DNS Threat Intelligence for SOC: How It Needs to be Built

Extreme diversity and growth of menaces, together with increasing network complexity, is making it very challenging for today’s security managers to identify suspicious activity. They require knowledge of a threat’s capabilities, resources, motives, and goals – a combination commonly referred to as threat intelligence. As confirmed by Gartner, this knowledge helps organizations and SOCs perform a more thorough analysis and make informed decisions on how to respond and react to any particular threat.

So as part of their overall network strategy, companies need to make use of high-quality threat intelligence in order to protect: 1) Global users 2) Enterprise services. Data from global sources helps safeguard against menaces at internet scale, but protecting enterprise services requires complementing this information with behavioral threat detection solutions in the context of the internal network. That’s where DNS can help. With its capability to collect a maximum amount of data related to activity on your network, DNS itself can help you build your own threat intelligence. DNS threat intelligence is the next step for security operations centers to implement a comprehensive network security strategy.

Your existing security components need help

DNS is a critical network foundation, ensuring access to all apps and services, so it should be given high priority when it comes to securing the various components of any network. Many solutions for protecting users and enterprise services already exist (web proxies and next-gen firewalls being common cases), but they do not deeply filter DNS and often have major defense limitations. For example, web proxies regularly come up across IoT devices that don’t support proxy configurations or VoIP applications which bypass completely the web proxy. Fortunately for network managers, they are comforted by the fact that solutions such as proxies can be complemented with specialized DNS Security, to overcome these limitations, whilst at the same time reinforcing existing security levels.

Combine external and internal feeds to enhance your threat intelligence solution

Threat intelligence can be built from both external and internal sources. When it comes to external feeds, their quality depends largely on the refresh frequency of the feed, as well as factors such as worldwide coverage of malicious domains, control of spam and malware, and efficient handling of false positives.

However, threat information relevant for your company can only come from data based on activity on your network (alerts, logs, traffic flow, etc.) in order to recognize behavior associated with threats. For that reason, it’s best that internal feeds be built by the companies themselves, utilizing data and information generated by the DNS. This knowledge brings with it predictive security capability which can be used, for example, for detection of zero-day malicious domains.

A combination of external and internal feed sources is optimal as it provides the most complete coverage in addition to offering a critical choke point. For example, combining an adaptive DNS security solution with web filtering and a high-quality external feed such as SURBL can help your business to proactively implement and manage security controls to thwart advanced attacks, as well as countering and blocking data exfiltration attempts.

Improving the network security ecosystem

Being a key component of any infrastructure, DNS has unique visibility over network traffic. This naturally makes DNS the first line of defense for any network – something which is extremely valuable these days, considering the millions of new domain names being created each year. As is stated frequently by experts, the route for improving the network security ecosystem is through the sharing of information between resources. It goes without saying that to help enhance the detection and mitigation capabilities of any SOC, the near-real-time threat information offered by DNS simply has to be made use of.