Viewing Active Threat Feeds and Threat Insight

The Infoblox Threat Intelligence Feeds categorize known malicious and suspicious activity so that your network can block or log it. Each feed covers malicious domains or IP addresses selected by threat level and confidence score; which feeds you can use depends on your subscription level. Together, the feeds cover both confirmed threats and suspicious indicators that are not yet confirmed.

Subscription Details:

  • Infoblox Threat Defense Essentials: Provides essential threat feeds for baseline protection.

  • Infoblox Threat Defense Business On-Premises and Infoblox Threat Defense Business Cloud: Offer additional feeds beyond the Essentials subscription.

  • Infoblox Threat Defense Advanced: Includes the most comprehensive set of feeds, offering more coverage than the Business On-Premises and Business Cloud subscriptions.

Reporting Incorrect Data: To report incorrect feed data, submit the Dossier Threat Research Feedback form. For information, see Dossier Threat Research Feedback.

Supported Threat Intelligence Feeds

The following is a list of all supported threat intelligence feeds and their descriptions. The Threat Feeds page displays only the supported feeds that your subscription offers.

Infoblox Base 
The Infoblox Base feed enables protection against known malicious or compromised domains. This includes known malware, ransomware, APTs, exploit kits, malicious name servers, sinkholes, etc. Infoblox recommends blocking these threats for all users.

Infoblox Base IP
The Infoblox Base IP feed enables protection against known malicious or compromised IP addresses. These IPs are known infrastructure hosting threats that can act on or control a system: C&C servers, malware download hosts, and active phishing sites. We recommend blocking these threats for all users.

Infoblox High Risk
The Infoblox High Risk feed includes domains that are not yet confirmed but are highly suspicious and very likely to be used in a malicious act at some point. Although unconfirmed, these domains carry high threat and high confidence scores, so we recommend blocking them for most users. The feed includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a high combined score of threat and confidence levels.

Infoblox Medium Risk
The Infoblox Medium Risk feed includes domains that are not yet confirmed but still pose medium risk. They are suspicious domains with a lower combined threat and confidence score than the High Risk feed but a higher score than the Low Risk feed. They could still be used in a malicious act, so we recommend blocking them for most users. The feed includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a medium combined score of threat and confidence levels.

Infoblox Low Risk
The Infoblox Low Risk feed includes domains that are not yet confirmed but are still suspicious and could possibly be used in a malicious act. These domains carry a lower combined score of threat and confidence levels. We recommend monitoring them with the Allow-WithLog option for most users and blocking them in sensitive environments. The feed includes Suspicious domains, Suspicious Lookalikes and Suspicious NOED (Newly Observed Emergent Domains) with a lower combined score of threat and confidence levels.

Infoblox Informational
The Infoblox Informational feed includes domains with low threat and confidence levels. They are provided for informational use, to be acted on according to the policy and sensitivity of your environment. This feed carries Newly Observed Emergent Domains (NOED). We recommend monitoring them with the Allow-WithLog option for most users and blocking them in sensitive environments: newly registered domains are rarely mission critical, and it is safer to allow them once they have been established for a longer time.

Infoblox Cloud Hits
Infoblox Cloud Hits is a custom RPZ feed that contains the domains blocked or redirected by Infoblox's threat intelligence feeds in the cloud.

Bogon
Bogons are commonly found as the (spoofed) source addresses of DDoS attacks. "Bogon" is an informal name for an IP packet on the public Internet that claims to come from a part of the IP address space that is reserved, or that has not yet been allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Regional Internet Registry (RIR). These areas of reserved and unallocated address space are called "bogon space". Many ISPs and end-user firewalls filter and block bogons because they have no legitimate use on the public Internet and usually result from accidental or malicious misconfiguration.
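The bogon check described above, as an added example in Python (this is not Infoblox code and not the Infoblox Bogon feed). It assumes flow records of the form "src dst proto bytes" and carries only the IANA special-purpose (reserved) IPv4 prefixes, which are the static part of bogon space; the unallocated part changes as IANA and the RIRs hand out blocks, so a production filter must refresh it from a maintained source. The flow records are constructed, with a TEST-NET address standing in for the victim.

```python
"""Flag flow records whose source address lies in bogon space.

Added example; not Infoblox code and not the Infoblox Bogon feed. The prefix
list below is the IANA special-purpose (reserved) IPv4 space, which is the
static part of bogon space; the unallocated part changes as IANA and the RIRs
hand out blocks, so a production filter must refresh it from a maintained
source. The flow records are constructed.
"""
import ipaddress
from collections import Counter

# Reserved IPv4 space (RFC 1122, 1918, 3927, 5737, 6598, 6890, ...).
BOGON_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",          # "this" network
    "10.0.0.0/8",         # private
    "100.64.0.0/10",      # carrier-grade NAT
    "127.0.0.0/8",        # loopback
    "169.254.0.0/16",     # link-local
    "172.16.0.0/12",      # private
    "192.0.0.0/24",       # IETF protocol assignments
    "192.0.2.0/24",       # TEST-NET-1
    "192.88.99.0/24",     # former 6to4 relay anycast
    "192.168.0.0/16",     # private
    "198.18.0.0/15",      # benchmarking
    "198.51.100.0/24",    # TEST-NET-2
    "203.0.113.0/24",     # TEST-NET-3
    "224.0.0.0/4",        # multicast
    "240.0.0.0/4",        # reserved, incl. 255.255.255.255
)]


def bogon_prefix(addr: str):
    """Return the bogon prefix containing addr, or None for routable space."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        return None  # IPv6 bogon list not included in this example
    for net in BOGON_V4:
        if ip in net:
            return str(net)
    return None


def flag_bogon_sources(flow_text: str):
    """Parse 'src dst proto bytes' lines; return [(src, prefix), ...] for bogon sources.

    Only the source is checked: a bogon source arriving from the public
    Internet is spoofed or misconfigured, which is the DDoS signal described.
    """
    hits = []
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records rather than crash on them
        prefix = bogon_prefix(fields[0])
        if prefix:
            hits.append((fields[0], prefix))
    return hits


def bytes_per_bogon_prefix(flow_text: str) -> Counter:
    """Sum bytes by bogon prefix, a quick triage view during a suspected flood."""
    totals = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        prefix = bogon_prefix(fields[0])
        if prefix:
            totals[prefix] += int(fields[3])
    return totals


# Constructed flow records: source, destination, protocol, bytes.
# The destination 192.0.2.10 (TEST-NET-1) stands in for the attacked host;
# only the source column is classified.
SAMPLE_FLOWS = """\
0.1.2.3 192.0.2.10 udp 1500
8.8.8.8 192.0.2.10 udp 120
240.1.2.3 192.0.2.10 udp 1500
100.64.5.5 192.0.2.10 tcp 60
1.1.1.1 192.0.2.10 tcp 80
240.9.9.9 192.0.2.10 udp 1500
"""

if __name__ == "__main__":
    for src, prefix in flag_bogon_sources(SAMPLE_FLOWS):
        print(f"bogon source {src} in {prefix}")
    print(bytes_per_bogon_prefix(SAMPLE_FLOWS))
```

Note that 100.64.0.0/10 (carrier-grade NAT) is a bogon on the public Internet but legitimate inside an ISP's own network, so where this check runs determines whether that prefix belongs in the list.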

Cryptocurrency
The use and mining of cryptocurrency is not inherently benign or malicious, and is not used exclusively by threat actors or by ordinary users. However, over the last several years it has increasingly been used for illegal and/or fraudulent activities such as human trafficking, black market sales and purchases, and ransomware payments. Cryptocurrency mining can also impair system performance and expose end users and businesses to information theft, hijacking, and a range of other malware. This feed features indicators of activity that may indicate malicious or unauthorized use of resources, including: Coinhive-style miners, which site owners can embed in their web pages to mine cryptocurrency with the visitor's permission as an alternative to web banner advertising; cryptojacking, where malicious actors run in-browser mining without the victim's consent; and cryptocurrency mining pools working together to mine cryptocurrency.

Custom
A custom, user-defined threat feed.

DHS AIS Domains (DHS_AIS_Domain)
Suspicious/malicious as destinations: The Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the Federal Government and the private sector. AIS is a part of the Department of Homeland Security's effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. Hostname Indicators contained in this feed are not validated by DHS as the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption. Data included in this feed includes AIS data subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information.

DHS AIS IPs (DHS_AIS_IP)
Suspicious/malicious as destinations: The Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS) program enables the exchange of cyber threat indicators between the Federal Government and the private sector. AIS is a part of the Department of Homeland Security's effort to create an ecosystem where as soon as a company or federal agency observes an attempted compromise, the indicator is shared with AIS program partners, including Infoblox. IP indicators contained in this feed are not validated by DHS as the emphasis is on velocity and volume. Infoblox does not modify or verify the indicators. However, indicators from the AIS program are classified and normalized by Infoblox to ease consumption. Data included in this feed includes AIS data subject to the U.S. Department of Homeland Security Automated Indicator Sharing Terms of Use available at https://www.us-cert.gov/ais and must be handled in accordance with the Terms of Use. Prior to further distributing the AIS data, you may be required to sign and submit the Terms of Use. Please email ncciccustomerservice@hq.dhs.gov for additional information.

DOH Public Hostnames (Public_DOH) 
The Public DOH feed provides a list of known public DNS services that resolve queries over HTTPS (DNS over HTTPS, DoH), which bypasses your DNS resolver and any policy applied there. The client may be a browser (such as Mozilla Firefox), a piece of malware, or a user attempting to bypass your organization's DNS policies. This feed also contains "canary" domains, which DoH-capable clients such as Firefox query to decide whether to enable DoH; blocking them keeps those clients on your resolver. When you protect your network at the DNS level, it is very important to block communications to any third-party DNS server your applications or devices may use. We recommend that all organizations enable this blocking rule.

DOH Public IPs (Public_DOH_IP)
The Public DOH IP feed provides a list of IP addresses of known public DNS services that resolve queries over HTTPS (DoH). The client may be a browser (such as Mozilla Firefox), a piece of malware, or a user attempting to bypass your organization's DNS policies. This feed also contains "canary" addresses. We recommend that all organizations enable this blocking rule.
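Both the risk-tiered recommendations above (block the confirmed and High/Medium Risk feeds, Allow-WithLog the Low Risk and Informational feeds) and the DoH feeds come down to the same mechanism on the resolver: a Response Policy Zone with a per-indicator action. The following added example, written in Python and not taken from Infoblox or the feeds' own format, builds such an RPZ zone from (indicator, feed name) pairs. It assumes that "Allow-WithLog" maps to the RPZ PASSTHRU action and that the feed entries arrive as plain domains or CIDR prefixes; every indicator is constructed except the Firefox DoH canary domain use-application-dns.net, which this page does not name but which is the canary Firefox uses.

```python
"""Build a BIND-style Response Policy Zone (RPZ) from threat-feed entries.

Added example; not Infoblox code and not the format of the Infoblox feeds
themselves. It assumes feed entries arrive as (indicator, feed_name) pairs
and maps feed names to RPZ actions following the recommendations on this
page: confirmed and High/Medium Risk entries block (NXDOMAIN), Low Risk and
Informational entries are allowed but logged (PASSTHRU). All indicators
below are constructed, except the Firefox DoH canary domain
use-application-dns.net, which this page does not name.
"""
import ipaddress

# RPZ encodes the policy action as the CNAME target of the trigger record.
ACTION_NXDOMAIN = "CNAME ."              # block: the client gets NXDOMAIN
ACTION_PASSTHRU = "CNAME rpz-passthru."  # allow, but the hit is logged

# Assumed policy mapping (the page's "block" vs "Allow-WithLog" advice).
FEED_ACTION = {
    "Infoblox Base": ACTION_NXDOMAIN,
    "Infoblox Base IP": ACTION_NXDOMAIN,
    "Infoblox High Risk": ACTION_NXDOMAIN,
    "Infoblox Medium Risk": ACTION_NXDOMAIN,
    "Infoblox Low Risk": ACTION_PASSTHRU,
    "Infoblox Informational": ACTION_PASSTHRU,
    "Public_DOH": ACTION_NXDOMAIN,
    "Public_DOH_IP": ACTION_NXDOMAIN,
}


def is_ip_indicator(indicator: str) -> bool:
    """True for an address or CIDR prefix, False for a domain name."""
    try:
        ipaddress.ip_network(indicator, strict=False)
        return True
    except ValueError:
        return False


def rpz_ip_trigger(cidr: str) -> str:
    """Encode an address or prefix as an RPZ response-IP trigger name.

    RPZ writes the prefix length first, then the address reversed:
    203.0.113.0/24 -> 24.0.113.0.203.rpz-ip. IPv6 uses the hex groups with
    the '::' run written as 'zz': 2001:db8::/32 -> 32.zz.db8.2001.rpz-ip.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addr = net.network_address
    if net.version == 4:
        parts = str(addr).split(".")
    else:
        parts = [g for g in addr.compressed.replace("::", ":zz:").split(":") if g]
    return f"{net.prefixlen}.{'.'.join(reversed(parts))}.rpz-ip"


def rpz_records(entries) -> list:
    """Turn (indicator, feed_name) pairs into RPZ resource-record lines.

    Domains get a QNAME trigger plus a wildcard so subdomains match too;
    addresses get a response-IP trigger that fires on the answer, not the name.
    """
    lines = []
    for indicator, feed in entries:
        action = FEED_ACTION[feed]
        if is_ip_indicator(indicator):
            lines.append(f"{rpz_ip_trigger(indicator)} {action}")
        else:
            name = indicator.strip().rstrip(".").lower()
            lines.append(f"{name} {action}")
            lines.append(f"*.{name} {action}")
    return lines


def build_zone(entries, zone="threat.rpz", serial=1) -> str:
    """Return a complete zone file: SOA/NS apex records, then the triggers."""
    header = [
        "$TTL 300",
        f"@ IN SOA ns.{zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{zone}.",
    ]
    return "\n".join(header + rpz_records(entries)) + "\n"


# Constructed sample feed entries (documentation ranges / example names).
SAMPLE_ENTRIES = [
    ("malware-c2.example", "Infoblox Base"),
    ("203.0.113.0/24", "Infoblox Base IP"),
    ("paypa1-login.example", "Infoblox High Risk"),
    ("newly-seen.example", "Infoblox Low Risk"),
    ("use-application-dns.net", "Public_DOH"),   # Firefox DoH canary
    ("2001:db8::/32", "Public_DOH_IP"),
]

if __name__ == "__main__":
    print(build_zone(SAMPLE_ENTRIES))
```

Two caveats when loading the result: PASSTHRU only produces a log line if the resolver logs RPZ hits (in BIND, the rpz logging category), and when several policy zones are configured the first zone with a match wins, so the blocking feeds must be listed before the Allow-WithLog ones or a Low Risk PASSTHRU entry can override a Base block for the same name.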

EECN IP (EECN_IP)
Organizations may choose to block this feed based on company policy. It contains IPs assigned to China and to Eastern European countries that are not part of the European Union. These countries are often the source of cyber-attacks seeking intellectual property or other sensitive or classified data, or stealing credit card and financial information. Countries include Belarus, China, Moldova, the Russian Federation, and Turkey.

TOR Exit Node IPs (TOR_Exit_Node_IP)
Tor exit nodes are the gateways where encrypted Tor traffic leaves the onion network and reaches the Internet. This means an exit node can be used to monitor Tor traffic after it leaves the network, but by design it should be difficult to trace that traffic back through the network to its source.

US OFAC Sanctions IP Embargoed IPs  (US_OFAC_Sanctions_IP_Embargoed)
The US OFAC Sanctions IP Embargoed feed can be blocked based on company policy. It contains IPs assigned to nations that are embargoed (Cuba, Iran, Myanmar, North Korea, Syria, and Venezuela). More information can be found on the "Sanctions Programs and Country Information" page: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx

US OFAC Sanctions High IPs (US_OFAC_Sanctions_High)
The US OFAC Sanctions High IP feed can be blocked based on company policy. It contains IPs assigned to the high-risk sanctioned countries listed by the US Treasury Office of Foreign Assets Control (OFAC): all of the nations in the embargoed list, plus Belarus, Cambodia, Central African Republic, China, Democratic Republic of Congo, Iraq, Libya, Macao, Russia, and Yemen. OFAC administers and enforces economic sanctions imposed by the United States against foreign countries. More information can be found on the "Sanctions Programs and Country Information" page: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx

US OFAC Sanctions Med IPs (US_OFAC_Sanctions_IP_Med)
The US OFAC Sanctions Med IP feed contains IPs assigned to United States sanctioned countries listed by US Treasury Office of Foreign Assets Control (OFAC).The Sanctions Med IP feed is dynamic and is determined by what countries currently comprise the OFAC's list of sanctioned countries. Organizations may choose to block based on company policy. The Treasury Department’s Office of Foreign Asset Control (OFAC) administers and enforces economic sanctions imposed by the United States against foreign countries. More information can be found by visiting the “Sanctions Programs and Country Information” page found here: https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx