
2808 - Investigating Domains using Dossier and TIDE Active Indicators


Scenario

You're tasked with investigating domains that your SOC team has recently connected to abnormal behaviour. Threat Defense security policies identified and blocked the risk. Your task is to use Dossier and TIDE active indicators to collect as much information about these malicious domains as possible and to report your findings.

Estimated Completion Time

  • 15 to 20 Minutes

Prerequisites

  • Administrative access to the Infoblox Portal


Tasks

  • Investigate threats with Dossier.

  • Classify threats with TIDE active Indicators

Task 1: Investigating threats with Dossier

  • Log into your lab’s jump-desktop with the credentials training / infoblox, then use your Education Infoblox Portal credentials to log into the Infoblox Portal.

  • Investigate the domains: eicar.co, primarkegyptstore.com and adobekr.com

  • Gather as much information as you can about each domain to answer the following questions:

    • What is the threat level for each domain?

    • What is the threat property for each domain?

    • Were any of the domains detected by feeds? If so, list the feeds.

    • Are any of the listed domains still active?

    • Are there any impacted devices in your organization?

    • Is there any Intel or publications about any of the listed domains?

    • Are there any related IPs or domains to any of the suspicious domains?

    • Where are these domains registered and hosted?

    • Are any of the listed domains connected to domain impersonation?

  • Generate a report from Dossier with all your findings.

Task 2: Classifying threats with TIDE active Indicators

  • Log into your lab’s jump-desktop, launch a web browser and use your Education Infoblox Portal credentials to log into the Infoblox Portal.

  • Investigate the domains: eicar.co, primarkegyptstore.com and adobekr.com

  • Answer the following questions about each domain:

    • What is the threat level of each domain?

    • What Threat Class and Property does each domain belong to?

    • When was each domain detected?

    • Which data provider stated this information?


Solutions

Task 1 Solution: Investigating threats with Dossier

  1. Log into your lab’s jump-desktop with the credentials training / infoblox.

  2. Use your Education Infoblox Portal credentials to log into the Infoblox Portal.

  3. Navigate to Monitor → Research → Dossier.

    • We will be investigating 3 domains:

      1. eicar.co

      2. primarkegyptstore.com

      3. adobekr.com

  4. In the search bar, type the name of each domain and press Enter.

  5. Gather as much information as you can about each domain to answer the following questions:

    • What is the threat level for each domain, if available?

      • We can find this information under the Detection History Timeline section for each domain in the summary report.

      • eicar.co → unavailable, primarkegyptstore.com → 100/100, adobekr.com → 80/100.

        image-20241104-134942.png
    • What is the threat property for each domain?

      • We can find this information under the Infoblox Threat Intel section for each domain in the summary report.

      • eicar.co → MaliciousNameserver_Generic, primarkegyptstore.com → Phishing_lookalike , adobekr.com → APT_MalwareC2.

        image-20241104-135108.png
    • Were any of the domains detected by feeds? If so, list the feeds.

      • We can find this information under the Active Threat Feeds and Status section for each domain in the summary report.

      • Yes, all three were detected. The feeds are Infoblox-Base, Infoblox Malicious Detections and Suspicious-lookalikes.

        image-20241104-135216.png
    • Are any of the listed domains still active?

      • We can find this information in the top banner, next to the domain name and the last detection date.

      • Yes, all three are still active.

        image-20241104-134109.png
    • Are there any impacted devices in your organization?

      • We can find this information under the Impacted Devices report and by reviewing the security policy configuration under Configure → Security → Policies → Security Policies.

      • No. Multiple devices sent queries, but your organization’s threat policy, which uses the recommended feeds, blocked those attempts.

        image-20241104-134559.png
    • Are there any related IPs or domains to any of the suspicious domains?

      • This information is available under the Related IPs and Related Domains reports.

      • Yes, all three domains have related IPs or related domains.

        image-20241104-134437.png
    • Where are these domains Registered and hosted?

      • This information is available under the Registered Owner section on the summary report and the WHOIS Record report.

      • eicar.co → Iceland, primarkegyptstore.com → registered in France but hosted in Canada, adobekr.com → USA.

        image-20241104-134315.png
        image-20241104-134846.png
    • Are any of the listed domains connected to domain impersonation?

      • This information will be available under the Lookalike Detection section in the summary report.

      • Yes, adobekr.com.

        image-20241104-134008.png

  6. Click the Export Dossier Report button in the top left corner, choose which reports to include, then click Generate to create a PDF report.

    image-20241104-135728.png


    image-20241104-135741.png

Task 2 Solution: Classifying threats with TIDE active Indicators

  1. In Infoblox Portal, navigate to Monitor → Research → Active Indicators.

    • We will be investigating 3 domains:

      1. eicar.co

      2. primarkegyptstore.com

      3. adobekr.com

  2. Answer the following questions about each domain:

    • What is the threat level of each domain?

      • eicar.co → 100, primarkegyptstore.com → 100 and adobekr.com → 80

    • What Threat Class and Property does each domain belong to?

      • eicar.co: MaliciousNameserver, MaliciousNameserver_Generic.

      • adobekr.com: APT, APT_MalwareC2.

      • primarkegyptstore.com: Phishing, Phishing_lookalike.

    • Which data provider stated this information?

      • eicar.co → Infoblox, adobekr.com → Infoblox and primarkegyptstore.com → Infoblox.

        image-20241104-140709.png
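The steps above are carried out in the portal UI. As an added example (not part of this lab, the Infoblox Portal or its documentation), the Python below shows how the same Task 2 answers can be derived from TIDE-style active-indicator records when you need to triage many domains at once. The TIDE endpoint, the record field names (host, threat_level, class, property, detected, expiration, profile), the profile id "IID" standing for Infoblox, and the sample records are all assumptions of the author; the records are constructed to mirror the lab's three domains (plus one extra overlapping indicator for adobekr.com) and are not a live TIDE response.

```python
"""Collapse TIDE active-indicator records into one triage row per host.

Added example for this lab; not Infoblox code.  Field names, the endpoint
and the sample records are assumptions of the author, labelled below.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlencode

# ASSUMPTION: TIDE threat lookup endpoint.  A live query would be
#   GET https://csp.infoblox.com/tide/api/data/threats?host=<host>&rlimit=<n>
# with an "Authorization: Token <API key>" header.  Nothing here goes on the wire.
TIDE_THREATS_URL = "https://csp.infoblox.com/tide/api/data/threats"


def tide_query_url(host: str, limit: int = 50) -> str:
    """Build the per-host active-indicator lookup URL (no network I/O)."""
    return f"{TIDE_THREATS_URL}?{urlencode({'host': host, 'rlimit': limit})}"


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps TIDE records carry (assumed layout)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# CONSTRUCTED sample records shaped like TIDE "threat" entries (not live data).
# Threat levels, classes and properties follow the lab solution; dates are made up.
SAMPLE_RECORDS = [
    {"host": "eicar.co", "threat_level": 100, "class": "MaliciousNameserver",
     "property": "MaliciousNameserver_Generic", "detected": "2024-10-28T09:12:00Z",
     "expiration": "2025-10-28T09:12:00Z", "profile": "IID"},
    {"host": "primarkegyptstore.com", "threat_level": 100, "class": "Phishing",
     "property": "Phishing_lookalike", "detected": "2024-09-14T17:40:00Z",
     "expiration": "2025-09-14T17:40:00Z", "profile": "IID"},
    {"host": "adobekr.com", "threat_level": 80, "class": "APT",
     "property": "APT_MalwareC2", "detected": "2024-08-02T03:05:00Z",
     "expiration": "2025-08-02T03:05:00Z", "profile": "IID"},
    # Second, already-expired lookalike indicator for the same host, added to
    # show how overlapping records for one domain are merged.
    {"host": "adobekr.com", "threat_level": 60, "class": "Phishing",
     "property": "Phishing_lookalike", "detected": "2024-09-30T11:00:00Z",
     "expiration": "2024-10-15T11:00:00Z", "profile": "IID"},
]


def summarise(records, now=None):
    """Return {host: row} where each row answers the Task 2 questions.

    threat_level is the maximum across the host's records (the worst
    indicator wins), classifications the distinct (class, property) pairs,
    first_detected the earliest detection, providers the distinct profiles,
    active whether any record has not yet expired, and lookalike whether any
    property flags the host as a domain impersonation.
    """
    now = now or datetime.now(timezone.utc)
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec["host"].lower().rstrip(".")].append(rec)
    rows = {}
    for host, recs in by_host.items():
        rows[host] = {
            "threat_level": max(r["threat_level"] for r in recs),
            "classifications": sorted({(r["class"], r["property"]) for r in recs}),
            "first_detected": min(parse_ts(r["detected"]) for r in recs),
            "providers": sorted({r["profile"] for r in recs}),
            "active": any(parse_ts(r["expiration"]) > now for r in recs),
            "lookalike": any("lookalike" in r["property"].lower() for r in recs),
        }
    return rows


if __name__ == "__main__":
    for host, row in summarise(SAMPLE_RECORDS).items():
        print(host, tide_query_url(host))
        for key, value in row.items():
            print(f"  {key}: {value}")
```

Taking the maximum threat level and the earliest detection across a host's records is a triage choice: a domain that carries both an expired lookalike indicator and a live C2 indicator should still be reported at the C2 level, with the first date it was ever flagged.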
