Drastically Reduce MTTD and Stop Zero Day DNS Attacks Within Minutes

Phishing and spear phishing are not new attack methods. But they continue to be effective despite the use of a myriad of security technologies as part of defense in depth by most organizations. In 2022, 66% of data breaches were due to spear phishing.

81% of organizations experienced at least one phishing attack per 2023 CyberRisk Alliance report (up from 58% in 2022) and 75% of organizations faced smishing (SMS phishing) attacks, according to Proofpoint 2024 State of Phish report. So, the attack technique is not going away any time soon. But they have gotten more creative.

Spear phishing often uses lookalike domains, where threat actors create websites that look very much like a legitimate site such as a banking site or a government site, and trick users into clicking links or going to those websites and entering their credentials. Threat actors create thousands of new domains every day and often use some of these domains almost immediately to launch targeted attacks.

The Role of DNS

DNS is the backbone of the network and holds all online operations together. It spans the entire organization and sees all user and device activity. It connects users and devices to websites and applications. It is also the first point in the attack kill chain. When a user clicks on a phishing link, the request goes to the DNS server, which resolves it and connects the user to the actual website (in this case let's say a lookalike domain). DNS can be used to detect any activity to malicious destinations in near real time, including activity to newly registered lookalike domains as part of a zero day DNS detection.

Reducing MTTD and Stopping Zero Day DNS^TM Attacks Within Minutes

BloxOne Threat Defense from Infoblox includes Threat Insight, a module that uses patented technology and streaming analysis to inspect live DNS traffic from customer networks going to the internet to detect and automatically block threats. Threat Insight now includes a Zero Day DNS™ capability that blocks threats from first-seen domains that are registered by threat actors as part of a spear phishing campaign just minutes to hours before being used in an attack. While newly registered domains are not inherently malicious, our statistics show that when a brand-new domain is seen in a customer network, the likelihood of an active threat goes up.

Figure 1: Timeline showing a phishing campaign domain and when it gets blocked with Zero Day DNS^TM

As soon as Infoblox sees the first query in a customer's network, and it is a new domain or a domain not seen by Infoblox resolvers for an extended period of time, analysis is done to determine if the domain may pose a threat to the customer. If it could be a potential threat, the domain is automatically added to a custom list for blocking.

For example, in a 5-day period, ZeroDay DNS^TM examined over 1 million new domains, and of those flagged 6800 as suspicious, with 1500 being marked as High to Critical within 48 hours by current processes.

Zero Day DNS^TM capability provides the best protection against the rapid-fire attacks that have risen so steeply in the last 18 months with easy access to multi-factor authentication (MFA) spear phishing attacks. These quick register-and-fire attacks have led to countless data breaches and are likely to continue far into the future.

Spear phishing is a highly targeted and effective attack method that exploits personalized information to deceive recipients. When used in conjunction with lookalike domains, it can be even more dangerous. Organizations need robust defenses, including DNS focused solutions, to combat these threats effectively. Infoblox's approach exemplifies how proactive measures can significantly reduce the impact of attacks.

Learn more about Threat Insight here.

Learn more about BloxOne Threat Defense here.

Public link

Please use the above public link if you want to share this noodl on another website.