THE GAME HAS CHANGED

Introducing Infoblox Universal DDI ManagementTM

Watch the launch to discover the new era of management for critical network services. Watch Now

BloxOne Threat Defense and Threat Intelligence

Reply

Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped?

Authority
Posts: 19
3460     1

Hi;

 

When I use Threat Insight to test DNS Exfiltration prevention, a small part of the document goes through "Exfiltrates". Now this part could be two raws including two client's credit card numbers. Yes, the list of credit cards was not completely exfiltrated, but part of it did leak, which is still an issue.

 

Is there a way to prevent this?

 

Kindly

Wasfi

Re: Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped

Superuser
Posts: 105
3460     1

Hi,

 

Threat insight works based on behavior analysis. the idea is Infoblox will look into the dns traffic and score the behavior based on:

 

- entropy or randomness

- N-Gram

- volume

- lexical

- frequency

 

so based on that it's expected infoblox will pass the dns query before it block the rest of dns exfiltration.

 

If you are sending data over txt file than you will get some data transfered, but if you try to exfiltrate some other extension like ppt, xls, jpg then you will get corrupted file

 

 

Re: Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped

Authority
Posts: 19
3461     1

Thank you Aralvidra.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You