THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

BloxOne Threat Defense and Threat Intelligence

Reply

Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped?
BounniW
Authority
Posts: 19

‎08-16-2022 06:40 AM

3217     0

Hi;

 

When I use Threat Insight to test DNS Exfiltration prevention, a small part of the document goes through "Exfiltrates". Now this part could be two raws including two client's credit card numbers. Yes, the list of credit cards was not completely exfiltrated, but part of it did leak, which is still an issue.

 

Is there a way to prevent this?

 

Kindly

Wasfi

Reply
0 Kudos

Re: Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped
aralvidra02
Superuser
Posts: 105

‎08-17-2022 01:11 AM

3218     0

Hi,

 

Threat insight works based on behavior analysis. the idea is Infoblox will look into the dns traffic and score the behavior based on:

 

- entropy or randomness

- N-Gram

- volume

- lexical

- frequency

 

so based on that it's expected infoblox will pass the dns query before it block the rest of dns exfiltration.

 

If you are sending data over txt file than you will get some data transfered, but if you try to exfiltrate some other extension like ppt, xls, jpg then you will get corrupted file

 

 

Reply

Re: Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped
BounniW
Authority
Posts: 19

‎08-17-2022 01:51 AM

3218     0

Thank you Aralvidra.

Reply
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements