
Managing NIOS Threat Insight/Analytics (2545)

This lab requires a NIOS 9.0 Lab Environment

This lab guide has been developed using the new NIOS 9.0 Lab Environment (experimental) lab. Please ensure that you deploy a NIOS 9.0 lab environment to complete these lab tasks. If you use a different lab environment, this is untested, and the lab likely will not work.

Scenario

After proving that data exfiltration over DNS can be successfully performed on your existing infrastructure, your team has implemented Infoblox NIOS Threat Insight to detect and stop such attacks. Please configure NIOS to detect and block, then use the same tools from Lab 2561 to perform the same data exfiltration. Collect data to show that this attack is now stopped by the Infoblox DNS server.

Estimate Completion Time

  • 20 to 30 Minutes

Prerequisites

  • Lab 2544 - Inspecting data exfiltration over DNS with NIOS Threat Insight

Credentials

  Description       Username   Password   URL
  Grid Manager UI   admin      infoblox   https://10.100.0.100/

Course References

  • 2034: Data Exfiltration and NIOS Threat Insight

Lab Initiation

Access jump-desktop

Once the lab is deployed, you can access the virtual machines required to complete this lab activity. To initiate the lab, click on the jump-desktop tile and log in to the Linux UI:

Username: training

Password: infoblox

Initiate lab

To initiate the lab, double-click the Launch Lab icon on the Desktop.


Choose the lab number from the list and click OK.

After clicking OK, you will see a pop-up message with a brief description of the lab task. If the description looks correct, click Yes to continue lab initiation.

Lab initiation will take a couple of minutes to finish.

Once complete, you will see another pop-up message with the login credentials and the URL for the Grid Manager’s User Interface. Note that the credentials may differ from those from prior labs.

Tasks

  1. Load RPZ and Threat Insight licenses on the Grid.

  2. Create the mitigation RPZ and add it to the Threat Insight configuration.

  3. Start the Threat Insight Service.

  4. Start traffic capture and clear the DNS Cache before data exfiltration.

  5. Perform data exfiltration and Observe Threat Insight behaviour.

  6. Analyze traffic capture results.

Task 1: Load Threat Insight Licenses on the Grid

  • Load the Threat Insight license file TI.lic from the directory /mnt/shared/licenses/9.0/ into the Grid.

Task 2: Create Mitigation RPZ and add it to Threat Insight

  • Create a local RPZ named mitigation.rpz then add it to the Threat Insight configuration.

Task 3: Start the Threat Insight Service

  • Start the Threat Insight service on the Grid.

Task 4: Start Traffic Capture and Clear DNS Cache before Data Exfiltration

  • Start traffic capturing on the member ibns2.techblue.net after flushing the DNS cache on ibns2 (10.200.0.105) from the Grid Manager UI.

Task 5: Perform and Verify Data Exfiltration and Observe Threat Insight behaviour

  • On jump-desktop, open two terminal windows:

    • The first will be used to log in remotely to support-server with the command ssh training@10.100.0.20 and then run the command realtime-decode, which decodes and displays the exfiltrated data in real time as it is received.

    • The second will be used to start exfiltrating data from the victim (jump-desktop) towards the bad actor (dex.example.com) using the command analytics-test 10.200.0.105.

Task 6: Analyze Data Capture Results

  • Stop the traffic capture and download the captured file from ibns2, then open and analyze the capture file with Wireshark.


Solutions

Task 1 Solution: Load Threat Insight Licenses on the Grid

In this task, we will load the Threat Insight license file into the grid.

  1. On the jump-desktop machine, open a browser window and browse to https://10.100.0.100.

  2. Click Grid → Licenses and click the Add (+) icon to add a new license.

  3. Navigate to the license folder /mnt/shared/licenses/9.0/ and load the license file TI.lic.

    1. Click Shared Drive on the left of the window to navigate to the licenses directory.

    2. After selecting the license file, scroll down to reveal the Verify License(s) button and click it to apply the license file.


Task 2 Solution: Create Mitigation RPZ and add it to Threat Insight

In this task, we will create a local RPZ called mitigation.rpz. This RPZ will act as the container for all the malicious domains and bad actors that Threat Insight identifies and blocks. After creating the RPZ, we need to link it to Threat Insight so that the entries can be added to it.

  1. Create a local RPZ (Response Policy Zone) named mitigation.rpz.

    1. Navigate to Data Management → DNS → Response Policy Zones, click Add(+).

    2. Click Next to create a new Local Response Policy Zone.

    3. Enter the name mitigation.rpz.

    4. Leave everything else at default values and click Next.

    5. Choose the Grid Primary name server ibns2.techblue.net.

    6. Click Save & Close.

      • Verify that the newly created RPZ is placed at the very top of the list, before all other policies.

    7. Restart services when prompted.

  2. Configure the Threat Insight service to use this newly created RPZ.

    1. Navigate to Data Management → Threat Insight.

    2. In the Toolbar, click Grid Threat Analytics Properties.

    3. Click Add(+) and choose the RPZ that was created in the previous step.

    4. Click Save & Close.

Task 3 Solution: Start the Threat Insight Service

In this task, we will start the Threat Insight service on the Grid.

  1. Navigate to Data Management → Threat Insight → Members.

  2. Select ibns2.

  3. In the Toolbar, click Start.

    • Acknowledge the pop-up notice.

  4. Restart the service when prompted and wait for 1 to 2 minutes for the service to start.

  5. Navigate to Data Management → DNS → Response Policy Zones.

  6. Click the entry mitigation.rpz. It should still be empty at this point.

Task 4 Solution: Start Traffic Capture and Clear DNS Cache before Data Exfiltration

In this task, we start a packet capture on ibns2.techblue.net to catch the exfiltration DNS queries heading towards dex.example.com. We first flush the DNS cache to make sure that the server does not answer the queries from its cache.

  1. Navigate to Data Management → DNS → Members.

  2. Select the member ibns2.techblue.net.

  3. From the toolbar, select Clear → Clear DNS Cache.

  4. Navigate to Grid → Grid Manager.

  5. From the Toolbar, click Traffic Capture.

  6. Click the Plus (+) icon to add ibns2.techblue.net in the Members section.

  7. Click the Start icon in the Capture Control section to begin data capture.


Task 5 Solution: Perform and Verify Data Exfiltration

In this task, we will start a simulated DNS exfiltration attack from the victim (jump-desktop) towards the bad actor support-server, which we will capture using the packet capture feature on the Grid. Threat Insight should identify the attack and block the malicious domain, and this is what we will observe.

  1. Examine the content of the data that we will exfiltrate out, using the command more /mnt/shared/Dex/Short-Analytics-Test-File.csv.

  2. In the first terminal window, log in to the support-server using the command ssh training@10.100.0.20 and the password infoblox.

  3. Enter in the command realtime-decode.

  4. Open a second terminal window and issue the data exfiltration command: analytics-test 10.200.0.105.

    • This exfiltrates the sample CSV file by querying the DNS server 10.200.0.105 (ibns2).

  5. For the first few queries, we should see the “Received” response message, which means that our bad actor support-server was able to receive the victim's queries.

  6. The communication should be detected and stopped by the Threat Insight service running on the DNS member ibns2.

    • The “Received” message will no longer appear, indicating that our bad actor support-server is no longer receiving any queries.

  7. Switch to the first Terminal window that has the session to the support-server, check the output of the realtime-decode command. It is helpful to have these two Terminal windows side-by-side for easy comparison. You can see only the first few lines of the file that were successfully exfiltrated.

  8. We can also verify this by checking the syslog. From the Grid Manager UI, navigate to Administration → Logs → Syslog.

  9. Select Member ibns2.techblue.net from the drop-down list.

  10. Choose RPZ Incidents from the Quick Filter drop-down list.

  11. Click the Toggle Multi line view link.

  12. Type dex.example.com in the search box.


Task 6 Solution: Analyze Data Capture Results

In this task, we will stop the traffic capture we started earlier on the Grid and step through the DNS exfiltration attempt packet by packet. We should be able to pinpoint the packet where Threat Insight identifies the malicious domain and starts blocking queries for it. We will also open the mitigation RPZ we created earlier to verify that the malicious domain was automatically added to it.

You may enter this filter into Wireshark to display only DNS traffic for the domain dex.example.com:

dns and dns.qry.name contains "dex.example.com"

  1. On the Grid, tick the checkbox next to ibns2.techblue.net under Members.

  2. Click the Download button and save the file.

  3. Open the capture file with Wireshark and analyze the results.

    • Note the following IP addresses:

      • 10.35.22.10: The DNS client, jump-desktop.

      • 10.200.0.105: The recursive DNS server, ibns2.techblue.net.

      • 10.100.0.20: The (malicious) authoritative DNS server for dex.example.com.

    • If you performed the capture at the right time, you should be able to see that the DNS exfiltration started, but a few packets later, the communication is disrupted and responses become NXDOMAIN (No such name).

      • The screenshot highlights the first packet where the response changed from NOERROR to NXDOMAIN.

  4. Navigate to Data Management → DNS → Response Policy Zones.

  5. Click the entry mitigation.rpz.

    • It should now contain an entry that was added automatically as a result of the exfiltration attempt.

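The packet-by-packet analysis of Task 6 can also be scripted. The following is an added example, not part of this lab or of Infoblox's tooling: it reads a capture exported from Wireshark as CSV (after the display filter above) and reports the first packet whose response turned NXDOMAIN, how many queries ibns2 still forwarded to the bad actor's name server, and which data-carrying labels got out before the block. The CSV rows, transaction IDs and hex labels are constructed for the demo; the IP addresses are the ones the lab names.

```python
import csv
import io
import re

# Constructed sample in the shape of a Wireshark "Export Packet Dissections
# -> As CSV" file. IPs are the lab's; transaction IDs and the data-carrying
# subdomain labels are made up for this example.
SAMPLE_CSV = """\
"No.","Time","Source","Destination","Info"
"1","0.000","10.35.22.10","10.200.0.105","Standard query 0x1a01 A 6e616d652c6167652c.dex.example.com"
"2","0.001","10.200.0.105","10.100.0.20","Standard query 0x7c01 A 6e616d652c6167652c.dex.example.com"
"3","0.020","10.100.0.20","10.200.0.105","Standard query response 0x7c01 A 6e616d652c6167652c.dex.example.com A 10.100.0.20"
"4","0.021","10.200.0.105","10.35.22.10","Standard query response 0x1a01 A 6e616d652c6167652c.dex.example.com A 10.100.0.20"
"5","1.000","10.35.22.10","10.200.0.105","Standard query 0x1a02 A 616c6963652c33302c.dex.example.com"
"6","1.001","10.200.0.105","10.100.0.20","Standard query 0x7c02 A 616c6963652c33302c.dex.example.com"
"7","1.020","10.100.0.20","10.200.0.105","Standard query response 0x7c02 A 616c6963652c33302c.dex.example.com A 10.100.0.20"
"8","1.021","10.200.0.105","10.35.22.10","Standard query response 0x1a02 A 616c6963652c33302c.dex.example.com A 10.100.0.20"
"9","2.000","10.35.22.10","10.200.0.105","Standard query 0x1a03 A 626f622c34312c.dex.example.com"
"10","2.001","10.200.0.105","10.35.22.10","Standard query response 0x1a03 No such name A 626f622c34312c.dex.example.com"
"""
CLIENT, RESOLVER, BAD_AUTH = "10.35.22.10", "10.200.0.105", "10.100.0.20"

def parse_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def qname_in(info, domain):
    """Pull the queried name under `domain` out of Wireshark's Info column."""
    m = re.search(r"(\S+\." + re.escape(domain) + r")(?=\s|$)", info)
    return m.group(1) if m else None

def analyze(rows, domain="dex.example.com"):
    """Walk the capture in order and report where the RPZ block kicks in."""
    forwarded, leaked, first_nxdomain = 0, [], None
    for r in rows:
        qname = qname_in(r["Info"], domain)
        if qname is None:
            continue
        is_response = "query response" in r["Info"]
        # Queries the resolver still sends upstream to the attacker's name
        # server; once RPZ answers locally these stop (support-server sees nothing).
        if not is_response and r["Source"] == RESOLVER and r["Destination"] == BAD_AUTH:
            forwarded += 1
        if is_response and r["Destination"] == CLIENT:
            if "No such name" in r["Info"]:   # Wireshark's wording for NXDOMAIN
                first_nxdomain = first_nxdomain or int(r["No."])
            else:                             # answered: this label left the network
                leaked.append(qname[: -len("." + domain)])
    return {"first_nxdomain_packet": first_nxdomain,
            "forwarded_upstream": forwarded, "leaked_labels": leaked}
```

Run `analyze(parse_rows(SAMPLE_CSV))` against the sample, or replace SAMPLE_CSV with the contents of your own export to get the same figures for the lab capture.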