Identifying threat activity - BlueCat Edge - Service Point v4.x.x

BlueCat Edge User Guide

Locale
English
Product name
BlueCat Edge
Version
Service Point v4.x.x

The DNS activity screen displays all DNS queries that go through a site and also flags suspect DNS queries as possible DGA or tunneling threats, based on certain indicators. Available information includes the date and time of the query, the source and site, the query name and type, the threat type and indicator, and the policy action (block, allow, monitor, or redirect) that was taken. You can filter the list by time, sites, site groups, threat types and indicators, and other criteria.

To view DNS queries that are flagged as possible threat indicators, click and select the Threat Type and Threat Indicator columns to add them to the DNS activity screen.

When a query comes in through a trusted policy, it may be flagged as Potential threat detected if the service point detects any threat indicators associated with the trusted domain.

Queries that are flagged as Potential threats detected contain additional information under the Threat Type and Threat Indicator columns.

About threat indicators
  • Advanced DGA: DGA (domain generation algorithm) is a technique used by malware to generate large numbers of domain names that can be used as rendezvous points with its (botnet) command and control servers.

    Queries that match the entropy indicator (analysis of the registered domain name indicates the characteristics of a DGA domain) are flagged as a potential DGA threat.

    Note: You must enable the advanced threat service to monitor DNS queries for DGA. For more information, refer to Configuring Advanced Threat Service.
  • Tunneling: DNS tunneling is the technique of encoding the data of other programs or protocols in DNS queries and responses.
    Queries that match any of the following indicators will be flagged as a potential tunneling threat:
    • uniqueChar: There are more than 27 unique characters in the host name.
    • uncommonRec: The record type isn't A, AAAA, PTR, CNAME, TXT, SOA, or SRV.
    • hostSize: The host name is more than 70 characters.
    • volTunnel: Volumetric analysis of queries indicating DNS tunneling.

    BlueCat Edge evaluates queries over a one-hour window. When a domain incurs more than 75 distinct queries that meet the tunneling criteria from a single client, BlueCat Edge adds it to a system-maintained domain list. The TTL (time to live) value indicates how long a domain remains on the list after it was last observed. For each domain on the list, its last-observed date and time is shown, along with its expiry date and time, which is derived from the TTL.

  • Suspected threat indicators: BlueCat Edge flags the following types of queries as suspected threats:
    • Suspect TLD: Queries that match a BlueCat Edge-maintained list of top-level domains known to be subject to abuse.
    • Suspect DNS: Queries that match domains which are known to be suspect.

    To find suspect queries in the DNS Activity list, filter by /threatind susdns or /threatind sustld.

    You can't base a policy on a threat indicator, but if you want to monitor or block suspect TLD or suspect DNS queries, create a domain list that matches the flagged queries, and add that to a policy.
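The following is an added illustration, not BlueCat Edge code, of how the tunneling indicators listed above (uniqueChar, uncommonRec, hostSize and the one-hour, 75-query volTunnel rule) could be evaluated against query logs. The thresholds are the ones stated on this page; the log line format, the sample queries, the "last two labels" registered-domain shortcut and counting distinct query names for volTunnel are assumptions made for the example.

```python
# Added example (not BlueCat Edge code): toy scorer for the tunneling indicators above.
from collections import defaultdict

COMMON_RECORDS = {"A", "AAAA", "PTR", "CNAME", "TXT", "SOA", "SRV"}
WINDOW_SECONDS = 3600   # queries are evaluated over a one-hour window
VOL_THRESHOLD = 75      # more than 75 distinct qualifying queries trips volTunnel

def static_indicators(qname, qtype):
    """Per-query checks that need no history: uniqueChar, uncommonRec, hostSize."""
    host = qname.rstrip(".")
    found = []
    if len(set(host)) > 27:
        found.append("uniqueChar")
    if qtype.upper() not in COMMON_RECORDS:
        found.append("uncommonRec")
    if len(host) > 70:
        found.append("hostSize")
    return found

class VolumetricTracker:
    """Distinct tunneling-candidate names per (client, domain) in a sliding hour."""
    def __init__(self):
        self.seen = defaultdict(dict)   # (client, domain) -> {qname: last_seen_ts}

    def observe(self, ts, client, qname, qtype):
        found = static_indicators(qname, qtype)
        if not found:                   # only tunneling-criteria queries count
            return found
        domain = ".".join(qname.rstrip(".").split(".")[-2:])  # assumed: last 2 labels
        bucket = self.seen[(client, domain)]
        bucket[qname] = ts
        for name, last in list(bucket.items()):
            if ts - last > WINDOW_SECONDS:   # expire names outside the window
                del bucket[name]
        if len(bucket) > VOL_THRESHOLD:
            found.append("volTunnel")
        return found

def scan(lines):
    """Constructed log format 'epoch client qname qtype' -> {(client, qname): hits}."""
    tracker, flagged = VolumetricTracker(), {}
    for line in lines:
        ts, client, qname, qtype = line.split()
        if hits := tracker.observe(float(ts), client, qname, qtype):
            flagged[(client, qname)] = hits
    return flagged

# Constructed sample: 76 distinct NULL-type names from one client within an hour.
SAMPLE = [f"{1700000000 + i} 10.0.0.5 c{i:02d}.exfil.example NULL" for i in range(76)]
SAMPLE.append("1700000100 10.0.0.5 www.example.com A")
```

Running `scan(SAMPLE)` flags every NULL query as uncommonRec and adds volTunnel to the 76th, while the ordinary A query is not flagged; a real deployment would feed the same logic from the DNS activity export rather than a constructed list.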