To mitigate DNS data exfiltration, Infoblox Threat Insight (also referred to as Threat Analytics in the Infoblox GUI or Grid Manager) uses analytics algorithms to detect DNS tunneling traffic by analyzing incoming DNS queries and responses. These algorithms were developed through an extensive study of sample DNS statistics and identify DNS tunneling traffic that normal rules and signatures cannot detect. For more information about DNS data exfiltration, see About Data Exfiltration.
Infoblox Threat Insight identifies data exfiltration tunnels that bypass typical firewall systems. Some popular tunneling tools are OzymanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. Threats of this type are identified by their high activity in TXT-record DNS queries. Infoblox Threat Insight also identifies tunnels that are used for C&C (command and control). These threats typically do not exhibit high activity or large payloads; in general, NXDOMAIN responses fall into this category of threats.
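The two behaviours described above (high TXT-record query volume carrying payload-like labels for exfiltration tunnels, and a high NXDOMAIN ratio with little payload for C&C beacons) can be illustrated with a small scoring pass over resolver logs. The following Python is an added example, not the Infoblox Threat Insight algorithm or any NIOS code: the log format, the thresholds, the last-two-label domain grouping and the trusted domain av-vendor.example are all constructed assumptions. It also applies an analytics whitelist and a log-only switch, mirroring the whitelist and the monitor-before-blocking practice this page describes.

```python
"""Toy DNS-tunneling indicators over constructed resolver log lines.

Added illustration only; this is not the Infoblox Threat Insight algorithm.
Each registered domain is scored on (a) TXT query volume, (b) the Shannon
entropy of the leftmost query label, and (c) its NXDOMAIN ratio. An analytics
whitelist and a log-only switch are then applied to the verdicts.
"""
import math

# Constructed sample resolver log: "client qtype qname rcode" per line.
# The 32-character base32-alphabet labels stand in for tunnel payload chunks.
SAMPLE_LOG = """
10.0.0.5 A www.example.com NOERROR
10.0.0.5 A mail.example.com NOERROR
10.0.0.5 TXT abcdefghijklmnopqrstuvwxyz234567.example.net NOERROR
10.0.0.5 TXT 234567abcdefghijklmnopqrstuvwxyz.example.net NOERROR
10.0.0.5 TXT zyxwvutsrqponmlkjihgfedcba765432.example.net NOERROR
10.0.0.5 TXT 765432zyxwvutsrqponmlkjihgfedcba.example.net NOERROR
10.0.0.9 TXT abcdefghijklmnopqrstuvwxyz234567.av-vendor.example NOERROR
10.0.0.9 TXT 234567abcdefghijklmnopqrstuvwxyz.av-vendor.example NOERROR
10.0.0.9 TXT zyxwvutsrqponmlkjihgfedcba765432.av-vendor.example NOERROR
10.0.0.7 A gqzlkjvq.example.org NXDOMAIN
10.0.0.7 A xkcdqwer.example.org NXDOMAIN
10.0.0.7 A plmoknij.example.org NXDOMAIN
10.0.0.7 A qazwsxed.example.org NXDOMAIN
10.0.0.7 A www.example.org NOERROR
"""

# Constructed analytics whitelist: a trusted domain that legitimately tunnels data.
WHITELIST = {"av-vendor.example"}

# Constructed thresholds; real analytics tune these on far larger samples.
TXT_MIN_QUERIES = 3
ENTROPY_MIN = 3.5       # bits per character of the leftmost label
NX_MIN_QUERIES = 4
NX_MIN_RATIO = 0.8

def shannon_entropy(text):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Toy grouping key: the last two labels (production code would use the PSL)."""
    return ".".join(qname.split(".")[-2:])

def parse_log(text):
    """Return (client, qtype, qname, rcode) tuples, skipping malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            client, qtype, qname, rcode = parts
            records.append((client, qtype.upper(), qname.lower().rstrip("."), rcode.upper()))
    return records

def aggregate(records):
    """Per-domain counters: total, TXT, NXDOMAIN and summed leftmost-label entropy."""
    stats = {}
    for _client, qtype, qname, rcode in records:
        dom = registered_domain(qname)
        s = stats.setdefault(dom, {"total": 0, "txt": 0, "nxdomain": 0, "entropy_sum": 0.0})
        s["total"] += 1
        s["txt"] += qtype == "TXT"
        s["nxdomain"] += rcode == "NXDOMAIN"
        prefix = qname[: -len(dom) - 1]        # labels below the registered domain
        s["entropy_sum"] += shannon_entropy(prefix.split(".")[0])
    return stats

def classify(stats):
    """Map each domain to 'tunnel', 'c2-nxdomain' or 'clean'."""
    verdicts = {}
    for dom, s in stats.items():
        mean_entropy = s["entropy_sum"] / s["total"]
        nx_ratio = s["nxdomain"] / s["total"]
        if s["txt"] >= TXT_MIN_QUERIES and mean_entropy >= ENTROPY_MIN:
            verdicts[dom] = "tunnel"
        elif s["total"] >= NX_MIN_QUERIES and nx_ratio >= NX_MIN_RATIO:
            verdicts[dom] = "c2-nxdomain"
        else:
            verdicts[dom] = "clean"
    return verdicts

def decide(verdicts, whitelist, log_only=True):
    """Whitelisted domains stay allowed; others are logged or blocked per the switch."""
    actions = {}
    for dom, verdict in verdicts.items():
        if verdict == "clean":
            actions[dom] = "allow"
        elif dom in whitelist:
            actions[dom] = "allow (whitelisted)"
        else:
            actions[dom] = "log" if log_only else "block"
    return actions

def run(log_text=SAMPLE_LOG, whitelist=WHITELIST, log_only=True):
    verdicts = classify(aggregate(parse_log(log_text)))
    return verdicts, decide(verdicts, whitelist, log_only)

if __name__ == "__main__":
    verdicts, actions = run()
    for dom in sorted(verdicts):
        print(f"{dom:20} {verdicts[dom]:12} -> {actions[dom]}")
```

With the constructed log, example.net is scored as a tunnel, example.org as an NXDOMAIN-style beacon, and av-vendor.example triggers the tunnel rule but stays allowed because it is whitelisted; switching log_only to False turns the "log" actions into "block", which is the same progression the page recommends for the mitigation RPZ.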
You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Analytics license installed on the Grid member on which you want to start the threat analytics service. To download updates for the threat analytics module and whitelist sets, you must have at least one Threat Analytics license installed in the Grid. When you enable the threat analytics service, NIOS starts analyzing incoming DNS data and applying these algorithms to detect security threats that have the same or similar behavior as the known data. Once security threats are detected, NIOS blacklists the domains and transfers them to the designated mitigation RPZ (Response Policy Zone); traffic to the offending domains is blocked and no DNS lookups are allowed for these domains from the NIOS members to which the RPZ is assigned. The appliance also sends an SNMP trap each time it detects a new blacklisted domain.
Infoblox Threat Insight also includes a whitelist that contains trusted domains on which NIOS allows DNS traffic. These are known good domains that carry legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. The whitelist is extensible so new whitelisted domains can be added and rolled out accordingly.
You can also add custom whitelisted domains or move blacklisted domains to the whitelist. For more information about how to configure Infoblox Threat Insight, see Configuring Infoblox Threat Insight. Before you utilize Infoblox Threat Insight, there are a few guidelines you might need to consider. For more information, see Guidelines for Using Infoblox Threat Insight.
Infoblox Threat Insight comes installed with a module set and a whitelist set. To receive subsequent module set and whitelist set updates, you can configure the appliance to download and apply the updates automatically, or you can upload the updates manually when the appliance displays a banner notifying you of available updates. For information about how to configure the update policy, see Defining the Threat Analytics Update Policy.
...
- To start the threat analytics service, you must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Analytics license installed on the Grid member on which you want to start the threat analytics service. To download updates for the threat analytics module and whitelist sets, you must have at least one Threat Analytics license installed in the Grid.
- Infoblox recommends that you run the threat analytics service for a limited time to monitor and preview what has been detected before actually blocking blacklisted domains. You can carefully review the list of detected domains and decide which domains you want to continue blocking and which domains you want to add to the analytics whitelist. You should review the blacklisted domains on a regular basis to make sure that no legitimate use of DNS tunneling is blocked. Note that you can update the analytics whitelist by adding new whitelisted domains, moving legitimate domains from the blacklisted domain list, or using CSV import and export. For more information, see Configuring a Local RPZ as the Mitigation Blacklist Feed.
- Analytics whitelisted domains and supported DNS tunneling tools are updated periodically and are bundled with future NIOS releases. To ensure that your appliance is using the most up-to-date whitelist, upgrade to the next NIOS release or configure the appliance to download threat analytics updates. For information about upgrades, see About Upgrades. Note that this process may change in future NIOS releases.
- There are no configurable parameters for Infoblox Threat Insight. Infoblox uses the built-in algorithms to analyze DNS statistics and blocks offending domains based on the analyzed data.
- DNS tunneling detection is not instantaneous. It may take a few seconds to a few minutes for the analytics to determine positive DNS tunneling activities.
- During an HA failover, analytics data that is in progress on the active node might be lost. Only new DNS queries that reach the new active node after a successful failover are analyzed, and it may take a few minutes for the analytics to return to its normal state. If there is no connection between the Grid Master and the Grid member, blacklisted domains detected by the analytics cannot be transferred to the Grid Master as RPZ records for the pre-configured RPZ zone; this does not apply to standalone appliances with an RPZ license installed. In addition, ensure that the passive node also has the RPZ license installed and that its hardware model is capable of running the threat analytics service. For information about supported appliance models, see Supported Appliances for Infoblox Threat Insight.
- The threat analytics service only works on recursive DNS servers and forwarding servers that use BIND as the DNS resolver. It does not support Unbound as the DNS resolver.
- The analytics whitelist only applies to Infoblox Threat Insight; it does not apply to signature-based tunneling detection. Anti-DNS tunneling threat protection rules address signature-based tunneling analysis. For detailed information about threat protection rules, refer to the Infoblox Threat Protection Rules document available on the Support web site.
- Infoblox Threat Insight does not support RESTful APIs.
...
Due to the memory and capacity required to perform analytics, ensure that you install the Threat Analytics and RPZ licenses and enable the threat analytics service on an appliance that has sufficient capacity. Following are the supported Infoblox appliance models on which you can run the threat analytics service:
- PT-1405, PT-2200, PT-2205, and PT-4000.
- IB-4010, IB-4020, IB-4030, and IB-4030-10GE.
- TE-1415, TE-1425, TE-2210, TE-2215, TE-2220, and TE-2225.
- TE-V1415, TE-V1425, TE-V2210, TE-V2215, TE-V2220, TE-V2225, TE-V4010, and TE-V4015.
...
Note: Using unsupported appliance models for Infoblox Threat Insight might cause performance issues.
...
1. Obtain and install valid RPZ and Threat Analytics licenses on the appliance that is used to support analytics. For more information about licenses, see About Infoblox Threat Insight. Note that you must have the threat analytics service running on the member serving recursive DNS queries or have recursive DNS queries forwarded to another DNS server. To generate reports that contain statistics about DNS tunneling, you must also configure a reporting appliance in the Grid.
2. Configure admin permissions so admin users can manage the threat analytics service and analytics-related tasks. For information about how to configure admin permissions, see Managing Permissions.
3. Start the threat analytics service on the appliance that has the Threat Analytics license installed, as described in Starting and Stopping the Threat Analytics Service.
Note: The analytics functionality only works on recursive servers and forwarding servers that use BIND as the DNS resolver; it does not function on authoritative servers or servers that use Unbound as the DNS resolver.
4. Create a new RPZ and use it as the designated mitigation blacklist feed so the appliance can transfer all blacklisted domains to this feed. For more information, see Configuring a Local RPZ as the Mitigation Blacklist Feed. Ensure that you configure an appropriate policy for this RPZ. To monitor the threat analytics service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).
After you set up Infoblox Threat Insight to mitigate DNS data exfiltration, you can do the following to manage it:
- View supported whitelisted domains for analytics, as described in Viewing the Analytics Whitelist. Note that these domains are specific to analytics only. They are not used in the anti-DNS tunneling threat protection rules.
- Manually add a custom domain to the analytics whitelist, as described in Adding Custom Whitelisted Domains.
- Review the blacklisted domains and make decisions about whether to move them to the analytics whitelist so future DNS activities will not be blocked. For more information, see Viewing Blacklisted Domains.
- Move a blacklisted domain to the analytics whitelist, as described in Moving Blacklisted Domains to the Whitelist.
- Monitor DNS tunneling activities and events using pre-defined reports and the syslog, as described in Monitoring DNS Tunneling Activities.
...
When you stop the threat analytics service, the appliance does not detect or protect against non-signature-based DNS tunneling. In addition, reports that you generate might not include statistics related to DNS tunneling.
...
- From the Data Management tab, select the Threat Analytics tab -> Whitelist tab.
- The appliance displays the following for each trusted domain:
- Actions: Click the Action icon (shown as a gear in each row) next to a domain and select one of the following:
- Disable: Click this to disable the domain. When you disable a domain, the appliance does not treat it as a trusted domain until you enable it again.
- Edit: Click this to open the Whitelist editor. For system domains, the only property you can modify is whether they are enabled or disabled. For custom domains, you can also add information to the Comment field.
- Delete: This is only applicable to custom domains. You cannot delete system domains. Select this to delete the custom domain.
- Domain Name: The name of the trusted domain.
- Type: Displays the domain type. This can be System or Custom. A system domain is a trusted domain that carries legitimate DNS tunneling traffic such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. A custom domain is one that you have added to the whitelist or moved from the mitigation blacklist RPZ.
- Disabled: Indicates whether this domain is disabled or not. The appliance does not treat disabled domains as trusted domains. You can disable both system and custom domains.
- Comment: Additional information about the domain.
...
For the threat analytics service to function properly and for NIOS to properly report detected blacklisted domains, you must create and designate one or more local RPZs as the mitigation blacklist feed for the entire Grid. You can add Response Policy Zones from different network and DNS views to the list of RPZs. When a domain is detected as malicious, NIOS updates all RPZs in the list. If you assign an existing RPZ that is used for other purposes as the mitigation blacklist feed, you may experience the following:
...
3. In the Grid Threat Analytics Properties editor, click the DNS Threat Analytics tab, and complete the following:
- Mitigation RPZ: Click Select if you have more than one local RPZ. In the selector, select the RPZ you created specifically for collecting blacklisted domains. If you have only one RPZ in your system, Grid Manager displays it in this field. Click Clear to remove the RPZ as the designated mitigation blacklist feed.
- Click the Add icon to open the Zone Selector dialog box and select the RPZs. You must configure at least one local RPZ. To remove an RPZ, select it from the table and click Delete.
4. Save the configuration.
Note: You cannot delete an RPZ that is used as the mitigation blacklist feed until you remove or clear it from the Grid Threat Analytics Properties editor.
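The mitigation blacklist feed is an ordinary RPZ, so the records NIOS writes into it can be understood in terms of standard BIND response-policy semantics. The following Python is an added example, not the NIOS feed format or API: it builds a small RPZ zone in which blacklisted domains get CNAME . (the NXDOMAIN policy, plus a wildcard for subdomains) and whitelisted domains get CNAME rpz-passthru., and it emits the BIND response-policy stanza whose policy disabled and policy given modes correspond to the Policy Override settings Log Only (Disabled) and None (Given) named on this page. The zone name rpz.local.test, the serial, and the domains in BLACKLIST and WHITELIST are constructed.

```python
"""Build a BIND-style RPZ mitigation feed from a blacklist and a whitelist.

Added illustration of the mitigation-feed concept, not the NIOS feed format or
API. Record semantics are the standard BIND response-policy ones: a QNAME
trigger with 'CNAME .' answers NXDOMAIN, 'CNAME rpz-passthru.' exempts the
name, and a '*.' wildcard record extends the rule to every subdomain.
"""

# Constructed inputs: domains "detected" by analytics and the analytics whitelist.
BLACKLIST = {"tun.example.net", "beacon.example.org", "av-vendor.example"}
WHITELIST = {"av-vendor.example"}


def _norm(domains):
    """Lower-case and strip a trailing dot so comparisons are consistent."""
    return {d.lower().rstrip(".") for d in domains}


def rpz_records(owner, target):
    """QNAME trigger for the domain itself and for every name beneath it."""
    return [f"{owner} CNAME {target}", f"*.{owner} CNAME {target}"]


def build_rpz_zone(origin, blacklist, whitelist, serial):
    """Return zone-file text: passthru records for the whitelist, NXDOMAIN for the rest."""
    origin = origin.rstrip(".") + "."
    trusted = _norm(whitelist)
    blocked = _norm(blacklist) - trusted      # a whitelisted domain is never blocked
    lines = [
        f"$ORIGIN {origin}",
        "$TTL 60",
        f"@ SOA ns.{origin} hostmaster.{origin} {serial} 3600 600 86400 60",
        f"@ NS ns.{origin}",
        "; trusted domains (analytics whitelist)",
    ]
    for d in sorted(trusted):
        lines += rpz_records(d, "rpz-passthru.")
    lines.append("; blacklisted domains (NXDOMAIN policy)")
    for d in sorted(blocked):
        lines += rpz_records(d, ".")
    return "\n".join(lines) + "\n"


def response_policy_stanza(zone, log_only):
    """named.conf fragment: 'disabled' logs matches only, 'given' applies the records."""
    mode = "disabled" if log_only else "given"
    return f'response-policy {{ zone "{zone}" policy {mode}; }};'


def lookup_action(qname, blacklist, whitelist):
    """Predict the feed's effect on a query name; the whitelist wins over the blacklist."""
    name = qname.lower().rstrip(".")

    def covered(domains):
        return any(name == d or name.endswith("." + d) for d in domains)

    if covered(_norm(whitelist)):
        return "passthru"
    if covered(_norm(blacklist)):
        return "nxdomain"
    return "unaffected"


if __name__ == "__main__":
    print(build_rpz_zone("rpz.local.test", BLACKLIST, WHITELIST, 2024010101))
    print(response_policy_stanza("rpz.local.test", log_only=True))
    for q in ("data.tun.example.net", "a.av-vendor.example", "www.example.com"):
        print(q, "->", lookup_action(q, BLACKLIST, WHITELIST))
```

Running the block with log_only=True produces the stanza for a monitoring phase in which matches are logged but answers are not rewritten; switching to log_only=False produces policy given, which enforces the NXDOMAIN records. Because the whitelist is subtracted before the block records are generated, moving a domain from the blacklist to the whitelist removes its block record on the next build rather than leaving two conflicting rules in the zone.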
...
If your network configuration includes ActiveTrust Plus or ActiveTrust Advanced Cloud, you can configure a cloud integration client to collect malicious domains detected by the Threat Insight in the cloud. NIOS then applies the detected domains to RPZs that were configured for the on-premises Grid. This feature ensures that all malicious domains detected in the cloud are also captured for on-premises members.
You can use this feature when you have an ActiveTrust Plus or ActiveTrust Advanced license. Note that you can configure only one cloud client per on-premises Grid, and you must first request an API key through the Cloud Services Portal so that the cloud client is authorized to retrieve data from Threat Insight in the cloud.
To configure Threat Insight for the cloud client:
- From the Data Management tab, select the DNS tab -> Response Policy Zones tab. Expand the Toolbar and click Threat Insight in the Cloud Client.
- In the Threat insight in the Cloud Client editor, complete the following:
- Enable Cloud Client: Select this check box to enable Threat Insight results in the cloud client.
- API Key: You must request an API key to establish an authorized connection with the cloud client. Click Request API Key to request an API key. Do the following in the Request API Key from the Cloud Services Portal dialog box:
- Email: Enter the email address that is registered in the Infoblox Cloud Services Portal.
- Password: Enter the password that is registered in the Infoblox Cloud Services Portal.
An API key is generated in the API Key text box only when you enter the correct email address and password. An error message is displayed for an invalid email address or password.
- Interval: Specify how often, in seconds or minutes, to request the Threat Insight results detected in the cloud. The default is 10 minutes.
- The list of Response Policy Zones to use for blacklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. You can add RPZs from different network and DNS views. Whenever a new RPZ is added and the cloud client requests data, Grid Manager displays a Warning dialog box to confirm that you want to request all domains detected by Threat Insight in the cloud. Even if you click No in the Warning dialog box, you can later use the set cloud_services_portal_force_refresh CLI command in maintenance mode and set the flag to request all domains detected in the cloud.
- Click Save & Close.
...
...
To review the list of blacklisted domains, complete the following:
...
You can also do the following in the blacklisted domain panel:
- Click Go to Analytics Whitelist View to view the analytics whitelist. In the Whitelist panel, you can see all the trusted domains for Infoblox Threat Insight, and DNS activities are allowed on these domains. For more information, see Viewing the Analytics Whitelist.
- If you want to move a blacklisted domain to the analytics whitelist so it becomes a trusted domain, select the domain check box, click the Action icon (shown as a gear in each row) next to the domain, and then select Move to Whitelist.
- Navigate to the next or last page of the whitelist using the paging buttons at the bottom of the panel.
- Refresh the blacklist feed by clicking the Refresh button.
- Use filters and the Go to function to narrow down the list. With the autocomplete feature, you can just enter the first few characters of an object name in the Goto field and select the object from the possible matches.
- Select a quick filter to search for specific entries.
- Print the blacklist or export it in CSV format.
...
- From the Data Management tab, select the DNS tab -> Response Policy Zones tab.
- Select a blacklisted domain, click the Action icon (shown as a gear in each row) next to the domain, and select Move to Whitelist.
...
- Pre-defined Reports: If you have a reporting appliance configured in the Grid, you can generate the following reports that include DNS tunneling data:
- Syslog: All DNS tunneling activities are logged to the syslog. You can view this log to identify specific activities related to DNS tunneling. For more information, see Using a Syslog Server.