Example 4: Analyze identified threat behavior and block suspicious client activity - BlueCat DNS Edge

DNS Edge Deployment Guide

prodname
BlueCat DNS Edge

In this example, we examine the client requests exhibiting DGA or DNS Tunneling characteristics and shown as part of the Threat Activity table. The clients having a high incidence of client requests identified as threats are potentially employed in a DNS-based attack, communicating with the other end of a DNS Tunnel or the C&C bot herder.

After examining the queries identified as DNS Threats and creating an exception list with all domains that though suspicious looking, are used for legitimate purposes, we will block all traffic evaluated as a DNS Threat.

Examine client requests identified as threats

Note: For this test, it's best to wait until there is a significant amount of traffic to the DNS Edge service point.
  1. In DNS Edge, select the DNS Activity view and click the Threat Activity tab.
  2. In the Command bar, type /policyname Monitor IoT Devices, and press Enter. The client requests shown in this table have been evaluated by the Service Point as exhibitting either DNS Tunneling or DGA characteristics and represent only a subset of all DNS requests generated in your environment.
  3. Examine the table and take a note of any domains that despite their character makeup of their looked-up hostnames are used for legitimate purposes (for example, Anti-virus programs). Clicking on any query will bring up a modal with detailed information on the query, including the entire length of the looked-up hostname.
Create a domain list exhibiting markers of a DNS threat
  1. In the top navigation bar, click and select Domain Lists.
  2. Click to create a new domain list.
  3. For Name, enter IoT Allowed, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
  4. In the Domains field, type the list of domains reocurring in the Threat Activity but that represent a legitimate domain. You can press Enter after typing each domain name, or you can type multiple domains on one line separated by commas and press Enter.
  5. Click Save and Close.
Create a domain list representing all traffic
  1. In the top navigation bar, click and select Domain Lists.
  2. Click to create a new domain list.
  3. For Name, enter Non-malicious Domains, and for Description, enter a brief description for the list. For Type, keep the default User Defined.
  4. In the Domains field, type * and press Enter to represent all traffic.
  5. Click Save and Close.
Create a policy to block DNS traffic identified as a DNS threat
  1. In the top navigation bar, click and select Policies.
  2. Click to create a new policy.
  3. For Name, enter Block Threat Activity, and for Description, enter a brief description for the policy.
  4. For Type, select Block, and set the slider to Active.
  5. In the Sites field, start typing the name of a site, and then select the site you want to apply the policy to.
  6. Expand the Threat section, and in the Type drop-down, select Tunneling and then click to add it as a criteria. Repeat this step for DGA.
  7. Expand the Domain List section, and in the Exception List field, start typing Non-malicious Domains, and then select that domain list.
  8. Click Save & Apply.

Review the blocked threat activity

Note: For this test, it's best to wait until there is a significant amount of traffic to the DNS Edge service point.
  1. In DNS Edge, select the DNS Activity view , and then select the Threat Activity tab. Suspicious client requests targeting domains attached as exceptions to the blocking policy went through, all other requests identified as DGA or Tunneling have however been blocked.
  2. If any blocked queries represent legitimate traffic access, add their domain names to the Non-malicious Domains domain list.