Infoblox Threat Intelligence (ITI) with Dave Mitchell

Dave Mitchell will introduce the Infoblox Threat Intelligence (ITI) team, highlighting its specialized focus and unique capabilities in DNS-based security. He’ll explore the evolving threat landscape, sharing insights into emerging attack vectors and adversary tactics. The session will demonstrate how Infoblox’s deep expertise in DNS enables superior threat detection and protection. Attendees will gain a clear understanding of what sets Infoblox apart in the cybersecurity ecosystem. As a “recovering operator,” Mitchell explained that his team’s sole focus is DNS, a namespace so vast that it offers attackers near-infinite room to operate. He emphasized that Infoblox’s intelligence is entirely original and not repackaged from other sources. Their process involves a reputation system where algorithms analyze newly registered domains, clustering suspicious ones based on shared attributes like registration patterns and name server behavior. Human researchers then investigate these clusters to identify, name, and track threat actors, building robust signatures that can follow adversaries even as they adapt their tactics. This proactive approach results in a “low regret” security posture, blocking domains that users have no legitimate reason to visit.

This DNS-centric intelligence allows Infoblox to provide “protection before impact.” Mitchell shared that over a recent 90-day period, their system already contained 75% of malicious domains before a single customer query was ever made to them. This is possible because the team observes threat actor infrastructure as it’s being built. A significant portion of the presentation focused on the growing threat of malicious advertising technology (“malvertising”). He detailed how threat actors operate sophisticated Traffic Distribution Systems (TDS) that function like legitimate ad-tech platforms but serve malicious content. These systems use cloaking techniques to profile visitors, redirecting them to scams, info-stealers, or fake software updates only if they match specific criteria, while sending researchers or bots to harmless decoy sites like Google or Alibaba.

Mitchell provided a deep dive into the malvertising ecosystem, illustrating how criminal affiliate networks push everything from cryptocurrency and dating scams to dangerous malware like the SocGholish info-stealer. He highlighted a major threat actor his team has been tracking called Vextrio (also known as “Los Pollos”), a sophisticated cartel that runs a massive TDS operation. Beyond malvertising, he also touched on the persistent problem of lookalike domains, which are impossible for brands to proactively register across all 1,300+ top-level domains, and an advanced command-and-control technique where compromised websites use DNS text records to covertly fetch and decode malicious redirect URLs. These examples underscore the complexity of modern threats and the critical role of specialized, protective DNS in disrupting the attack chain.