Skip to main content
Skip table of contents

1527 - Using NIOS Threat Insight Monitoring and Reporting

Scenario

As part of the corporate security policy, you are tasked with gathering information about the clients that may be compromised, you use Logs, Security Dashboards, and Reports to view the records and statistics relating to Threat Analytics events.

Estimate Completion Time

  • 30 to 45 minutes

Credentials

Description

Username

Password

URL or IP

Grid Manager UI

admin

infoblox

https://10.100.0.100/

Course References

  • 1021: NIOS Threat Insight Monitoring and Reporting

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and login to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Screenshot 2024-05-06 at 3.16.57 PM.png

Tasks

  • Conditional Task 1: Adding Licenses

  • Conditional Task 2: Setup the reporting server

  • Task 1: Run Data Exfiltration

  • Task 2: View Data Exfiltration attempts in Syslog

  • Task 3: View Data Exfiltration in the NIOS Security Dashboard

  • Task 4: View Threat Analytics Results in Reporting Server Reports

  • Task 5: Create a Search for hits on ta-mitigation.rpz

  • Task 6: Create an Alert to Email the Security team for Mitigation RPZ Hits

Conditional Task 1: Adding Licenses

If either the RPZ or Threat Analytics licenses are missing from grid member ibns2.techblue.net, please execute this step.

  • Apply the RPZ and Threat Analytics license files stored on the Jump-desktop

  • Verify that DNS licenses are enabled and running on the member hosting Threat Analytics.

  • Add the RPZ and Threat Analytics licenses located in the Shared Drive/Licenses folder under the name RPZ.lic and TI.lic.

Conditional Task 2: Setup the reporting server

If the reporting server is not setup, please use the following instructions to set it up

  • If you need to setup the reporting server Enter the following File Server Settings:

Configuration

Value

Username

training

Password

infoblox

Protocol

SCP

Host/ IP Address

10.100.0.205

Port

22

Path

/home/training/Documents/ReportingData

Task 1: Run Data Exfiltration

  • Log into the Data Exfiltration Demo and navigate to the DNS Script Decoder tool. This is the tool you will use to perform Data Exfiltration. This time they will be blocked by Threat Analytics.

  • Generate multiple Data Exfiltration events using these files:

    1. Shared Drive/NIOS-Imports/Data-Exfiltration.csv

    2. Shared Drive/NIOS-Imports/NIOS-Imports/Data-Exfiltration.jpg

  • Use DNS Server 10.200.0.105 for both files.

Task 2: View Data Exfiltration attempts in Syslog

  • View exfiltration attempts logged to syslog. The DEX platform regularly changes domain names. Make sure you know what domain name is used for your exfiltration.

Task 3: View Data Exfiltration in the NIOS Security Dashboard

  • Use the NIOS Security Dashboard to view real-time data exfiltration events.

Task 4: View Threat Analytics Results in Reporting Server Reports

  • Use the Reporting Server to obtain information about exfiltration events.

Task 5: Create a Search for hits on ta-mitigation.rpz

  • Create a Search for hits on the ta-mitigation RPZ. Use the name you gave to your mitigation RPZ. The Search will be used to create a report highlighting exfiltration events.

  • Use this code for the Search: index=ib_dns RPZ_QNAME="*.ta-mitigation.rpz" | timechart count by CLIENT

Task 6: Create an Alert to Email the Security team for Mitigation RPZ Hits

  • Use the Search you created in a previous task to create an Alert. The alert will trigger on exfiltration events and will mail a report to the security team.

  • Delete the Mitigation RPZ Hits alert. If you leave it running, a large number of emails will be generated, which could affect your lab's performance.

Solutions

Conditional Task 1: Adding Licenses

  1. Navigate to Grid → Licenses.

  2. Click Show filter and select feature equals RPZ; if ibns2 is not listed, then please add the RPZ license file.

  3. Click Show filter and select feature equals Threat Analysis. If ibns2 is not listed, please add the TI license file.

  4. Click the plus (+) symbol to add the RPZ license.

  5. Select the Upload License File radio button. Click Select File.

  6. Navigate to shared Drive/Licenses. Click the RPZ.lic file and select Open.

  7. Click Save License(s).

  8. Click Filter On and use a quick filter to search for RPZ licenses.

  9. Repeat the same steps for Threat Insight to install the TI license for ibns2.techblue.net.

Conditional Task 2: Setup the reporting server

  1. Click the very top Reporting tab (in between the Smart Folders and Grid tab).

    1. The app configuration wizard opens – if it doesn’t open immediately, or presents an error, wait 5 minutes and try again, the reporting server might still be starting up

  2. Click Continue to app setup page

  3. Enter the following File Server Settings:

  4. Click Save, you will be taken to the Reporting Home Dashboard
    Note: you can click on the Grid tab to get back to the Grid Manager screen.

Task 1 Solution: Run Data Exfiltration

You can find the Data Exfiltration Demo (DEX) access portal, in the learning portal under MY CATALOG, you can search using [DEX or Data Exfiltration Demo]

Please copy the DEX access URL and run it through Jump-Desktop, NOT THROUGH YOUR OWN BROWSER. This can be done using the lab VM toolbar

  • In this task, you use the Data Exfiltration tools to generate some exfiltration attempts. This time they will be blocked by Threat Analytics.

  1. Log in to the Infoblox Data Exfiltration Demo site using the link in the Learning Portal.

  2. Click the Terms and Conditions tab.

  3. Scroll down and click Accept Terms & Conditions.

  4. Click Accept.

  5. Select Data Exfiltration Tools from the list on the left-hand side.

  6. Select DNS Script Decoder from the Data Exfiltration Tools.

  7. Click Select a file.

    20-20241015-144707.png

  8. Select the /mnt/shared/nios-imports/Data-Exfiltration folder. Choose the Data-Exfiltration.csv file to upload and Click Open.

  9. Type 10.200.0.105 in the DNS Server box. This is the IP Address of ibns2.techblue.net. This step ensures that we know exactly which Grid member to use for traffic capture. Click Generate a script.

    19-20241015-142941.png

  10. Highlight the Unix Shell script. Copy the script and paste into a terminal window on the Jump-Desktop.
    Note: You Need to edit the Script before using it by appending the full path of the Data-Exfiltration file, the full path of the file should be: /mnt/shared/nios-imports/Data-Exfiltration.csv

    6-20241015-143113.png

    7-20241015-143313.png

  11. Press the Enter Key to start exfiltration and wait for the transfer to complete.

    8-20241015-143503.png

  12. Repeat the same steps for the other file:

    1. Shared Drive/NIOS-Imports/Data-Exfiltration.jpg

Please copy the DEX access URL from your LMS

If you wish to repeat the exfiltration for any reason you need to generate a fresh script.

Task 2 Solution: View Data Exfiltration attempts in Syslog

In this task, you view exfiltration attempts logged to syslog. The DEX platform regularly changes domain names. In the examples given in this lab, the domain used by the DEX Platform has changed to gwuuw0.scr. Make sure you know what domain name is used for your exfiltration.

  1. Navigate to Administration → Logs → Syslog.

  2. Click Toggle multi-line view.

  3. Select ibns2.techblue.net from the Member list.

  4. Select RPZ Incident Logs in the Quick Filter.

    14-20241015-144018.png

  5. You can see the NXDOMAIN entry for the domain used by DEX. In the example, the domain is gwuuw0.scr. You may see a different domain. This reflects the Block – No Such Domain policy in ta-mitigation.rpz, the Threat Analytics denylist.

    22-20241016-093217.png

Task 3 Solution: View Data Exfiltration in the NIOS Security Dashboard

In this task, you use the NIOS Security Dashboard to view real-time data exfiltration events.

  1. Navigate to Dashboards → Status → Security. The Threat Analytics status shows DNS Tunneling events.

  2. Scroll down to view the Threat Analytics Status for Grid. Refresh the view. Click Detections to view the detected Client IP Address(s).

Task 4 Solution: View Threat Analytics Results in Reporting Server Reports

In this task, you use the Reporting Server to obtain information about exfiltration events.

  1. Navigate to Reporting → Reports.

  2. Type tunnel in the filter box.

    image-20241016-103832.png

  3. Select the Top Malware and DNS Tunneling event by Client report. View the data for the last 1 week.

Task 5 Solution: Create a Search for hits on ta-mitigation.rpz

In this task, you create a Search for hits on the ta-mitigation RPZ. Use the name you gave to your mitigation RPZ. The Search will be used to create a report highlighting exfiltration events.

  1. Use this code for the Search: index=ib_dns RPZ_QNAME="*.ta-mitigation.rpz" | timechart count by CLIENT

  2. Navigate to Reporting → Search.

  3. Type the commands to search for hits on the mitigation RPZ into the search box. Ensure that you use upper-case characters for CLIENT. Initially, you start with a time value of All Time, to ensure you get a complete data set. Once the data set has built up, change the time to a more specific value, which results in a faster search. In this exercise, leave the time value as All time. Click the Search icon.

  4. Click Visualization and view the results in Column format.

  5. Save the search as a report called Threat Analytics Mitigation RPZ Hits

  6. Select Save As from the Save drop-down list.

  7. Enter the details for the report. Use the title Threat Analytics Mitigation RPZ Hits. Select Column and Table for the Content. Select Yes for the Time Range Picker. Click Save.

  8. Click View to see the new report.

Task 6 Solution: Create an Alert to Email the Security team for Mitigation RPZ Hits

In this task, you use the Search you created in a previous task to create an Alert. The alert will trigger on exfiltration events and will mail a report to the security team.

  1. On the same Report page, Click Edit. Select Open in Search for the Threat Analytics Mitigation RPZ Hits report

  2. Click Alert in the Save As list.

  3. Specify a Title for the Alert. Choose Private for Permissions, and Real-Time for Alert Type.

  4. Set the Trigger alert when value to Number of Results is greater than 1 in 15 minutes. Trigger once for each result.

  5. Set the Throttle value to suppress triggering for 10 minutes. This means that a single tunneling event will only create 1 alert in a 10-minute window.

  6. Configure the Trigger Action.

    1. Select Send Email.

    2. Send the email to soc@techblue.net. Set the Priority to Highest. Type a message, and tick the checkboxes to include Search String, Trigger Condition, and Attach PDF. Click Save.

Task 7 Solution: Delete the Mitigation RPZ Hits alert

In this task, you delete the Mitigation RPZ Hits alert. If you leave it running, a large number of emails will be generated, which could affect your lab's performance.

  1. Navigate to Reporting → Alerts.

  2. Click Mitigation RPZ Hits.

  3. Click Delete in the Edit drop-down list.

  4. Click Delete to confirm.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close