“The rules of cybersecurity have changed. Customers want more than just another security solution or tool – they have dozens, if not hundreds, already. What they want is to drive more value from their current environment by making it more effective. That’s where Infoblox comes in,” explains Chris? Millerick, ?Vice President, Worldwide Partner Sales at Infoblox.

Infoblox BloxOne is the first cloud-native platform delivering DDI (DNS, DHCP, and IPAM) and DNS data-enabled threat detections, and offers partners predictable, reliable renewal margins year after year. A Forrester Economic Impact Report found that BloxOne Threat Defense can deliver a staggering 243% return on investment.

Integrated into the security ecosystem, BloxOne enables DNS data to be used to address blind spots in enterprise threat defense and security systems. Internal and external threats can be identified, prioritized, and remediated in a fraction of the time without significant additional investment in new solutions.

In the new program, partners will be assigned levels based on their acquisition of the competencies required to deliver BloxOne and maximize its value for customers.

The Skilled to Secure program is built around three tracks designed to deliver support across the channel: Value-added Reseller and Systems Integrator, Service Provider, and Value-added distributor. Based on their track record and meeting the defined competency requirements, partners’ awarded level will be announced in May 2023.

“We’re excited about the evolution of our partnership with Infoblox, and the opportunity provided by their new professional service certifications,” says Denis Ferrand-Ajchenbaum, SVP Global Business Development & Ecosystems at Exclusive Networks.

Zero Trust Helps Secure Enterprise Networks and Sensitive Data

The Zero Trust security model can help cybersecurity professionals to secure enterprise networks and sensitive data. By continuously assuming that a breach is inevitable or has already occurred, the model eliminates trust in any single element. Zero Trust is a data-centric model that seeks to limit access while trying to identify anomalous or malicious activity.

The Zero Trust mindset brings substantial benefits. System administrators can better control devices, processes, and users that engage with data in any way. When adhered to, the basic principles of Zero Trust can reduce the risks associated with insider threats, a malicious activity that targets the supply chain, the compromise of user credentials, remote exploitation, and many other types of cyberattacks.

There are two things that can be done to enable Zero Trust: migrate to IPv6 and combine it with DNS security.

Zero Trust through IPv6

In the last few years, the momentum of implementing IPv6 has grown significantly as its superior features have become compelling. This momentum has been sustained by reducing cost, decreasing complexity, improving security stack and eliminating barriers to innovation in networked information systems.

One of the important characteristics of IPv6 is the abundance of global IPv6 addresses it offers, and this abundance obsoletes the need for network address translation (NAT) in the quest of solving the problem of depleting public IPv4 addresses. Without NATs in the middle of client-server communications, the application server receives the unmodified connection from the source IPv6 address of the client.

Due to the constraints of IPv4 addresses, the use of NATs has become ubiquitous; this obfuscates client IPv4 addresses and provides anonymity to attackers. As a result, servers cannot always validate the identity of client connections, so other forms of authenticating end users have to be used. This creates problems with reputation filtering and with the use of client IPv4 addresses for authentication and for detecting and blocking fraudulent transactions.

Among the possibilities provided by an IPv6-based network, is taking much more advantage of secure DNS management, with a view to reinforcing the security of the entire network. In an IPv6 network, DNS can become an absolute “Zero Trust” control point, where every Internet address can be scanned for potentially malicious behavior and identified by built-in threat intelligence.

Building a Resilient Zero Trust Architecture with DNS Security

One strategy that can significantly strengthen the security posture of the network is to integrate the valuable metadata residing in DDI (DNS, DHCP and IPAM) with the security stack. This information makes it possible to identify the connected device responsible for a set of network traffic, which enables IT teams to detect a potential threat and share that information with the security ecosystem. Using DNS security and leveraging DNS-related information within a Zero Trust architecture can reduce risk in all environments from the core of the on-premises network to its farthest cloud-enabled edge.

Visibility and automation capabilities are essential when deploying a Zero Trust architecture

Mohammed Al-Moneer, Regional Director, META

. DNS-based security with network device discovery – whether in on-prem virtualized or in hybrid multi-cloud environments – reduces IT silos through shared access to the integrated, authoritative database of protocol, IP address, network infrastructure devices, end hosts, connectivity and port data. These capabilities reduce security and service disruptions through the detection of rogue devices, errors, unmanaged devices, and networks that go unseen in standard IPAM tools.

DNS has a key role to play in a Zero Trust architecture, because it provides more-centralized visibility and control of all computing resources, including users and servers in a micro-segment, all the way to individual IP addresses. Because most traffic, including malicious, goes through DNS resolution first, DNS is an important source of telemetry that provides detailed client information and helps detect anomalous behavior and protect east-west traffic between micro-segments. DNS security can also continuously check for, detect and block C&C connections and attempts to access websites that host malware. For all of these reasons, DNS security is now a core enabler of the Zero Trust strategy.

DNS security provides a single point of control for administering and managing all environments, including cloud, on-premise, WFA and mobile devices. This provides one DNS security administration point for all security stacks, and this point can easily be integrated with SOAR and other critical cybersecurity ecosystem controls. Organizations must always be in control of and have complete visibility into DNS traffic. It is best practice that all DNS traffic be resolved by servers controlled by the organization, not by external resolvers over which the IT team has no control.

Smishing: A strategy that combines SMS and phishing

Smishing messages are sent by bad actors to get victims to reveal private information, including passwords, identity, and financial data.

Prevention and Mitigation

Smishing messages are a common method for sending phishing links. Infoblox recommends the following precautions for avoiding smishing attacks:

• Always be suspicious of unexpected text messages, especially those that appear to contain financial or delivery correspondences, documents, or links.
• Never click URLs in text messages from unknown sources.

VexTrio DDGA Domains Spread Adware, Spyware and Scam Web Forms

Mohammed Al-Moneer, Regional Director- Infoblox

Since February 2022, Infoblox’s Threat Intelligence Group (TIG) has been tracking malicious campaigns that use domains generated by a dictionary domain generation algorithm (DDGA) to run scams and spread riskware, spyware, adware, potentially unwanted programs, and pornographic content. This attack is widespread and impacts targets across many industries.

VexTrio actors heavily use domains and the DNS protocol to operate their campaigns. To avoid detection, the actors have integrated several features into their JavaScript and require the following conditions from the user to trigger the redirect:

• The user must visit the WordPress website from a search engine.
• Cookies are enabled in the user’s web browser.
• The user has not visited a VexTrio compromised web page in the past 24 hours.

Prevention and mitigation

Infoblox recommends the following actions for protection from this kind of attack:

• Disabling JavaScript on web browsers completely or enabling it only for trusted sites.
• Consider using an adblocker program to block certain malware activated by popup ads.

Mohammed Al-Moneer, Regional Director, META at Infoblox says, “Our report shares research on many dangerous malware threats. Security effectiveness depends on timely, up-to-date threat intelligence. Using tools included in Infoblox BloxOne threat defense, security teams can collect, normalize and distribute highly accurate, multi-sourced threat intelligence to strengthen the entire security stack. Additional capabilities can help SecOps to accelerate threat investigation and response by up to two-thirds.”

Today’s cybersecurity challenges are not much different from past years’, with one slight twist – the attack surface has dramatically shifted. The pandemic forced us to rethink our IT environment as most users had no choice but to work remotely, relying on their residential internet services. This dramatic shift did not give us any time to plan connectivity or security. The result is that every user’s device can become a potential threat. But this blog is not another discussion about the perils of working from home. It is about understanding how this new paradigm affects the security thought process and what organizations have experienced concerning their security posture based on this new normal.

Anthony James, VP of Product Marketing at Infoblox

We recently commissioned a survey to understand the global state of security, including the impact of remote workers, which was completed with over 1,100 IT and cybersecurity decision-makers and influencers participants, covering 11 countries.

The participants also shed some insight into current threats and anticipated investments designed to prevent ransomware and other serious security concerns. Unsurprisingly, the report highlights that moving to a remote work environment contributed to an increase in security incidents, including data loss, ransomware, and other types of attacks via cloud services. The result of the survey is a summary of all respondents, as well as multiple regional or country-specific reports.

If you take the time to read all of the reports, you will find a commonality of tools most organizations invest in. VPN took the lion’s share of investments in the past 12 months. However, DDI and DNS technologies are growing in popularity. 41% deployed cloud-managed DDI (DNS, DHCP, and IP management) servers as security controls. When hunting down a threat source, 40% relied on network flow data that DDI provides, 39% used DNS queries, and 39% used outside threat intelligence services.

What I also found interesting is how each country diverged in the types of threats or vulnerabilities they were most concerned about in the next 12 months. Here are some examples that bring to life the fact that every region or country may face a common set of cyber threats; they may differ in the order of importance:

• Data leakage – this was the top concern amongst almost all countries surveyed, with an outlier being the US, where “ransomware” made it to the first spot.
• Ransomware – this was the second concern amongst almost all countries surveyed, with an outlier being the US, where “Data leakage” made it to the second spot.
• Attack via remote worker connections made it to third for almost all countries surveyed, with an outlier in the EMEA roll-up, where “Direct attack through cloud services” made it to third.

Another interesting finding by comparing each region or country was concerning, where organizations identified the source of a breach. The following is another sample comparing some of these reports:

• WiFi access point – this was the first source of breaches for almost all countries
• Cloud infrastructure or application – was the second source of breaches for almost all countries
• 43% of respondents pegged the cost of a breach to $1 million or more.

There are many great examples of how organizations respond to the new workforce environment, with many similarities between regions or countries.

2022 Networking Trends from Infoblox by Cricket Liu, EVP and Chief Evangelist

• There shall be increased use of DNS-over-HTTPS (DoH) by malware because DoH provides an encrypted channel to the DoH server. DoH adoption is increasing and malware developers are more aware of it as a means to bypass security controls
• ISPs and enterprises will deploy DoH defensively on their own DNS infrastructure (to prevent fallback to third-party DoH servers). Why now? DoH is a newer technology, relatively speaking. Being able to run your own DNS servers that support DoH is even newer
• More iOS app developers will be running DoH servers to capture DNS telemetry from clients

2022 Security Trends from Infoblox by Ed Hunter, CISO

• The move back to the office in 2022 will be a slow one, even as offices continue to re-open in 2022, with many employees preferring to work from home. So, making your security “location independent” is key. If you haven’t done this already, do it now
• Enabling flexible workspaces and smaller offices rather than large campuses may become the trend. More focus on endpoint security controls
• Mobile and personal devices continue to be a hot area of debate. How secure is your employee’s home network?
• Ransomware is not going away, though the government will increasingly be getting involved. Prepare for it

Several reports conflated the two outbreaks based on the evidence at hand and the common use of ransomware. Subsequent investigation revealed that they were separate attacks utilizing different distribution capabilities and malware. It is important to understand the difference between the two attacks because each one requires slightly different remediation measures.

The first attack, WannaCry, is a self-propagating worm, which leverages a known and patched vulnerability in Microsoft Server Message Block (SMB). It leverages an exploit called ETERNALBLUE and goes on to establish a backdoor known as DOUBLEPULSAR to allow for future access to the infected systems. WannaCry spreads by connecting to SMB services on local and Internet-facing systems with the vulnerability or running the backdoor. The malware then spreads laterally by attempting connections to all systems on the local network.

During its initial infection WannaCry checks whether an external domain (killswitch domain) is available. If the killswitch domain can be contacted, the encryption function does not run. The killswitch domains are not a command-and-control server for the malware and should be monitored but not blocked. Before May 12, the domains were not registered. Shortly after the attack started, a malware researcher registered and sinkholed the first domain. This helped prevent a lot of later infections since the malware was able to resolve the domain. If left to run normally, WannaCry will encrypt most files on a machine. Once the files are encrypted, users will be prompted to pay $300 in Bitcoin to get their files back. The cost goes up to $600 if a user takes too long to pay, and eventually the user will be unable to pay to have files returned. Note that Microsoft had issued a patch for the SMB vulnerability that was being exploited in March 2017. That patch was not universally implemented.

While the world was preoccupied with WannaCry, there was another ransomware attack in progress called Jaff. The Jaff ransomware was launched by Necurs, one of the largest botnets in the world, notorious for spreading threats such as the Locky ransomware and the Dridex banking Trojan. It sends misleading emails to its victims encouraging them to open an attached PDF document. This document asks for additional permissions when opened and if approved, allows the delivery and execution of the ransomware payload. The emails used to deliver Jaff employ standard spam techniques, but the exact details vary between each of the concurrent campaigns.

Once Jaff has been downloaded and executed by the malicious document it connects to its C2 servers to communicate that encryption of the victim’s files has begun. Jaff then proceeds to encrypt the victim’s files, instructs the victim to install Tor Browser, and directs the users to a specific web site that displays a ransom note and payment instructions. The exact amount demanded by the ransom varies over time, but currently averages around 2 Bitcoin (roughly $3,500 dollars).

Best Practice Recommendations:
In the face of these attacks, organizations in the Middle East are asking what they can do.
• Implementing patches in a timely manner: WannaCry’s reliance on a known vulnerability and network scanning indicates that some traditional defenses may be effective. Ensuring timely software updates and keeping systems patched would eliminate the vulnerability and the worm’s ability to spread through that exploit.
• Sinkholing: Unlike the typical command-and-control domains, which should be blocked, WannaCry used a killswitch domain which had to be resolved in order to avoid activating the ransomware’s encryption function. One best practice is for an enterprise to redirect its internal request for those domains to an internal sinkhole. Permitting the infected client to successfully connect to the killswitch domain will prevent the encryption function from completing. It will also enable the enterprise to identify its internal hosts that have been impacted by the malware.
• DNS Response Policy Zone (RPZ) capability: Using RPZ capability on the DNS server to monitor any hits to the killswitch domain helps identify infected clients.
• Using up-to-date threat intelligence: organizations should leverage up-to-date and curated threat intelligence across their entire security and DNS infrastructures to protect against malicious activity and DNS

“The EMEA region is of strategic importance to Infoblox, so finding the right leadership is critical to our ongoing success,” said McCarthy. “Cherif has done a terrific job in leading the Middle East and Africa team over the past two years. During his tenure, he helped significantly grow the regional business while developing a strong partnership model. Under his leadership and given his expertise in security and cloud solutions, I am confident that Infoblox will flourish in the EMEA region.”

“With the rising number of DDoS attacks and data breaches, DNS Security has become mandatory to ensure safe computing in service provider and enterprise networks,” said Sleiman. “Organizations must realize that ignoring DNS as a threat vector can result in damaging consequences. The recent European Union General Data Protection Regulation (GDPR) aims to strengthen data protection and will hold institutions responsible for any data privacy breaches. Infoblox is uniquely positioned to help organizations comply with GDPR and other data privacy regulations by delivering DNS based security measures.”

Sleiman has more than 22 years of sales, technical and business experience with some of the world’s leading networking and telecommunications technology companies including Cisco Systems and Nortel Networks. He is a subject matter expert and well versed in the areas of security, compliance, cloud, and technology trends

“We are excited to be a part of the Infoblox ecosystem. Our mission is to improve the quality and security of communications in Africa. Network landscapes are rapidly evolving, driven by trends in security, virtualization, cloud, SDN, IPv6 adoption, and the Internet of Things (IoT). These demands require advanced solutions for managing DNS, DHCP, and IP address management, critical network services collectively known as DDI. By partnering with Infoblox, we will provide our customers with exactly that – the most advanced and secure DDI solution on the market and an improved end-customer experience,” said Mr. Tim Courtenay, Managing Director of ATIO telecoms. “Infoblox products deliver mission-critical network services, which includes automating complex network control functions to reduce costs, increasing overall security, maximizing uptime and much more. With the prolific growth of device technology and the greater need for compliance, organisations have found it imperative to invest in robust network and security infrastructures. With Infoblox now part of our portfolio, we are well placed to cater to this need,” he continued.

Mr. Rene Bosman, Manager, Infoblox Africa says, “We are very proud to be working with ATIO and have them as a valuable channel partner in Sub-Saharan Africa. The company brings tremendous value to Infoblox in different verticals, but especially in the service provider (SP) segment. In a service provider’s network, it’s all about the subscribers’ quality of experience. A poor experience leads to customers moving to competition. ATIO’s knowledge and expertise in the SP industry as well as capabilities of conducting assurance and performance benchmarking assessments on networks, adds real value to Infoblox solutions.”

“In nearly half of today’s enterprise and service provider networks there is evidence of DNS Tunneling, a significant security threat that indicates active malware or ongoing data exfiltration within those networks. In partnering with ATIO, we believe we have a partner that can not only identify those threats, but also mitigate and stop them,” says Mr. Bosman.

The “first-connection impression” is that important moment when a subscriber first connects into the network and instantly judges its safety, reliability, and speed. Suspicious application activity, an inaccessible favorite web site, or slow response results in calls into customer care or subscribers questioning loyalty to their current service provider.

Infoblox technology enables the crucial IP connection between the subscriber and his digital world. Infoblox solutions provide actionable network intelligence, carrier-grade security, high availability, and ultra-low latency that helps create a better first-connection impression for subscribers and greater cost efficiency, visibility, insight, and manageability for service providers, while supporting a smooth transition to NFV.