Use-case: Demonstrating the Capability on TLDs: Baselining Reputation Scores for TLDs in Anonymized Infoblox Customer Traffic
Ranking and comparing cyber threats can be very complicated, especially given the shifting landscape of cybersecurity from day to day. Therefore, having a robust, quantifiable, and repeatable process for scoring large amounts of data can be invaluable as defenders prioritize their limited resources for securing systems and analyzing their traffic and alerts. While there have been a number of attempts at creating such an algorithm, with the most recent notable attempt by Spamhaus, most fall short of producing scores that can be interpreted by a wide variety of audiences and can be easily used to provide meaningful comparisons. In response to this need, researchers from Infoblox’s Threat Intelligence Group developed a new, generic scoring algorithm that can be applied to data such as top-level domains and nameservers.
“Classifying the reputation or risk of internet infrastructure is essential to the effective defense of an organization’s network. Defenders have limited resources and must focus on threats that pose the highest risk to their organization. Although there have been many attempts to develop algorithms that can produce classification scores, most produce scores that are challenging to interpret and use for comparison purposes. Infoblox researchers have developed a new scoring algorithm that addresses both of these challenges. Infoblox is a large company with a very substantial global installed base. Where permitted, we use the anonymized cloud data to identify emerging trends used by threat actors, and this is the basis for our new algorithm,” says Mohammed Al-Moneer, Regional Sr. Director, META at Infoblox.
To introduce the algorithm and demonstrate its usefulness, Infoblox researchers applied it to the past six months of anonymized DNS data from the company’s resolvers to determine the reputation, or risk, associated with com, net, and other top-level domains (TLDs) that appeared in the traffic. With high confidence, the researchers classified ten as high-risk, meaning that these TLDs were more likely to contain malicious domains than other TLDs were: bid, cam, cfd, click, icu, ml, quest, rest, top, and ws.
The new reputation-scoring algorithm uses only two pieces of information: the total number of observations and the number of observations meeting a specific criterion. When the algorithm is applied to TLDs to generate risk scores, the two values are the total number of observed domains in the TLD and the number of observed malicious domains in the TLD. From these two values the algorithm produces an integer score from zero to ten, that is, [0:10]. A score of 5 is the normal, expected score, meaning the TLD's share of malicious domains matches what is seen across all TLDs, and is classified as “moderate risk”. Scores of 4 and 6 are close enough to 5 that they are also classified as “moderate risk”. Scores below 5 indicate a lower-than-average percentage of malicious domains in the TLD, and scores above 5 a higher-than-average percentage.
Given the ever-changing landscape of the web, TLD scores depend on the observations used in the calculation and will change over time as new observations are made. To improve confidence in scoring and risk classification, Infoblox assessed TLDs for consistency before selecting them for further analysis. Because the internet, the sensing capabilities, and threat actor infrastructure are all highly variable, it is not uncommon for a TLD’s risk score to move from month to month. By contrast, a TLD that is consistently classified as high risk across months represents a long-term risk that warrants action by defenders. Not every domain in these TLDs is malicious, but understanding the general risk of the TLD itself helps defenders decide whether there is a business case for blocking the TLD or, at the very least, for monitoring it carefully.
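The two paragraphs above describe the inputs (total and malicious domain counts per TLD), the output (an integer in [0:10] with 5 as the baseline), and the month-to-month consistency check, but not the formula itself. The following is an added illustration, not Infoblox's algorithm or code: it assumes a log2 ratio of the TLD's malicious rate to the all-TLD baseline rate, one point per doubling, rounded and clamped to [0, 10]; a minimum observation count of 100 before a TLD is scored at all; and the 4 to 6 moderate band from the text. The per-month counts are constructed sample data, not customer traffic.

```python
import math

# Constructed sample data (not Infoblox traffic): per month, per TLD,
# (total domains observed, domains observed to be malicious).
OBSERVATIONS = {
    "2023-01": {"com": (100000, 500), "net": (20000, 120), "org": (15000, 60),
                "top": (3000, 300), "cam": (800, 120), "xyz": (50, 10)},
    "2023-02": {"com": (100000, 600), "net": (20000, 100), "org": (15000, 75),
                "top": (3000, 240), "cam": (800, 12), "xyz": (50, 0)},
    "2023-03": {"com": (100000, 450), "net": (20000, 150), "org": (15000, 45),
                "top": (3000, 270), "cam": (800, 100), "xyz": (50, 5)},
}

MIN_OBSERVATIONS = 100  # assumed threshold: fewer observations than this is too noisy to score


def baseline_rate(month):
    """Fraction of all observed domains that were malicious, across every TLD in the month."""
    total = sum(t for t, _ in month.values())
    bad = sum(m for _, m in month.values())
    return bad / total


def score_tld(total, malicious, base_rate, scale=1.0):
    """Map one TLD's two counts onto an integer in [0, 10], with 5 meaning
    'same malicious rate as the baseline'.  The log2-ratio mapping and the
    scale factor are assumptions of this example, not the published algorithm:
    each doubling of the malicious rate relative to baseline adds `scale` points,
    each halving subtracts `scale` points, and the result is clamped to [0, 10]."""
    if total < MIN_OBSERVATIONS or base_rate <= 0:
        return None  # not enough data to score with any confidence
    if malicious == 0:
        return 0  # log of zero; nothing malicious observed, so bottom of the scale
    raw = 5 + scale * math.log2((malicious / total) / base_rate)
    return max(0, min(10, round(raw)))


def classify(score):
    """Risk bands as described in the text: 4 to 6 moderate, below 4 low, above 6 high."""
    if score is None:
        return "insufficient data"
    if score < 4:
        return "low"
    if score > 6:
        return "high"
    return "moderate"


def score_month(month):
    """Score every TLD in one month against that month's own baseline."""
    base = baseline_rate(month)
    return {tld: score_tld(t, m, base) for tld, (t, m) in month.items()}


def consistently_high_risk(observations):
    """TLDs classified high risk in every month: the long-term signal that warrants action.
    A TLD that is high risk in some months but moderate in others (cam in the sample
    data) is dropped, as is any TLD that could not be scored in some month."""
    per_month = [score_month(m) for m in observations.values()]
    tlds = set().union(*per_month)
    return sorted(t for t in tlds
                  if all(classify(s.get(t)) == "high" for s in per_month))


if __name__ == "__main__":
    for name, month in OBSERVATIONS.items():
        for tld, s in sorted(score_month(month).items()):
            print(f"{name} {tld:<4} score={s} {classify(s)}")
    print("consistently high risk:", consistently_high_risk(OBSERVATIONS))
```

In the sample data, top scores high in all three months and is the only TLD the consistency filter keeps; cam scores 9, 6 and 9, so a single month's snapshot would have flagged it but the three-month view does not; xyz never reaches the minimum observation count and is reported as insufficient data rather than receiving the extreme score its 10-out-of-50 ratio would otherwise produce. The small-sample guard and the multi-month check are the two caveats a practitioner should carry into any blocking decision based on such scores.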
Using this algorithm to classify the risk of TLDs is just the first step. In due course, the company will show how it can be used to classify internet infrastructure elements such as nameservers and domain registrars. In the future, Infoblox will also explore how the results of these investigations can be used by customers to evaluate and prioritize potential threats to their networks.
Infoblox’s new reputation scoring algorithm has already proven successful. Its application to determining TLD reputation has yielded information that Infoblox has used to strengthen the defenses of its customers through Dossier and other products.