
Using Threat Defense Custom Response Policy Zones (RPZ) (2806)


Scenario

You are a security analyst tasked with enhancing your organization’s DNS security posture. While your organization currently relies on Infoblox Threat Intelligence feeds to block malicious and unwanted DNS traffic, your team needs more flexibility in handling specific threat classes/properties within those feeds. Specifically, you’ve been assigned to modify the response to a particular threat class to be redirected instead of blocked, without impacting other indicators in the same Threat Intelligence feeds. To accomplish this, you will create a custom Response Policy Zone (RPZ), populate it with the desired threat class, integrate it into your organization’s DNS security policy, and then test the custom RPZ to ensure it behaves as intended.

Estimate Completion Time

  • 180 - 200 mins (~3.5 hours)

Prerequisites


Tasks

  • Creating a Custom RPZ

  • Adding techblue-crpz to Techblue Sec Policy

  • Identifying domains for testing using TIDE Active Indicators

  • Testing Custom RPZ Policy Rule techblue-crpz

Task 1: Creating a Custom RPZ

It may require up to three hours for the feed to populate with records following its creation.

In the Infoblox Portal, create a Custom RPZ named techblue-crpz and add the Scam Threat Class to it.

Task 2: Adding Techblue-CRPZ to Techblue Sec Policy

  • In the Infoblox Portal, add the newly created Custom RPZ techblue-crpz into the Techblue Sec Policy security policy as a new policy rule with the action of Default Redirect.

  • Place the new policy rule in the 6th position, directly above the Infoblox_Base rule.

Task 3: Identifying domains for testing using TIDE Active Indicators

In the Infoblox Portal, use the Active Indicators research page to identify and note at least one domain from each Threat Class or Property in techblue-crpz to be used for testing in the next task.

Task 4: Testing Custom RPZ Rule techblue-crpz

Ensure the feed is populated before testing to achieve expected results. An unpopulated feed has no records, so no traffic will match the new rule and queries will fall through to the other rules in the policy.

  • In the lab environment, use the testing-linux VM to perform DNS lookups against the oph1.techblue.net server.

  • Use the domains you noted from the previous task to initiate dig queries using the command: dig @10.100.0.110 <DOMAIN NAME>.
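As an added example (not part of the lab guide), a small Python helper that classifies the text output of the dig queries above: an answer pointing at the redirect address means the custom RPZ rule fired, an NXDOMAIN means the query fell through to a block rule, and a normal answer means no policy hit. The redirect address 198.51.100.10 and the abridged dig outputs are constructed placeholders, not values from the lab tenant.

```python
import re

# Constructed placeholder for the Infoblox redirect page address; replace it
# with the address your tenant actually returns for the Default Redirect action.
REDIRECT_TARGETS = {"198.51.100.10"}

# Constructed dig outputs (abridged): custom RPZ hit, block-rule hit, clean domain.
SAMPLE_REDIRECTED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
scam-example.test.\t60\tIN\tA\t198.51.100.10
"""
SAMPLE_BLOCKED = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4243
;; QUESTION SECTION:
;blocked-example.test.\t\tIN\tA
"""
SAMPLE_RESOLVED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; ANSWER SECTION:
clean-example.test.\t300\tIN\tA\t203.0.113.7
"""

def parse_dig(text):
    """Return (status, [(name, rrtype, rdata), ...]) parsed from dig's text output."""
    m = re.search(r"status: (\w+)", text)
    status = m.group(1) if m else "UNKNOWN"
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip() or line.startswith(";"):
                in_answer = False  # end of the answer section
                continue
            parts = line.split()  # name ttl class type rdata
            if len(parts) >= 5:
                answers.append((parts[0].rstrip("."), parts[3], parts[4].rstrip(".")))
    return status, answers

def classify(text, redirect_targets=REDIRECT_TARGETS):
    """Map one dig output to 'redirected', 'blocked', 'resolved' or 'no_answer'."""
    status, answers = parse_dig(text)
    if status == "NXDOMAIN":
        return "blocked"  # fell through to an NXDOMAIN block rule
    if status != "NOERROR":
        return status.lower()  # e.g. servfail: the feed or policy is not in effect
    rdata = {r for _, t, r in answers if t in ("A", "AAAA", "CNAME")}
    if rdata & redirect_targets:
        return "redirected"  # the techblue-crpz Default Redirect rule fired
    return "resolved" if answers else "no_answer"
```

Feed each domain's `dig @10.100.0.110 <DOMAIN NAME>` output to `classify`; every Scam domain should come back as "redirected" once the feed is populated.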


Solutions

Task 1 Solution: Creating a Custom RPZ

It may require up to three hours for the feed to populate with records following its creation.

In this task, we will create a custom Response Policy Zone (RPZ) named techblue-crpz. This RPZ will be a dedicated container for a specific threat class from the Infoblox Threat Intelligence data that your organization wants to handle differently. Using the Infoblox Portal’s Custom RPZ creation wizard, we will add the Scam threat class to the Custom RPZ. We will later integrate this custom RPZ into the DNS security policy as a policy rule.

  1. Log into your lab’s VM jump-desktop.

  2. While logged in to jump-desktop, use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

  3. Navigate to Configure → Security → TIDE → Custom RPZ

  4. Click the Add Custom RPZ button

    1. Use the name techblue-crpz

  5. Click on the Select Class/Property list

  6. Select the Scam threat class

  7. Click Save & Close


Task 2 Solution: Adding techblue-crpz to Techblue Sec Policy

In this task, we will add the techblue-crpz custom RPZ to the Techblue Sec Policy as a new rule. We will assign the Default-Redirect action to this rule, ensuring that any DNS queries matching the grouped threat classes and properties are redirected rather than blocked. Once the rule is created, we will move it to the 6th position, placing it just above the Infoblox_Base rule. This placement is critical: the threat classes and properties in our custom RPZ also exist in the broader Infoblox feeds, and rules are evaluated in order, so positioning our rule higher in the policy ensures it takes precedence. As a result, our custom action is applied before the generic feed rules are evaluated, achieving the desired outcome.

  1. Navigate to Configure → Security → Policies → Security Policies

  2. Click the hamburger icon next to Techblue Sec Policy

  3. Click Edit

  4. Click on the Policy Rules tab

    1. Click on Add Rule

    2. Select Feeds and Threat Insights

    3. Under the object drop-down list, select techblue-crpz.ff

    4. Change the rule action to Block - Default Redirect

  5. Use the arrow icon next to the rule to move it to the 6th position, just on top of the Infoblox_Base rule

  6. Click Finish, then Save & Close

Task 3 Solution: Identifying domains for testing using TIDE Active Indicators

In this task, we will use the TIDE Active Indicators research page in the Infoblox Portal to identify and note at least one domain for each class/property we added to the custom RPZ created earlier, so we can test the new policy rule against them in the next task. The Active Indicators table lists all the domains in every feed and insight available in our Threat Defense tenant.

  1. Navigate to Monitor → Research → Active Indicators

  2. In the Filter section, click the clear link under the Threat Class/Property, then click show more

  3. Under the Threat Class/Property check the Scam box.

  4. Click Apply Filter

  5. Click on the Infoblox Icon on the Application menu of your lab’s VM jump-desktop

  6. Open the Geany application

  7. Save at least three domains from the Scam Threat Class.


Task 4 Solution: Testing Custom RPZ Rule Techblue-CRPZ

Ensure the feed is populated before testing to achieve expected results. An unpopulated feed has no records, so no traffic will match the new rule and queries will fall through to the other rules in the policy.

In this task, we will first verify that our custom RPZ feed has been populated with records, since this can take between 1 and 3 hours after the RPZ is first created. Then we will use the testing-linux machine’s web browser to browse to the domains we noted earlier. As per our policy configuration, we expect these requests to be redirected to the default Infoblox redirect page.

  1. Log into your lab’s VM jump-desktop.

  2. While logged in to jump-desktop, use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

  3. Navigate to Configure → Security → On-Prem Firewall

  4. Select Feed Configuration Values under Step 2

  5. Scroll to the bottom of the feed list and verify that techblue-crpz has more than 0 records.

  6. Log in to the VM testing-linux in your lab environment with the credentials training / infoblox.

  7. Open a terminal window and enter the command sudo set-network-static-bloxone. This command sets a static IP address for the testing-linux VM so it can reach the NIOS-X servers.

  8. Open a browser window and surf for each previously saved domain

    1. All domains should be redirected to the default Infoblox redirect page.

  9. Log back into your lab’s jump-desktop VM.

  10. Navigate to Reports → Security → Security Activities

    1. In the search bar at the top of the page, enter query = <DOMAIN-NAME> to view all the security activity logs for that domain.

      1. Replace the <DOMAIN-NAME> parameter with each of the domains we browsed to earlier in this task.
