
Threat Intel

Threat Intel includes the latest analysis, alerts, advisories, and reports from the Infoblox Threat Intel team focusing on threat actors persisting in DNS. Infoblox automatically detects and tracks clusters of newly registered and deployed domains likely controlled by the same threat actor. Connections between these clusters assist in consistently monitoring a threat actor. We use our animal taxonomy to formally name actors when we can oversee their infrastructure and have conducted thorough research. The results include both automatically generated and specifically named actors identified within your network.

To view Threat Intel from within the Cloud Services Portal, do the following:

  1. Click Monitor > Research > Threat Intel.

  2. Select the type of threat intel to view. Choices include the following:

    • Threat Actors In Your Environment

    • All Infoblox Publications

    • Zero Day DNS

For information on the naming conventions and taxonomies used by Infoblox when naming and classifying threats, see Infoblox Threat Naming Conventions.

Threat Actors In Your Environment

The Threat Actors in Your Environment tab displays a list of threat actors observed in your environment. Each reported threat actor includes detailed information about that specific threat actor.

With the release of the “Threat Actors In Your Environment” reports, the Threat Labs reports have been deprecated.

Image: The Threat Actors In Your Environment report.


This page highlights the threat actors discovered in your network along with other details about the threat actor, including:

  • Description: A concise overview of the threat actor from Infoblox Threat Intel.

  • Total Domain Count: The total number of occurrences of the threat actor on domains identified by Infoblox Threat Intel.

  • Domains in Your Network: The domains in your network where the threat actor has been identified. Click the link to view information about the threat domain on the Infoblox blog.

  • Domains Not in Your Network: The occurrences of the threat actor on domains not within your network as identified by Infoblox Threat Intel.

  • Active Threat Domains Discovered by Infoblox: This section highlights the threat actors discovered in your network. This section also displays how early Infoblox discovered a threat actor in your network. Additionally, this section provides the following information:

    • The name of the domain in your network and its associated threat.

    • A dropdown list of domains within your network associated with the threat. Click on a listed threat domain to view detection details on the Infoblox Threat Intel Blog.

    • A schematic diagram depicting the timeline of detection from initial detection to final outcome, showing:

      • When Infoblox first detected the threat domain (far left side of timeline).

      • Date when other vendors discovered the domain.

      • Duration during which Infoblox protected your network from this threat domain.

      • Last seen date for the threat domain based on DNS traffic records.


Image: An example of a Threat Actor report providing a summary description of the threat, and also showing Infoblox’s discovery date relative to the discovery dates of other threat detection vendors, in this case VirusTotal. Also displayed in the report is the number of days Infoblox has proactively protected your network from the identified threat.


Infoblox Threat Intel Blog

All Infoblox Publications

The All Infoblox Publications tab displays a list of publications researched and produced by the Infoblox Threat Intel team on new threats, including campaigns, malware, threat actors, and exploitation of new vulnerabilities.

You can do the following on the page:

  1. View a report’s title and publishing date.

  2. View a brief description of a report: Click the down-pointing arrow icon located to the right of the report’s title.

  3. Search reports by keyword.

  4. Download and view the full report as a PDF: Click the download icon.

Reading through the reports will reveal details on threat behavior, indicators of compromise, and new attackers and their tools or infrastructure.

Zero Day DNS

Zero Day DNS employs a zero-trust approach to newly registered domains within your network. Its purpose is to identify recently registered spearphishing, DGA, and malware domains. Within the "Zero Day DNS" tab, you will find a comprehensive list of detected Zero Day DNS domains in your network along with the count of those flagged as "Suspicious" and/or "Malicious."
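The following is an added example, not Infoblox code and not a description of how Zero Day DNS itself works internally; it illustrates the underlying idea of treating recently registered domains as untrusted. It takes a few constructed DNS query log lines, reduces each query name to its registrable domain using a deliberately simplified suffix list (a real implementation would use the Public Suffix List), looks the domain up in a constructed table of registration dates (a real implementation would query RDAP/WHOIS or a domain-age feed), and reports the domains that were registered within a configurable number of days of first being queried from your network, together with first-seen and last-seen times, query counts and querying clients. All log lines, domain names, IP addresses and registration dates are made up.

```python
"""Added example: flag DNS queries to newly registered domains.

Approximates the zero-trust-to-new-domains idea behind Zero Day DNS
against constructed log lines. Not Infoblox code; all data below is made up.
"""
import re
from datetime import date, datetime

# Constructed DNS query log lines: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-06-10T08:01:12Z 10.1.4.22 mail.google.com A
2024-06-10T08:03:45Z 10.1.4.22 login-secure-update.example A
2024-06-10T09:17:09Z 10.1.7.8 xk3j9qz2p.example A
2024-06-11T11:42:30Z 10.1.7.8 xk3j9qz2p.example AAAA
2024-06-11T12:00:01Z 10.1.4.22 www.wikipedia.org A
"""

# Constructed registration dates per registrable domain (hypothetical values;
# in practice these come from RDAP/WHOIS or a domain-age feed).
REGISTRATION_DATES = {
    "google.com": date(1997, 9, 15),
    "login-secure-update.example": date(2024, 6, 9),
    "xk3j9qz2p.example": date(2024, 6, 10),
    "wikipedia.org": date(2001, 1, 13),
}

# Simplified public-suffix handling: only these suffixes are recognized.
# A real implementation would use the full Public Suffix List.
KNOWN_SUFFIXES = {"com", "org", "example", "co.uk"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(qname):
    """Reduce a query name to suffix + one label, e.g. mail.google.com -> google.com."""
    labels = qname.rstrip(".").lower().split(".")
    # Try two-label suffixes first (co.uk), then single-label ones (com).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in KNOWN_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) for each well-formed log line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing
        ts, client, qname, qtype = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, qname, qtype


def domain_age_days(domain, seen_on, registration_dates=REGISTRATION_DATES):
    """Days between registration and the day the domain was seen; None if unknown."""
    registered = registration_dates.get(domain)
    if registered is None:
        return None
    return (seen_on - registered).days


def find_new_domains(log_text, max_age_days=7, registration_dates=REGISTRATION_DATES):
    """Return {domain: summary} for domains whose age at first sighting is <= max_age_days.

    A negative age (registration date after the first query) also counts as new,
    which is what you want when registration data lags behind DNS traffic.
    """
    seen = {}
    for ts, client, qname, qtype in parse_log(log_text):
        dom = registrable_domain(qname)
        s = seen.setdefault(dom, {"first_seen": ts, "last_seen": ts,
                                  "queries": 0, "clients": set()})
        s["first_seen"] = min(s["first_seen"], ts)
        s["last_seen"] = max(s["last_seen"], ts)
        s["queries"] += 1
        s["clients"].add(client)

    flagged = {}
    for dom, s in seen.items():
        age = domain_age_days(dom, s["first_seen"].date(), registration_dates)
        if age is not None and age <= max_age_days:
            flagged[dom] = dict(s, age_days_at_first_seen=age)
    return flagged


if __name__ == "__main__":
    for dom, s in find_new_domains(SAMPLE_LOG).items():
        print(f"{dom}: registered {s['age_days_at_first_seen']} day(s) before first query, "
              f"{s['queries']} queries from {sorted(s['clients'])}, "
              f"first {s['first_seen']:%Y-%m-%d}, last {s['last_seen']:%Y-%m-%d}")
```

Domains with no registration record are left unflagged here so that gaps in the lookup source do not generate noise; depending on your tolerance you may prefer to surface them separately as "age unknown", since a domain missing from your registration data is itself worth a look.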

For information on how to configure Zero Day DNS, see Zero Day DNS Configuration.