To mitigate DNS data exfiltration, Infoblox Threat Insight (also referred to as Threat Analytics in the Infoblox GUI or Grid Manager) uses analytics algorithms to detect DNS tunneling traffic by analyzing incoming DNS queries and responses. These algorithms were developed through an extensive study of sample DNS statistics in which DNS tunneling traffic was identified; they detect tunneling behavior that static rules and signatures cannot. For more information about DNS data exfiltration, see About Data Exfiltration.
Infoblox Threat Insight identifies data exfiltration tunnels that bypass typical firewalls. Popular tunneling tools include OzymanDNS, SplitBrain, Iodine, DNS2TCP, TCP-Over-DNS, and others. Threats of this type are identified by their high activity levels and their use of TXT records in DNS queries. Infoblox Threat Insight also identifies tunnels that are used for command and control (C&C). These threats typically do not exhibit high activity or large payloads; in general, tunnels in this category show up as NXDOMAIN responses.
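The two traffic profiles described above (busy TXT-based tunnels with high-entropy subdomains, and quiet NXDOMAIN-heavy beacons) can be triaged from ordinary resolver logs with a few per-domain counters. The script below is an added illustration of that triage, not Infoblox code and not a description of Threat Insight's actual algorithms, which this page does not publish. It assumes a simplified "<client> <qname> <qtype> <rcode>" log line format, uses constructed sample traffic under the reserved .test TLD, and uses illustrative thresholds and a constructed whitelist entry (avupdate.test) standing in for the vendor domains the page lists.

```python
import math
from collections import defaultdict

# Constructed sample resolver log, not real NIOS syslog output. The line
# format assumed for this example is "<client> <qname> <qtype> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com A NOERROR
10.0.0.5 mail.example.com MX NOERROR
10.0.0.9 www.example.com A NOERROR
10.0.0.9 wwww.example.com A NXDOMAIN
10.0.0.7 2f4a9c1e0b7d.tun.exfil.test TXT NOERROR
10.0.0.7 8e3b6f1a0d5c.tun.exfil.test TXT NOERROR
10.0.0.7 c7d2a9f0e4b1.tun.exfil.test TXT NOERROR
10.0.0.7 5a0e8c2d9f3b.tun.exfil.test TXT NOERROR
10.0.0.7 d1f7b3a6e9c0.tun.exfil.test TXT NOERROR
10.0.0.7 3c9e0a7f2b5d.tun.exfil.test TXT NOERROR
10.0.0.8 k3q9z1x7.beacon.c2.test A NXDOMAIN
10.0.0.8 p8m2w4r6.beacon.c2.test A NXDOMAIN
10.0.0.8 t5n0y7h2.beacon.c2.test A NXDOMAIN
10.0.0.4 old.legacy.test A NXDOMAIN
10.0.0.4 old.legacy.test A NXDOMAIN
10.0.0.4 old.legacy.test A NXDOMAIN
10.0.0.3 b6a1d4e8f0c2.sig.avupdate.test TXT NOERROR
10.0.0.3 e0c5f9b2a7d3.sig.avupdate.test TXT NOERROR
10.0.0.3 a4d7e1f9c2b0.sig.avupdate.test TXT NOERROR
10.0.0.3 f2b8c0d4e6a1.sig.avupdate.test TXT NOERROR
10.0.0.3 9d3f5a7c1e0b.sig.avupdate.test TXT NOERROR
10.0.0.3 0e6a2c8f4b3d.sig.avupdate.test TXT NOERROR
"""

# Constructed stand-in for the analytics whitelist: a vendor domain that
# legitimately carries TXT-based tunnel traffic and must never be blacklisted.
WHITELIST = {"avupdate.test"}

# Illustrative thresholds; Infoblox's tuned values are not published on this page.
EXFIL_MIN_QUERIES, C2_MIN_QUERIES = 6, 3

def shannon_entropy(s):
    """Bits per character. Random-looking payload labels score near log2(len(s))."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname):
    """Last two labels. Simplification: a real implementation would use the
    public suffix list so that names under co.uk and similar group correctly."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def domain_features(lines):
    """Per-domain counters: volume, TXT share, NXDOMAIN share, distinct-name
    share and mean entropy of the leftmost label (where tunnel payload lives)."""
    acc = defaultdict(lambda: {"n": 0, "txt": 0, "nx": 0, "names": set(), "ent": 0.0})
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines instead of aborting the whole batch
        _client, qname, qtype, rcode = parts
        a = acc[registered_domain(qname)]
        a["n"] += 1
        a["txt"] += int(qtype.upper() == "TXT")
        a["nx"] += int(rcode.upper() == "NXDOMAIN")
        a["names"].add(qname.lower())
        a["ent"] += shannon_entropy(qname.split(".")[0])
    return {
        dom: {
            "n": a["n"],
            "txt_frac": a["txt"] / a["n"],
            "nx_frac": a["nx"] / a["n"],
            "uniq_frac": len(a["names"]) / a["n"],
            "mean_entropy": a["ent"] / a["n"],
        }
        for dom, a in acc.items()
    }

def classify(f):
    """Map one domain's features to the two tunnel types described above."""
    random_names = f["uniq_frac"] >= 0.8
    if (f["n"] >= EXFIL_MIN_QUERIES and f["txt_frac"] >= 0.5
            and random_names and f["mean_entropy"] >= 3.0):
        return "exfiltration"  # high volume, TXT payloads, high-entropy labels
    if f["n"] >= C2_MIN_QUERIES and f["nx_frac"] >= 0.75 and random_names:
        return "c2"  # low volume, mostly NXDOMAIN, names that never repeat
    return "benign"

def blacklist(lines, whitelist=WHITELIST):
    """Domains that would be handed to the mitigation RPZ, whitelist applied first."""
    feats = domain_features(lines)
    return sorted(d for d, f in feats.items()
                  if d not in whitelist and classify(f) != "benign")

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for dom, f in domain_features(lines).items():
        print(f"{dom:14} n={f['n']} txt={f['txt_frac']:.2f} nx={f['nx_frac']:.2f} "
              f"uniq={f['uniq_frac']:.2f} H={f['mean_entropy']:.2f} -> {classify(f)}")
    print("to mitigation RPZ:", blacklist(lines))
```

Two edge cases in the sample are deliberate: the single mistyped wwww.example.com NXDOMAIN and the three repeated lookups of a stale old.legacy.test name are not flagged, because a beacon is recognised by NXDOMAIN answers to names that never repeat, not by NXDOMAIN alone. The whitelisted avupdate.test domain would otherwise be classified exactly like the exfiltration tunnel, which is why the whitelist is applied before anything is sent to the RPZ.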
You must have at least one RPZ license installed in your Grid (it can be installed on any Grid member) and the Threat Analytics license installed on the Grid member on which you want to start the threat analytics service. To download updates for the threat analytics module and whitelist sets, you must have at least one Threat Analytics license installed in the Grid. When you enable the threat analytics service, NIOS starts analyzing incoming DNS data and applying these algorithms to detect security threats that behave the same as, or similarly to, the known data. Once security threats are detected, NIOS blacklists the domains and transfers them to the designated mitigation RPZ (Response Policy Zone); traffic to the offending domains is then blocked, and no DNS lookups for these domains are answered by the NIOS members to which the RPZ is assigned. The appliance also sends an SNMP trap each time it detects a new blacklisted domain.
Infoblox Threat Insight also includes a whitelist of trusted domains for which NIOS allows DNS traffic. These are known good domains that carry legitimate DNS tunneling traffic, such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. The whitelist is extensible, so new whitelisted domains can be added and rolled out accordingly.
You can also add custom whitelisted domains or move blacklisted domains to the whitelist. For more information about how to configure Infoblox Threat Insight, see Configuring Infoblox Threat Insight. Before you utilize Infoblox Threat Insight, there are a few guidelines you might need to consider. For more information, see Guidelines for Using Infoblox Threat Insight.
Infoblox Threat Insight ships with a module set and a whitelist set. To receive subsequent module set and whitelist set updates, you can configure the appliance to download and apply the updates automatically, or you can upload the updates manually when the appliance displays a banner message notifying you that updates are available. For information about how to configure the update policy, see Defining the Threat Analytics Update Policy.
...
- Obtain and install valid RPZ and Threat Analytics licenses on the appliance that is used to support analytics. For more information about licenses, see About Infoblox Threat Insight. Note that you must have the threat analytics service running on the member serving recursive DNS queries or have recursive DNS queries forwarded to another DNS server. To generate reports that contain statistics about DNS tunneling, you must also configure a reporting appliance in the Grid.
- Configure admin permissions so admin users can manage the threat analytics service and analytics related tasks. For information about how to configure admin permission, see Managing Permissions.
- Start the threat analytics service on the appliance that has the Threat Analytics license installed, as described in Starting and Stopping the Threat Analytics Service.
...
Note: The analytics functionality only works on recursive servers and forwarding servers that use BIND as the DNS resolver; it does not function on authoritative servers or servers that use Unbound as the DNS resolver.
4. Create a new RPZ and use it as the designated mitigation blacklist feed so the appliance can transfer all blacklisted domains to this feed. For more information, see Configuring a Local RPZ as the Mitigation Blacklist Feed. Ensure that you configure an appropriate policy for this RPZ. To monitor the threat analytics service before actually blocking domains, set Policy Override to Log Only (Disabled). When you are ready to block offending domains, set Policy Override to None (Given).
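NIOS's RPZ is built on BIND's response-policy mechanism (the note above states that the analytics service runs only with the BIND resolver), so the two Policy Override settings in this step map onto BIND's per-zone policy keyword: Log Only (Disabled) corresponds to policy disabled, and None (Given) to policy given. The fragments below are an added illustration of that mapping, not NIOS configuration and not Infoblox code; the zone name rpz.threatinsight.example, the file name, and the blocked and exempted domains are hypothetical.

```text
# named.conf fragment (constructed). "policy disabled" logs every match but
# leaves the answer untouched, which is the monitoring phase. Changing it to
# "policy given" makes BIND apply the action encoded in each zone record.
response-policy {
    zone "rpz.threatinsight.example" policy disabled;   # Log Only (Disabled)
    # zone "rpz.threatinsight.example" policy given;    # None (Given)
};

zone "rpz.threatinsight.example" {
    type primary;                  # "type master" on BIND releases before 9.16
    file "rpz.threatinsight.example.db";
    allow-query { localhost; };    # consulted internally, not served to clients
};

; rpz.threatinsight.example.db (constructed). Owner names are relative to the
; RPZ apex, so the record "exfil.test" matches client queries for exfil.test.
$TTL 60
@               IN SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 60 )
                IN NS  localhost.
exfil.test      CNAME .               ; CNAME . => NXDOMAIN for the domain itself
*.exfil.test    CNAME .               ; and for every payload-carrying subdomain
c2.test         CNAME .
*.c2.test       CNAME .
vendor.test     CNAME rpz-passthru.   ; exempt inside the zone: answer normally
*.vendor.test   CNAME rpz-passthru.
```

With the zone in disabled mode, a query for abc.exfil.test still resolves normally but produces an rpz log entry, so you can review what the feed would have blocked before switching to given. The rpz-passthru records show how a name is exempted inside the zone itself; the analytics whitelist works one step earlier, by never blacklisting the domain, so a whitelisted domain needs no such record.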
After you set up Infoblox Threat Insight to mitigate DNS data exfiltration, you can do the following to manage it:
- View supported whitelisted domains for analytics, as described in Viewing the Analytics Whitelist. Note that these domains are specific to analytics only. They are not used in the anti-DNS tunneling threat protection rules.
- Manually add a custom domain to the analytics whitelist, as described in Adding Custom Whitelisted Domains.
- Review the blacklisted domains and make decisions about whether to move them to the analytics whitelist so future DNS activities will not be blocked. For more information, see Viewing Blacklisted Domains.
- Move a blacklisted domain to the analytics whitelist, as described in Moving Blacklisted Domains to the Whitelist.
- Monitor DNS tunneling activities and events using pre-defined reports and the syslog, as described in Monitoring DNS Tunneling Activities.
...
Note: You cannot delete an RPZ that is used as the mitigation blacklist feed until you remove or clear it from the Grid Threat Analytics Properties editor.
...
...
in the Cloud
...
If your network configuration includes ActiveTrust Plus or ActiveTrust Advanced Cloud, you can configure a cloud integration client to collect malicious domains detected by Threat Insight in the Cloud. NIOS then applies the detected domains to the RPZs configured for the on-premises Grid. This feature ensures that all malicious domains detected in the cloud are also captured for on-premises members.
You can use this feature when you have an ActiveTrust Plus or ActiveTrust Advanced license. Note that you can configure only one cloud client per on-premises Grid, and you must first request an API key through the Cloud Services Portal so that the cloud client is authorized to retrieve data from Threat Insight in the Cloud.
To configure Threat Insight for the cloud client:
- From the Data Management tab, select the DNS tab -> Response Policy Zones tab. Expand the Toolbar and click Threat Insight in the Cloud Client.
- In the Threat insight in the Cloud Client editor, complete the following:
- Enable Cloud Client: Select this check box to enable Threat Insight results in the cloud client.
- API Key: You must request an API key to establish an authorized connection with the cloud client. Click Request API Key to request an API key. Do the following in the Request API Key from the Cloud Services Portal dialog box:
- Email: Enter the email address that is registered in the Infoblox Cloud Services Portal.
- Password: Enter the password that is registered in the Infoblox Cloud Services Portal.
An API key is generated in the API Key text box only when you enter the correct email address and password. An error message is displayed for an invalid email address and password.
- Interval: Specify how often, in seconds or minutes, to request the Threat Insight results detected in the cloud. The default is 10 minutes.
- The list of Response Policy Zones to use for blacklisted domains: Click the Add icon to add an RPZ to the list. When there are multiple zones, Grid Manager displays the Zone Selector dialog box from which you can select one. You can add RPZs from different network and DNS views. Whenever a new RPZ is added and the cloud client requests data, Grid Manager displays a Warning dialog box asking you to confirm that you want to request all domains detected by Threat Insight in the cloud. Even if you clicked No in the Warning dialog box, you can later use the set cloud_services_portal_force_refresh CLI command in maintenance mode to set the flag that requests all domains detected in the cloud.
- Click Save & Close.
...
...
To review the list of blacklisted domains, complete the following:
...