Threat Intel
Threat Intel provides analysis, alerts, advisories, and reports from the Infoblox Threat Intel team, focusing on threat actors persisting in DNS. Infoblox automatically detects and tracks clusters of newly registered and deployed domains likely controlled by the same threat actor. By monitoring connections between these clusters, Infoblox ensures consistent threat actor tracking.
We use our animal taxonomy to formally name actors when we can oversee their infrastructure and have conducted thorough research. The results include both automatically generated and specifically named actors identified in your network.
Notes
Accessing Threat Intel: Infoblox users can access Threat Intel reports via the Monitor > Research > Threat Intel page.
Classification Methodology: Infoblox employs an animal taxonomy system to classify threat actors.
Threat Actor Tracking: Infoblox automatically detects and tracks clusters of domains linked to the same threat actors.
Zero-Day DNS Protection: Identifies newly registered spearphishing, DGA, and malware domains before they cause harm.
Viewing Threat Intel in the Infoblox Portal
To access Threat Intel, follow these steps:
Log in to the Infoblox Portal.
Navigate to Monitor > Research > Threat Intel.
Select a threat intel category:
Threat Actors In Your Environment
All Infoblox Publications
Zero Day DNS
For information on the naming conventions and taxonomies that Infoblox uses to name and classify threats, see Infoblox Threat Naming Conventions.
Threat Actors In Your Environment
The Threat Actors In Your Environment tab provides a list of observed threat actors detected in your network. Each reported threat actor includes detailed intelligence, such as its description, associated domains, and detection history.
With the release of the Threat Actors In Your Environment reports, the Threat Labs reports have been deprecated.
Viewing the Threat Actors Report
The Threat Actors In Your Environment page provides the following details:
Description: A concise overview of the threat actor, curated by the Infoblox Threat Intel team.
Total Domain Count: The total number of domains associated with this threat actor, as detected by Infoblox Threat Intel.
Domains in Your Network: The total number of domains in your network where the threat actor has been observed.
Click the domain link to view detailed information in the Infoblox Threat Intel Blog.
Domains Not in Your Network: A list of domains outside your network associated with this threat actor, as identified by Infoblox Threat Intel.
Active Threat Domains Discovered by Infoblox:
Displays threat actors detected in your network.
Shows how early Infoblox discovered a threat actor in your network, compared to other threat detection vendors.
The detection timeline schematic provides:
The name of the domain in your network, and the threats associated with the domain.
Date of Infoblox’s first detection (far left on the timeline).
Date when other vendors discovered the domain.
Time window during which Infoblox protected your network from the threat domain.
Most recent detection date, based on DNS traffic records.
Threat Actors In Your Environment
The Threat Actors in Your Environment tab shows a list of threat actors observed in your environment. Each reported threat actor on this list provides detailed information about the specific threat actor.
In addition to listing the threat actors discovered in your network, this page highlights the following details about each threat actor:
Description: A concise overview of the threat actor from Infoblox Threat Intel.
Total Domain Count: The total number of occurrences of the threat actor on domains identified by Infoblox Threat Intel.
Domains in Your Network: The domains in your network where the threat actor has been identified. Click the link to view information about the threat domain in the Infoblox blog.
Domains Not in Your Network: The occurrences of the threat actor on domains not in your network, as identified by Infoblox Threat Intel.
Active Threat Domains Discovered by Infoblox: This section highlights the threat actors discovered in your network. It also displays how early Infoblox discovered a threat actor in your network. Additionally, it provides the following information:
The name of the domain in your network, and the threats associated with the domain.
A schematic diagram depicting the timeline of detection, from initial detection to final outcome, and showing:
When Infoblox first detected the threat domain (far left side of the timeline).
The date other vendors discovered the domain.
The time window during which Infoblox protected your network from this threat domain.
The date the threat domain was seen most recently, based on DNS traffic records.
All Infoblox Publications
The All Infoblox Publications tab displays research reports and advisories produced by the Infoblox Threat Intel team. These reports cover:
New threat campaigns
Malware
Threat actors
Exploitation of new vulnerabilities
Viewing Threat Intelligence Reports
On this page, users can:
View a report’s title and publishing date.
Expand report descriptions by clicking the downward arrow next to the title.
Search reports by keyword.
Download full reports in PDF format.
Threat Intel reports provide insights into:
Threat behaviors
Indicators of compromise (IoCs)
Emerging attackers and their tools/infrastructure
Zero Day DNS
Zero Day DNS employs a zero-trust approach to newly registered domains in your network. It helps identify and flag:
Newly registered spearphishing domains
Domains generated by malware (DGA - Domain Generation Algorithm)
Newly observed domains likely used for attacks
Viewing Zero Day DNS Reports
The Zero Day DNS tab provides:
A list of detected Zero Day DNS domains in your network.
A count of domains flagged as "Suspicious" and/or "Malicious".
For information on how to configure Zero Day DNS, see Zero Day DNS Configuration.