02-02-2018 09:45 PM - edited 02-21-2020 07:17 AM
Hello all
Can anyone advise on the FTD’s capability to detect and mitigate DNS exfiltration attempts? Would there be a SNORT rule to detect such activity?
Thank you.
02-04-2018 12:28 AM - edited 02-04-2018 07:45 AM
I may be mistaken, but I don't believe it currently looks in the DNS payload to ascertain exfiltration attempts. Instead, FTD uses Security Intelligence feeds and lists from TALOS to determine which DNS domains are associated with attackers, CnC, DGAs etc. and allows you to block traffic based on that categorization.
Here's an article explaining that feature in more detail:
http://www.packetu.com/2016/07/03/understanding-firepower-dns-policies/
(Thanks to Paul Stewart @packetu for that.)
02-04-2018 06:49 AM
Thank you Marvin
I’ll need to double check to see what we have implemented. In the absence of the FTD actually checking the contents of the DNS packet, this may be the next best thing.
02-27-2020 03:27 PM
07-27-2023 09:40 AM
Is there any way to white list urls that match this?
02-25-2022 11:54 AM
Hi All,
In the same context of Data Exfiltration, what if the Exfiltrator is an internal employee? How can we leverage Firepower to detect and block this?
01-23-2024 03:59 PM - edited 01-23-2024 04:05 PM
I know this is an old topic. Talos blocks URLs and IP addresses, so it might be able to block something trying to send a command to exfiltrate data, but that doesn't detect the exfiltration. The IPS Snort rules have something to potentially detect forms of exfiltration (as mentioned above), so that might help as well.
I like to use an internal DNS server that will in turn run a DNS query to the root DNS servers, then block port 53 tcp/udp outgoing except for my DNS servers. That way no one can exfiltrate DNS data directly to the outside world. I also have the DNS Preprocessor enabled, which inspects DNS packets for malformed data. This preprocessor can also work with Snort, such as enabling rules 131:1, 131:2, and 131:3. Look at all GID 131 rules in case there are others.
Combine all of these techniques, and chances of DNS exfiltration are slim. But that may not save you, there are other ways to exfiltrate data. Skype. HTTPS uploads. Emails. Portable storage devices. Pineapples.
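Added example, not code from Cisco, FTD or any poster in this thread: a small Python heuristic that does the payload-level check the thread says FTD itself does not do. Run over DNS query logs from the internal resolver, it flags a client/parent-domain pair once many distinct, long, high-entropy leftmost labels show up, the shape that encoded data in subdomains takes. The log format, thresholds and sample entries are assumptions made for the example.

```python
"""Heuristic DNS-exfiltration detector over query logs (added example, not FTD/Snort code).

Shows the payload-level check the thread notes FTD does not do itself.
Constructed log format: "<epoch> <client-ip> <qname>", one query per line.
"""
import math
from collections import Counter, defaultdict

SAMPLE_LOG = """\
1517600001 10.0.0.5 www.example.com
1517600002 10.0.0.5 mail.example.com
1517600003 10.0.0.7 3q9f8a7b2c4d5e6f7a8b9c0d1e2f3a4b.tunnel.example.net
1517600004 10.0.0.7 9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a.tunnel.example.net
1517600005 10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel.example.net
1517600006 10.0.0.7 0f1e2d3c4b5a69788796a5b4c3d2e1f0.tunnel.example.net
1517600007 10.0.0.5 cdn.example.com
"""

def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parent_domain(qname, levels=2):
    """Crude registered-domain guess: the last `levels` labels (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-levels:])

def find_suspicious(log_text, min_unique=4, min_label_len=20, min_entropy=3.5):
    """Return (client, parent, n_long_labels, avg_entropy) for client/domain pairs
    whose leftmost labels are long, numerous and high-entropy (encoded data)."""
    seen = defaultdict(set)  # (client, parent) -> distinct leftmost labels
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the scan
        _, client, qname = parts
        seen[(client, parent_domain(qname))].add(qname.split(".")[0])
    findings = []
    for (client, parent), labels in seen.items():
        long_labels = [lab for lab in labels if len(lab) >= min_label_len]
        if len(long_labels) < min_unique:
            continue  # a few long labels (CDN hashes, etc.) are normal
        avg_ent = sum(shannon_entropy(lab) for lab in long_labels) / len(long_labels)
        if avg_ent >= min_entropy:
            findings.append((client, parent, len(long_labels), round(avg_ent, 2)))
    return findings

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious: client=%s domain=%s labels=%d entropy=%.2f" % hit)
```

Tune the thresholds against a baseline of your own resolver logs before alerting on them; legitimate CDN and anti-spam lookups also use long labels, which is why the count and entropy are combined.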