Neustar's Real-Time Threat Service Uses AI to Identify Risks

Neustar, an information services company with a focus on identity, this week announced a new service it says will harden a company's attack surface from emerging threats.

The UltraThreat Feeds service combines Neustar's own proprietary data derived from its Security Portfolio & OneID identity resolution platform with data from hundreds of billions of Domain Name System (DNS) requests and responses from 30 globally distributed nodes every day. All of the data passes through Neustar's 11-terabit-per-second distributed denial-of-service (DDoS) mitigation network.

The goal, said Neustar Security CTO Rodney Joffe, is to provide the company's customers with access to real-time threat data, which can help them better identify cyberthreats as they evolve at the network and application layer. More specifically, it will allow customers to identify and block both inbound and outbound malicious traffic, including suspicious DNS tunneling attempts; malicious domain generation algorithms; newly observed, published or recently deactivated domains; domain updates; and anonymous proxies.

"Traditional malware researchers rely on having to capture malware, detonate it successfully in a sandbox, successfully decrypt and disassemble it, successfully identify the algorithm, generate the domains and feed them to some kind of device to filter with. This takes hours," Joffe said.

Instead, Neustar uses a proprietary set of artificial intelligence and machine learning technology on its multiyear historical database of DNS queries and answers to identify suspicious patterns of behavior. Once identified, they can be blocked long before the malware itself is even identified, he added.

Michael Kaczmarek, Neustar's vice president for products, said the real-time threat service aims to improve monitoring and alerting by delivering more true positives and reducing the amount of time security teams spend researching false positives. The UltraThreat Feeds service also helps users limit dwell time on infiltrations, reducing the mean time to detection (MTTD) and mean time to remediation (MTTR) over time, he said.

Access to this type of contextualized, actionable intelligence can help organizations identify indicators of compromise or malicious activity more quickly and prevent them from infiltrating the boundaries of the company. For example, if the real-time threat service notifies an organization that a certain domain is a spam domain, that domain can be blocked.

It can also help protect domains that have been hijacked and identify proxies that could be obscuring their true IP addresses and geolocation information for malicious activities.

"If you run a streaming service and a connection comes into you through an anonymous but legitimate looking proxy, that could be someone illegally rebroadcasting your content," Kaczmarek said.

The service also enables forensic and threat-hunting activities, such as understanding linkages between domains and hosts to determine the scope of intrusion events and identify clients requesting DNS responses for suspicious domains.