Patents by Inventor Mark DEHUS
Mark DEHUS has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20250141871
Abstract: The present application describes systems and methods for network-based blocking threat intelligence. An access control list (ACL) generator may modify ACLs and provide modified ACLs to provider edge routers based on the capabilities of the provider edge routers. In some cases, an additional provider edge router that is more capable of implementing longer ACLs may be used. In some cases, a collector may identify when threat communications are bypassing provider edge routers with limited ACL lengths and provide the customer an opportunity to buy a better router or access to an additional router that supports longer or additional ACLs. A threat intelligence system may update (e.g., continuously update) the ACL provided to the ACL generator, and the ACL generator may accordingly update the modified ACLs provided to the provider edge routers.
Type: Application
Filed: January 29, 2024
Publication date: May 1, 2025
Applicant: Level 3 Communications, LLC
Inventors: Peter BRECL, Mark DEHUS
-
Publication number: 20240422122
Abstract: The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
Type: Application
Filed: August 29, 2024
Publication date: December 19, 2024
Applicant: Level 3 Communications, LLC
Inventors: John R. Woodworth, Dean Ballew, Mark Dehus
-
Publication number: 20240372926
Abstract: Novel tools and techniques are provided for implementing object-based changes to filter-intent over multicast or publication/subscription (“Pub/Sub”) distribution. In various embodiments, a computing system (e.g., a managed device among a plurality of managed devices and/or its corresponding agent) may receive, from a network filter orchestration conductor, a global filter-intent list including a first filter intent that references a corresponding filter-intent object. The computing system may determine whether the at least one first filter intent applies to the managed device. If so, the computing system may translate the at least one first filter intent into a first filter that is specific to a first configuration of the managed device, in some cases, by building the first filter based at least in part on the at least one first filter intent. The computing system may subsequently apply the first filter to one or more network communications handled by the managed device.
Type: Application
Filed: April 30, 2024
Publication date: November 7, 2024
Applicant: Level 3 Communications, LLC
Inventors: Dean BALLEW, John R.B. WOODWORTH, Brian J. STRONG, Robert J. WHELTON, Tom DONAHUE, John A. SCHIEL, Mark DEHUS
-
Publication number: 20240340318
Abstract: Aspects of the present disclosure involve utilizing network threat information to manage one or more security devices or policies of a communication network. The security system may receive threat intelligence data or information associated with potential threats to a communications network and process the threat intelligence data to determine one or more configurations to apply to security devices of a network. The system may then generate a rule or action to respond to the identified attack, such as a firewall rule for a firewall device to block traffic from the source of the attack. The threat intelligence information may include a confidence score indicating a calculated confidence in the identification of the malicious communications, which may be utilized by the system to determine the type of action taken on the security devices of the network in response to the information or data.
Type: Application
Filed: June 13, 2024
Publication date: October 10, 2024
Applicant: Level 3 Communications, LLC
Inventors: David Dubois, Michael Benjamin, Mark Dehus, Peter Brecl
-
Patent number: 12081512
Abstract: The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
Type: Grant
Filed: June 1, 2023
Date of Patent: September 3, 2024
Assignee: Level 3 Communications, LLC
Inventors: John R. Woodworth, Dean Ballew, Mark Dehus
-
Patent number: 12015644
Abstract: Aspects of the present disclosure involve utilizing network threat information to manage one or more security devices or policies of a communication network. The security system may receive threat intelligence data or information associated with potential threats to a communications network and process the threat intelligence data to determine one or more configurations to apply to security devices of a network. The system may then generate a rule or action to respond to the identified attack, such as a firewall rule for a firewall device to block traffic from the source of the attack. The threat intelligence information may include a confidence score indicating a calculated confidence in the identification of the malicious communications, which may be utilized by the system to determine the type of action taken on the security devices of the network in response to the information or data.
Type: Grant
Filed: April 10, 2020
Date of Patent: June 18, 2024
Assignee: Level 3 Communications, LLC
Inventors: David Dubois, Michael Benjamin, Mark Dehus, Peter Brecl
-
Publication number: 20230308414
Abstract: The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
Type: Application
Filed: June 1, 2023
Publication date: September 28, 2023
Applicant: Level 3 Communications, LLC
Inventors: John R. Woodworth, Dean Ballew, Mark Dehus
-
Patent number: 11677714
Abstract: The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
Type: Grant
Filed: September 20, 2021
Date of Patent: June 13, 2023
Assignee: Level 3 Communications, LLC
Inventors: John R. Woodworth, Dean Ballew, Mark Dehus
-
Publication number: 20230069845
Abstract: The present application describes systems and methods for populating a DNS cache of a recursive DNS server using information gathered by a threat intelligence system. The threat intelligence system may collect some or all DNS responses from one or more recursive DNS servers as the one or more DNS servers process various received requests. Since the threat intelligence engine has access to this DNS data, the DNS data may be used to seed a DNS cache of a recursive DNS server.
Type: Application
Filed: August 26, 2022
Publication date: March 9, 2023
Applicant: Level 3 Communications, LLC
Inventors: John R.B. Woodworth, Dean Ballew, Dan LUTHER, Mark DEHUS
-
Publication number: 20220094661
Abstract: The present application describes a system and method for passively collecting DNS traffic data as that data is passed between a recursive DNS resolver and an authoritative DNS server. The information contained in the collected DNS traffic data is used to generate a virtual authoritative DNS server, or a zone associated with the authoritative DNS server, when it is determined that the authoritative DNS server has been compromised.
Type: Application
Filed: September 20, 2021
Publication date: March 24, 2022
Applicant: Level 3 Communications, LLC
Inventors: John R. WOODWORTH, Dean BALLEW, Mark DEHUS
-
Publication number: 20200329072
Abstract: Aspects of the present disclosure involve utilizing network threat information to manage one or more security devices or policies of a communication network. The security system may receive threat intelligence data or information associated with potential threats to a communications network and process the threat intelligence data to determine one or more configurations to apply to security devices of a network. The system may then generate a rule or action to respond to the identified attack, such as a firewall rule for a firewall device to block traffic from the source of the attack. The threat intelligence information may include a confidence score indicating a calculated confidence in the identification of the malicious communications, which may be utilized by the system to determine the type of action taken on the security devices of the network in response to the information or data.
Type: Application
Filed: April 10, 2020
Publication date: October 15, 2020
Inventors: David DUBOIS, Michael BENJAMIN, Mark DEHUS, Peter BRECL