
Feed Revamp for Infoblox Threat Defense

New Infoblox Feeds

Infoblox offers a set of new feeds designed to replace those feeds approaching end of service and scheduled for deprecation in December 2024.

The following new feeds are available, depending on your subscription level.

Feed Availability

Feed Name                Essentials   Business On-Prem   Business Cloud   Advanced
Infoblox Base            ✔            ✔                  ✔                ✔
Infoblox Base IP         NA           ✔                  ✔                ✔
Infoblox High Risk       NA           NA                 NA               ✔
Infoblox Medium Risk     NA           NA                 NA               ✔
Infoblox Low Risk        NA           NA                 NA               ✔
Infoblox Informational   NA           ✔                  ✔                ✔

For information on the new RPZ feed recommendations for NIOS, see Feed Revamp for NIOS.

Infoblox will notify you when the new feeds become available to be used in configuring security policies in Infoblox Portal.

Default Actions of the New Feeds

New Feed                 Default Action
Infoblox Base            Block - No Redirect
Infoblox Base IP         Block - No Redirect
Infoblox High Risk       Block - No Redirect
Infoblox Medium Risk     Block - No Redirect
Infoblox Low Risk        Allow - With Log
Infoblox Informational   Allow - With Log

Feeds Scheduled for Deprecation in December 2024

The following feeds are approaching end of service and are being deprecated. Infoblox offers a set of new feeds to replace them (see the feed mapping below).

Deprecated Feeds and Descriptions

Base Hostnames
    Enables protection against known hostnames that are dangerous as destinations, such as APT, Bot, Compromised Host/Domains, Exploit Kits, Malicious Name Servers, and Sinkholes.

AntiMalware
    Enables protection against known malicious hostname threats that can take action on or take control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Ransomware
    Enables protection against ransomware taking over your system. Ransomware encrypts files on your system and demands payment to decrypt them. This feed prevents ransomware from contacting the servers it needs in order to encrypt your files.

Malware DGA Hostnames
    Domain generation algorithms (DGAs) are algorithms seen in various families of malware that periodically generate a large number of domain names to be used as rendezvous points with their command and control servers. Examples include Ramnit, Conficker, and Banjori.

Antimalware IP
    Enables protection against known malicious or compromised IP addresses. These are known to host threats that can take action on or take control of your system, such as Malware Command & Control, Malware Download, and active Phishing sites.

Suspicious
    The Suspicious Domains feed enables protection against hostnames that have not been directly linked to malicious behavior but behave in a manner that suggests malicious behavior may be imminent.

Suspicious Lookalike
    The Suspicious Lookalikes feed includes domains that appear to impersonate other trusted domains and have demonstrated enough abnormal behavior to warrant concern.

Suspicious NOED
    The Suspicious Emergent Domains feed includes high-risk new domains. These domains have only recently become active and share one or more characteristics with known malicious domains, enough to warrant concern.

Newly Observed Emergent Domains
    The NOED feed includes recently created and newly active domain names. These are not necessarily suspicious, but some organizations may wish to log traffic to these domains, as there is a low likelihood that they would be visited normally.

Infoblox Threat Defense Feed Mapping

Old Feeds                                     =>   New Feed
Base Hostnames, AntiMalware, Ransomware,      =>   Infoblox Base
  Malware DGA hostnames
Antimalware IP                                =>   Infoblox Base IP
Newly Observed Emergent Domains (NOED)        =>   Infoblox Informational
Suspicious, Suspicious Lookalikes,            =>   Infoblox High Risk, Infoblox Medium Risk,
  Suspicious NOED                                  Infoblox Low Risk

Deprecation of the Extended Feeds

With the deprecation of the old feeds and the release of the new feeds, Infoblox is also deprecating the Extended feeds listed below. These feeds have lately been carrying zero indicators. Previously, when a malicious domain's TTL expired, the domain was added to the corresponding Extended feed, which extended its lifetime. That logic was changed so that the domain is re-validated on expiry and, if it is still valid, kept in the same feed rather than moved to a separate Extended feed. As a result, the Extended feeds have been empty, and they can now be deprecated without loss of coverage.

Deprecated Extended RPZ Feeds

Extended Base & anti-malware Hostnames
Extended Ransomware
Extended AntiMalware IPs
Spambot IPs DNSNL

Upgrading Policy Rules Using the New Feeds

Upgrading to Improve Policy Rules

Your security policies must be updated to use the new feed structure. The deadline for upgrading your security policies is December 31, 2024. Any policy that has not been upgraded by that date will be upgraded automatically.

To upgrade a policy, perform the following:

  1. Navigate to the Security Policies page in the Cloud Services Platform (Policies > Security Policies).

  2. On the Security Policy tab, click the Upgrade link in the Upgrade Status column. A pop-up window asks you to confirm that you want to update the security policy for use with the new feeds. Click Confirm to complete the upgrade, or Cancel to abort. If you need more information before confirming, click the link in the pop-up window; it takes you to this page, where you can review the feed upgrade before updating your security policy. Note that the update cannot be reversed once you click Confirm and the operation begins.

    Image: Warning pop-up about upgrading the feeds. The pop-up window indicates that clicking "Confirm" will upgrade the policy to use the new feeds, and that the operation cannot be reversed once it is started.


    Policies that have been upgraded display a green check along with an Upgrade Complete message; no further action is required for them. Policies that still require an upgrade display an Upgrade link. Clicking the link starts the upgrade process for the selected policy.

    Policy upgrades are not performed automatically before the deadline, so you can upgrade each policy at a date and time of your choosing. Keep in mind, however, that policies not upgraded by December 31, 2024 will be upgraded automatically on that date.

Only system administrators possess the required permissions to update a security policy.

Image: The Security Policy page displaying the upgrade status (Upgrade and Upgrade Completed).

Viewing Your Current Security Policy Rules

To view your current security policy rules, select a security policy and click the three-horizontal-bars icon associated with it. From the available options, click Edit, then click the Policy Rules side-menu item of the Edit Policy wizard. The current security policy configuration is displayed.

The deprecated feeds shown there are incorporated into the new set of Infoblox feeds when the policy is upgraded.

Viewing Your Upgraded Security Policy Rules

To view your upgraded security policy rules, select a security policy and click the three-horizontal-bars icon associated with it. From the available options, click Edit, then click the Policy Rules side-menu item of the Edit Policy wizard. The upgraded security policy configuration is displayed.

Logic for Upgrade Script

Step 1:

Logic Used:
If all feeds in this section have the same action, the converted new feed keeps that action. If the feeds in this section have mixed actions, the converted new feed is set to Block, because this feed section is Critical Risk. Infoblox aims to ensure the protection of our customers during the conversion.

Case 1A (Best: no mix, all Block)

  Old Feed                Old Action    New Feed         New Action
  Base Hostnames          Block         Infoblox Base    Block
  AntiMalware             Block
  Malware DGA hostnames   Block
  Ransomware              Block

Case 1B (Best: no mix, all Allow)

  Old Feed                Old Action    New Feed         New Action
  Base Hostnames          Allow         Infoblox Base    Allow
  AntiMalware             Allow
  Malware DGA hostnames   Allow
  Ransomware              Allow

Case 2 (Possible: 1-2 mixed)

  Old Feed                Old Action    New Feed         New Action
  Base Hostnames          Block         Infoblox Base    Block
  AntiMalware             Block
  Malware DGA hostnames   Allow
  Ransomware              Block

Case 3 (Worst: most mixed)

  Old Feed                Old Action    New Feed         New Action
  Base Hostnames          Allow         Infoblox Base    Block
  AntiMalware             Block
  Malware DGA hostnames   Allow
  Ransomware              Allow
Step 2:

Logic Used:
If a policy contains the feed listed below, Infoblox adds the new feed under its new name. The new feed keeps the same policy action as before.

  Old Feed         New Feed            New Action
  Antimalware IP   Infoblox Base IP    Retained as is (same precedence, same action); no change
Step 3:

Logic Used:
If all feeds in this section have the same action, that action is retained on all of the converted new feeds. If the feeds have mixed policy actions (that is, at least one feed is Block and at least one is Allow), the converted new feeds are set to Block for High Risk and Medium Risk, while Low Risk is set to Allow with logging enabled. This section is NOT considered Critical Risk, and its indicators can fall into any of the three risk categories (High, Medium, and Low). In a mixed-case scenario, Infoblox aims to ensure that customers are safeguarded against High and Medium risk indicators, while Low risk indicators are simply logged. The three Suspicious feeds are evaluated together; the old and new rows in the tables below are not a one-to-one mapping.

Case 1A (Best: no mix, all Block)

  Old Feed                Old Action    New Feed               New Action
  Suspicious              Block         Infoblox High Risk     Block
  Suspicious Lookalikes   Block         Infoblox Medium Risk   Block
  Suspicious NOED         Block         Infoblox Low Risk      Block

Case 1B (Best: no mix, all Allow)

  Old Feed                Old Action    New Feed               New Action
  Suspicious              Allow         Infoblox High Risk     Allow
  Suspicious Lookalikes   Allow         Infoblox Medium Risk   Allow
  Suspicious NOED         Allow         Infoblox Low Risk      Allow

Case 2 (Possible: 1 mixed)

  Old Feed                Old Action    New Feed               New Action
  Suspicious              Block         Infoblox High Risk     Block
  Suspicious Lookalikes   Allow         Infoblox Medium Risk   Block
  Suspicious NOED         Allow         Infoblox Low Risk      Allow - with Log

Case 3 (Worst: 2 mixed)

  Old Feed                Old Action    New Feed               New Action
  Suspicious              Block         Infoblox High Risk     Block
  Suspicious Lookalikes   Allow         Infoblox Medium Risk   Block
  Suspicious NOED         Block         Infoblox Low Risk      Allow - with Log
Step 4:

Logic Used:
If a policy contains the feed listed below, Infoblox adds the new feed under its new name and applies the same policy action to it.

  Old Feed   New Feed                 New Action
  NOED       Infoblox Informational   Retained as is (same precedence, same action); no change

Note: All other supported rules are not changed and are left as is, with the existing rule action.
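The four steps above can be checked before the automatic upgrade runs. The following Python is an added example written from the rules on this page; it is not Infoblox's upgrade script, and the input format (a dict mapping each old feed name to its policy action), the assumed skipping of feeds a policy does not carry, and the "Corporate Allow List" custom rule in the sample are all assumptions made for the illustration. Besides reproducing the documented cases, action_changes() lists every rule whose behavior the upgrade changes, which is the list a policy owner would want to review.

```python
"""Worked example of the feed-upgrade logic described on this page.

This is an added illustration, not Infoblox's upgrade script. Feed names and
actions come from the page; the policy input format (a dict mapping old feed
name to its action) and the handling of feeds absent from a policy are
assumptions made for this example.
"""
from __future__ import annotations

BLOCK = "Block"
ALLOW = "Allow"
ALLOW_LOG = "Allow - with Log"

# Step 1: four hostname feeds collapse into Infoblox Base (Critical Risk).
STEP1_OLD = ("Base Hostnames", "AntiMalware", "Ransomware", "Malware DGA hostnames")
# Step 3: three Suspicious feeds fan out into three risk tiers.
STEP3_OLD = ("Suspicious", "Suspicious Lookalikes", "Suspicious NOED")
STEP3_NEW = ("Infoblox High Risk", "Infoblox Medium Risk", "Infoblox Low Risk")
# Steps 2 and 4: one-to-one renames that keep the existing action.
RENAMES = {
    "Antimalware IP": "Infoblox Base IP",
    "Newly Observed Emergent Domains": "Infoblox Informational",
}
# Which new feed(s) each old feed contributes to; used to report action changes.
OLD_TO_NEW = {
    **{f: ("Infoblox Base",) for f in STEP1_OLD},
    **{f: STEP3_NEW for f in STEP3_OLD},
    **{old: (new,) for old, new in RENAMES.items()},
}


def _section_actions(policy: dict[str, str], feeds: tuple[str, ...]) -> list[str]:
    """Actions of a section's feeds that are present in the policy.

    Feeds the policy does not reference are skipped (assumption: the page
    only describes policies that carry the feeds)."""
    return [policy[f] for f in feeds if f in policy]


def upgrade_policy(policy: dict[str, str]) -> dict[str, str]:
    """Return the post-upgrade rule set for one policy, following Steps 1 to 4."""
    upgraded: dict[str, str] = {}

    # Step 1: identical actions are kept; any mix fails closed to Block.
    actions = _section_actions(policy, STEP1_OLD)
    if actions:
        upgraded["Infoblox Base"] = actions[0] if len(set(actions)) == 1 else BLOCK

    # Step 3: identical actions are copied to all three tiers; any mix gives
    # Block on High and Medium and Allow-with-Log on Low.
    actions = _section_actions(policy, STEP3_OLD)
    if actions:
        if len(set(actions)) == 1:
            for feed in STEP3_NEW:
                upgraded[feed] = actions[0]
        else:
            upgraded["Infoblox High Risk"] = BLOCK
            upgraded["Infoblox Medium Risk"] = BLOCK
            upgraded["Infoblox Low Risk"] = ALLOW_LOG

    # Steps 2 and 4: rename only, action unchanged.
    for old, new in RENAMES.items():
        if old in policy:
            upgraded[new] = policy[old]

    # All other rules (custom lists, other feeds) are left as they are.
    for feed, action in policy.items():
        if feed not in OLD_TO_NEW:
            upgraded[feed] = action
    return upgraded


def action_changes(policy: dict[str, str]) -> list[tuple[str, str, str, str]]:
    """List (old feed, old action, new feed, new action) where the upgrade
    changes what a rule does. Worth reviewing before the automatic upgrade:
    in a mixed Step 3 case a former Block landing on Infoblox Low Risk becomes
    Allow-with-Log, i.e. enforcement is loosened for those indicators."""
    upgraded = upgrade_policy(policy)
    changes = []
    for old_feed, new_feeds in OLD_TO_NEW.items():
        if old_feed not in policy:
            continue
        for new_feed in new_feeds:
            if upgraded[new_feed] != policy[old_feed]:
                changes.append((old_feed, policy[old_feed], new_feed, upgraded[new_feed]))
    return changes


if __name__ == "__main__":
    # Constructed sample policy mirroring Step 1 Case 3 and Step 3 Case 3 above.
    sample = {
        "Base Hostnames": ALLOW, "AntiMalware": BLOCK,
        "Malware DGA hostnames": ALLOW, "Ransomware": ALLOW,
        "Suspicious": BLOCK, "Suspicious Lookalikes": ALLOW, "Suspicious NOED": BLOCK,
        "Antimalware IP": BLOCK, "Newly Observed Emergent Domains": ALLOW_LOG,
        "Corporate Allow List": ALLOW,  # hypothetical custom rule, kept as is
    }
    for feed, action in upgrade_policy(sample).items():
        print(f"{feed:28} {action}")
    for change in action_changes(sample):
        print("changed:", change)
```

Run against the sample, the report shows the two directions an upgrade can move a policy: three Allow rules in the Step 1 section tighten to Block on Infoblox Base, while the Block on Suspicious NOED loosens to Allow-with-Log for anything that lands in Infoblox Low Risk. Policies whose old feeds already share one action produce no changes at all, which is the outcome to aim for before December 31, 2024.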
