
Intercepting Exfiltration with Threat Insight (2814)


Scenario

As part of your organization’s enhancement of its infrastructure security, Threat Insight lists have been added as security policy rules to block data exfiltration, Zero Day DNS, and more. You’ve been tasked with testing Threat Insight’s data exfiltration detection and prevention abilities. You will review the feeds required for Data Exfiltration to be detected, then observe Threat Insight’s behavior in detecting Data Exfiltration using a script imitating an exfiltration attack.

Estimated Completion Time

  • 20 - 25 minutes

Prerequisites


Tasks

  • Reviewing Threat Insight Data Exfiltration rules and their actions

  • Observing Data Exfiltration Attacks with Threat Insight

  • Changing Threat Insight Data Exfiltration Rule Actions

  • Observing and verifying that Exfiltration attempts are blocked

Task 1: Reviewing Threat Insight Data Exfiltration rules and their actions

Using your lab’s jump-desktop, log in to the Infoblox Portal using the Education Infoblox Portal credentials. Review the Threat Insight data exfiltration rules in the Techblue Sec Policy security policy and the actions assigned to them.

Task 2: Observing Data Exfiltration Attacks with Threat Insight

NIOS-X servers must be connected to Threat Defense, and the DFP service must run on them. Please review the prerequisites section.

  • Start an exfiltration attack against 10.100.0.110 and investigate Threat Insight behaviour.

    • Use the command exfiltration-client 10.100.0.110 to start the attack.

      • NOTE: 10.100.0.110 is the IP address for the NIOS-X server NX-1 running the DFP service DFP-OPH1.

Task 3: Changing Threat Insight Data Exfiltration Rule Actions

  • Log in to the Infoblox Portal using the Education Infoblox Portal credentials. Change the Data Exfiltration rule actions in the Default Global Policy to Block - No Redirect.

    • NOTE: Please allow 3-5 minutes for the rule changes to be synced with the NIOS-X server.

Task 4: Observing and Verifying that Exfiltration attempts are Blocked

The script output should indicate that exfiltrated data has been received for the first 30 to 50 requests, but should stop getting responses after that.

  • Start an exfiltration attack against 10.100.0.110 to test Threat Insight’s behaviour against the attack.

    • Use the command exfiltration-client 10.100.0.110 to start the attack.

      • NOTE: 10.100.0.110 is the IP address for the NIOS-X server NX-1 running the DFP service DFP-OPH1.


Solutions

Task 1 Solution: Reviewing Threat Insight Data Exfiltration rules and their actions

In this task, we verify that the Threat Insight data exfiltration rules are present in the Techblue Sec Policy security policy and check which action is assigned to them.

  1. Log in to your lab’s jump-desktop.

  2. Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

  3. Navigate to Configure → Security → Policies → Security Policies

  4. Select Techblue Sec Policy and click Edit.

    1. Click on Policy Rules.

    2. Verify that the Threat Insight - Data Exfiltration and Threat Insight - Notational Data Exfiltration rules exist and that their action is Allow - With Log.

    3. Click Finish, then Save & Close.

      [screenshot]

Task 2 Solution: Observing Data Exfiltration Attacks with Threat Insight

NIOS-X servers must be connected to Threat Defense, and the DFP service must run on them. Please review the prerequisites section.

In this task, we start an exfiltration attack against OPH1 (10.100.0.110) and observe Threat Insight’s behavior. From the previous task, we know that the rules will allow the traffic while logging it. So, when running the exfiltration script, we should be able to confirm this behavior through both the script’s output and the security logs.

  1. Open a terminal window and enter the command exfiltration-client 10.100.0.110.

    • NOTE: 10.100.0.110 is the IP address for the NIOS-X server NX-1 running the DFP service DFP-OPH1.

  2. The output of the script should indicate that exfiltrated data has been received.

    [screenshot]

  3. Leave the script running for 4-5 minutes to allow security reports to be generated.

  4. In the Infoblox Portal, navigate to Monitor → Reports → Security → Security Activity.

    • Under the Threat Insight tab, you should be able to see logs from a subdomain of shopping.ddi.ninja.

      • NOTE: The output might look different from the screenshot. We are looking for at least one subdomain of shopping.ddi.ninja.

        [screenshot]

    • Under the Security Events tab, enter query = shopping.ddi.ninja in the search bar.

      • You should be able to see some of the data exfiltration attempts listed, including the action taken and the traffic source.

        [screenshot]

Task 3 Solution: Changing Threat Insight Data Exfiltration Rule Actions

In this task, we will change the action for both data exfiltration rules to Block - No Redirect. This will stop the exfiltration attempts from completing.

  1. Log in to your lab’s jump-desktop.

  2. Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.

  3. Navigate to Configure → Security → Policies → Security Policies

  4. Select Techblue Sec Policy and click Edit.

    1. Click on Policy Rules.

    2. Locate the Threat Insight - Data Exfiltration and Threat Insight - Notational Data Exfiltration rules and set their action to Block - No Redirect.

      • These rules were created in a previous lab with the action Allow - With Log.

      • As part of this lab, we are modifying the action to Block - No Redirect.

        [screenshot]

    3. Click Finish, then Save & Close.

Task 4 Solution: Observing and verifying that Exfiltration attempts are blocked

In this task, we start an exfiltration attack against OPH1 (10.100.0.110) and observe how Threat Insight behaves. In the previous task, the rules were changed to block exfiltration attempts while still keeping logs. So, when running the exfiltration script, we should be able to confirm this behavior through both the script’s output and the security logs.

  1. Open a terminal window and enter the command exfiltration-client 10.100.0.110.

    • NOTE: 10.100.0.110 is the IP address for the NIOS-X server NX-1 running the DFP service DFP-OPH1.

  2. The script’s output should show the response “Data Received” for the first 30 to 50 requests, indicating that the exfiltrated data was accepted. After that, the responses should stop: Threat Insight has detected the exfiltration attempts and flagged the malicious domain, so the Block - No Redirect action now applies to it.

    [screenshot]

  3. In the Infoblox Portal, navigate to Monitor → Reports → Security → Security Activity.

    • Under the Threat Insight tab, you should be able to see logs from a new subdomain of shopping.ddi.ninja.

      [screenshot]
    • Under the Security Events tab, enter query = shopping.ddi.ninja in the search bar.

      • You should be able to see some of the data exfiltration attempts listed, including the action taken and the traffic source.

      • To view the most recent events first, sort the table by the Detected column in descending order.

      [screenshot]
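The behaviour observed in Task 2 and Task 4 (every request answered and logged under Allow - With Log; the first few dozen requests answered and the rest dropped under Block - No Redirect) can be modelled with a small stand-alone detector. The following is an added example, not Infoblox code and not Threat Insight’s actual logic: it tracks distinct subdomain prefixes per parent domain, flags a parent once it has seen many long, high-entropy prefixes, and then applies the rule action. The thresholds, the `split_qname` parent-domain rule (last three labels, matching shopping.ddi.ninja), the query stream built from hashes, and the example.com benign names are all constructed assumptions.

```python
"""Added example (not Infoblox code): a toy detector for DNS-tunnelling style
data exfiltration, plus a policy switch mirroring the lab's two rule actions.
Thresholds, query data and helper names are constructed assumptions; they are
not Threat Insight's internal logic."""
import hashlib
import math
from collections import defaultdict

ALLOW_WITH_LOG = "Allow - With Log"
BLOCK_NO_REDIRECT = "Block - No Redirect"

# Constructed thresholds (assumption): a parent domain is flagged once it has
# received this many distinct, long, high-entropy subdomain prefixes.
MIN_UNIQUE_PREFIXES = 20
MIN_AVG_PREFIX_LEN = 30     # characters in the part left of the parent domain
MIN_AVG_ENTROPY = 3.0       # Shannon entropy in bits per character


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str, suffix_labels: int = 3):
    """Return (prefix, parent) for a query name.

    The parent is the last `suffix_labels` labels, which for the lab's traffic
    is shopping.ddi.ninja; a production system would consult a public-suffix
    list instead of using a fixed label count."""
    labels = qname.rstrip(".").lower().split(".")
    prefix = ".".join(labels[:-suffix_labels]) if len(labels) > suffix_labels else ""
    parent = ".".join(labels[-suffix_labels:])
    return prefix, parent


class ExfilDetector:
    """Tracks distinct subdomain prefixes per parent domain and flags parents
    whose prefixes look like encoded payload rather than hostnames."""

    def __init__(self, suffix_labels: int = 3):
        self.suffix_labels = suffix_labels
        self.prefixes = defaultdict(set)   # parent -> set of prefixes seen
        self.flagged = set()

    def observe(self, qname: str) -> str:
        """Record one query and return its parent domain (possibly now flagged)."""
        prefix, parent = split_qname(qname, self.suffix_labels)
        if prefix:
            self.prefixes[parent].add(prefix)
        if parent not in self.flagged and self._looks_like_exfil(parent):
            self.flagged.add(parent)
        return parent

    def _looks_like_exfil(self, parent: str) -> bool:
        seen = self.prefixes.get(parent, set())
        if len(seen) < MIN_UNIQUE_PREFIXES:
            return False
        avg_len = sum(len(p) for p in seen) / len(seen)
        avg_ent = sum(shannon_entropy(p.replace(".", "")) for p in seen) / len(seen)
        return avg_len >= MIN_AVG_PREFIX_LEN and avg_ent >= MIN_AVG_ENTROPY


def apply_policy(queries, action: str):
    """Run a query stream through a fresh detector and return one outcome per
    query: 'answered' (the client would see "Data Received"), 'answered+logged'
    (Allow - With Log on a flagged domain) or 'blocked' (Block - No Redirect)."""
    detector = ExfilDetector()
    outcomes = []
    for qname in queries:
        parent = detector.observe(qname)
        if parent not in detector.flagged:
            outcomes.append("answered")
        elif action == ALLOW_WITH_LOG:
            outcomes.append("answered+logged")
        elif action == BLOCK_NO_REDIRECT:
            outcomes.append("blocked")
        else:
            raise ValueError(f"unknown rule action: {action!r}")
    return outcomes


def exfil_queries(n: int = 60, parent: str = "shopping.ddi.ninja"):
    """Constructed stand-in for a tunnelling client's query stream: each name
    carries a 'payload chunk' as two long hex labels. Derived from hashes so
    the data is deterministic and meaningless."""
    names = []
    for i in range(n):
        digest = hashlib.sha256(f"chunk-{i}".encode()).hexdigest()
        names.append(f"{digest[:32]}.{digest[32:]}.{parent}")
    return names


# Constructed benign traffic: short, low-entropy hostnames that never trip the thresholds.
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "ntp.example.com", "www.example.com"]


if __name__ == "__main__":
    stream = BENIGN_QUERIES + exfil_queries()
    for action in (ALLOW_WITH_LOG, BLOCK_NO_REDIRECT):
        outcomes = apply_policy(stream, action)
        print(action, {o: outcomes.count(o) for o in sorted(set(outcomes))})
```

Running the script prints one outcome summary per rule action: with Allow - With Log every query is answered and the ones after the flag are additionally logged, which is what the Security Events tab shows in Task 2; with Block - No Redirect the same stream is answered only until the parent domain is flagged (here after 20 distinct prefixes, a constructed value; the lab text gives 30 to 50 for Threat Insight), after which the client stops receiving responses, as in Task 4. The point of detecting on the parent domain rather than on individual names is that the tunnelling client never repeats a subdomain, so a per-name blocklist would never fire.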
