War on cybercrime: why disrupting attacker infrastructure is critical for security

05 May 2025

Craig Sanderson, Principal Cyber Security Strategist, Infoblox

For decades, cybersecurity strategies have been locked in an endless cycle of reactivity – identifying, containing, and mitigating threats only after they’ve breached an organisation’s defences. This reactive posture often results in the dreaded ‘patient zero’ scenario, where the first victim serves as the canary in the coal mine – an early warning that comes at the cost of operational disruption, financial losses, and reputational harm.

If it was a country, cybercrime would now be the world’s third largest economy behind the US and China, with an estimated value exceeding £6 trillion. This ‘success’ isn’t due to individual attackers breaching business networks, but co-ordinated attacker infrastructure that is leveraged and exploited at scale. The cybersecurity community must shift its focus from detecting individual threats to disrupting the systems that enable them. Malicious campaigns don’t operate in isolation – they depend on a vast malware supply chain with an ecosystem of Traffic Distribution Systems (TDS), botnets, and compromised DNS domains to function.

The anatomy of attacker infrastructure

Cybercriminals don’t bet the house on a single attack – they amplify their chances of success by operating or leveraging vast, scalable infrastructures designed to automate and sustain malicious campaigns. At the core of this infrastructure are Traffic Distribution Systems (TDS): networks of compromised and malicious domains that dynamically route victims to harmful content. TDS platforms allow attackers to distribute malware, phishing pages, and exploit kits while evading detection by rapidly shifting between different domains. Traditional security measures that block a single malicious domain fail to disrupt these networks because attackers can instantly reroute traffic to an alternative site within their infrastructure. This agility makes TDS a cornerstone of modern cybercrime, enabling everything from credential theft to ransomware delivery at an industrial scale.

Another critical component of this infrastructure is the misuse of DNS as a control mechanism. Every online interaction begins with a DNS request, and adversaries exploit this by using malicious domains, DNS tunnelling, and domain generation algorithms (DGAs) to control infected machines, exfiltrate stolen data, and deploy additional payloads. DNS tunnelling, for example, allows attackers to covertly send data through DNS queries, bypassing traditional security filters. Meanwhile, DGAs generate vast numbers of domains in real time, making it nearly impossible to blacklist them all manually. Without visibility into DNS-layer activity, organisations are blind to these tactics, allowing attackers to maintain persistence within networks and evade detection for extended periods. Disrupting these foundational elements – TDS networks and DNS-based command-and-control (C2) mechanisms – is the key to breaking the attacker supply chain before threats can escalate.
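The two DNS abuses described above leave different fingerprints in query logs: DGA domains are long, high-entropy, vowel-poor second-level labels, while tunnelling shows up as many unique, very long, hex-looking subdomains under one registered domain, often with TXT or NULL queries. The detection logic below is an added example written for this page, not Infoblox code; the log lines and every domain in them are constructed placeholders, and the "last two labels" rule for the registered domain is a simplification that a real deployment would replace with the Public Suffix List.

```python
import math
import re

# Constructed sample of DNS query log lines: "<timestamp> <client_ip> <qtype> <qname>".
# Every domain here is invented for the example; none is a real indicator.
SAMPLE_LOG = """\
2025-05-05T10:00:01Z 10.0.0.12 A www.example.com
2025-05-05T10:00:02Z 10.0.0.12 A mail.example.org
2025-05-05T10:00:03Z 10.0.0.12 A api.github.com
2025-05-05T10:00:04Z 10.0.0.17 A xk3jq9v0twl5zb7c.net
2025-05-05T10:00:05Z 10.0.0.17 A p8d2hq4zlv6msn1x.com
2025-05-05T10:00:06Z 10.0.0.17 A c0r7tx9bkw2yjq5e.info
2025-05-05T10:00:07Z 10.0.0.23 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d.0001.exfil-hypothetical.example
2025-05-05T10:00:08Z 10.0.0.23 TXT f1e2d3c4b5a69788796a5b4c3d2e1f0f1e2d3c4b.0002.exfil-hypothetical.example
2025-05-05T10:00:09Z 10.0.0.23 TXT 1122334455667788990011223344556677889900.0003.exfil-hypothetical.example
"""

HEX_LABEL = re.compile(r"[0-9a-f]{16,}")  # long hex runs are typical of encoded payload chunks


def shannon_entropy(text):
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the registrable domain is the last two labels.
    A production system would use the Public Suffix List (co.uk etc.)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dga_score(label):
    """Heuristic 0-4 score for a second-level label: one point each for length,
    high entropy, digits mixed with letters, and a low vowel ratio."""
    score = 0
    if len(label) >= 10:
        score += 1
    if shannon_entropy(label) >= 3.5:
        score += 1
    if any(c.isdigit() for c in label) and any(c.isalpha() for c in label):
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in "aeiou" for c in letters) / len(letters) < 0.25:
        score += 1
    return score


def analyse(log_text, dga_threshold=3):
    """Return registered domains that look DGA-generated and domains whose
    subdomain pattern looks like DNS tunnelling."""
    dga_suspects = set()
    per_domain = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        qname = qname.lower()
        reg = registered_domain(qname)
        if dga_score(reg.split(".")[0]) >= dga_threshold:
            dga_suspects.add(reg)
        # Everything left of the registered domain is the attacker-controlled subdomain space.
        sub = qname[: -len(reg) - 1] if len(qname) > len(reg) else ""
        stats = per_domain.setdefault(
            reg, {"subdomains": set(), "max_sub_len": 0, "txt": 0, "hex": 0, "total": 0})
        stats["total"] += 1
        stats["subdomains"].add(sub)
        stats["max_sub_len"] = max(stats["max_sub_len"], len(sub))
        if qtype.upper() in ("TXT", "NULL", "CNAME"):
            stats["txt"] += 1
        if sub and all(HEX_LABEL.fullmatch(lab) or lab.isdigit() for lab in sub.split(".")):
            stats["hex"] += 1
    tunnelling = []
    for reg, s in per_domain.items():
        many_unique = len(s["subdomains"]) >= 3
        suspicious_shape = (s["max_sub_len"] >= 40
                            or s["txt"] / s["total"] >= 0.5
                            or s["hex"] / s["total"] >= 0.5)
        if many_unique and suspicious_shape:
            tunnelling.append(reg)
    return {"dga_suspects": sorted(dga_suspects), "tunnelling_suspects": sorted(tunnelling)}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The thresholds (label length 10, entropy 3.5 bits, three unique subdomains, 40-character subdomain space) are starting points chosen for the constructed sample; a real deployment tunes them against its own baseline and adds allowlisting for legitimate high-entropy names such as CDN hostnames.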

Threat intelligence can identify the underlying infrastructure that the malware supply chain is built upon. By using passive DNS data, threat intelligence researchers can apply data science techniques such as ML/AI to identify these infrastructures as they are deployed and, in many cases, before they are used in cybercrime campaigns. By identifying and blocking the supply chain that underpins industrial-scale malware, organisations can reduce risks and maximise the return on their cybersecurity investments.

The power of DNS

While attackers exploit DNS to scale their operations, defenders can turn the tables by leveraging it as a universal security control point. Because every device, user, and application relies on DNS to connect to the internet, it provides the perfect vantage point for monitoring and blocking malicious activity in real time. Protective DNS (PDNS) can intercept threats at the earliest possible stage. This not only prevents the initial infection but also disrupts command-and-control communications, cutting off an attacker’s ability to issue commands to compromised machines. Instead of being blind, organisations can blind the attackers.

Beyond preventing direct threats, DNS-layer protection also addresses visibility. DNS operates at the perimeter, providing security teams with real-time insights into every outbound connection. This allows organisations to identify suspicious activity earlier – whether it’s an infected endpoint attempting to reach a known malware domain or an unusual volume of DNS queries signalling data exfiltration. By treating DNS as a proactive security layer rather than a passive networking function, organisations can disrupt cyber threats before they gain a foothold.
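To make the PDNS control point concrete, the code below is an added example (not Infoblox's or any product's implementation) of the policy step a protective resolver applies before answering: a query name is matched against policy triggers, most specific trigger first, and is then allowed, answered NXDOMAIN, or sinkholed to a defender-controlled address, with a structured record emitted for the SOC. The rule set, the upstream answers and every domain name are constructed placeholders; the sinkhole and answer addresses come from the RFC 5737 documentation ranges. The PASSTHRU exception under a blocked parent and the "which clients hit a sinkhole" query mirror the visibility point in the paragraph above: a sinkholed beacon both fails and identifies the infected endpoint.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    trigger: str   # domain name; matches the name itself and every subdomain beneath it
    action: str    # "NXDOMAIN", "SINKHOLE" or "PASSTHRU" (explicit allow, overrides a broader block)
    category: str  # why the rule exists, carried into the SOC record


# Constructed policy. All names are hypothetical placeholders, not real indicators.
POLICY = [
    Rule("tds-hypothetical.example", "NXDOMAIN", "traffic-distribution-system"),
    Rule("safe.tds-hypothetical.example", "PASSTHRU", "analyst-exception"),
    Rule("c2-hypothetical.example", "SINKHOLE", "command-and-control"),
    Rule("dga-hypothetical.example", "NXDOMAIN", "dga-predicted"),
]

SINKHOLE_IP = "192.0.2.53"  # documentation address standing in for a real sinkhole

# Constructed stand-in for recursive resolution; a real resolver would query upstream.
UPSTREAM = {
    "www.example.com": "198.51.100.10",
    "safe.tds-hypothetical.example": "198.51.100.20",
}


def match_rule(qname, policy=POLICY):
    """Walk from the full name towards the apex so the most specific trigger wins
    (simplified from RPZ semantics; assumption made for this example)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for rule in policy:
            if rule.trigger == candidate:
                return rule
    return None


def resolve(qname, client_ip, policy=POLICY, upstream=UPSTREAM):
    """Apply policy to one query and return a SOC-ready record of what was done."""
    rule = match_rule(qname, policy)
    record = {"client": client_ip, "qname": qname, "action": "ALLOW",
              "rule": rule.trigger if rule else None,
              "category": rule.category if rule else None, "answer": None}
    if rule is None or rule.action == "PASSTHRU":
        # Allowed: hand back whatever upstream knows (None models an upstream NXDOMAIN).
        record["answer"] = upstream.get(qname.lower().rstrip("."))
        return record
    record["action"] = rule.action
    if rule.action == "SINKHOLE":
        # The client connects to our address instead of the C2, and the record names the host.
        record["answer"] = SINKHOLE_IP
    return record


def blocked_clients(records):
    """Endpoints that tried to reach policy-blocked infrastructure: the patient-zero list
    the text describes, produced by the resolver rather than by the victim's outage."""
    return sorted({r["client"] for r in records if r["action"] in ("NXDOMAIN", "SINKHOLE")})


if __name__ == "__main__":
    # Constructed query stream from three internal hosts.
    log = [resolve("www.example.com", "10.0.0.12"),
           resolve("cdn.tds-hypothetical.example", "10.0.0.17"),
           resolve("safe.tds-hypothetical.example", "10.0.0.17"),
           resolve("beacon.c2-hypothetical.example", "10.0.0.23")]
    for entry in log:
        print(entry)
    print("clients to investigate:", blocked_clients(log))
```

Sinkholing rather than simply returning NXDOMAIN is what turns the control point into a visibility point: the infected host keeps trying, every attempt lands on infrastructure the defender owns, and the resolver log already names the endpoint and the category that triggered the block.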

Beyond security

There are also tangible business benefits to this approach beyond security. By blocking threats at the source, organisations can reduce the financial and reputational risks associated with data breaches, ransomware, and operational downtime. Security teams also gain efficiency, as stopping threats earlier in the kill chain means fewer alerts, investigations, and incident response efforts. According to IDC, Security Operations Center teams are experiencing ‘alert fatigue’, with 56% of organisations receiving more than 1,000 alerts per day. This approach directly addresses the emerging challenge of SOC analyst burnout, allowing them to focus more on proactive security than reactive alert-monitoring.

The reality of 2025’s cybersecurity landscape is that attackers move fast, and defenders need to move faster. A proactive, infrastructure-focused security framework is the only way to break the cycle of reactivity that leaves businesses perpetually exposed. By leveraging PDNS as a frontline defence, organisations can disrupt cyber threats before they take root, neutralise entire attack campaigns before they scale, and maximise the value of their existing security investments.