
Cisco FTD DNS Exfiltration Detection

Hello all

 

Can anyone advise on the FTD’s capability to detect and mitigate DNS exfiltration attempts? Would there be a SNORT rule to detect such activity? 

 

Thank you.

6 Replies

Marvin Rhoads
Hall of Fame

I may be mistaken, but I don't believe it currently looks in the DNS payload to ascertain exfiltration attempts. Instead, FTD uses Security Intelligence feeds and lists from TALOS to determine which DNS domains are associated with attackers, CnC, DGAs etc. and allows you to block traffic based on that categorization.

 

Here's an article explaining that feature in more detail:

 

http://www.packetu.com/2016/07/03/understanding-firepower-dns-policies/

 

(Thanks to Paul Stewart @packetu for that.)

Thank you Marvin

 

I’ll need to double check to see what we have implemented. In the absence of the FTD actually checking the contents of the DNS packet, this may be the next best thing.

ivanradevradev_
Level 1
Hi Devlin,

There is a Snort rule, MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (3:30881:4); if you enable it in your intrusion policies, it will see long DNS queries. It is kind of a TALOS property and it is not a rule that is open to read and edit. In my case it generates false positives, as we use legitimate names 72 symbols long.
Cheers!

Is there any way to whitelist URLs that match this?

 
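The two replies above describe the detection idea (a single very long label in a query name) and its main weakness (legitimate long names trip it, and the Talos rule cannot be edited to exempt them). The following is an added example, not Cisco or Talos code and not the logic of rule 3:30881:4, which is closed. It builds a few DNS query packets in RFC 1035 wire format (constructed samples), decodes the question name, applies label-length, total-length and entropy heuristics, and suppresses the alert for zones on an allowlist, which is the "whitelist" the follow-up question asks for. The thresholds, the allowlisted zones and the exfil domain are assumptions chosen for illustration.

```python
"""Heuristic DNS-exfiltration detector over constructed DNS query packets.

Added example; not Cisco/Talos code and not the internals of Snort rule
3:30881:4. Thresholds, allowlist and sample packets are assumptions.
"""
import base64
import math
import struct
from collections import Counter

# Tunables (assumptions, not the Talos rule's values).
MAX_LABEL_LEN = 52    # one label longer than this is unusual for human-named hosts
MAX_QNAME_LEN = 150   # total query-name length
MIN_ENTROPY = 3.8     # bits/char over the subdomain part, only checked when it is long
# Hypothetical zones whose long names are legitimate: alerts under them are suppressed.
ALLOWLIST = {"cdn.example.net", "telemetry.example.com"}


def build_query(qname, txid=0x1234):
    """Encode a minimal DNS A/IN query (RFC 1035 header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    name = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet):
    """Decode the first question name; questions never use compression pointers."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer inside question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels)


def shannon_entropy(text):
    """Bits per character; base32/hex-encoded payloads score higher than hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname):
    """Crude 'last two labels' approximation; use the public suffix list in production."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def is_allowlisted(qname):
    q = qname.lower().rstrip(".")
    return any(q == zone or q.endswith("." + zone) for zone in ALLOWLIST)


def analyze_query(packet):
    """Return a verdict dict for one DNS query packet."""
    qname = parse_qname(packet)
    labels = qname.split(".")
    subdomain = "".join(labels[:-2])  # the part an attacker controls under their zone
    reasons = []
    if max(len(lbl) for lbl in labels) > MAX_LABEL_LEN:
        reasons.append("long_label")
    if len(qname) > MAX_QNAME_LEN:
        reasons.append("long_qname")
    entropy = shannon_entropy(subdomain)
    if len(subdomain) >= 20 and entropy > MIN_ENTROPY:
        reasons.append("high_entropy")
    allowlisted = is_allowlisted(qname)
    return {"qname": qname, "base": registered_domain(qname), "entropy": round(entropy, 2),
            "reasons": reasons, "allowlisted": allowlisted,
            "alert": bool(reasons) and not allowlisted}


def scan(packets):
    """Names that would raise an alert, in packet order."""
    return [v["qname"] for v in map(analyze_query, packets) if v["alert"]]


# Constructed samples: a normal lookup, a 35-byte chunk of 'leaked' data base32-encoded
# into one 56-character label (the classic exfil pattern), and a long but legitimate
# name under an allowlisted zone (the false positive described in the thread).
LEAK_CHUNK = base64.b32encode(bytes(range(35))).decode("ascii")  # 56 chars, no padding
EXFIL_QNAME = "0." + LEAK_CHUNK + ".exfil.example.org"
LEGIT_LONG_QNAME = "very-long-but-legitimate-device-inventory-host-name-01.telemetry.example.com"
SAMPLE_PACKETS = [build_query("www.cisco.com"), build_query(EXFIL_QNAME),
                  build_query(LEGIT_LONG_QNAME)]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(analyze_query(pkt))
    print("alerts:", scan(SAMPLE_PACKETS))
```

The allowlist is applied after the heuristics rather than before, so the verdict still records that the legitimate name matched (`reasons` is filled, `alert` is false); that keeps a record of what is being exempted, which is what you lose when the only knob is disabling the Talos rule. A pure label-length check is blind to exfil that spreads the payload over several short labels, which is why the total-length and entropy checks are included, and to low-volume channels that look like ordinary lookups, which is why the egress controls discussed later in the thread matter more than any single signature.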

DannyDulin
Level 1

Hi All,

 

In the same context of Data Exfiltration, what if the Exfiltrator is an internal employee? How can we leverage Firepower to detect and block this?

bcoverstone
Level 1

I know this is an old topic. Talos blocks URLs and IP addresses, so it might be able to block something trying to send a command to exfiltrate data, but that doesn't detect the exfiltration. The IPS Snort rules have something to potentially detect forms of exfiltration (as mentioned above), so that might help as well.

I like to use an internal DNS server that will in turn run a DNS query to the root DNS servers, then block port 53 tcp/udp outgoing except for my DNS servers. That way no one can exfiltrate DNS data directly to the outside world. I also have the DNS Preprocessor enabled, which inspects DNS packets for malformed data. This preprocessor can also work with Snort, such as enabling rules 131:1, 131:2, and 131:3. Look at all GID 131 rules in case there are others.

Combine all of these techniques, and chances of DNS exfiltration are slim. But that may not save you, there are other ways to exfiltrate data. Skype. HTTPS uploads. Emails. Portable storage devices. Pineapples.
