
Infoblox simplifies threat analysis

Infoblox’s Threat Intelligence Group has developed a new, generic scoring algorithm that can be applied to data such as top-level domains and nameservers.

Ranking and comparing cyber threats is complicated, especially as the threat landscape shifts from day to day. A robust, quantifiable and repeatable process for scoring large amounts of data is therefore invaluable when defenders prioritise their limited resources for securing systems and analysing their traffic and alerts.

In response to this need, researchers from Infoblox’s Threat Intelligence Group developed a new, generic scoring algorithm that can be applied to data such as top-level domains and nameservers.

“Classifying the reputation or risk of internet infrastructure is essential to the effective defense of an organisation’s network. Defenders have limited resources and must focus on threats that pose the highest risk to their organisation. Although there have been many attempts to develop algorithms that can produce classification scores, most produce scores that are challenging to interpret and use for comparison purposes.

Infoblox researchers have developed a new scoring algorithm that addresses both of these challenges. Where permitted, we use the anonymised cloud data to identify emerging trends used by threat actors, and this is the basis for our new algorithm,” says Mohammed Al-Moneer, Regional Sr. Director, META at Infoblox.

To introduce the algorithm and demonstrate its usefulness, Infoblox researchers applied it to the past six months of anonymised DNS data from the company’s resolvers to determine the reputation, or risk, associated with com, net, and other top-level domains (TLDs) that appeared in the traffic. With high confidence, the researchers classified ten as high-risk, meaning that these TLDs were more likely to contain malicious domains than other TLDs were: bid, cam, cfd, click, icu, ml, quest, rest, top, and ws.

The new reputation-scoring algorithm uses only two pieces of information: the total number of observations and the number of observations meeting a specific criterion. When the algorithm is applied to TLDs to generate risk scores, the two values are the total number of observed domains in the TLD and the number of observed malicious domains in the TLD. From these two values, the algorithm produces a score from zero to ten, that is, in the range [0:10]. A score of 5 is the normal, expected score and is classified as “moderate risk”; scores of 4 and 6 are close enough to 5 that they are also classified as “moderate risk”. Scores below 5 indicate a lower-than-average percentage of malicious domains in the TLD, while scores above 5 indicate a higher-than-average percentage.

To improve confidence in scoring and risk classification, Infoblox assessed TLDs for consistency before selecting them for further analysis. Given the highly variable nature of the internet, sensing capabilities, and threat actor infrastructure, it is not uncommon for a TLD’s risk score to vary from month to month. As a result, a TLD being consistently classified as high risk indicates a long-term risk that warrants action by defenders. While not every domain in these TLDs is malicious, understanding the general risk of the TLD itself can aid defenders in deciding whether there is a business case for blocking the TLD or, at the very least, in carefully monitoring it.
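The two paragraphs above describe the inputs (observed domains and observed malicious domains per TLD), the output range with 5 as the expected score, and the month-to-month consistency check, but not the formula itself. The following is an added illustrative example, not Infoblox's algorithm or code: the scoring function is an assumed stand-in (the malicious fraction is shrunk toward the baseline rate with a fixed number of pseudo-observations, then each doubling relative to the baseline adds one point), the classification bands above 6 as high and below 4 as low are assumed from the text, and the per-month counts are constructed.

```python
"""Illustrative TLD risk scoring on constructed data (not Infoblox's algorithm)."""
import math
from collections import defaultdict

# Constructed sample observations: (month, tld, observed_domains, observed_malicious).
# The counts are invented for this example; they are not Infoblox telemetry.
OBSERVATIONS = [
    ("2023-01", "com", 8000, 80),
    ("2023-01", "net", 1000, 10),
    ("2023-01", "top", 700, 140),
    ("2023-01", "cam", 300, 70),
    ("2023-01", "ws", 5, 1),
    ("2023-02", "com", 8000, 80),
    ("2023-02", "net", 1000, 10),
    ("2023-02", "top", 700, 175),
    ("2023-02", "cam", 300, 15),
    ("2023-02", "ws", 5, 1),
    ("2023-03", "com", 8000, 80),
    ("2023-03", "net", 1000, 10),
    ("2023-03", "top", 700, 140),
    ("2023-03", "cam", 300, 70),
    ("2023-03", "ws", 5, 1),
]

# Assumed: pseudo-observations that pull small samples toward the baseline rate,
# so a TLD with 5 domains and 1 malicious one cannot jump straight to a high score.
PRIOR_STRENGTH = 50


def risk_score(total, malicious, baseline, prior_strength=PRIOR_STRENGTH):
    """Map (total, malicious) to a score in [0, 10] with 5 at the baseline rate.

    Stand-in formula (an assumption, not the published algorithm): the malicious
    fraction is shrunk toward `baseline` with `prior_strength` pseudo-observations,
    then each doubling relative to the baseline adds one point and each halving
    subtracts one. The result is clipped to [0, 10].
    """
    if not 0 < baseline < 1:
        raise ValueError("baseline must be a rate strictly between 0 and 1")
    if malicious < 0 or malicious > total:
        raise ValueError("malicious count must lie between 0 and total")
    if total + prior_strength == 0:
        return 5.0  # no observations and no prior: nothing but the expected score
    smoothed = (malicious + prior_strength * baseline) / (total + prior_strength)
    score = 5.0 + math.log2(smoothed / baseline)
    return max(0.0, min(10.0, score))


def classify(score):
    """Bands assumed from the article: 4 to 6 moderate, below 4 low, above 6 high."""
    if score < 4.0:
        return "low"
    if score > 6.0:
        return "high"
    return "moderate"


def monthly_scores(observations):
    """Return {month: {tld: score}}, using the month's pooled malicious fraction as baseline."""
    by_month = defaultdict(list)
    for month, tld, total, malicious in observations:
        by_month[month].append((tld, total, malicious))
    result = {}
    for month, rows in by_month.items():
        pooled_total = sum(t for _, t, _ in rows)
        pooled_bad = sum(m for _, _, m in rows)
        baseline = pooled_bad / pooled_total
        result[month] = {tld: risk_score(t, m, baseline) for tld, t, m in rows}
    return result


def consistently_high_risk(observations):
    """TLDs classified high risk in every observed month: the consistency check from the text."""
    scores = monthly_scores(observations)
    tlds = {tld for per_month in scores.values() for tld in per_month}
    return sorted(
        tld for tld in tlds
        if all(tld in per_month and classify(per_month[tld]) == "high"
               for per_month in scores.values())
    )


if __name__ == "__main__":
    for month, per_tld in sorted(monthly_scores(OBSERVATIONS).items()):
        print(month, {tld: f"{s:.2f} ({classify(s)})" for tld, s in sorted(per_tld.items())})
    print("consistently high risk:", consistently_high_risk(OBSERVATIONS))
```

With the constructed counts, top scores above 6 in all three months and is the only TLD flagged, cam is high in two months but moderate in the month its malicious count drops, and ws, with only five observed domains, stays moderate despite a 20% malicious fraction because the shrinkage keeps a tiny sample from producing a confident extreme score. Whatever formula is used in practice, those are the two properties a practitioner should check before blocking on a TLD score: that a score of 5 really corresponds to the baseline rate, and that sparse TLDs cannot reach the high band on a handful of observations.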

Using this algorithm to classify the risk of TLDs is just the first step. In due course, the company will show how it can be used to classify internet infrastructure elements such as nameservers and domain registrars. In the future, Infoblox will also explore how the results of these investigations can be used by customers to evaluate and prioritise potential threats to their networks.

Infoblox’s new reputation scoring algorithm has already proven successful. Its application to determining TLD reputation has yielded information that Infoblox has used to strengthen the defenses of its customers through Dossier and other products.