DEPLOYMENT GUIDE Threat Insight

© 2019 Infoblox Inc. All rights reserved. Infoblox Threat Insight Deployment Guide. March 2019

TABLE OF CONTENTS

Introduction ..... 4
Prerequisites ..... 5
Best Practices ..... 5
Supported Appliances ..... 6
Deploying Threat Insight ..... 6
Create a local RPZ as the Mitigation Blacklist Feed ..... 6
Creating Local RPZ ..... 6
Designate Local RPZ as Mitigation blacklist feed ..... 11
Configuring Update Policy ..... 13
Automatic Update ..... 13
Manual Update ..... 15
Starting Threat Analytics Service ..... 15
Viewing the Analytics Whitelist ..... 17
Disable Whitelist Domains ..... 18
Add Custom Whitelist Domains ..... 18
View Blacklist Domains ..... 19
Moving a blacklisted domain to analytics whitelist ..... 20
Deploying Threat Insight in the Cloud ..... 21
Use TIitC by Forwarding Traffic ..... 21
Add NIOS appliance to the Cloud ..... 21
Give Access to Forward Traffic to the Cloud ..... 22
Use TIitC with Data Connector ..... 25
Pull Threat Indicators from TIitC to On-Premise ..... 33
Create Local RPZ ..... 33
Designate a TIitC On-Premise RPZ Feed ..... 36
Block Threat Indicators from TIitC in the Cloud ..... 38
Review Threat Insight On-Premise Reporting ..... 40
Security Dashboard ..... 40
Security Status for Grid ..... 40
Security Status for All Members ..... 40
Threat Analytics Status for Grid ..... 41
Threat Analytics Status for Member ..... 42
Auto Refresh ..... 44
Viewing the Reports On-Premise ..... 45
DNS Top Tunneling Activity ..... 45
DNS Tunneling Traffic by Category ..... 46
Top Malware and DNS Tunneling Events by Client ..... 47
DNS RPZ Hits Trend by Mitigation Action ..... 48
Threat Insight Logging ..... 49
DNS Tunneling Logs ..... 49
Review Threat Insight in the Cloud Reporting ..... 51
Threat Insight Data Exfiltration Report ..... 51
Threat Insight Malware Report ..... 53
Threat Insight Command & Control Report ..... 54
Troubleshooting & FAQ Threat Insight ..... 55
Unable to download Threat Analytics Module and Whitelist Set ..... 55
Threat Analytics service not starting ..... 55
Threat Analytics service stopped after removing RPZ license ..... 56
What is the time spent by the data connector to send the queries from on-premise to the cloud? ..... 56
Why can’t I see the update of the Whitelist between on-premise and the cloud? ..... 56
How often are the module algorithms updated for Threat Insight? ..... 56
In the logs messages I see something that looks like 0.99967. ..... 56
How can I find the relevant queries for DNS tunneling? ..... 56
How do I report a false positive or questionable detection? ..... 56
Summary ..... 56

Introduction

This guide provides deployment instructions for Infoblox Threat Insight (TI) and Threat Insight in the Cloud (TIitC). TI and TIitC protect mission-critical DNS infrastructure from being used for data exfiltration, data infiltration and DNS tunneling.

A major differentiator between Threat Insight and TI in the Cloud is that TI in the Cloud, although slower because of the time spent transporting data to the cloud, blocks malicious DNS traffic in a more advanced way and has greater processing capability to deal with a wider range of threats. For example, it can protect against DGA and Fast Flux activity and deal with “lower and slower” exfiltration attempts, whereas Threat Insight on-premise is faster but cannot protect against DGA and Fast Flux.

Hackers exploit the DNS protocol as a pathway for data exfiltration through DNS tunneling attacks. DNS tunneling involves tunneling another protocol through port 53 by means of malware-infected devices. This malicious DNS tunneling activity mostly goes unnoticed, even by next-generation firewalls. The purpose of these attacks is to steal sensitive information such as credit card numbers and company financials. This is achieved either by establishing a DNS tunnel from within the network or by encrypting and embedding chunks of that data in DNS queries/responses. The data is decrypted at the other end and reassembled so that valuable information can be stolen and misused by malicious attackers.

DNS tunneling is a two-way protocol exchange occurring over DNS. Data exfiltration/infiltration via DNS does not necessarily imply DNS tunneling, even though some methods may be similar. In this document, when we refer to any of these methods of data transfer over DNS, all of them are applicable.

How Threat Insight Analytics Defends Against Threat Actors

Threat Analytics is a zero-day approach: the threat is not known to blacklists beforehand, and sophisticated algorithms catch new threats and stop them in their tracks. These algorithms leverage AI via machine learning and neural networks. Multiple benchmarks are taken into account across a sequence of requests to determine malicious activity; anomaly scoring is used to ensure maximum accuracy.

Once Infoblox starts forwarding its traffic to the cloud or sends its traffic via Infoblox’s Data Connector, TIitC starts analyzing the incoming DNS data and applying the algorithms to detect security threats that have the same or similar behavior as the known data. Once security threats are detected, the appliance blacklists the domains and transfers them to the designated mitigation response policy zone, and traffic to the offending domains is blocked, preventing DNS lookups for these domains.

Infoblox Threat Insight also includes a whitelist that contains trusted domains for which DNS traffic is allowed. These are known good domains that carry legitimate DNS tunneling traffic, such as Akamai, Amazon AWS, Sophos, McAfee, Spotify and various others. The whitelist is extensible, so new whitelisted domains can be added and rolled out accordingly. You can also add custom whitelisted domains or move blacklisted domains to the whitelist.

Prerequisites

The following prerequisites are needed before using Threat Insight:

• Required:
  o Response Policy Zone (RPZ) License
  o For on-premise Threat Insight License (one of the following licenses):
    § BloxOne Threat Defense Advanced
    § BloxOne Threat Defense Business - On Premise
    § BloxOne Threat Defense - Essentials
  o For cloud Threat Insight License (one of the following licenses):
    § BloxOne Threat Defense Advanced
    § BloxOne Threat Defense Business - Cloud
    § BloxOne Threat Defense Business - On Premise
  o Threat
  o DNS License
  o Grid Master should be able to access https://ts.infoblox.com (resolve and reach) for the Threat Analytics module sets;
• Recommended:
  o Reporting member to view reports on DNS tunneling activity;

The following prerequisites are needed before using Threat Insight in the Cloud:

• BloxOne Threat Defense with Business-Cloud or Advanced licensing;
• Infoblox BloxOne Threat Defense Endpoint, DNS Forwarding Proxy (DFP), Infoblox NIOS to forward query data to the cloud, or Infoblox NIOS with Data Connector to push query data to the cloud;
• NIOS On-Premise (if using Infoblox NIOS with TIitC):
  o DNS, Grid and NIOS License;
• NIOS Data Connector VM (if DNS traffic isn’t forwarded);
• RPZ License on a NIOS appliance to push threat indicators (optional if not using the Data Connector);
• Recommended if using Infoblox NIOS:
  o Reporting member to view reports on DNS tunneling activity;

Best Practices

Threat Insight (TI):

• The DNS and Threat Analytics licenses should be installed on the member servicing Threat Analytics;
• A Grid-wide RPZ license should be installed, and the Threat Insight member should be used as a DNS server for the mitigation RPZ;
• Due to the memory and capacity required to perform analytics, make sure to run Threat Insight and RPZ on supported appliances with adequate resources;
• Use Threat Insight in log-only mode (RPZ action PASSTHRU) for a while (minimum one or two weeks);
• Create a local RPZ which will include local whitelisted zones; it should be placed before the mitigation RPZ;

Threat Insight in the Cloud (TIitC):

• When not using the Data Connector, you should pull the Threat Insight blacklist down to the on-premise system for efficiency;
• Due to the memory and capacity required to perform analytics, make sure to run RPZ on supported appliances with adequate resources. In most deployments, Threat Insight should not run on a Grid Master or Master Candidate;
• Use log-only mode for a while (minimum one or two weeks) to prevent accidental network outages;
• For on-premise NIOS, create a local RPZ which will include local whitelisted zones; it should be placed before the blocking RPZ;

Supported Appliances

TI: The following are the supported appliance models on which you can enable the Threat Analytics service:

• IB-4010, IB-4020, IB-4030
• PT-1405, PT-2200, PT-2205, PT-4000
• TE-1415, TE-1425, TE-2210, TE-2215, TE-2220, TE-2225 (Virtual and Physical)

TIitC:

• For NIOS appliances using TIitC with Infoblox Data Connector, refer to the Data Connector User’s Guide;

Deploying Threat Insight

Create a local RPZ as the Mitigation Blacklist Feed

For the Threat Analytics service to function properly and for NIOS to properly report detected blacklisted domains, you must create and designate a local RPZ as the mitigation blacklist feed for the appropriate name servers. The following steps are needed to accomplish this:

Creating Local RPZ

To create a local RPZ:

1. Navigate to “Data Management → DNS → Response Policy Zones”;

2. From the “Toolbar” click “Add → Zone → Response Policy Zone”;

3. In the “Add Response Policy Zone Wizard” select “Add Local Response Policy Zone”;

4. Click “Next”;

5. In the “Name” field, enter the appropriate name for the local RPZ. In our example we entered local-rpz;

6. Select the appropriate value in the “Policy Override” drop-down menu. Please refer to the Best Practices section for initial deployment. In our example we selected Block (No data);

7. Select the appropriate value from the “Severity” drop-down menu. In our example we selected the default Major;

8. Click “Next” to associate the local RPZ with the appropriate primary name servers, one of which must be the Threat Insight member;

9. Choose the appropriate option based on your DNS configuration. In this guide we are using the option “Use this set of name servers”;

10. Click “+ → Grid Primary”;

11. Click “Select” under the “Add Grid Primary” section;

12. Then select an appropriate name server from the list;

13. In our example we selected the Threat Insight member (minimum requirement) as the name server for the local RPZ;

14. Click “Add”;

15. Click “Save & Close” and click “Restart”;

16. The local RPZ is now configured; please put it in the appropriate order given the number, type and contents of the RPZs;

Note: it is recommended to put the RPZ which Threat Insight is populating ahead of the other RPZs.
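The Introduction describes the mechanism (score query behaviour, skip analytics-whitelisted domains, push detections into a mitigation RPZ) and the steps above choose the RPZ Policy Override for that feed. The following Python is an added example written for this page, not Infoblox code: it runs a simple tunneling heuristic over constructed log lines and renders the result as RPZ records for PASSTHRU (log-only), Block (No data) and Block (No such domain). The log line format, the whitelist matching rule, the last-two-labels domain split and the thresholds are assumptions; the RPZ CNAME encodings follow the standard RPZ convention.

```python
import math
import re
from collections import defaultdict

# Constructed sample of query-log lines (the line format is an assumption for
# this example, not a NIOS log format). The hex labels under c2-demo.invalid
# mimic a tunnel encoding data in the leftmost label; sophos.com carries similar
# looking traffic but is on the analytics whitelist, as the guide describes.
SAMPLE_LOG = """\
client 10.1.1.5 query: www.example.com IN A
client 10.1.1.5 query: mail.example.com IN A
client 10.1.1.7 query: 0123456789abcdeffedcba9876543210.sophos.com IN A
client 10.1.1.7 query: 123456789abcdef00fedcba987654321.sophos.com IN A
client 10.1.1.7 query: 23456789abcdef0110fedcba98765432.sophos.com IN A
client 10.1.1.7 query: 3456789abcdef012210fedcba9876543.sophos.com IN A
client 10.1.1.7 query: 456789abcdef01233210fedcba987654.sophos.com IN A
client 10.1.1.9 query: 0123456789abcdeffedcba9876543210.t.c2-demo.invalid IN TXT
client 10.1.1.9 query: 123456789abcdef00fedcba987654321.t.c2-demo.invalid IN TXT
client 10.1.1.9 query: 23456789abcdef0110fedcba98765432.t.c2-demo.invalid IN TXT
client 10.1.1.9 query: 3456789abcdef012210fedcba9876543.t.c2-demo.invalid IN TXT
client 10.1.1.9 query: 456789abcdef01233210fedcba987654.t.c2-demo.invalid IN TXT
client 10.1.1.9 query: 0123456789abcdeffedcba9876543210.updates.corp.example IN A
"""

# System whitelist entries named in the guide plus one constructed custom entry.
SYSTEM_WHITELIST = {"sophos.com", "mcafee.com"}
CUSTOM_WHITELIST = {"updates.corp.example"}

# RPZ encodings of the guide's Policy Override choices: CNAME rpz-passthru. is
# passthru (the log-only mode from Best Practices), CNAME *. is NODATA (the
# "Block (No data)" override chosen for local-rpz), CNAME . is NXDOMAIN.
POLICY_OVERRIDE = {"PASSTHRU": "rpz-passthru.", "Block (No data)": "*.",
                   "Block (No such domain)": "."}

LOG_RE = re.compile(r"query: (\S+) IN (\S+)")


def parse_queries(text):
    """Return the lower-cased query names found in the log text."""
    matches = (LOG_RE.search(line) for line in text.splitlines())
    return [m.group(1).lower().rstrip(".") for m in matches if m]


def is_whitelisted(qname, whitelist):
    """Assumed rule: an entry covers the domain itself and every name below it."""
    return any(qname == w or qname.endswith("." + w) for w in whitelist)


def registered_domain(qname):
    """Assumption: last two labels; real code should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(label):
    """Bits of entropy per character of one DNS label."""
    if not label:
        return 0.0
    n, counts = len(label), defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(qnames, whitelist):
    """Group non-whitelisted queries by registered domain and compute the
    per-domain features the detection rule looks at."""
    groups = defaultdict(list)
    for q in qnames:
        if not is_whitelisted(q, whitelist):
            groups[registered_domain(q)].append(q)
    return {dom: {
        "unique_subdomains": len({q for q in qs if q != dom}),
        "mean_qname_len": sum(len(q) for q in qs) / len(qs),
        "mean_label_entropy": sum(shannon_entropy(q.split(".")[0])
                                  for q in qs) / len(qs),
    } for dom, qs in groups.items()}


def detect_tunneling(features, min_subs=5, min_entropy=3.0, min_len=30):
    """Flag domains that look like a tunnel: many distinct, long, high-entropy
    subdomains. Thresholds are illustrative; tune them during log-only mode."""
    return {d for d, f in features.items()
            if f["unique_subdomains"] >= min_subs
            and f["mean_label_entropy"] >= min_entropy
            and f["mean_qname_len"] >= min_len}


def rpz_records(domains, policy="Block (No data)"):
    """Render blacklisted domains as RPZ records (domain and wildcard), tagged
    with the DNS Tunneling keyword the guide says appears in the Comment column."""
    target = POLICY_OVERRIDE[policy]
    return [f"{name} CNAME {target} ; DNS Tunneling"
            for d in sorted(domains) for name in (d, "*." + d)]
```

Running it in PASSTHRU first, as Best Practices recommends, lets you review which registered domains would be blacklisted before switching the feed to a blocking override.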

Designate Local RPZ as Mitigation Blacklist Feed

To designate a local RPZ as the Grid-wide mitigation blacklist feed:

1. Go to the “Data Management → Threat Analytics → Whitelist” tab;

2. Click “Grid Threat Analytics Properties” from the “Toolbar”;

3. Click “Add” under the “DNS Threat Analytics” tab. If there is only one local RPZ feed present, it is selected automatically without presenting a list of local RPZs. In our example we have one local RPZ feed named local-rpz;

4. Click “Updates” in the “Infoblox (Grid Threat Analytics Properties)” window;

5. The “Updates” tab displays “Current Whitelist Version” (version number of the threat analytics whitelist set active on the Grid) and “Active Module Set Version” (version number of the threat analytics module set that is currently active on the Grid);

Configuring Update Policy

To configure how you want to obtain the latest threat analytics updates, you have two options in the “Updates” tab under “Grid Threat Analytics Properties”:

• Automatic Update;
• Manual Update;

Review the version listed under “Latest Available Module Set”. If the version does not match the version listed under “Active Module Set Version”, the updates can be received depending on the method you choose, Automatic or Manual, and based on the schedule you configure.

Automatic Update

1. Before opting for automatic updates, test the connection by clicking “Test Connection” in the “Module Set Updates” section;

2. Wait for a message to appear at the top of the Grid Threat Analytics Properties window that confirms a successful connection to the portal responsible for providing updates;

3. To receive updates automatically, select “Automatic” from the “Module Set Update Policy” drop-down menu and select the option “Enable Automatic Module Set Updates” to enable the automatic update feature;

4. If you select “Default Schedule”, the appliance will download the updates between midnight and 6am. To override the current update policy, click “Download Module Set Now” to force an immediate download of the “Module Set” and “Whitelist version”;

5. To choose a custom schedule, click the calendar icon;

6. From “Automatic Module Set Updates Scheduler”, you can select Hourly, Daily, Weekly or Monthly based on how often you want to update the module set and whitelist set;

7. Click “OK” once the desired schedule is configured;

Manual Update

If you select Manual as the update policy, the appliance displays a banner message in Grid Manager to notify you when new updates are available. You must then decide whether or not to apply the updates to the Grid. To set the policy for manual updates:

1. Go to “Data Management → Threat Analytics → Whitelist → Updates”;

2. Select Manual from the “Module Set Update Policy” drop-down menu in the “Module Set Updates” section;

3. Click “Save & Close”;

Starting Threat Analytics Service

To start the Threat Analytics service:

1. Go to the “Grid → Grid Manager → Threat Analytics” tab;

2. Select the appropriate member for which Threat Analytics service needs to be started;

3. Click “Start” from Toolbar;

4. Click on checkbox “I have read and acknowledged the notice” when prompted for “Start Member Threat Analytics Service” then click “Yes”;

5. Restart services;

6. To verify that the Threat Analytics service started, check the “Services Status” column. It will report “Threat Analytics Service is working” once it has finished starting. Click the Refresh button as necessary (the page does not refresh automatically);

Viewing the Analytics Whitelist

The trusted domains on which Infoblox allows DNS traffic by default can be viewed under the “Data Management → Threat Analytics → Whitelist” tab.

These are known good domains that carry non-malicious traffic, such as Avast, Sophos, McAfee, Boingo, Barracuda, and others. They are marked as “System” types, and you cannot delete them, but you can disable them so that they are no longer treated as trusted domains.

Disable Whitelist Domains

1. Click the gear icon next to a domain and select “Edit”;

2. Select the checkbox labeled “Disable”;

3. Click “Save & Close”;

Add Custom Whitelist Domains

To add domains that you deem trustworthy to the whitelist:

1. Navigate to the “Data Management → Threat Analytics → Whitelist” tab;

2. Click “Add Custom Whitelist” from the “Toolbar”;

3. In the “Add Custom Whitelist” wizard, complete the following:
   a. Domain Name: enter the name of the domain that needs to be added to the analytics whitelist;
   b. Comment: optional field to add additional information about the domain;

4. Click “Save & Close”;

Note: When you add a custom domain, it is marked as “Custom” in the whitelist.

View Blacklist Domains

To review the list of blacklisted domains:

1. Go to the “Data Management → DNS → Response Policy Zones” tab;

2. Click the mitigation blacklist RPZ name. In our example it is local-rpz;

3. Grid Manager displays the list of all blacklisted domains;

Any entry that is added through detection of DNS tunneling activity has the keywords DNS Tunneling in the Comment column. This can be exfiltration or infiltration. The alternate path to view blacklisted domains: navigate to “Data Management → Threat Analytics → Whitelist → Response Policy Zones Home”;

Moving a blacklisted domain to analytics whitelist

If you want to move a blacklisted domain to the analytics whitelist so that it becomes a trusted domain:

1. Select the gear icon next to the domain;

2. Click “Move to Whitelist”;

3. Read the message and click “Yes”;

4. The selected domain is now moved to the whitelist;

5. Click the “Go to Threat Analytics Whitelist view” link to view the whitelisted domains.

Search for the domain name you just moved by typing its name in the “Go to” field. In our example it is maybe-goosite.com. The comment Moved from blacklist RPZ is automatically added upon the move and confirms that the domain was initially a blacklisted domain.

Deploying Threat Insight in the Cloud

The following are the required and recommended steps to enable TIitC on applicable Infoblox appliances, either by forwarding traffic or via Infoblox’s Data Connector. To use TIitC with NIOS, traffic needs to be forwarded to the cloud or the Data Connector needs to push data to the cloud.

Use TIitC by Forwarding Traffic

Add NIOS appliance to the Cloud

1. In CSP navigate to “Manage” → “On-Prem Hosts” and select the “Create On-Prem Host” button;

2. Enter any name that does not already exist for the “DNS Forwarder Name” field;

3. Click the “Application & Services” drop down and click to enable “DNS Forwarding Proxy”;

4. Click the “Save & Close” button;

Give Access to Forward Traffic to the Cloud

1. Navigate to “Manage” → “On-Prem Hosts” and insert the name of the DFP created in the “Add NIOS appliance to the Cloud” steps above into the search box;

2. Select the DFP and select the “Copy” button to copy the “API Access Key” to your clipboard;

3. Navigate to the “Grid” → “Grid Manager” → “DNS” tab, select the DNS appliance that will forward traffic to the cloud, and then under the “Toolbar” click “Edit” → “Member DNS Properties”;

4. Navigate to the “Forwarders” tab;

5. Check the “Enable Recursive Queries Forwarding to ActiveTrust Cloud” box;

6. Insert the “Access Key” that was copied from the CSP portal;

7. (Optional) Select the “Fallback to the default resolution process if ActiveTrust Cloud does not respond” check box;

8. If this is your first time forwarding traffic to the cloud, you may need to click “Yes” on the Warning pop-up to continue;

9. Wait a few minutes and restart the relevant services;

Note: It may take several minutes for the NIOS appliance to start forwarding to the Cloud.

Use TIitC with Data Connector

1. Provision your Data Connector server to send data to Infoblox Cloud destinations:
   a. Using your web browser, log into your account on the Cloud Services Portal (https://csp.infoblox.com/);
   b. Navigate to “Administration” → “Data Connectors”;
   c. Click the “Add” button to add a new entry;
   d. Enter a (unique) name and select the Region;
   e. Click “Save”;

Take note of the Name, URL and API Access Key, as these will be required later in these steps.

2. Go to the data connector command line and type “data destination cloud registration” on the > prompt:

a. Type “set url <URL>”, enter the URL obtained from the Cloud Services Portal (CSP) which was generated above in step 1;

b. Type “set api_key <api id>”, enter the API ID obtained from the Cloud Services Portal (CSP) which was generated above in step 1;

c. Type “set agent_id <name>”, enter the Name obtained from the Cloud Services Portal (CSP) which was generated above in step 1;

d. Verify that the information entered is correct by typing “info”;

3. For setups where data output cloud registration settings have been configured (as detailed above) navigate to “data destination cloud”:

a. Enter the output cloud mode by typing “set mode <mode>”. The acceptable values are:

i. disabled: data is not processed by the Data Connector and is not pushed to the BloxOne Threat Defense Cloud portal. This is the default;

ii. hold: data is processed from the Grid members and is held on the Data Connector. This is a good way to get statistics on the amount of data being sent to the Data Connector;

iii. forward: data is processed and forwarded to the BloxOne Threat Defense Cloud portal;

Note: As a best practice, hold the data when initially enabling this feature to determine the amount of data generated over time; however, you will need to forward the data in order to use TIitC.


4. Type “info” to confirm;

5. Configure Infoblox Grid as source of IPAM, User, and lease data and also for time synchronization. Type in “data source grid” from the > prompt;

6. Type “set username <admin username>”. This command is used for setting the admin username for the Data Connector to login to the Grid;

7. Type “set address <IP address of Grid Master or Grid Master Candidate>”;

8. Type “password” to enter the admin password for the Grid Master;

9. Type “sync all” to synchronize the connection between the Data Connector and the Grid;


10. You will be using the “set query” command to configure the Grid as the source of the IP metadata:

a. Type “set query userinfo enabled”;

b. Type “set query ipam enabled”;

c. Type “set query lease enabled”;

11. On the Grid side, configure a syslog server to send DNS RPZ information to the Data Connector. Navigate to “Grid” → “Grid Manager” → “Members” → “Toolbar” → “Grid Properties” → “Edit”;


12. Click on the “Monitoring” button;

13. Enable “Log to External Syslog Servers”. Click on the “+” button to add a syslog server;


14. In the syslog server entry, type in the IP address of the Data Connector, set the Transport to TCP, and click the “Add” button. TCP is the only transport that is supported at this time;

15. Click “Save & Close” and restart service;

16. If your grid is running a NIOS version below 8.0, skip to step 21;

17. Click “Toggle Advanced Mode”;

18. Click on the “General” button and the Advanced tab. Click on “Enable Network Users Feature”;

19. Click on the “Object Change Tracking” button. Click on “Enable Object Tracking Change”;


20. Click “Save & Close”;

21. On the Data Connector side, enter “data source syslog” from the > prompt. Enter “set mode unencrypted”. This command enables the receiving of unencrypted syslog messages from the Grid via TCP;

22. From the > prompt, navigate to “data source scp”. These settings will be used to configure the connection between the Grid and the Data Connector;

a. Type “set user <user>”;

23. Navigate to “data source grid”. These settings allow the Data Connector to login to the Grid Master;

a. Type “set address <ip address>”, enter the IP of the NIOS sending information;

b. Type “set username <username>”, enter the username of the NIOS sending information;

c. Type “password”, then enter the password of the NIOS sending information;

d. Type “info” to confirm information;


24. Now that we have fully configured the Data Connector, switch to the Infoblox NIOS GUI to perform further configurations. After logging into the Infoblox NIOS GUI, navigate to “Grid” → “Grid Manager” → “DNS” → “Toolbar” → “Edit” → “Grid DNS Properties” → “Logging” → “Advanced”:

a. Enable “Capture DNS Queries” and/or “Capture DNS Responses” (best practice is to enable only one option at a time as this can have a performance impact on your server);

b. Enable “Capture queries/response for all domains”;

c. Set the “Export to” menu to “SCP”;

d. Set the “Directory Path” to “~” (which represents “home directory”);

e. Set the “Server Address” to the IP address for your Data Connector server;

f. Set the “Username” that was configured on the Data Connector in step 22;

g. Set the “Password” that was configured on the Data Connector in step 22;

25. Click “Save & Close”;


Pull Threat Indicators from TIitC to On-Premise

Create Local RPZ

This step is optional, as the threat indicators found by TIitC can be blocked in the cloud; however, it is suggested for performance (see “Block Threat Indicators from TIitC in the Cloud” to block the threat indicators discovered by TIitC from the cloud). To create a local RPZ:

1. Navigate to “Data Management” → “DNS” → “Response Policy Zones” tab;

2. From the Toolbar click “Add” → “Zone” → “Response Policy Zone”;

3. In the “Add Response Policy Zone Wizard” select “Add Local Response Policy Zone”;

4. Click “Next”;

5. In the “Name” text field, enter the appropriate name for the local RPZ. In our example we entered ti.cloud;


6. Select the appropriate value from the “Policy Override” drop-down menu. Please refer to the Best Practices section for initial deployment. In our example we selected “Block (No Data)”;

7. Select the appropriate value from the “Severity” drop-down menu. In our example we selected the default, Major;

8. Click “Next” to associate the local RPZ with appropriate primary name servers;

9. Choose appropriate option based on your DNS configuration. In this guide we are using option “Use this set of name servers”;

10. Click “+” → “Grid Primary”;

11. Click “Select” under “Add Grid Primary” section;


12. Select appropriate name server from the list then click “Add”;

13. Click “Save & Close”;

14. Navigate to “Data Management” → “DNS” → “Response Policy Zones” → “Toolbar” → “Order Response Policy Zones” and organize the RPZ order appropriately, given the number, type and contents of the RPZs;


Designate a TIitC On-Premise RPZ Feed

1. Navigate to “Grid” → “Grid Manager” → “DNS” → “Toolbar” → “Edit” → “Grid DNS Properties”;

2. Select the “Queries” tab inside the “Infoblox (Grid DNS Properties)” window;

3. Check the “Allow Recursion Allow recursive queries from” checkbox;

4. Click “Save & Close”;

5. Navigate to “Grid” → “Grid Manager” → “Members” → “Toolbar” → “Grid Properties” → “Edit”;


6. Click “Toggle Advanced Mode”;

7. Select “ActiveTrust Cloud Integration” tab;

8. Enter your email and password to access the CSP portal;

9. Check that a connection was made by clicking “Test Connection”;

10. Navigate to “Data Management” à “DNS” à “Response Policy Zones” tab;

11. Click “Threat Insight in the Cloud Client” from the Toolbar;

12. Select the checkbox to “Enable Cloud Client” and set the interval for how often threat indicators are pulled down from TIitC;

13. Click the “+” button and select the RPZ feed you want to fill with threat indicators from TIitC;

14. Click “Save & Close”;

Block Threat Indicators from TIitC in the Cloud

1. Navigate to “Manage” → “Security Policies” and select the “Add” button, or click “Edit” on a policy already created;

2. Under “Network Scope” add the “Network Locations”, “DNS Forwarders” and “ActiveTrust Endpoint Groups” that you want to protect with the threat indicators discovered by Threat Insight in the Cloud;


Note: for more information about each item under the “Network Scope” refer to the BloxOne Threat Defense Admin Guide.

3. Under “Policy Rules as per Precedence” → “Feeds and Threat Insight” select the Threat Insight Feeds, click the drop-down box and choose “Block”;

4. Click “Save”;


Review Threat Insight On-Premise Reporting

The Security Dashboard is populated whenever the Threat Protection, RPZ, and Threat Analytics services are enabled. The dashboard shows data for the last thirty minutes; if data older than 30 minutes is required, use the Reports instead. To review and explore this dashboard, go to “Dashboards” → “Status” → “Security”;

Security Dashboard

Security Status for Grid

This widget displays the overall security status for the Grid. The Security Status for Grid widget shows the Critical, Major, Warning and Informational events for the different security services enabled in the Grid, such as Threat Protection, RPZ and Threat Analytics. Grid Manager displays this widget only when at least one member in the Grid has the Threat Protection, RPZ or Threat Analytics license installed.

Security Status for All Members

The Security Status for All Members widget shows the status of all the Grid members that support ADP, Threat Analytics and RPZ. At least one member in the Grid must have a Threat Protection, RPZ or Threat Analytics license for this widget to be present. A green status means no security incident occurred in the last 30 minutes. The Overall Status column shows the current overall status of each member; the status can be OK, Warning, Critical or Unknown.


Threat Analytics Status for Grid

All DNS tunneling events detected by the different members running the Threat Insight service are consolidated in this security widget and displayed as Grid-wide data for the last thirty minutes. The Detection Over Time tab shows the DNS tunneling events for the last thirty minutes seen across the Grid.

Top 10 Grid Members tab speaks for itself and shows the members who have seen the most DNS tunneling activity in the last thirty minutes.


The Detection tab lists DNS tunneling events detected across the Grid.

Threat Analytics Status for Member

The Threat Analytics Status for Member widget displays the DNS tunneling events detected by a specific member running the Threat Analytics service. By default, it is turned off. To turn it on, click on the Configure icon.

Click on Select Member

If there is only one member then it is selected without you being presented with a list of members, otherwise select a member from the list. The tab Detection Over Time shows the DNS tunneling events for last thirty minutes seen by the selected member.


If you mouse over a dot, it shows the time and number of events detected during that particular time.

Click on the Detections tab to view the list of DNS tunneling events detected by a particular member. For each DNS tunnel activity, the list shows Client IP, Domain, and time.

Auto Refresh

All widgets mentioned above support auto-refresh. Click the Configure icon and select the Auto Refresh Period check box. There you can specify the refresh period in seconds. The default auto refresh period is 30 seconds; the minimum is 5. Click the Configure icon again to hide the configuration panel.


Viewing the Reports On-Premise

There are reports through which DNS tunneling activities can be monitored. The following reports that include DNS tunneling data can be generated:

DNS Top Tunneling Activity

The report lists the clients that have the greatest number of DNS tunneling activities in a given time frame. The data is shown as a horizontal bar chart by default and can be displayed in table format upon configuration. The default dashboard displays the top 10 clients within the last week.

Upon clicking a client IP address in the table or clicking the bar chart, the rule hits for that client IP are displayed.

Upon clicking View events, all events are listed specific to the client IP.


DNS Tunneling Traffic by Category

This report provides information about DNS tunneling activities by specific categories and the percentage of events by category of DNS tunneling event in a given time period. By default, the report is displayed as a pie chart that lists the categories of DNS tunneling events. You can mouse over the pie in the chart to view the DNS tunneling category, event count, and their percentages.

Clicking on a bar chart takes you to a list of Events.


Top Malware and DNS Tunneling Events by Client

The clients with the greatest number of outbound malicious queries (RPZ hits) and DNS tunneling events during a given time frame can be viewed through this report. The report lists the IP address of the client, the total number of outbound malicious queries, the total number of DNS tunneling events, and the timestamp when the client was last active. The report is in table format.

A sub-report can be viewed upon clicking a client IP in the table that displays client’s IP, client queries, DNS tunneling events, latest time and last seen.


DNS RPZ Hits Trend by Mitigation Action

The DNS RPZ Hits Trend by Mitigation Action dashboard provides trends for the total number of RPZ hits for each mitigation action, along with the total client hits in a given time frame. The report can be viewed either as a line chart, a stacked chart, or in table format.

Clicking on one of the stacked charts shows the list of RPZ events.

Click on Mitigation Action under Interesting Fields.


Threat Insight Logging

All DNS tunneling activities are logged to the syslog. You can view this log to identify specific activities related to DNS tunneling.

DNS Tunneling Logs

To view DNS tunneling activity:

1. Navigate to “Administration” → “Logs” → “Syslog”;

2. Select the member running the Threat Insight service from the “Member” drop-down menu;

3. Select “DNS Tunneling Events” from “Quick Filter” drop-down menu;

4. You can now view the logs that show DNS tunneling activity detected by the member running Threat Analytics service;


5. Once DNS tunneling is detected, the suspicious site is added to the RPZ Mitigation zone. To view the log message for the addition of an entry to the RPZ mitigation zone after DNS tunneling activity is detected:

6. Select “Threat Analytics Module Update Events Logs” from the “Quick Filter” drop-down menu;

7. You can now view the logs that show the Threat Analytics updates;

8. Select “RPZ Incident Logs” from the “Quick Filter” drop-down menu;

9. You can now view the logs that show RPZ hits;
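The quick filters above give you the raw DNS tunneling events, and the FAQ at the end of this guide explains that each message carries a confidence value between 0 and 1 (for example 0.99967). The following added Python script, which is not Infoblox code and not part of this guide, shows one way to triage an exported syslog extract: it parses each detection line, keeps the ones at or above a confidence threshold, and ranks clients by their highest score so an analyst knows whom to look at first. The line layout, the field names client=, domain= and confidence=, and the five sample lines are constructed for this example; adjust PATTERN to the message format your member actually emits. The parent_domains helper collapses per-query hostnames to their last two labels, which is a simplification (no public suffix list) meant only to make the list comparable to what appears in the mitigation RPZ.

```python
"""Triage helper for DNS tunneling detections exported from syslog.

Added example, not Infoblox code. The log line layout below is a constructed
stand-in: the guide does not reproduce the real NIOS message format, so adjust
PATTERN to match the "DNS Tunneling Events" quick-filter output you export.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not captured from a real appliance). They assume a
# key=value message carrying client, domain and the 0..1 confidence score that
# the FAQ describes (e.g. 0.99967). The 4th line is ordinary query logging and
# must be ignored by the parser.
SAMPLE_LOG = """\
2019-03-04T10:15:02Z nios-member1 threat-analytics: DNS tunneling detected client=10.10.5.23 domain=a1b2c3d4.exfil-example.test confidence=0.99967
2019-03-04T10:15:09Z nios-member1 threat-analytics: DNS tunneling detected client=10.10.5.23 domain=e5f6a7b8.exfil-example.test confidence=0.99912
2019-03-04T10:16:44Z nios-member1 threat-analytics: DNS tunneling detected client=10.10.7.4 domain=cdn-update.vendor-example.test confidence=0.61020
2019-03-04T10:17:01Z nios-member1 named: client 10.10.7.4#51234: query: www.example.test IN A
2019-03-04T10:18:30Z nios-member2 threat-analytics: DNS tunneling detected client=10.10.9.15 domain=q9r8s7t6.exfil-example.test confidence=0.98750
"""

# Hypothetical message layout; the named groups are what the rest of the code uses.
PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<member>\S+) threat-analytics: DNS tunneling detected "
    r"client=(?P<client>\S+) domain=(?P<domain>\S+) confidence=(?P<confidence>[0-9.]+)$"
)


def parse_event(line):
    """Return a dict for a tunneling detection line, or None for any other line."""
    m = PATTERN.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["confidence"] = float(ev["confidence"])
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def triage(log_text, min_confidence=0.9):
    """Group detections by client IP, keeping those at or above min_confidence.

    Returns a list of per-client summaries sorted by highest confidence, then
    by event count, so the clients most worth investigating come first.
    """
    per_client = defaultdict(
        lambda: {"events": 0, "domains": set(), "max_confidence": 0.0, "last_seen": None}
    )
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["confidence"] < min_confidence:
            continue
        entry = per_client[ev["client"]]
        entry["events"] += 1
        entry["domains"].add(ev["domain"])
        entry["max_confidence"] = max(entry["max_confidence"], ev["confidence"])
        if entry["last_seen"] is None or ev["ts"] > entry["last_seen"]:
            entry["last_seen"] = ev["ts"]
    rows = []
    for client, entry in per_client.items():
        rows.append({
            "client": client,
            "events": entry["events"],
            "domains": sorted(entry["domains"]),
            "max_confidence": entry["max_confidence"],
            "last_seen": entry["last_seen"].isoformat(),
        })
    rows.sort(key=lambda r: (-r["max_confidence"], -r["events"], r["client"]))
    return rows


def parent_domains(rows):
    """Collapse each detected hostname to its last two labels (a simplification:
    no public suffix list) so the set can be compared with the mitigation RPZ."""
    out = set()
    for r in rows:
        for d in r["domains"]:
            labels = d.rstrip(".").split(".")
            out.add(".".join(labels[-2:]))
    return sorted(out)


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f"{r['client']:<14} events={r['events']} "
              f"max_conf={r['max_confidence']:.5f} last={r['last_seen']}")
    print("parent domains to expect in the mitigation RPZ:", parent_domains(rows))
```

Lowering min_confidence pulls in weaker detections such as the 0.61 event in the sample; the threshold is a triage choice, not a verdict, and a low-score client that keeps reappearing across runs still deserves a look.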


Review Threat Insight in the Cloud Reporting

Inside the CSP portal navigate to “Analyze”; here you can find the reports for TIitC.

Threat Insight Data Exfiltration Report

The Data Exfiltration Report lists the DNS clients that experience DNS tunneling activities in a given time frame. DNS tunneling involves tunneling another protocol through port 53, which is often not inspected by firewalls (even next-generation firewalls), by malware-infected devices or malicious insiders. This report shows you the clients that have the most DNS tunneling activities, so you can examine the data and take appropriate actions to secure your networks.


By clicking the target domain, you are able to see the devices that triggered the report, including information about each device.


Threat Insight Malware Report

The Malware Report lists the devices that experience DNS tunneling activities through a malware called DNSMessenger in a given time frame. DNSMessenger is a Remote Access Trojan (RAT) that attackers use to run malicious PowerShell commands on compromised devices. This report shows you the devices that have the most malware activities, so you can examine the data and take appropriate actions to secure your networks. By default, the report is filtered by all networks/scopes, all users, all security policies, and all devices over a 24-hour time frame. You can change the defaults by selecting applicable filters for each category.

By clicking on the device, you are able to see the queries that the device made that relate to the malware.


Threat Insight Command & Control Report

The Command & Control Report lists the devices that experience malicious activities instigated by Fast Flux and Domain Generation Algorithm (DGA) in a given time frame. Fast Flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind a network of compromised hosts acting as proxies. This report shows you the devices that have the most Fast Flux and DGA activities, so you can examine the data and take appropriate actions to secure your networks.


By clicking the target domain, you are able to see the devices that triggered the report, including information about each device.

Troubleshooting & FAQ Threat Insight

Unable to download Threat Analytics Module and Whitelist Set

You may encounter a situation where the Threat Insight appliance is not able to download the Threat Analytics Module and Whitelist set from ts.infoblox.com. The troubleshooting steps are as follows:

• Make sure the Grid can resolve the hostname ts.infoblox.com.

o A resolver must be configured for the Grid so that any member involved can resolve the hostname (please see the Enabling DNS resolver section).

• Make sure the Grid can reach the server ts.infoblox.com.

o Check to see if any firewall rule is blocking the path to HTTPS.

o Check the proxy setting if applicable.
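The two bullets above reduce to a name-resolution check and an HTTPS-path check. The following added Python script, which is not Infoblox code, performs both from an administrative host that sits on the same network path as the Grid (the appliance itself does not run user scripts), including an HTTP CONNECT probe for the case where the Grid is configured to use a forward proxy. The hostname ts.infoblox.com and port 443 come from the guide; the proxy address is a placeholder you supply, and the findings describe the path from the host you run the script on, which is only a proxy for the appliance's own path when both sit behind the same resolver and firewall.

```python
"""Connectivity checks behind the troubleshooting steps above.

Added example, not Infoblox code. Run it from a host on the same network path
as the Grid to confirm that ts.infoblox.com resolves and that TCP/443 is
reachable, either directly or through the proxy the Grid is configured to use.
"""
import socket

TS_HOST = "ts.infoblox.com"  # the name the guide says the Grid must resolve and reach
HTTPS_PORT = 443


def resolve(host):
    """Return the first IPv4 address for host, or None when resolution fails.
    A None here points at the Grid resolver / DNS path (the first bullet)."""
    try:
        return socket.gethostbyname(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def tcp_reachable(host, port, timeout=5.0):
    """True when a TCP connection to host:port completes within timeout.
    Resolution OK but this failing points at a firewall on the HTTPS path."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_connect_status(status_line):
    """True for an 'HTTP/1.x 2xx ...' status line, i.e. the proxy agreed to tunnel."""
    parts = status_line.split()
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1].startswith(b"2")


def proxy_connect_ok(proxy_host, proxy_port, target_host, target_port=HTTPS_PORT, timeout=5.0):
    """Issue an HTTP CONNECT through a forward proxy (the 'check the proxy
    setting' bullet). Returns True only when the proxy answers 2xx; any socket
    error, timeout or non-2xx status returns False."""
    request = (f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
               f"Host: {target_host}:{target_port}\r\n\r\n").encode()
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
            s.sendall(request)
            status_line = s.recv(1024).split(b"\r\n", 1)[0]
    except OSError:
        return False
    return parse_connect_status(status_line)


def diagnose(host=TS_HOST, proxy=None):
    """Run the checks in the order the troubleshooting bullets list them and
    return a dict of findings. proxy is an optional (host, port) tuple; it is
    a placeholder for whatever proxy the Grid is configured with."""
    findings = {"host": host, "resolved_ip": resolve(host)}
    findings["resolves"] = findings["resolved_ip"] is not None
    if proxy:
        findings["path"] = "proxy"
        findings["https_reachable"] = proxy_connect_ok(proxy[0], proxy[1], host)
    else:
        findings["path"] = "direct"
        findings["https_reachable"] = (
            findings["resolves"] and tcp_reachable(findings["resolved_ip"], HTTPS_PORT)
        )
    return findings


if __name__ == "__main__":
    # Direct path; pass proxy=("proxy.example.test", 3128) for a proxied Grid.
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Read the findings in order: if resolves is False, fix the Grid resolver first, because every later check depends on it; if resolution works but https_reachable is False on the direct path, the firewall bullet applies; on the proxy path a False result with a working proxy for other hosts usually means the proxy denies CONNECT to that destination.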

Threat Analytics service not starting

Make sure you have configured the Mitigation RPZ as explained in the deployment section of this guide.


Threat Analytics service stopped after removing RPZ license

This is expected behavior. Removing a Grid-Wide RPZ license will disable the Threat Analytics service.

Note: For help with troubleshooting, please consult Infoblox support at the following link: https://support.infoblox.com

What is the time spent by the data connector to send the queries from on-premise to the cloud?

This is a configurable value that can be found in the Data Connector Admin Guide.

Why can’t I see the update of the Whitelist between on-premise and the cloud?

There is an effort to update both the cloud and on-premise whitelists, and there will be changes that allow the cloud whitelist to be configured; however, currently they are static and cannot be changed.

How often are the module algorithms updated for Threat Insight?

Modules are updated on an as-needed basis and as improvements are made. Cloud modules are updated more frequently, because on-premise modules rely on hardware and different architectures, and changing an on-premise algorithm module has a larger impact.

In the log messages I see something that looks like 0.99967.

This is the confidence, out of “1”, that the query is some sort of data exfiltration, infiltration or tunneling.

How can I find the relevant queries for DNS tunneling?

On-Premise: you may use the Splunk reporter to see the users who made the malicious queries and other useful information. Cloud: simply click on the threat and you will see who triggered the event and how many times they tried.

How do I report a false positive or questionable detection?

Open a support ticket on the Infoblox support site and Infoblox will help resolve the issue.

Summary

Hackers exploit the DNS protocol as a pathway for data exfiltration through DNS tunneling attacks. DNS tunneling involves tunneling another protocol through port 53 by means of malware-infected devices. This malicious DNS tunneling activity mostly goes unnoticed, even by next-generation firewalls. The purpose of these attacks is to steal sensitive information such as credit card numbers and company financials. This is achieved either by establishing a DNS tunnel from within the network or by encrypting and embedding chunks of that data in DNS queries/responses. Data is decrypted at the other end and put back together so valuable information can be stolen and misused by malicious attackers. Infoblox Threat Insight and Threat Insight in the Cloud detect and prevent DNS-based exfiltration, infiltration and tunneling. With the DNS Firewall, Threat Insight and Threat Insight in the Cloud block DNS-based exfiltration in real time and help accelerate remediation. TI and TIitC take a zero-day approach: the threat is not known to blacklists beforehand, and through the use of sophisticated algorithms new threats are caught and stopped in their tracks. These algorithms leverage AI via machine learning and neural networks. Multiple benchmarks are taken into account across a sequence of requests to determine malicious activity; anomaly scoring is used to ensure maximum accuracy. Once Infoblox starts forwarding its traffic to the cloud or sends its traffic via Infoblox’s Data Connector, TIitC starts analyzing incoming DNS data and applying the algorithms to detect security threats that have the same or similar behavior as the known data. Once security threats are detected, the appliance blacklists the domains and transfers them to the designated mitigation Response Policy Zone, and traffic to the offending domains is blocked, preventing DNS lookups for these domains.


Infoblox is leading the way to next-level DDI with its Secure Cloud-Managed Network Services. Infoblox brings next-level security, reliability and automation to on-premises, cloud and hybrid networks, setting customers on a path to a single pane of glass for network management. Infoblox is a recognized leader with 50 percent market share comprised of 8,000 customers, including 350 of the Fortune 500.

Corporate Headquarters | 3111 Coronado Dr. | Santa Clara, CA | 95054

+1.408.986.4000 | 1.866.463.6256 (toll-free, U.S. and Canada) | [email protected] | www.infoblox.com

© 2018 Infoblox, Inc. All rights reserved. Infoblox logo, and other marks appearing herein are property of Infoblox, Inc. All other marks are the property of their respective owner(s).