Infoblox develops simplified scoring algorithm

News Desk -


Ranking and comparing cyber threats can be difficult, especially given the ever-changing cybersecurity landscape. As defenders prioritize their limited resources for securing systems and analyzing traffic and alerts, having a robust, quantifiable, and repeatable process for scoring large amounts of data can be invaluable.

While there have been a number of attempts to develop such an algorithm, most fall short of producing scores that can be interpreted by a wide range of audiences and easily used to provide meaningful comparisons. In response to this need, Infoblox’s Threat Intelligence Group researchers created a new, generic scoring algorithm that can be applied to data like top-level domains and nameservers.

“Classifying the reputation or risk of internet infrastructure is essential to the effective defense of an organization’s network. Defenders have limited resources and must focus on threats that pose the highest risk to their organization. Although there have been many attempts to develop algorithms that can produce classification scores, most produce scores that are challenging to interpret and use for comparison purposes. Infoblox researchers have developed a new scoring algorithm that addresses both of these challenges. Infoblox is a large company with a very substantial global installed base. Where permitted, we use the anonymized cloud data to identify emerging trends used by threat actors, and this is the basis for our new algorithm,” says Mohammed Al-Moneer, Regional Sr. Director, META at Infoblox.

To introduce and demonstrate the algorithm’s utility, Infoblox researchers used it on the previous six months of anonymized DNS data from the company’s resolvers to determine the reputation, or risk, associated with com, net, and other top-level domains (TLDs) that appeared in the traffic. The researchers classified ten TLDs as high-risk, which means they were more likely to contain malicious domains than other TLDs: bid, cam, cfd, click, icu, ml, quest, rest, top, and ws.

The new reputation-scoring algorithm considers only two factors: the total number of observations and the number of observations that meet a specific set of criteria. When the algorithm is applied to TLDs to generate risk scores, those two values are the total number of domains observed in the TLD and the number of those domains observed to be malicious. From these two values the algorithm generates a score in the range 0 to 10. A score of 5 is considered normal and expected and is classified as “moderate risk”; scores of 4 and 6 are close enough to 5 to be classified as “moderate risk” as well. Scores below 5 represent a lower-than-average percentage of malicious domains, whereas scores above 5 represent a higher-than-average percentage of malicious domains.
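The two-input scoring described above, as an added illustration that is not Infoblox's code and does not reproduce its unpublished formula. The mapping from a TLD's malicious-domain rate to a 0 to 10 score (5 at the dataset-wide average rate, two points per doubling or halving of that rate, clipped to the scale), the naive last-label TLD extraction, and the risk bands are assumptions; the observations are constructed.

```python
import math
from collections import Counter

# Constructed sample observations (domain, flagged_malicious); not Infoblox data.
OBSERVATIONS = (
    [(f"host{i}.example.com", i == 0) for i in range(8)]   # 8 com domains, 1 flagged
    + [(f"host{i}.example.top", i < 2) for i in range(4)]  # 4 top domains, 2 flagged
    + [(f"host{i}.example.net", False) for i in range(3)]  # 3 net domains, none flagged
    + [("host0.example.ws", True)]                         # 1 ws domain, flagged
)


def tally(observations):
    """Derive the algorithm's two inputs per TLD: domains observed and domains flagged."""
    total, flagged = Counter(), Counter()
    for domain, malicious in observations:
        # Assumed naive last-label split; real code would consult the public suffix list.
        tld = domain.rsplit(".", 1)[-1].lower()
        total[tld] += 1
        if malicious:
            flagged[tld] += 1
    return total, flagged


def score(total, flagged, baseline_rate, points_per_doubling=2.0):
    """Assumed mapping, not Infoblox's published formula: 5 at the baseline (average)
    flagged rate, +/- points per doubling/halving of the rate, clipped to [0, 10]."""
    if total == 0:
        return None          # nothing observed: no score
    if flagged == 0:
        return 0.0           # nothing flagged: floor of the scale, also avoids log2(0)
    ratio = (flagged / total) / baseline_rate
    return max(0.0, min(10.0, 5.0 + points_per_doubling * math.log2(ratio)))


def classify(s):
    """Bands as described in the article: 4 to 6 moderate; below/above = lower/higher than average."""
    if s is None:
        return "unscored"
    if s < 4.0:
        return "lower than average"
    if s > 6.0:
        return "higher than average"
    return "moderate"


def score_tlds(observations):
    """Score every TLD against the dataset-wide flagged rate taken as the 'normal' baseline."""
    total, flagged = tally(observations)
    baseline = sum(flagged.values()) / sum(total.values()) if total else 0.0
    out = {}
    for tld in total:
        s = score(total[tld], flagged[tld], baseline)
        out[tld] = (s, classify(s))
    return out
```

With the constructed data the baseline rate is 4/16, so com scores 3.0, top 7.0, ws 9.0 and net 0.0.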

Given the ever-changing web landscape, TLD scores are calculated from the observations available at the time and will change as new observations are made. Because the internet, sensing capabilities, and threat actor infrastructure are all highly variable, a TLD’s risk score can fluctuate from month to month. To increase confidence in scoring and risk classification, Infoblox evaluated TLDs for consistency before selecting them for further analysis.

The application of this algorithm to classify the risk of TLDs is only the first step. The company will demonstrate how it can be used to classify internet infrastructure elements such as nameservers and domain registrars in due course. In the future, Infoblox will investigate how the findings of these investigations can be used by customers to evaluate and prioritize potential network threats.

The new reputation scoring algorithm from Infoblox has already proven to be effective. Its application to determining TLD reputation has yielded data that Infoblox has used to strengthen its customers’ defenses via Dossier and other products.