Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped?
08-16-2022 06:40 AM
Hi,
When I use Threat Insight to test DNS exfiltration prevention, a small part of the document goes through ("exfiltrates"). This part could be two rows including two clients' credit card numbers. Yes, the list of credit cards was not completely exfiltrated, but part of it did leak, which is still an issue.
Is there a way to prevent this?
Kindly
Wasfi
Re: Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped
08-17-2022 01:11 AM
Hi,
Threat Insight works based on behavior analysis. The idea is that Infoblox looks into the DNS traffic and scores the behavior based on:
- entropy or randomness
- N-gram
- volume
- lexical
- frequency
So, based on that, it is expected that Infoblox will pass the DNS query before it blocks the rest of the DNS exfiltration.
If you are sending data over a txt file then you will get some data transferred, but if you try to exfiltrate some other extension like ppt, xls or jpg then you will get a corrupted file.
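To make the answer concrete, here is an added example (not Infoblox code and not Threat Insight's actual model) of a behavioral scorer built on the same signals, run over constructed queries to show why the first chunks of a stream are answered before blocking begins. ExfilScorer, its weights, the threshold and the sample names are all hypothetical.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(s):
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname):
    """(subdomain labels joined, base domain); base = last two labels, no PSL lookup."""
    parts = qname.rstrip(".").lower().split(".")
    return "".join(parts[:-2]), ".".join(parts[-2:])

class ExfilScorer:
    """Hypothetical behavioral scorer, not Infoblox's algorithm. Per (client, base
    domain) it combines subdomain entropy and length (lexical), queries per window
    (frequency) and bytes carried (volume). Queries pass until the running score
    crosses the threshold, so the first chunks of a stream are always answered."""
    def __init__(self, threshold=9.0, window=60):
        self.threshold, self.window = threshold, window
        self.history = defaultdict(list)  # (client, base) -> [(t, entropy, len)]
        self.blocked = set()              # keys already classified as exfiltration

    def process(self, t, client, qname):
        """Record one query and return 'ALLOW' or 'BLOCK'."""
        sub, base = split_name(qname)
        key = (client, base)
        if key in self.blocked:
            return "BLOCK"
        self.history[key].append((t, shannon_entropy(sub), len(sub)))
        recent = [h for h in self.history[key] if t - h[0] <= self.window]
        avg_entropy = sum(h[1] for h in recent) / len(recent)
        volume = sum(h[2] for h in recent)
        score = avg_entropy + volume / 64 + len(recent) / 4  # illustrative weights
        if score >= self.threshold:
            self.blocked.add(key)
            return "BLOCK"
        return "ALLOW"

# Constructed traffic: ordinary lookups, then 12 queries whose 40-char hex subdomains
# stand in for encoded file chunks (derived from a hash, not real data).
BENIGN = [(i, "10.0.0.5", n) for i, n in enumerate(["www.example.com", "mail.example.com", "cdn.example.com"])]
TUNNEL = [(i, "10.0.0.5", hashlib.sha256(b"chunk%d" % i).hexdigest()[:40] + ".badexample.invalid")
          for i in range(12)]

def verdicts(queries):
    """Run a fresh scorer over queries and return the per-query verdicts."""
    scorer = ExfilScorer()
    return [scorer.process(t, c, q) for t, c, q in queries]
```

The position of the first BLOCK in `verdicts(TUNNEL)` is the number of chunks that leaked; lowering the threshold trades that leak against false positives on ordinary lookups.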
Re: Threat insight stops DNS exfiltration but part of the document goes through, can this be stopped
08-17-2022 01:51 AM
Thank you Aralvidra.