On this episode of the Six Five in the Booth, Will Townsend of Moor Insights & Strategy is joined by Infoblox’s Dr. Renée Burton, Vice President, Threat Intelligence, for a deep dive into the world of DNS-based threat intelligence and how Infoblox is leading the charge in protecting businesses from an array of cyber threats.
Their discussion covers:
- The pivotal role of DNS in the cybersecurity landscape and Infoblox’s approach to unmasking threat actors.
- The intriguing story behind the names of threats like seahorses, pumas, vipers, dogs, and meerkats, and the significance of DNS in safeguarding against them.
- An exploration of Zero Day DNS and its importance in the battle against cyber threats.
- Infoblox’s strategic shift from threat aggregator to creator and the reasoning behind this transition.
- The necessity of introducing new security products in a market flooded with solutions.
Learn more at Infoblox.
Watch the video below, and be sure to subscribe to our YouTube channel, so you never miss an episode.
Or listen to the audio here:
Disclaimer: The Six Five Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we ask that you do not treat us as such.
Transcript:
Will Townsend: Hi, this is Six Five Media On The Road at RSA Conference 2024, and we’re continuing the conversation with Infoblox. I’m joined by Renée Burton. Dr. Renée Barton, you lead threat intelligence for Infoblox.
Dr. Renée Burton: Yeah, thanks. Thanks for having me.
Will Townsend: Yeah, it’s going to be a great conversation. I want to start out with the fact that through DNS, Infoblox is discovering threat actors of all kinds, shapes, and forms. Can you explain how you’re doing that? I mean, I know personally as a mathematician you have several patents that have been issued in this area, but how’s Infoblox doing this?
Dr. Renée Burton: The main way we’re doing it is by using a combination of expertise in data science, which you can get; threat intelligence, which you can get; and DNS, which is a lot harder to get. Bringing those three pieces together into a large platform that can absorb tens of billions of records every day and have lots of different specific algorithms to come out and identify suspicious domains and malicious domains is our secret sauce into it. It’s that combination of the world where you actually have the expertise in DNS in particular, as well as these other areas.
Will Townsend: Well, bad actors can use DNS to their advantage as well, so how do you combat that?
Dr. Renée Burton: They do. They actually thrive in DNS, and in part of that, if we think about it, traditionally networking and security are really quite separate. Networking guys are running the DNS, they’re the DNS operators, and the security guys are running the SOC and various other parts of the security stack. They often don’t even have access. There’s no communication between these two groups. And in the schools, we don’t teach DNS. So people learn about malware, they go to university, they learn how to do reverse engineering, they learn about phishing. Where are you going to learn about DNS? It doesn’t happen. We haven’t built that into our industry and into our culture.
Will Townsend: Sure.
Dr. Renée Burton: And then bad actors on the other hand, are taking full advantage of that so they can actually learn it themselves and thrive registering tens of thousands of domains. Or even if it’s just a few, they can run for a very long time with no one detecting them.
Will Townsend: Sure.
Dr. Renée Burton: Because no one’s paying any attention.
Will Townsend: Right. No, I think it’s incredible how the Infoblox technology can determine these, and domains can be set up and they can be weaponized immediately. I want to talk to you about that a little bit more, but then they can remain dormant for years and years. I find it incredible that Infoblox is leveraging DNS to be able to root that sort of thing out, right?
Dr. Renée Burton: Yeah, the spectrum of that domain life cycle is really, it happens at all levels. For a while back, say 2009, 2010, people would register a domain phishing and they’d use it right away. And then people got smart and they were like, “Oh, let’s stop, learn about things that are new registered and stop them.” So then they started strategically aging, and that strategic aging we see typically being say seven to 30 days for most starter crime-
Will Townsend: Not like a fine wine, but.
Dr. Renée Burton: Yeah, not like a fine wine. The SolarWinds attack that was in 2020, they had aged that two and a half years so some actors will age a lot more.
Will Townsend: Sure.
Dr. Renée Burton: But what we’ve seen since maybe summer 2021, 2022, you’ve seen this really large increase in the availability of ransomware and specifically for multi factor authentication lookalikes, the ability to do those kinds of tasks.
Will Townsend: Sure.
Dr. Renée Burton: Since those are lookalikes, now they need to operate really fast. And so they’ll register and use a domain within an hour or two hours so it’s gone even to a more extreme avenue there.
Will Townsend: Wow, that’s crazy. Well, I want to talk about some animals.
Dr. Renée Burton: Oh, yeah, I got animals.
Will Townsend: Like seahorse, a puma, a viper, a dog, and now a meerkat.
Dr. Renée Burton: Yep.
Will Townsend: This is a way that Infoblox is able to label and identify certain threat actors, right? I’d love to talk about how you detect that, how you’re protecting your customers. But maybe before we jump into that, how do you come up with these naming schemes? It sounds like a very eclectic zoo,
Dr. Renée Burton: Right? In some sense, it is.
Will Townsend: Yeah.
Dr. Renée Burton: What we’re trying to do is find a way to create a framework that in some ways can be memorable.
Will Townsend: Sure.
Dr. Renée Burton: Because there are actually, we’ve published, I think six papers in the last year with different animals, but on the other hand, we actually have in the wings hundreds more.
Will Townsend: Right.
Dr. Renée Burton: We want to have that be a way in which if you hear Meerkat, you know that that’s about MX records. And if you hear Viper, you know that that’s about a traffic distribution system that’s fairly complex.
Will Townsend: Right.
Dr. Renée Burton: So there’s a theme to that, but it’s also catchy and interesting and you can remember it.
Will Townsend: It is, and I think it gives you credit as a company for being the first to identify it as well, right?
Dr. Renée Burton: Right, exactly. Exactly, in the DNS arena. We’re really trying to focus on things that are really unique. Nobody else has ever talked about this at all, and those are the ones that we are reserving for that kind of publication level.
Will Townsend: Okay. You identify with the creative naming scheme, and then how do you inform and protect customers?
Dr. Renée Burton: Our product suite includes security, which you can think of in a lot of different ways. There was a DNS detection and a response. Some people talk about it as protective DNS, some people might think of it as a DNS firewall. There’s a lot of ways in which you can think about it. Some people might just think of it as block lists. We have very simplistic way of doing it, but we act as the recursive resolver, whether that be on-prem from a mobile device, laptop, or in the cloud. And then during the recursive resolution process, we’re able to consult, do we think this is suspicious? Do we think this is malicious? And then block or redirect those queries, so that’s how the customers are protected.
Will Townsend: Okay. Is there any sort of nomenclature around severity and impact as well within each of the categories?
Dr. Renée Burton: Yeah, we’re actually releasing new versions of this, but we have ways in which we calculate everything as being malicious. That’s going to be our confirmed malicious. And then within suspicious, which we’ve actually found to be, it’s like that razor edge of protection for our customers. Over the last year, we’ve been measuring that a lot, and you’re able to see that in the news afterwards. Particularly related to ransomware frankly, Cobalt Strike and various other exfil. We had those domains in our suspicious feeds already so we’ve been able to see that customers were protected from the very first DNS query. There was no Cobalt Strike, there was no data exfiltration. You couldn’t have detected data exfiltration because even the first packet was blocked, even the first query was blocked.
Will Townsend: Which is awesome. I mean, being proactive versus reactive.
Dr. Renée Burton: Right, exactly.
Will Townsend: Those types of threats. I like to circle back on the whole notion of zero-day DNS, and it sounds pretty ominous, but what’s critical to exposing these bad actors? Because I mean, it’s mind-blowing for me that your platform can sense this within a matter of minutes and be able to block it. You talked about the secret sauce earlier, what’s the architecture behind all that?
Dr. Renée Burton: Yeah, so zero-day DNS is a direct response to this increased threat, and we see that in a couple of different ways, but specifically with multi factor authentication lookalike attacks, those have been the source of just about every single major breach in the last year and a half or two years. What we saw from different cases, and they do come out of customer cases, was we had identified that a domain was suspicious, but we were several hours too late. It was like, “This is really cool, you identified it, but I needed to know six hours earlier.” We were finding that they were registering and using this domain within one or two hours, and that’s before any newly observed domain feed or anything like that is going to be able to see them. So we ended up building special purpose technology behind it that is not just URLs, this is all DNS that we’ve seen that we’re able to say, “Have we ever seen this before? Is this registered?” And make a very fast decision on that.
Will Townsend: Sure.
Dr. Renée Burton: And if we haven’t, be able to block that for our customers.
Will Townsend: Okay.
Dr. Renée Burton: Going forward.
Will Townsend: Okay. Awesome. This sounds like a paradox, but I know that Infoblox has been on a migration path to move from being a threat aggregator to actually being a creator, right? Can you provide a little bit of context on that and the journey?
Dr. Renée Burton: Yeah. Infoblox started in the security business around 2015, and they took two angles. One was they were the first company to release a streaming detection for data exfiltration in DGAs. We still do that. We have advanced those algorithms, that’s that where’s your zero-day DNS is living. But then for their main firewall blocks, let’s say, those block lists, they were using data aggregation, which means I’m getting my sources. Essentially almost every single person on the floor at RSA or Black Hat or anywhere, they’re either selling data for data aggregation, or their intel is coming from data aggregation. They buy it from different sources, primarily from incident response or from-
Will Townsend: That phrase of telemetry and the fidelity of all of that, right?
Dr. Renée Burton: Exactly. But that sounds great, right? More is more.
Will Townsend: Right.
Dr. Renée Burton: It sounds really good.
Will Townsend: More is good.
Dr. Renée Burton: But in DNS, it’s the worst possible thing that you can do. So the reason that we moved from being an aggregation curation to creator, the reason that we moved is because curated data from the sources, especially that are available on the market, will fail you 100% of the time. And what happens, we’re going back to that networking guy and the security guy, is you’ve bought someone else’s intel, you’ve put it into your product, and now you’ve blocked a GitHub or you’ve blocked Google or you’ve blocked Microsoft.
Will Townsend: And you’re killing your productivity internally.
Dr. Renée Burton: And that networking guy is going to say, “Uh-oh, just going to turn that product off.”
Will Townsend: Right.
Dr. Renée Burton: It’s a very visceral response because it ruins their life. Our real reason for changing was because curation, no matter how good we did, it was negatively impacting our customers and those intel sources weren’t actually finding the real threats. So by creation, it’s 100% DNS, that’s all we do. We do it every day, it’s very specific, and we’re getting a broad spectrum of threats and being able to protect those customers earlier with almost no false positives. It’s ridiculously low.
Will Townsend: Wow. It’s impressive. As we wind up our conversation, I want to talk a little bit about this whole notion of consolidation. I’m seeing this as a trend as an analyst, and I talk to a lot of customers and I talk to a lot of infrastructure providers like Infoblox. There’s this whole notion of point solution sprawl, got to consolidate that. I’m wondering, there are a lot of security products out there, so why should customers consider Infoblox? I mean, is it going to be additive? Is it going to create more complexity from a SecOps perspective? What’s your take on that?
Dr. Renée Burton: The reason that you should consider it is because the fact that nobody’s paying attention to DNS, and we’re seeing over and over again, we released last week Muddling Meerkat. This is a Chinese nation state operation, has been going on for three and a half, four and a half years without detection. There’s so much going on in DNS, the most valuable thing you can do as an enterprise, particularly one who has proprietary information, customer information, is to control your DNS. Don’t allow that DNS to go elsewhere. You need to be able to do that, and then you need to be able to protect it, right? First is control it. Second is protect it.
Infoblox has been in the DNS business longer than anyone else, 25 year old company that is the leader in that so we are the experts there. At the same time, from the protection perspective, we’re the only ones who specialize in DNS. Intel, absolutely the only ones in the market. I think what ends up happening, you were asking about the impact on the SOC and the SecOps perspective. I come out of a perspective where I want to reduce that load on the SOC, and I don’t want to reduce the load by refining all the data for them. I’m going to reduce the load because it never happened. We blocked it in the first place and you don’t actually need to worry about it. And if you talk to a SOC guy, that’s actually what they’re interested, right? Don’t give me more alerts. It just didn’t happen.
Will Townsend: Because I’m fatigued already with all those alerts.
Dr. Renée Burton: Exactly. We’re even seeing in, we’re getting reports from customers that when they start protecting their DNS and when they turn on the aggressive intel that we’re offering them, they’re reducing the load on their firewalls. I saw a report a week or two ago from a customer saying they reduced the load on their firewall by over 50%.
Will Townsend: That’s huge. Eliminating 50% of the overhead.
Dr. Renée Burton: Yeah, exactly.
Will Townsend: They already know that all out. From my perspective, it just provides another layer of protection for enterprises. It doesn’t add any overhead in that scenario. And to your point, Infoblox is one of the only companies, if not the only company, that’s really leaning into DNS to provide improved security resiliency and networking capabilities as well.
Dr. Renée Burton: Right, exactly. We are seeing people start to move more, following us into that area, and particularly as governments are pushing the protective DNS so you can see people coming more into that, but DNS is really hard. It is really, really hard. It’s very sketchy, it’s very arcane, and so you have to build up the expertise in order to do it well.
Will Townsend: Yeah. Well, hey Renée, thanks for taking the time. It’s been a fascinating discussion just hearing your perspective leading threat intel for the company, and have a great rest of your conference.
Dr. Renée Burton: Thank you. Thanks for hosting, I appreciate it.
Author Information
Six Five Media is a joint venture of two top-ranked analyst firms, The Futurum Group and Moor Insights & Strategy. Six Five provides high-quality, insightful, and credible analyses of the tech landscape in video format. Our team of analysts sit with the world’s most respected leaders and professionals to discuss all things technology with a focus on digital transformation and innovation.
