
2545 - Managing NIOS Threat Insight/Analytics


Scenario

You are tasked with deploying Threat Insight within the organization’s security environment. You confirm an RPZ license, then deploy the Threat Analytics license. You confirm the automatic creation of the Threat Analytics Allowlist. After that, you create a Mitigation RPZ. Initially, you use a policy of Passthru for the Mitigation RPZ to test the configuration. You test the configuration using the Infoblox Data Exfiltration Portal (DEX).

Course References

  • 2034: Data Exfiltration and NIOS Threat Insight

Estimate Completion Time

  • 40 to 45 minutes

Credentials

  Description       Username   Password   URL or IP
  Grid Manager UI   admin      infoblox   https://10.100.0.100/

Requirements

  • Administrative access to the Grid

  • Access to the Infoblox Data Exfiltration Demo site (DEX)

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.

Launch Lab

Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.


Tasks

  • Task 1: Confirm the RPZ License

  • Task 2: Apply Threat Insight License

  • Task 3: Confirm Threat Analytics Activation

  • Task 4: Configure Mitigation RPZ

  • Task 5: Start the Threat Analytics Service

  • Task 6: Validate the Threat Analytics Configuration

  • Task 7: Change the RPZ policy mode to Block No Such Domain

  • Task 8: Configure Threat Analytics Update Policy

  • Task 9: Move an entry from the Mitigation RPZ to the Allowlist


Task 1: Confirm the RPZ License

  • Ensure there are active Grid members with RPZ licenses. Threat Analytics requires RPZ and uses an RPZ to block exfiltration.

Task 2: Apply Threat Insight License

  • Apply the Threat Insight license. The license applies to Grid member ibns2.techblue.net.

Task 3: Confirm Threat Analytics Activation

  • Confirm the Threat Analytics service is now available, view the new Threat Analytics tab, and confirm the creation of the Allowlist.

Task 4: Configure Mitigation RPZ

  • Create the Mitigation RPZ. Threat Analytics uses this RPZ to deny domains where data exfiltration is detected. You add the RPZ to the Threat Analytics configuration.

Task 5: Start the Threat Analytics Service

  • Start the Threat Analytics service and acknowledge the terms and conditions for using the service.

Task 6: Validate the Threat Analytics Configuration

  • Check that the Threat Analytics configuration detects Data Exfiltration. The mitigation RPZ policy should be Passthru, so exfiltration won’t be blocked. This is best practice, so you can test Threat Analytics and ensure that legitimate traffic is not blocked.

Task 7: Change the RPZ policy mode to Block No Such Domain

  • Now that you have verified the Threat Analytics configuration, you modify the mitigation RPZ to block data exfiltration. You change the Policy Override mode from Passthru to Block (No Such Domain).

Task 8: Configure Threat Analytics Update Policy

  • Configure automatic updates for Threat Analytics module sets. Corporate policy specifies that updates should occur at a specific time. In the lab, you set the time for the automatic update to 10 minutes from the current time. In a production environment, you set automatic updates to occur at an off-peak time.

Task 9: Move an entry from the Mitigation RPZ to the Allowlist

  • Move an entry from the Mitigation RPZ to the Allowlist to see how the process works, then test that entry to verify that it is now allowed.


Solutions

Task 1 solution: Confirm the RPZ License

  • In this task, you ensure there are active Grid members with RPZ licenses. Threat Analytics requires RPZ and uses an RPZ to block exfiltration.

    1. Navigate to Grid → Licenses → Members.

    2. Enable the Quick Filter - click Show Filter.

    3. Set the filter to look for Feature equals RPZ. Click Apply. The RPZ licenses are listed. There are two licenses associated with ibns1.techblue.net because it’s part of an HA pair. The Grid member ibns2.techblue.net also has an RPZ license.

Task 2 solution: Apply Threat Insight License

  • In this task, you apply the Threat Insight license. The license applies to Grid member ibns2.techblue.net.

    1. Click Reset to clear the license filter.

    2. Click the plus (+) symbol to add a license.

    3. Click Select File. Select the Shared Drive/Licenses folder. Choose TI.lic and click Open.

    4. Click Save License(s).

    5. Modify your filter to show just the Threat Analytics license(s).


Task 3 solution: Confirm Threat Analytics Activation

  • Applying the license activates the Threat Analytics tab. The modules are part of the existing NIOS installation. To confirm the Threat Analytics service is now available, view the new Threat Analytics tab, and confirm the creation of the Allowlist.

    1. Navigate to Data Management. Confirm the Threat Analytics tab is available. Click Allowlist to view the Allowlist.

Task 4 solution: Configure Mitigation RPZ

  • In this task, you create the Mitigation RPZ. Threat Analytics uses this RPZ to denylist domains where data exfiltration is detected. You add the RPZ to the Threat Analytics configuration.

    1. Navigate to Data Management → DNS → Response Policy Zones. Click the plus (+) symbol to add a new RPZ.

    2. Choose Add Local Response Policy Zone. Click Next.


    3. Enter the details for the Mitigation RPZ. In this example, the name used is ta-mitigation.rpz, but you can use any name you prefer. Select Passthru for the Override Policy value so that the configuration can be tested without blocking any traffic. Click Next.

    4. Select the Name Server Group RPZ Local NSG. Click Save and Close.

    5. Restart the services when prompted.

    6. ta-mitigation.rpz is added to the top of the list.

    7. Re-order the RPZ zones to move ta-mitigation.rpz to below walledgarden.rpz.

    8. Restart the services when prompted.

    9. Add the Mitigation RPZ to the Threat Analytics configuration.

      1. Navigate to Data Management → Threat Analytics.

      2. Click on Grid Threat Analytics Properties in the Toolbar.

      3. Click + in the DNS Threat Analytics section.

      4. Choose the RPZ you created in step 3. In this example, the name of the zone is ta-mitigation.rpz. Click OK. Click Save and Close in the Threat Analytics Properties window.

Task 5 solution: Start the Threat Analytics Service

  • In this task, you start the Threat Analytics service. You acknowledge the terms and conditions for using the service.

    1. Navigate to Grid → Grid Manager → Threat Analytics.

    2. Select the member licensed for Threat Analytics, ibns2.techblue.net. Click the Start button.


    3. Check the I have read and acknowledge button and click Yes.

    4. Restart the services. You may need to refresh the screen to see that the service is running.


Task 6 solution: Validate the Threat Analytics Configuration

  • In this task, you check that the Threat Analytics configuration detects Data Exfiltration. At the moment, the mitigation RPZ policy is Passthru, so exfiltration won’t be blocked. This is best practice, so you can test Threat Analytics and ensure that legitimate traffic is not blocked.

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Click the name of the mitigation RPZ. In this example, the name is ta-mitigation.rpz. The RPZ should be empty.

    3. Navigate to Grid → Grid Manager → Members.

    4. Select Traffic Capture from the Toolbar.

    5. Complete the Traffic Capture wizard.

      1. Click the add (+) button and select member ibns2.techblue.net from the Member Selector pop-up window.

      2. Click the check box next to ibns2.techblue.net.

      3. Delete the Seconds to Run value.

      4. Select LAN1 for the Interface.

      5. Leave the Transfer To value as My Computer.


    6. Click the Start (triangle) button to run Traffic Capture.

    7. Log in to the Infoblox Data Exfiltration Demo site using the link in the Learning Portal.

    8. Click the Terms and Conditions tab.

    9. Scroll down and click Accept Terms & Conditions.

    10. Click Accept.

    11. Select Data Exfiltration Tools from the list on the left-hand side.

    12. Select DNS Script Decoder from the Data Exfiltration Tools.

    13. Click select a file.


    14. Select the Shared Drive/NIOS Imports folder. Choose the Data-Exfiltration.csv file to upload and click Open.

    15. Type 10.200.0.105 in the DNS Server box. This is the IP Address of ibns2.techblue.net. This step ensures that we know exactly which Grid member to use for traffic capture. Click Generate a script.


    16. Highlight the Unix Shell script. Copy the script and paste it into a terminal window on the Jump-Desktop.
      Note: You need to edit the script before using it by appending the full path of the Data-Exfiltration file. The full path of the file should be /mnt/shared/nios-imports/Data-Exfiltration

    17. The file should transfer without problems. The RPZ is currently in Passthru mode. Make a note of the domain name used in the DNS queries. In this example, the domain name is gwuuw0.scr.


    18. View the transferred file in DEX to confirm the whole file has been transferred.

    19. Stop Traffic Capture when the transfer is complete.

    20. Download the capture file to the Jump-Desktop machine.


    21. View the results. The exfiltration records can be seen by applying a display filter; dns.qry.name contains “.gwuuw0.” is used in the example. Replace gwuuw0 with whatever domain name is returned in your DNS responses.


    22. Check the mitigation RPZ. Navigate to Data Management → DNS → Response Policy Zones. Click the name of the mitigation RPZ. There should now be a rule in the RPZ to block the gwuuw0.scr domain. Remember the RPZ is currently in Passthru mode, so the Block policy is not applied.


Note: The domain names used by DEX change frequently. You can see the domain name in the DNS responses when the script runs.

Task 7 solution: Change the RPZ policy mode to Block No Such Domain

  • Now that you have verified the Threat Analytics configuration, you modify the mitigation RPZ to block data exfiltration. You change the Policy Override mode from Passthru to Block (No Such Domain).

    1. Navigate to Data Management → DNS → Response Policy Zones. Select the mitigation RPZ and click Edit.

    2. Modify the Override Policy value for the RPZ. Change the value to Block – No Such Domain.

    3. Click Save and Close.

    4. Restart the Services when prompted.

    5. Restart Traffic Capture for ibns2.techblue.net.

    6. Repeat the Data Exfiltration test done in the previous task. View the results. In this example, a very small number of packets are received by the destination server.

    7. View the Traffic Capture results. After the first few packets, the DNS Server (ibns2) blocks the queries and does not contact the external DNS server.

    8. We can also verify this by checking syslog. Navigate to Administration → Logs → Syslog. Select Member ibns2.techblue.net from the drop-down list.

    9. Choose RPZ Incident Logs from the Quick Filter drop-down list.

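The capture filter in Task 6 (dns.qry.name contains the DEX domain) and the RPZ Incident Logs check in Task 7 can be reproduced against the DNS query and RPZ logs themselves. The script below is an added example, not part of the lab or of NIOS: it runs over constructed syslog lines modelled on BIND-style query and RPZ rewrite logging (NIOS DNS is BIND-based; the exact NIOS line format is an assumption), using the gwuuw0.scr domain the walkthrough observed, and reports how many queries for that domain were seen and how many were rewritten by the RPZ and with which policy, so Passthru and Block (No Such Domain) runs can be compared from the log side.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on BIND-style query and RPZ rewrite logging.
# Not captured from the lab Grid; gwuuw0.scr is the domain seen in the walkthrough.
SAMPLE_LOG = """\
client 10.100.0.50#51234 (a3f9c1e2b8d4.gwuuw0.scr): query: a3f9c1e2b8d4.gwuuw0.scr IN TXT + (10.200.0.105)
client 10.100.0.50#51235 (9b2e7d01ff6a.gwuuw0.scr): query: 9b2e7d01ff6a.gwuuw0.scr IN TXT + (10.200.0.105)
client 10.100.0.50#51235 (9b2e7d01ff6a.gwuuw0.scr): rpz QNAME PASSTHRU rewrite 9b2e7d01ff6a.gwuuw0.scr via gwuuw0.scr.ta-mitigation.rpz
client 10.100.0.50#51236 (c0de44aa11bb.gwuuw0.scr): query: c0de44aa11bb.gwuuw0.scr IN TXT + (10.200.0.105)
client 10.100.0.50#51236 (c0de44aa11bb.gwuuw0.scr): rpz QNAME NXDOMAIN rewrite c0de44aa11bb.gwuuw0.scr via gwuuw0.scr.ta-mitigation.rpz
client 10.100.0.51#40001 (www.techblue.net): query: www.techblue.net IN A + (10.200.0.105)
"""

# "client <ip>#<port> (<qname>): query: <qname> IN <type> ..." (assumed BIND-style layout)
QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)")
# "... rpz <trigger> <policy> rewrite <qname> via <rpz record>" (assumed BIND-style layout)
RPZ_RE = re.compile(r"client (?P<client>[\d.]+)#\d+ \([^)]*\): rpz (?P<trigger>\S+) (?P<policy>\S+) "
                    r"rewrite (?P<qname>\S+) via (?P<rpz>\S+)")


def in_domain(qname, domain):
    """True if qname is the domain itself or a subdomain of it (case-insensitive)."""
    q, d = qname.lower().rstrip("."), domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)


def summarize(log_text, domain):
    """Count queries and RPZ rewrites for one domain: the log-side equivalent of the
    dns.qry.name 'contains' display filter used on the traffic capture."""
    queries, longest_label = 0, 0
    rewrites, clients = Counter(), set()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and in_domain(m["qname"], domain):
            queries += 1
            clients.add(m["client"])
            # Exfiltration encodes data in the leftmost label, so its length is a useful signal.
            longest_label = max(longest_label, len(m["qname"].split(".")[0]))
            continue
        m = RPZ_RE.search(line)
        if m and in_domain(m["qname"], domain):
            rewrites[m["policy"]] += 1  # PASSTHRU vs NXDOMAIN tells you which mode the RPZ was in
    return {"queries": queries, "clients": sorted(clients),
            "longest_label": longest_label, "rewrites": dict(rewrites)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "gwuuw0.scr"))
```

In a Block (No Such Domain) run you expect the NXDOMAIN rewrite count to approach the query count for the DEX domain; in the Passthru run from Task 6 only PASSTHRU rewrites appear and the transfer completes.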

Task 8 solution: Configure Threat Analytics Update Policy

  • In this task, you configure automatic updates for Threat Analytics module sets. Corporate policy specifies that updates should occur at a specific time. In the lab, you set the time for the automatic update to 10 minutes from the current time. In a production environment, you set automatic updates to occur at an off-peak time.

    1. Navigate to Data Management → Threat Analytics → Members.

    2. Select Grid Threat Analytics from the Toolbar.

    3. Select Updates from the left-hand list.

    4. Scroll down to MODULE SET UPDATES. Click Test Connection.

    5. Close the test connectivity message. Check Enable Automatic Module Set Updates.

    6. Create a Custom Schedule.

      1. Check Custom.

      2. Click the Schedule button.

      3. Configure the Automatic Module Set Updates Scheduler.

      4. In this example, the frequency is daily, every day at 5:26pm UTC. The time when the schedule was created was 5:16pm UTC. Set the time to be 10 minutes in the future for your current time and time zone. Click OK to save the new schedule.

      5. Click Save and Close.

      6. Check to see if the Automatic Update has occurred 10 minutes after the time you set.

Task 9 solution: Move an entry from the Mitigation RPZ to the Allowlist

  • In this task, you move an entry from the Mitigation RPZ to the Allowlist.

    1. Navigate to Data Management → DNS → Response Policy Zones.

    2. Click the link for the mitigation RPZ.

    3. Check the box for one of the RPZ Entries. This is an exercise, so any entry will be sufficient.


    4. Click the hamburger icon for the entry and select Move To Allowlist.

    5. Confirm the Move to Allowlist. Click Yes.

    6. View the new entry in the Threat Analytics Allowlist. Navigate to Data Management → Threat Analytics → Allowlist.

    7. Sort the list by Type for the new entry to surface at the top.


    8. The new entry is present in the Allowlist. The comment states “Moved from denylist RPZ”.
