ActiveTrust Cloud – December 10, 2018
- Inclusion of IP metadata
- The inclusion of IP metadata (MAC address, source IP, etc.) in ActiveTrust Cloud reports, allowing easier correlation of events.
ActiveTrust Cloud – December 3, 2018
- Public API Expansion for ActiveTrust Cloud
- Three additional public-facing APIs (Hostname, Tagging, and Audit Log) are available for ATC. Each of the new API calls can be run via a Swagger page.
This release adds the following enhancements related to the Cloud Services Portal.
Cloud Services Portal login and landing page redesign
The Cloud Services Portal login and landing pages have been completely revamped. The landing page now has a user-centric design focused on helping you get started with important tasks such as defining networks, creating custom lists, and configuring security policies; which tasks are shown is determined by license entitlement and user role. The landing page also makes it easier to explore content and get answers on topics such as partner integrations, community resources, and receiving support.
Cloud Services Platform navigation updates
- The Cloud Services Platform has adopted an improved navigation structure and a new look and feel. System features are now categorized into logical groups and user workflows have been reorganized, so that common tasks take fewer steps within the portal.
UI changes include the following:
- A newly redesigned Welcome page: the landing page now makes it easier for you to get started with important tasks and to explore content and get answers.
- Relocation of features into logical work groups and workflows, improving productivity and usability. For example, a Policies tab has been introduced for ActiveTrust Cloud and ActiveTrust On-Prem customers, holding items that were previously located under the Manage and Administration tabs.
- The ActiveTrust DNS Forwarding Proxy (DFP) Configuration page has been renamed On-Prem Hosts and relocated under the Manage tab.
- The Analyze page’s left side panel has been reorganized into two sections, Research and Reports. Under Reports you will find the DNS Requests, Security, Category, Data Exfiltration, Malware, and Command and Control reports; Dossier and Threat Look Up are in the Research section.
- Under the Administration tab, a new Downloads page has been added, consolidating all downloads in one place so that any download is easy to locate. In the Downloads section, Infoblox ActiveTrust Endpoint Download has been renamed to Endpoint Download, ActiveTrust DNS Forwarding Proxy to On-Prem Hosts, and Download Data Connector VM to Data Connector.
New Cloud Services Portal site navigation:
Many features within the portal’s ecosystem have been organized into logical workflows and workgroups. The following table lists the new navigation schema and the corresponding menu items residing under each tab.
[Navigation table not reproduced; menu items legible from it: TI Data Exchange, On-Prem DNS Firewall, Command and Control, User Audit Logs, DNS Response Logs, Data Connectors.]
- S3 bucket support for multiple data formats
- With enhanced S3 bucket support, the data written to the bucket can now be converted from Parquet to CEF, JSON, or CSV, depending on what the systems that pull data directly from the bucket require.
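The format choice above matters mostly for escaping: a CEF line has different escape rules in its header and its extension, and a hand-rolled converter that gets them wrong silently corrupts events in the SIEM. The following is an added example (not Infoblox code) of converting DNS response records to CEF, NDJSON, and CSV. The record field names, the vendor/product strings, and the severity mapping are assumptions for illustration; the sample records are constructed and contain a `|` and an `=` on purpose.

```python
"""Convert DNS response log records to CEF, JSON and CSV.

Added example, not Infoblox code. The record fields and values below are a
constructed stand-in for whatever the Parquet export actually contains; the
point is the per-format escaping, which is where hand-rolled converters fail.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Field order used for CSV output (assumption: illustrative names, not the real schema).
FIELDS = ["timestamp", "src_ip", "mac", "qname", "qtype", "rcode", "policy_action", "feed", "rule"]

# Constructed sample records; '|' and '=' are deliberate, to exercise CEF escaping.
SAMPLE_RECORDS = [
    {"timestamp": "2018-12-03T10:15:00Z", "src_ip": "10.0.0.5", "mac": "00:11:22:33:44:55",
     "qname": "evil.example", "qtype": "A", "rcode": "NXDOMAIN", "policy_action": "Block",
     "feed": "Base|Hostname", "rule": "category=Malware"},
    {"timestamp": "2018-12-03T10:15:01Z", "src_ip": "10.0.0.7", "mac": "00:11:22:33:44:66",
     "qname": "www.example.com", "qtype": "AAAA", "rcode": "NOERROR", "policy_action": "Allow",
     "feed": "", "rule": ""},
]


def _epoch_ms(iso_utc):
    """CEF 'rt' expects epoch milliseconds (or a fixed text format); convert the ISO stamp."""
    dt = datetime.strptime(iso_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def _cef_header_escape(value):
    """CEF header fields: escape backslash and pipe."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext_escape(value):
    """CEF extension values: escape backslash and '=', and encode line breaks."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec):
    """Render one record as a CEF:0 line.

    Header: CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension
    Severity is 0-10; a blocked query is treated as high, an allowed one as low.
    """
    header = [
        "CEF:0", "Infoblox", "ActiveTrust Cloud", "1.0",
        rec["feed"] or "none",                      # Signature ID: which feed fired
        "DNS policy " + rec["policy_action"],       # Name
        "8" if rec["policy_action"] == "Block" else "2",
    ]
    extension = {
        "rt": _epoch_ms(rec["timestamp"]),
        "src": rec["src_ip"],
        "smac": rec["mac"],
        "destinationDnsDomain": rec["qname"],
        "act": rec["policy_action"],
        "outcome": rec["rcode"],
        "cs1Label": "qtype", "cs1": rec["qtype"],
        "cs2Label": "rule", "cs2": rec["rule"],
    }
    head = "|".join(_cef_header_escape(v) for v in header)
    ext = " ".join(f"{k}={_cef_ext_escape(v)}" for k, v in extension.items())
    return head + "|" + ext


def to_json_lines(records):
    """One JSON object per line (NDJSON); sorted keys keep output diffable."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def to_csv(records):
    """CSV with a header row; the csv module handles quoting of commas and quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def convert(records, fmt):
    """Dispatch on the output format a downstream consumer asked for."""
    if fmt == "cef":
        return "\n".join(to_cef(r) for r in records)
    if fmt == "json":
        return to_json_lines(records)
    if fmt == "csv":
        return to_csv(records)
    raise ValueError(f"unsupported format: {fmt}")


if __name__ == "__main__":
    for fmt in ("cef", "json", "csv"):
        print(convert(SAMPLE_RECORDS, fmt))
```

Note the asymmetry: a pipe inside a feed name must be escaped in the header but not in the extension, while `=` must be escaped only in extension values. A parser on the SIEM side that sees an unescaped `|` in the header will shift every later field.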
ActiveTrust Cloud – September 5, 2018
- Dossier Bulk API
Dossier Bulk API calls are now supported. Using the Dossier Bulk API call, it is possible to make calls containing multiple indicators at the same time. With this release, up to 100 indicators may be submitted per call. No longer is it necessary to make each indicator call separately. This enhancement is available for Cloud and On-Prem customers.
- Dossier Export to PDF
Dossier reports may now be exported to PDF for download.
- Policy Precedence
As part of ATC’s policy precedence, Custom Lists and Category Filters have been relocated under Security Policies (Manage -> Security Policies), where each is available under its respective tab.
- Threat Insight Reports
Threat Insight reports have been restructured in a tabular format for better usability and easier access to information. The three Threat Insight reports, ‘Malware’, ‘Command and Control’, and ‘Data Exfiltration’, are each available under their own tab along with that report’s details. This enhancement is available to Cloud and On-Prem customers.
- IP Address Configuration for Infoblox Threat Intelligence Feeds
When configuring your Infoblox Threat Intelligence RPZ feeds, IPv6 addresses can now be used when setting up the feeds distribution server and the feeds notification server. This enhancement is available to Cloud and On-Prem customers.
- New Feeds
Four new feeds are available to Cloud and On-Prem customers, depending on your subscription level. The four new feeds are as follows:
- Cryptocurrency Feed
This feed identifies hosts involved in cryptocurrency mining that takes place without the site user’s consent, and other malicious or unauthorized use of resources. It covers Coinhive, a miner that site owners could embed in their web pages to mine cryptocurrency with the visitor’s permission as an alternative to banner advertising; cryptojacking, where malicious actors run in-browser mining without the victim’s consent; and cryptocurrency mining pools that work together to mine cryptocurrency. The Cryptocurrency feed is available at the Plus and Advanced subscription levels.
- Spambot DNSBL IP Feed
This feed contains, in DNSBL format, the IPs of known spam servers. The Spambot DNSBL IP feed enables protection against computers or bot nodes that send spam as part of a botnet. Feed it into your email platform or appliance to help block incoming spam and other potentially malicious email from known spam sources. The Spambot DNSBL IP feed is available at the Advanced subscription level.
- NCCIC Host & IP Feeds
DHS’s National Cybersecurity and Communications Integration Center (NCCIC) is a 24×7 cyber situational awareness, incident response, and management center that serves as the hub of information sharing activities among public and private sector partners to build awareness of vulnerabilities, incidents, and mitigations. Indicators contained in this feed appear on the watchlist from the National Cybersecurity & Communications Integration Center (NCCIC) and are not verified or validated by DHS or Infoblox. The NCCIC Host & NCCIC IP feeds are available at the Standard, Plus, and Advanced subscription levels.
ActiveTrust Cloud – July 31, 2018
- ActiveTrust Endpoint Groups
When applying security policies to multiple ActiveTrust Endpoint devices, you can make the process more efficient by organizing the endpoint devices into ActiveTrust Endpoint groups. You can then add the endpoint groups to the network scope when you configure a security policy. Note that ActiveTrust Cloud comes with a default endpoint group called All ActiveTrust Endpoints (default) that is associated with the default global policy.
- Precedence Ranking and Rule Actions for Security Policies
This release of ActiveTrust Cloud gives you the ability to configure precedence ranking and rule actions for your security rules based on your business requirements. When you configure security policies, you can now add any configured ActiveTrust Endpoint groups to the network scope. You can also define the precedence order for the custom lists and category filters you add to the security policy as well as overriding the precedence ranking for the threat intelligence feeds and Threat Insight rules that are inherited from the default global policy. Depending on your business needs, you can also define specific actions for all the rules in your security policy.
ActiveTrust Cloud – June 29, 2018
- DNS over TLS (Transport Layer Security)
ActiveTrust Cloud now runs DNS over TLS for communication between clients (including the latest versions of the ActiveTrust Endpoint and the DNS Forwarding Proxy) and its cloud infrastructure. DNS over TLS is an IETF standard (RFC 7858) that encrypts the whole DNS stream between client and resolver, so queries and responses can no longer be read or altered on the path; this makes the service more resistant to eavesdropping and on-path tampering. It also allows ActiveTrust Cloud to use just TCP port 443 for this communication (rather than port 853, which RFC 7858 assigns to DNS over TLS), which simplifies firewall rules and gives a better out-of-the-box experience: allow outbound TCP 443 from the endpoints and proxies.
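What "DNS over TLS" means on the wire is a plain RFC 1035 DNS message, length-prefixed as for DNS over TCP, sent inside a TLS session. The following added example (not Infoblox's client) shows those three pieces: building a query, framing it, and parsing the answer, plus a `resolve_over_tls` function that does the real exchange. The resolver address is not given on the page, so it is a parameter; the default port 853 is the RFC 7858 assignment, whereas the note above says ActiveTrust Cloud listens on 443. The response bytes used for the offline check are constructed here.

```python
"""DNS over TLS client pieces: RFC 1035 wire query, RFC 7858 framing, TLS.

Added example, not Infoblox's client. The server/port are parameters
(assumption: nothing on the page names the resolver); the response used for
the offline check is constructed by constructed_response().
"""
import socket
import ssl
import struct


def build_query(name, qtype=1, txid=0x1234):
    """DNS query for `name` (qtype 1 = A), RD bit set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(part)]) + part.encode("ascii")
                     for part in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(message):
    """RFC 7858 reuses RFC 1035 TCP framing: 2-byte big-endian length prefix."""
    return struct.pack("!H", len(message)) + message


def read_framed(stream):
    """Read one length-prefixed DNS message from a socket-like object."""
    def recv_exact(n):
        buf = b""
        while len(buf) < n:
            chunk = stream.recv(n - len(buf))
            if not chunk:
                raise ConnectionError("TLS stream closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", recv_exact(2))
    return recv_exact(length)


def parse_a_records(message):
    """Return (txid, rcode, [IPv4 strings]) from a response.

    Names are skipped rather than decoded, which is enough to walk past the
    question and each answer's owner name, compression pointers included.
    """
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    off = 12

    def skip_name(o):
        while True:
            length = message[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes
                return o + 2
            o += 1 + length

    for _ in range(qdcount):
        off = skip_name(off) + 4           # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        off = skip_name(off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", message[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in message[off:off + 4]))
        off += rdlen
    return txid, rcode, ips


def resolve_over_tls(name, server, port=853, server_hostname=None):
    """Send one A query over TLS and parse the answer.

    create_default_context() verifies the server chain and hostname; do not
    loosen that, since the point of DoT is talking to an authenticated resolver.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or server) as tls:
            tls.sendall(frame(build_query(name)))
            return parse_a_records(read_framed(tls))


def constructed_response(txid=0x1234):
    """Constructed answer to build_query('example.test'): NOERROR, one A record."""
    msg = bytearray(build_query("example.test", txid=txid))
    struct.pack_into("!HHH", msg, 2, 0x8180, 1, 1)   # flags QR|RD|RA, qdcount 1, ancount 1
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    return bytes(msg) + answer


if __name__ == "__main__":
    print(parse_a_records(constructed_response()))
```

A practical check after rolling this out: a packet capture on the client should show only a TLS handshake and application data to the resolver, and no UDP/53 traffic to it; if plaintext port-53 queries still appear, the client has fallen back and the encryption benefit is gone.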
ActiveTrust Cloud – June 19, 2018
- Support for CSV Export
This release supports exporting data to CSV format. You can export data to CSV files for the following functions: Security Report, Category Report, Data Connectors, Portal Users, and License Entitlements.
ActiveTrust Cloud – May 23, 2018
- ActiveTrust Dossier 2.0 (early release)
Dossier 2.0 has been redesigned and re-engineered from the ground up to provide a more powerful set of threat research and analysis tools, making the threat research experience faster, easier, and more effective. Dossier 2.0 resides within the Cloud Services Portal, meaning that you are no longer redirected away from the Cloud Services Portal when using Dossier’s threat intelligence tools.
- Detection for Dictionary DGAs
This release adds the detection for Dictionary DGA domains. Dictionary DGA detection uses lexical analysis to detect domains based on wordlists. Dictionary DGA has been used by malware families, including Suppobox and Matsnu.
ActiveTrust Cloud – May 17, 2018
- ActiveTrust Endpoint Deployment through McAfee ePolicy Orchestrator
If you are using McAfee ePO (ePolicy Orchestrator) to manage your endpoint software, you can now integrate ActiveTrust Endpoint and subsequently install it on your endpoint devices to redirect DNS traffic to ActiveTrust Cloud.
ActiveTrust Cloud – May 9, 2018
- Response Log Export
Infoblox ActiveTrust Cloud provides DNS response logs that help you troubleshoot and analyze your network security. You can export these logs to a dedicated Amazon S3 bucket. ActiveTrust Cloud currently supports the following log types: DNS queries and responses, RPZ (Response Policy Zones) hits, and IPAM metadata.
ActiveTrust Cloud – March 28, 2018
- ActiveTrust Cloud API for Custom Lists
In this release, you can use the ActiveTrust Cloud API to perform bulk operations for custom lists, such as viewing, creating, modifying, and deleting custom list objects and custom list items using HTTP methods.
- Category Filters
Category filters are content categorization rules that ActiveTrust Cloud uses to detect and filter internet content. Based on your needs and configuration, you can apply specific actions, such as Allow, Block, Log, and Redirect, to the filtered content.
- Custom Redirect Destinations
You can now create custom redirect destinations to redirect traffic to custom pages or integrate ActiveTrust Cloud with third-party proxies, secure web gateways, blackholes, honeypots or sinkhole solutions. ActiveTrust Cloud allows you to configure up to five custom redirect actions for your security policies.
ActiveTrust Cloud – February 8, 2018
- Dual Stack Support for ActiveTrust Endpoint
ActiveTrust Endpoint supports dual-stack IPv4 and IPv6 DNS configurations, thereby protecting all devices regardless of their network environments. ActiveTrust Endpoint in a dual-stack environment is able to proxy IPv6 DNS queries and forward them to ActiveTrust Cloud over IPv4. Note that ActiveTrust Endpoint does not support an IPv6-only environment.
ActiveTrust Cloud – January 17, 2018
- Security Report
This release introduces a new Security Report that provides a comprehensive filterable and searchable view of threats detected by ActiveTrust Cloud. This report allows you to quickly identify and mitigate malware infection and other malicious activities on your network. The default Hits tab of the report shows a list of all threat hits detected by ActiveTrust Cloud within the selected time period and a graphical view of hit activities over time. The other tabs show views of the threat activities aggregated by devices, users, networks, threat classes, or properties. This allows you to identify the types of threats that are affecting your network and the devices and users that are impacted for rapid investigation and mitigation.
ActiveTrust Cloud – December 19, 2017
- Threats API
This release introduces the Threats API that allows you to make RESTful API calls to gather DNS security data from ActiveTrust Cloud for SIEM (Security Information and Event Management) purposes. Based on your business needs, you can configure a SIEM system in your network to collect the DNS security data so you can filter the data and create custom reports.
ActiveTrust Cloud – September 12, 2017
- Support for Custom Message for Redirect Page
This release adds the support for creating custom messages when ActiveTrust Cloud blocks malicious domains based on your security policies. When blocking users from accessing malicious domains, you can now redirect them to a page that delivers a default message about the action, use a redirect page of your own, or customize the redirect message.
ActiveTrust Cloud – August 07, 2017
- Detection for Domain Generation Algorithm (DGA) Activities
This release adds detection for DGA activity, a scheme used by malware for domain fluxing. DGAs are algorithms used to generate variations of a given domain name. They can be used to create a large number of domain names used as rendezvous points with command and control servers, in an attempt to evade detection by signature filters, blacklists, reputation systems, security gateways, intrusion prevention systems, and other security methods. An infected system could create thousands of domain names and would attempt to contact a portion of these to receive updates or commands. ActiveTrust Cloud tracks DGA activities and displays the affected devices in the Command & Control report. You can also add a default custom list to your security policies for detecting DGA activities.
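The two DGA styles these notes describe, random-character domains (this entry) and dictionary DGAs built from wordlists (the May 23, 2018 entry on Suppobox and Matsnu), call for different lexical tests. The following added example (not Infoblox's detector) flags the first by character entropy and vowel ratio and the second by whether the registered label tiles exactly into dictionary words, then runs both over a constructed query log. The wordlist, thresholds, and log lines are constructed for the example.

```python
"""Lexical DGA heuristics covering both styles in these release notes.

Added example, not Infoblox's detector. The wordlist, thresholds and log
lines are constructed. A real deployment needs a large wordlist and an
allowlist of known-good domains, or ordinary names built from common words
(think "stackoverflow") will be flagged as dictionary DGAs.
"""
import math
from collections import Counter

# Constructed wordlist: a real dictionary-DGA detector uses thousands of words.
WORDLIST = {
    "bright", "window", "glass", "silver", "river", "forest", "night", "table",
    "stone", "water", "cloud", "quick", "brown", "house", "store", "church",
    "green", "light", "paper", "mountain", "garden", "summer", "winter",
}


def shannon_entropy(text):
    """Bits per character; a 15-char label of distinct letters lands near log2(15) ~ 3.9."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def segment_into_words(label, words, min_len=3, max_len=12):
    """Return the wordlist words that exactly tile `label`, or None.

    Dynamic programming over prefixes: best[i] is a tiling of label[:i].
    """
    best = [None] * (len(label) + 1)
    best[0] = []
    for i in range(1, len(label) + 1):
        for j in range(max(0, i - max_len), i - min_len + 1):
            if best[j] is not None and label[j:i] in words:
                best[i] = best[j] + [label[j:i]]
                break
    return best[len(label)]


def registered_label(fqdn):
    """Second-level label. Assumption: one-label public suffix; real code should
    use the Public Suffix List so that 'example.co.uk' yields 'example'."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(fqdn, entropy_threshold=3.5, max_vowel_ratio=0.3):
    """Return 'dictionary-dga', 'random-dga' or 'benign' for one query name."""
    label = registered_label(fqdn)
    if len(label) < 8:
        return "benign"          # too short for either heuristic to mean much
    words = segment_into_words(label, WORDLIST)
    if words and len(words) >= 2:
        return "dictionary-dga"
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in "aeiou" for ch in letters) / max(len(letters), 1)
    if shannon_entropy(label) >= entropy_threshold and vowel_ratio < max_vowel_ratio:
        return "random-dga"
    return "benign"


# Constructed query log lines: "<timestamp> <client_ip> <qname>".
SAMPLE_QUERY_LOG = """\
2018-05-23T08:00:01Z 10.0.0.5 updates.wikipedia.org
2018-05-23T08:00:02Z 10.0.0.5 www.example.com
2018-05-23T08:00:03Z 10.0.0.9 kqzxvbwmtplrjhg.com
2018-05-23T08:00:04Z 10.0.0.9 brightwindowglass.net
2018-05-23T08:00:05Z 10.0.0.9 silverriverstone.org
"""


def scan(log_text):
    """Map client IP -> list of (qname, verdict) for every non-benign query."""
    hits = {}
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        verdict = classify(qname)
        if verdict != "benign":
            hits.setdefault(client, []).append((qname, verdict))
    return hits


if __name__ == "__main__":
    for client, flagged in scan(SAMPLE_QUERY_LOG).items():
        print(client, flagged)
```

Per-domain verdicts are noisy on their own; the signal a C&C report is built on is the pattern in the log, a single client querying many such names in a short window, most of them NXDOMAIN, so the per-client grouping in `scan` is the part to keep.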
ActiveTrust Cloud – July 19, 2017
- Detection for Fast Flux Activities
This release adds the detection for Fast Flux activities. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. It can also be a combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery. ActiveTrust Cloud tracks Fast Flux activities and displays the affected devices in the Command & Control report. You can also add a default custom list to your security policies for detecting Fast Flux activities.
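Fast flux shows up in DNS responses rather than in the query names: short TTLs combined with answers that keep rotating through many unrelated addresses. The following added example (not Infoblox's detector) aggregates constructed response records per domain and flags a name only when TTL, address count, network spread, and answer churn all point the same way, since any one of them alone also describes a legitimate CDN or round-robin setup. The records are constructed; the /16 spread is a crude stand-in for ASN diversity, since no ASN data is assumed.

```python
"""Fast-flux heuristic over DNS response records.

Added example, not Infoblox's detector. A fast-flux domain hands out short-TTL
answers that rotate through many unrelated IP addresses (compromised hosts
acting as proxies); a legitimate CDN also uses short TTLs but returns a small,
stable set of addresses. The records below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class Response:
    ts: int            # seconds since epoch (constructed)
    qname: str
    ttl: int
    a_records: tuple


def _constructed_responses():
    recs = []
    # A CDN name: TTL 60, but the same two addresses every time.
    for k in range(6):
        recs.append(Response(1531000000 + 60 * k, "cdn.example.com", 60,
                             ("192.0.2.10", "192.0.2.11")))
    # A fast-flux name: TTL 120, five fresh addresses from unrelated /16s per answer.
    for k in range(6):
        ips = tuple(f"100.{64 + 5 * k + j}.{k + 1}.{j + 1}" for j in range(5))
        recs.append(Response(1531000000 + 120 * k, "flux.example.net", 120, ips))
    return recs


SAMPLE_RESPONSES = _constructed_responses()


def domain_stats(responses):
    """Per-qname aggregates: mean TTL, distinct IPs, distinct /16s, answer churn."""
    by_name = defaultdict(list)
    for r in responses:
        by_name[r.qname].append(r)
    stats = {}
    for qname, recs in by_name.items():
        recs.sort(key=lambda r: r.ts)
        ips = {ip for r in recs for ip in r.a_records}
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        # churn: fraction of consecutive answers that share no address at all
        pairs = list(zip(recs, recs[1:]))
        churn = (sum(1 for a, b in pairs if not set(a.a_records) & set(b.a_records))
                 / len(pairs)) if pairs else 0.0
        stats[qname] = {
            "mean_ttl": sum(r.ttl for r in recs) / len(recs),
            "distinct_ips": len(ips),
            "distinct_slash16": len(nets),
            "churn": churn,
        }
    return stats


def is_fast_flux(s, max_ttl=300, min_ips=10, min_nets=5, min_churn=0.5):
    """All conditions must hold; each alone is also true of CDNs or round-robin."""
    return (s["mean_ttl"] <= max_ttl and s["distinct_ips"] >= min_ips
            and s["distinct_slash16"] >= min_nets and s["churn"] >= min_churn)


def flagged_domains(responses):
    """Sorted list of qnames whose aggregate looks like fast flux."""
    return sorted(q for q, s in domain_stats(responses).items() if is_fast_flux(s))


if __name__ == "__main__":
    for q, s in domain_stats(SAMPLE_RESPONSES).items():
        print(q, s, "FAST-FLUX" if is_fast_flux(s) else "ok")
```

The thresholds are starting points, not tuned values; in practice the strongest discriminator is the spread of the addresses across networks and the churn between successive answers, since a CDN's short TTL alone is not suspicious.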
ActiveTrust Cloud – July 17, 2017
- DNS Forwarding Proxy
This release enhances the OVA deployment to use ESXi time synchronization by default. If that option is disabled during OVA deployment, the DNS Forwarding Proxy falls back to the following NTP servers: ntp.ubuntu.com and ubuntu.pool.ntp.org. In that case you must allow outbound UDP port 123 from the proxy to those NTP servers.
ActiveTrust Cloud – June 14, 2017
- DNS Forwarding Proxy
Infoblox ActiveTrust Cloud is a SaaS offering designed to provide protection to devices on and off-premises, including roaming, remote, and branch offices. It provides visibility into infected and compromised devices, prevents DNS-based data exfiltration, and automatically stops device communications with command-and-control servers (C&Cs) and botnets, in addition to providing recursive DNS services in the cloud. You can access the services by deploying the ActiveTrust Endpoint agent or the DNS forwarding proxy. For remote office deployments, or in cases where installing an endpoint agent is not desirable or possible, you can use the DNS forwarding proxy. It is software that runs on bare-metal or VM infrastructure and embeds the client IP in each DNS query before forwarding it to ActiveTrust Cloud over an encrypted channel, so per-client visibility is preserved. The proxy also provides DNS resolution for local DNS zones when you configure local resolvers. Once you set up a DNS forwarding proxy, it becomes the main DNS server for your remote site. It also caches responses to speed up resolution of future queries. Infoblox provides two installation methods, a Docker container and an OVA file; you can install the DNS forwarding proxy using either one.
- Deploying ActiveTrust Endpoint for multiple Users
You can now deploy ActiveTrust Endpoint to multiple users at once by using a Group Policy Object (GPO) for Microsoft Windows users or Apple Remote Desktop (ARD) for Apple users. Once you deploy ActiveTrust Endpoint for your remote users, they no longer need to register manually in order to protect their devices; this applies to single-user deployments as well.
- Detection for the DNSMessenger Malware
In addition to other DNS tunneling activity, ActiveTrust Cloud can now detect DNSMessenger malware activity. DNSMessenger is a Remote Access Trojan (RAT) that attackers use to run malicious PowerShell commands on compromised devices. DNSMessenger uses DNS record queries and responses (TXT records) to create a bidirectional C&C channel that carries PowerShell commands to infected devices and returns their output to the attackers. ActiveTrust Cloud tracks this activity and displays the affected devices in the Malware report.
- ActiveTrust Endpoint automatic bypass upon detection of DNS Forwarding Proxy
If a system on which you have installed ActiveTrust Endpoint is connected to a corporate network that is protected by a DNS Forwarding Proxy, ActiveTrust Endpoint will automatically enter bypass mode and all DNS traffic will be sent to the locally configured DNS resolvers. The DNS Forwarding Proxy then sends the requests to ActiveTrust Cloud. This feature ensures DNS queries traverse the corporate DNS infrastructure when the client is on the corporate network but provides protection via the ActiveTrust Endpoint when the client is roaming.
If you have DNS forwarding proxies configured for your ActiveTrust infrastructure, you can filter applicable reports by specific DNS forwarding proxies. The new Malware report lists the devices that have the most malware activities caused by the DNSMessenger malware, so you can examine the data and take appropriate actions to secure your network.
- Security Policies
When configuring security policies, you can now select the “Log” action, which grants the “Allow” action to traffic and logs the queries to all relevant reports.