DNS Early Detection – Breaking the Coral Raider Kill Chain

Detailed Analysis And Methodology:

This blog section delves into our detailed data analysis process and methodology. OSINT publication sources released disclosures on Coral Raider in February 2024, providing a comprehensive list of malicious domains.

Infoblox then extracted malicious domains identified within these OSINT sources. The Infoblox team then analyzed the identified malicious domains to determine whether they had been identified earlier by our suspicious domain feeds.

Infoblox identified 94.12% of the Coral Raider MALICIOUS domains as SUSPICIOUS, an average of 76.8 days earlier than OSINT availability. Similarly, Infoblox identified many malicious domains within 2 to 3 days of their WHOIS registration. This enabled our customers to stop the execution of the intended Cyber Kill Chain1 by automatically blocking access to these dangerous domains.

Our team researched each malicious domain identified in OSINT in the Infoblox Dossier portal. We reviewed our timeline feature to extract the earliest dates associated with Infoblox's suspicious designation. We also extracted the WHOIS information for additional context.

The Coral Raider threat was active before the OSINT data was released. Our early identification of these domains has provided compelling timeline data. Our team found that, in many cases, the threat actors were already ramping up activity shortly after our suspicious designations and long before visibility to the public at large via OSINT availability.

Several dangerous domains in our data cloud were queried and blocked within a few days to a few weeks after our initial SUSPICIOUS designation. So, the threat actors were active and likely successful many months before the availability of OSINT information unless you were using Infoblox Threat Intel SUSPICIOUS domain feeds.

The conclusions of our analysis illustrate the potential benefits of suspicious domain feeds:

• 94.12% of the Coral Raider domains were identified as suspicious by Infoblox an average of 76.8 days (2.52 months) before the OSINT designation as malicious became available. This same domain group was identified within 2 to 3 days after the WHOIS domain registration date.
• Our DNS early detection program identifies suspicious domains weeks to months, as in this case, ahead of OSINT identification as malicious.
• There is often an extended period of time from availability via OSINT to utilization by your cybersecurity ecosystem and defense-in-depth strategy. Infoblox Threat Intel designation of suspicious domains can link to automation to block them immediately.

OSINT publication dates may sometimes be unclear or lack precision. The dates of published articles by reputable 3rd parties may not always accurately reflect the OSINT availability of each domain. The critical point is that even if you have the OSINT data, it must propagate through the threat feeds you use and your cybersecurity ecosystem to support actionable policies. All of that is automated with Infoblox DNS Detection and Response (DNSDR) and our suspicious domain data.

Comparison To Whois Data

WHOIS data draws a line in the sand and gets you as close as possible to hard data. A comparison with WHOIS data tells you how your threat intelligence systems work. To provide context on the performance of our suspicious threat intel feeds, we extracted WHOIS dates and found that all of the Coral Raider domains were blocked as suspicious within 2 to 3 days after the WHOIS domain registration date. The WHOIS dates are relatively precise and provide another perspective on the high value and relative performance of suspicious DNS threat intel feed content.

The threat actors behind most campaigns have learned to continually create and change the domains they use to camouflage their malicious activities. New domains are issued every day. Any of the key domains used in perpetuating the Coral Raider campaigns may be shut down at any time and replaced with new infrastructure. Infoblox DNS Early Threat Detection gives your cyber defenders an important advantage.

Infoblox Threat Intel's DNS Early Detection Program

Infoblox Threat Intel's DNS Early Detection Program uses proprietary techniques to identify potentially MALICIOUS domains much faster than other technologies. Infoblox flags these domains as SUSPICIOUS so your defenders can automatically block them, often weeks to months before OSINT designates them as malicious.

Infoblox Threat Intel can detect these malicious domains early, long before they are available in Open Source Intelligence (OSINT) or commercial feeds as malicious. We flag these domains as SUSPICIOUS at the earliest stage and make them available for immediate blocking. By taking this proactive approach, defenders can stop attacks days, weeks, or even months before they appear in OSINT or threat intelligence feeds.

Threat actors continually adjust their techniques and often use malicious domains to launch damaging and dangerous attacks quickly. Once that link to a malicious domain is clicked, the Kill Chain can rapidly unfold to the detriment of the defenders. These malicious domains are often detected and shared too late by OSINT and threat intel feeds.

Go Faster With Infoblox

Infoblox DNS Early Detection using our suspicious feeds can help your SOC quickly identify and block potentially dangerous threats such as Coral Raider. Infoblox Threat Intel proprietary technology can detect suspicious domains faster than the industry's current methods.

Infoblox SUSPICIOUS domain data helps your SOC team make better and faster decisions and can help protect your organization from a disastrous data breach.

Suspicious domain feeds provide a significant advantage in developing and using DNS threat intelligence information. With Infoblox's suspicious domain data, security operations teams can get the timely information they need to prevent and counter new threats before they do any damage.

For Additional Information

The Infoblox Threat Intel Group provides fast access to accurate, contextual threat alerts and reports from our real-time research teams. Suspicious Domains feeds were introduced as an Infoblox proprietary product on November 10, 2022, and, since then, have successfully provided many thousands of customers with the advanced information to block domains that ultimately become malicious long before most other threat intelligence sources identify them as malicious. Infoblox allows your team to leverage the high value of suspicious domain threat intelligence while ensuring a unified security policy across your entire security infrastructure. Infoblox threat data minimizes false positives, so you can be confident in what you are blocking.

Infoblox SUSPICIOUS domain data is HIGH VALUE, can be used with relatively LOW EFFORT, and can SHRINK THE TIME TO VALUE and INCREASE THE RETURN ON INVESTMENT for your threat intelligence program.

To learn more about suspicious domains and DNS early detection:
https://www.infoblox.com/threat-intel/

To learn more about BloxOne Threat Defense:
https://www.infoblox.com/products/bloxone-threat-defense/

To learn more about Advanced DNS Protection:
https://www.infoblox.com/products/advanced-dns-protection/

To learn more about the National Security Agency (NSA) and Cybersecurity & Infrastructure Security Agency (CISA) guidance on Protective DNS:
https://media.defense.gov/2021/Mar/03/2002593055/-1/-1/0/CSI_PROTECTIVE%20DNS_UOO117652-21.PDF

OSINT sources on CORAL RAIDER included, but were not limited to:
https://www.bleepingcomputer.com/news/security/coralraider-attacks-use-cdn-cache-to-push-info-stealer-malware/ published on 4.23.2024.

Footnotes

1. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html Cyber Kill Chain is a registered trademark of Lockheed Martin.

Public link

Please use the above public link if you want to share this noodl on another website.