Intercepting Exfiltration with Threat Insight (2814)
Scenario
As part of your organization’s enhancement of its infrastructure security, Threat Insight lists have been added as security policy rules to block data exfiltration, Zero Day DNS, and more. You’ve been tasked with testing Threat Insight’s data exfiltration detection and prevention abilities. You will review the feeds required for Data Exfiltration to be detected, then observe Threat Insight’s behavior in detecting Data Exfiltration using a script imitating an exfiltration attack.
Estimate Completion Time
20 - 25 minutes
Prerequisites
Administrative access to the Infoblox Portal
Integrating DNS Forwarding Proxy Service (DFP) into a Security Policy (2816)
Tasks
Reviewing Threat Insight Data Exfiltration rules and their actions
Observing Data Exfiltration Attacks with Threat Insight
Changing Threat Insight Data Exfiltration Rule Actions
Observing and verifying that Exfiltration attempts are blocked
Task 1: Reviewing Threat Insight Data Exfiltration rules and their actions
Using your lab’s jump-desktop, log in to the Infoblox Portal with the Education Infoblox Portal credentials. Review the Threat Insight data exfiltration rules in the Techblue Sec Policy security policy and the actions assigned to them.
Task 2: Observing Data Exfiltration Attacks with Threat Insight
NIOS-X servers must be connected to Threat Defense, and the DFP service must run on them. Please review the prerequisites section.
Start an exfiltration attack against 10.100.0.110 and investigate Threat Insight’s behaviour.
Use the command
exfiltration-client 10.100.0.110
to start the attack.
NOTE: 10.100.0.110 is the IP address of the NIOS-X server NX-1 running the DFP service DFP-OPH1.
Task 3: Changing Threat Insight Data Exfiltration Rule Actions
Log in to the Infoblox Portal using the Education Infoblox Portal credentials. Change the action of both Data Exfiltration rules in the Techblue Sec Policy security policy to Block - No Redirect.
NOTE: Please allow 3-5 minutes for the rule changes to be synced with the NIOS-X server.
Task 4: Observing and Verifying that Exfiltration attempts are Blocked
Start an exfiltration attack against 10.100.0.110 to test Threat Insight’s behaviour against the attack.
Use the command
exfiltration-client 10.100.0.110
to start the attack.
NOTE: 10.100.0.110 is the IP address of the NIOS-X server NX-1 running the DFP service DFP-OPH1.
The script output should indicate that exfiltrated data has been received for the first 30 to 50 requests; after that, the responses should stop.
Solutions
Task 1 Solution: Reviewing Threat Insight Data Exfiltration rules and their actions
In this task, we investigate if data exfiltration threat insight rules are added to the Techblue Sec Policy Security Policy and what action is assigned to them.
Log in to your lab’s jump-desktop.
Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.
Navigate to Configure → Security → Policies → Security Policies
Select Techblue Sec Policy and click Edit.
Click on Policy Rules.
Verify that the Threat Insight—Data Exfiltration and Threat Insight—Notational Data Exfiltration rules exist and that their action is Allow—With Log.
Click Finish, then Save & Close.
Task 2 Solution: Observing Data Exfiltration Attacks with Threat Insight
NIOS-X servers must be connected to Threat Defense, and the DFP service must run on them. Please review the prerequisites section.
In this task, we start an exfiltration attack against OPH1 (10.100.0.110) and observe Threat Insight’s behavior. From the previous task, we know that the rules allow the traffic while logging it, so the script output and the security logs should both confirm that behavior.
Open a terminal window and enter the command
exfiltration-client 10.100.0.110
NOTE: 10.100.0.110 is the IP address of the NIOS-X server NX-1 running the DFP service DFP-OPH1.
The output of the script should indicate that exfiltrated data has been received.
Leave the script to run for 4-5 minutes to allow for security reports to be generated.
In the Infoblox Portal, navigate to Monitor → Reports → Security → Security Activity.
Under the Threat Insight tab, you should see events for at least one subdomain of shopping.ddi.ninja. The exact subdomain names vary from run to run.
Under the Security Events tab, enter
query = shopping.ddi.ninja
in the search bar. You should see some of the data exfiltration attempts listed, including the action taken (Allow - With Log at this stage) and the traffic source.
Task 3 Solution: Changing Threat Insight Data Exfiltration Rule Actions
In this task, we will change the action for both data exfiltration rules to Block—No redirect. This will stop the exfiltration attempts from completing.
Log in to your lab’s jump-desktop.
Use your Education Infoblox Portal Credentials to log into the Infoblox Portal.
Navigate to Configure → Security → Policies → Security Policies
Select Techblue Sec Policy and click Edit.
Click on Policy Rules.
Locate the Threat Insight—Data Exfiltration and Threat Insight—Notational Data Exfiltration rules. They were created in a previous lab with the action Allow - With Log.
Change the action on both rules to Block - No Redirect and verify the new value before leaving the page.
Click Finish, then Save & Close.
Task 4 Solution: Observing and verifying that Exfiltration attempts are blocked
In this task, we start an exfiltration attack against OPH1 (10.100.0.110) and observe how Threat Insight behaves now that, in the previous task, the rules were changed to block exfiltration attempts while still logging them. The script output and the security logs should both confirm the new behavior. Allow the 3-5 minutes noted in Task 3 for the policy change to sync to the NIOS-X server; if you run the script before the sync completes, the old Allow - With Log action still applies.
Open a terminal window and enter the command
exfiltration-client 10.100.0.110
NOTE: 10.100.0.110 is the IP address of the NIOS-X server NX-1 running the DFP service DFP-OPH1.
The script prints “Data Received” for each request that is answered. Expect this for roughly the first 30 to 50 requests, then the responses should stop: Threat Insight needs to observe a number of queries before it classifies the destination domain as exfiltration, and once it has flagged the domain, the Block - No Redirect action applies to every further query to it.
In the Infoblox Portal, navigate to Monitor → Reports → Security → Security Activity.
Under the Threat Insight tab, you should see events for a new subdomain of shopping.ddi.ninja.
Under the Security Events tab, enter
query = shopping.ddi.ninja
in the search bar. You should see some of the data exfiltration attempts listed, including the action taken and the traffic source. Compare the action with Task 2: the most recent attempts should show the block action rather than Allow - With Log.
To view the most recent events first, sort the table by the Detected column in descending order.
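What this lab demonstrates is behavioural detection: Threat Insight has to see enough queries to a domain before it can classify that domain as an exfiltration channel, which is why the first 30 to 50 requests are answered even with the rules set to block. The following added example (written for this page; it is not Infoblox code and is not the lab’s exfiltration-client) shows the mechanics in miniature: a constructed client that hex-encodes a payload into subdomain labels under shopping.ddi.ninja, and a toy per-zone detector that tracks query count, unique-subdomain ratio, label volume and label entropy, and switches its verdict from Allow - With Log to Block - No Redirect once constructed thresholds are crossed. The encoding scheme, the thresholds and the sample payload are all assumptions; Threat Insight’s real heuristics and the lab client’s real encoding are not described on this page.

```python
"""Toy DNS-exfiltration client and detector (added example, not Infoblox code)."""
import math
from collections import defaultdict
from dataclasses import dataclass, field

ZONE = "shopping.ddi.ninja"   # exfiltration domain used in the lab

# Constructed stand-in for a sensitive file: a few thousand bytes of CSV.
SAMPLE_PAYLOAD = "\n".join(
    f"{i:05d},jane.doe{i}@example.test,4111-xxxx-xxxx-{1000 + i:04d}"
    for i in range(60)
).encode()


def exfil_queries(payload: bytes, zone: str = ZONE, chunk: int = 30) -> list[str]:
    """Hex-encode `payload` into <seq>.<chunk>.<zone> query names.

    Assumed encoding for this example; the lab client's scheme is not documented.
    30 hex characters per label stays well under the 63-octet DNS label limit.
    """
    hexed = payload.hex()
    return [f"{seq:04x}.{hexed[pos:pos + chunk]}.{zone}"
            for seq, pos in enumerate(range(0, len(hexed), chunk))]


def split_name(qname: str, depth: int = 3) -> tuple[str, str]:
    """Split 'a.b.shopping.ddi.ninja' into ('a.b', 'shopping.ddi.ninja').

    Grouping on the last `depth` labels is a simplification; a real detector
    would use a public-suffix list to find the registrable domain.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-depth]), ".".join(labels[-depth:])


def label_entropy(text: str) -> float:
    """Shannon entropy in bits per character of the subdomain characters."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


@dataclass
class ZoneStats:
    queries: int = 0
    unique_subdomains: set = field(default_factory=set)
    label_chars: int = 0
    entropy_sum: float = 0.0


@dataclass
class ExfilDetector:
    """Per-zone behavioural detector; all thresholds are constructed for the example."""
    min_queries: int = 40          # observations needed before any verdict
    min_unique_ratio: float = 0.9  # encoded data almost never repeats a name
    min_label_chars: int = 1000    # volume of data carried in the labels
    min_entropy: float = 2.5       # encoded data looks random, hostnames do not
    stats: dict = field(default_factory=lambda: defaultdict(ZoneStats))
    flagged: set = field(default_factory=set)

    def observe(self, qname: str) -> str:
        """Return the policy action applied to this query."""
        sub, zone = split_name(qname)
        if zone in self.flagged:
            return "Block - No Redirect"
        st = self.stats[zone]
        st.queries += 1
        st.unique_subdomains.add(sub)
        chars = sub.replace(".", "")
        st.label_chars += len(chars)
        st.entropy_sum += label_entropy(chars)
        if (st.queries >= self.min_queries
                and len(st.unique_subdomains) / st.queries >= self.min_unique_ratio
                and st.label_chars >= self.min_label_chars
                and st.entropy_sum / st.queries >= self.min_entropy):
            self.flagged.add(zone)   # every later query to this zone is blocked
            return "Block - No Redirect"
        return "Allow - With Log"


def simulate(payload: bytes = SAMPLE_PAYLOAD) -> tuple[int, int]:
    """Run the client against a fresh detector; return (answered, blocked) counts.

    The answered queries correspond to the 'Data Received' lines the lab script
    prints before the domain is flagged.
    """
    detector = ExfilDetector()
    verdicts = [detector.observe(q) for q in exfil_queries(payload)]
    answered = verdicts.count("Allow - With Log")
    return answered, len(verdicts) - answered


if __name__ == "__main__":
    answered, blocked = simulate()
    print(f"{answered} queries answered before detection, {blocked} blocked afterwards")
```

Running the module prints how many queries were answered before the zone was flagged; with the constructed thresholds that is 39, the same order of magnitude as the 30 to 50 “Data Received” lines the lab describes. The four signals are deliberately combined: a busy CDN also produces many unique hostnames, and a random-looking hostname on its own is common, but a zone whose queries are almost all unique, carry kilobytes of high-entropy label data and keep arriving is rarely anything but a covert channel.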