To mitigate DNS data exfiltration, Infoblox Threat Insight (also referred to as Threat Analytics in the Infoblox GUI or Grid Manager) uses analytics algorithms to detect DNS tunneling traffic by analyzing incoming DNS queries and responses. These algorithms were developed through an extensive study of sample DNS statistics in which DNS tunneling data was identified that cannot be detected by ordinary rules and signatures. For more information about DNS data exfiltration, see About Data Exfiltration.
Infoblox Threat Insight identifies data exfiltration tunnels that bypass typical firewalls. Popular tunneling tools include OzymanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. These threats are identified by their high activity and their use of TXT records in DNS queries. Infoblox Threat Insight also identifies tunnels used for command and control (C&C). These threats typically do not exhibit high activity or large payloads; in general, NXDOMAIN responses fall into this category of threats.
You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Analytics license installed on the Grid member on which you want to start the threat analytics service. To download updates for the threat analytics module and whitelist sets, you must have at least one Threat Analytics license installed in the Grid. When you enable the threat analytics service, NIOS starts analyzing incoming DNS data and applying these algorithms to detect security threats that exhibit the same or similar behavior as the known data. When NIOS detects a threat, it blacklists the domain and adds it to the designated mitigation RPZ (Response Policy Zone); DNS lookups for that domain are then blocked on every Grid member to which the RPZ is assigned. The appliance also sends an SNMP trap each time it detects a new blacklisted domain.
Infoblox Threat Insight also includes a whitelist of trusted domains on which NIOS allows DNS traffic. These are known good domains that carry legitimate DNS tunneling traffic, such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. The whitelist is extensible, so new whitelisted domains can be added and rolled out as needed.
You can also add custom whitelisted domains or move blacklisted domains to the whitelist. For information about how to configure Infoblox Threat Insight, see Configuring Infoblox Threat Insight. Before you use Infoblox Threat Insight, there are a few guidelines you should consider. For more information, see Guidelines for Using Infoblox Threat Insight.
Infoblox Threat Insight ships with a module set and a whitelist set installed. To receive subsequent module set and whitelist set updates, you can configure the appliance to download and apply the updates automatically, or you can upload the updates manually when the appliance displays a banner notifying you that updates are available. For information about how to configure the update policy, see Defining the Threat Analytics Update Policy.
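The behavior described above (high-activity TXT tunnels, low-activity C&C channels answered with NXDOMAIN, a whitelist that overrides detection, and blacklisted domains handed to an RPZ) can be modelled end to end in a few dozen lines. The following is an added example, not Infoblox code: Threat Insight's actual algorithms and thresholds are proprietary, so the features, thresholds, whitelist contents, log format and sample traffic here are all constructed for illustration. The RPZ output uses the standard RPZ convention of a CNAME to the root to force NXDOMAIN.

```python
"""Toy model of the Threat Insight pipeline: features -> verdict -> RPZ rules.
Added example, not Infoblox code; thresholds and sample data are constructed."""
import hashlib
import math
from collections import defaultdict

# Known-good domains that legitimately tunnel over DNS (vendors named in the
# text; the set itself is constructed here, not Infoblox's shipped whitelist).
WHITELIST = {"avast.com", "sophos.com", "mcafee.com", "boingo.com", "barracuda.com"}


def random_label(seed, length):
    """Deterministic pseudo-random hex label standing in for encoded payload."""
    return hashlib.sha256(f"{seed}".encode()).hexdigest()[:length]


def constructed_log():
    """Constructed sample traffic, not real logs. Line: client qname qtype rcode."""
    lines = []
    for host in ("www", "mail", "cdn", "api"):  # ordinary browsing
        lines.append(f"10.0.0.5 {host}.example.com A NOERROR")
    for i in range(30):  # vendor traffic that looks tunnel-like but is whitelisted
        lines.append(f"10.0.0.6 {random_label(('avast', i), 32)}.avast.com TXT NOERROR")
    for i in range(40):  # bulk exfiltration: many long encoded labels in TXT queries
        lines.append(f"10.0.0.7 {random_label(('exfil', i), 32)}.exfil.example TXT NOERROR")
    for i in range(4):  # slow C&C beacon: few queries, random labels, NXDOMAIN replies
        lines.append(f"10.0.0.8 {random_label(('beacon', i), 24)}.beacon.example A NXDOMAIN")
    return lines


def registered_domain(qname):
    """Toy: last two labels. Production code needs the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(text):
    """Bits per character; encoded payload labels score far above hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(lines):
    """Aggregate per registered domain: volume, TXT share, NXDOMAIN share, label shape."""
    feats = {}
    for line in lines:
        _client, qname, qtype, rcode = line.split()
        first_label = qname.split(".")[0]
        f = feats.setdefault(registered_domain(qname),
                             {"queries": 0, "txt": 0, "nxdomain": 0, "label_len": 0, "entropy": 0.0})
        f["queries"] += 1
        f["txt"] += int(qtype == "TXT")
        f["nxdomain"] += int(rcode == "NXDOMAIN")
        f["label_len"] += len(first_label)
        f["entropy"] += shannon_entropy(first_label)
    for f in feats.values():
        n = f["queries"]
        f["txt_ratio"] = f["txt"] / n
        f["nx_ratio"] = f["nxdomain"] / n
        f["mean_label_len"] = f["label_len"] / n
        f["mean_entropy"] = f["entropy"] / n
    return feats


def classify(domain, f, whitelist=WHITELIST):
    """Whitelist is checked first, as in Threat Insight; thresholds are illustrative."""
    if domain in whitelist:
        return "whitelisted"
    # Exfiltration tunnel: high activity, TXT-heavy, long encoded labels.
    if f["queries"] >= 20 and f["txt_ratio"] >= 0.5 and f["mean_label_len"] >= 20:
        return "tunnel"
    # C&C channel: low activity, random-looking labels, mostly NXDOMAIN responses.
    if f["nx_ratio"] >= 0.5 and f["mean_label_len"] >= 12 and f["mean_entropy"] >= 3.0:
        return "c2"
    return "clean"


def analyze(lines, whitelist=WHITELIST):
    return {d: classify(d, f, whitelist) for d, f in extract_features(lines).items()}


def rpz_records(verdicts):
    """Standard RPZ syntax: CNAME to the root yields NXDOMAIN for the name and its subdomains."""
    records = []
    for domain, verdict in sorted(verdicts.items()):
        if verdict in ("tunnel", "c2"):
            records.append(f"{domain} CNAME .")
            records.append(f"*.{domain} CNAME .")
    return records


if __name__ == "__main__":
    verdicts = analyze(constructed_log())
    for domain, verdict in sorted(verdicts.items()):
        print(f"{domain:20} {verdict}")
    print("\n".join(rpz_records(verdicts)))
```

Two points from the model carry over to the real product: the whitelist is consulted before any verdict, which is why legitimate vendor tunnels such as Avast never reach the RPZ, and a C&C channel is caught on the shape of its queries and the NXDOMAIN answers rather than on volume, so a low query-rate threshold alone would miss it.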
...
- From the Data Management tab, select the DNS tab -> Response Policy Zones tab. Expand the Toolbar and click Threat Insight in the Cloud Client.
- In the Threat Insight in the Cloud Client editor, complete the following:
- Enable Cloud Client: Select this check box to enable Threat Insight results in the cloud client.
- API Key: You must request an API key to establish an authorized connection with the cloud client. Click Request API Key to request one, and do the following in the Request API Key from the Cloud Services Portal dialog box:
- Email: Enter the email address that is registered in the Infoblox Cloud Services Portal.
- Password: Enter the password that is registered in the Infoblox Cloud Services Portal.
An API key is generated in the API Key text box only when you enter the correct email address and password. An error message is displayed for an invalid email address or password.
- Interval: You can specify how often to request Threat Insight results detected in the cloud client, in seconds or minutes. The default is 10 minutes.
- The list of Response Policy Zones to use for blacklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. You can add RPZs from different network and DNS views. Whenever a new RPZ is added and the cloud client requests data, Grid Manager displays a Warning dialog box asking you to confirm that you want to request all domains detected by Threat Insight in the cloud client. Even if you click No in the Warning dialog box, you can later use the set cloud_services_portal_force_refresh CLI command in maintenance mode to set the flag that requests all domains detected in the cloud client.
- Disable: When you select this, the appliance does not treat this domain as a trusted domain. When you enable the domain again, it is considered a whitelisted domain.
- Click Save & Close.
...