.


The File Samples section provides file samples/hashes associated with the indicator, which are taken from malware analysis sources and reveal the file samples/hashes that may be potential malware.


The Related Contacts section provides contact information such as name, email, organization, role, phone, and location, taken from the WhoIs record provided by DomainTools, as shown below:



The Domain information section provides an aggregated view of reputation information related to the indicator pulled from various sources including Webutation, Web of Trust, Alexa, Secured Domain Foundation, and others.


The Reports section provides Google Custom Search report results from anti-virus analysis pages, malware analysis blogs and other related malware websites.


These sections make it easy for customers to find more context for threat identification, which enables faster threat hunting. The new Dossier UI is covered in more detail in a separate blog here:


Please follow the link below to receive a 30-day free trial for ActiveTrust:



Dossier User’s Guide -

