20150928-plnog15___dns-to-zlo-public
Slide 1 | © 2013 Infoblox Inc. All Rights Reserved. © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL
DNS as the source of all evil on the network. That is, how to become your users' superhero
Adam Obszyński, [email protected]
Slide 2: Why Securing DNS is Critical
Unprotected, DNS increases risk to critical infrastructure and data.
• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• The DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats
Slide 3: DNS Security Gap
• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices not focused on DNS threats
• Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
• DNS security layer needed to complement existing security solutions
Slide 4: DNS Security Challenges
1. Defending against DNS DDoS attacks
2. Stopping APTs/malware from using DNS
3. Preventing data exfiltration via DNS
Slide 5: DNS Protection is Not Only About DDoS
Volumetric/DDoS Attacks:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
DNS-specific Exploits:
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking
Slide 6: APTs: The New Threat Landscape
• Malicious traffic is visible on 100% of corporate networks (1)
• Every minute a host accesses a malicious website (1)
• The question isn’t if, but when you will be attacked, and how effectively you can respond
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data
Source: (1) Cisco 2014 Annual Security Report
Operational sophistication:
• Organized and well funded
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• “Watering hole” target groups on trusted sites
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Coordinated attacks: distract big, strike precisely
Slide 7: Malware Examples
CryptoLocker
• Targets Windows-based computers in the form of an email attachment
• Upon infection, encrypts files on the local hard drive and mapped network drives
• If the ransom isn’t paid, the encryption key is deleted and the data is irretrievable
Gameover Zeus (GOZ)
• 500,000 – 1M infections globally and 100s of millions of dollars stolen
• Uses P2P communication to control infected devices or botnet
• Takes control of private online transactions and diverts funds to criminal accounts
Slide 8: DNS Tunneling
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, TCP, or web within DNS
• Enables attackers to easily pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Impact:
• Data exfiltration or malware insertion can happen through the tunnel
[Diagram: ENTERPRISE / INTERNET; client-side tunnel program, IP traffic, encoded IP in DNS queries, DNS terminal server]
Slide 9: Data Exfiltration over DNS Queries (Malware Steals File Containing Sensitive Data)
• Infected endpoint gets access to a file containing sensitive data
• It encrypts and converts the info into an encoded format
• Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data reconstructed at the other end
• Can use spoofed addresses to avoid detection
[Diagram: ENTERPRISE / INTERNET; infected endpoint, DNS server, attacker-controlled server thief.com (C&C); labels: Data, C&C commands. Example query names shown:]
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
Slide 10: How Infoblox Secures DNS
Slide 11: Hardened DNS Appliances
Conventional Server Approach (Multiple Open Ports):
• Many open ports are subject to attack.
• Users have OS-level account privileges on the server.
• Requires time-consuming manual updates.
Hardened Appliance Approach (Limited Port Access, Update Service, Secure Access):
• Dedicated hardware with no unnecessary logical or physical ports
• No OS-level user accounts—only admin accounts
• Immediate updates to new security threats
• Secure HTTPS-based access to device management
• No SSH or root-shell access
• Encrypted device-to-device communication
• Hardware-based security & DNS acceleration
Slide 12: Internal DNS Security Deployment
[Diagram: ENTERPRISE / INTERNET separated by a Firewall; Infoblox Internal DNS Security receives updates for DNS attacks and malicious domains from the Infoblox Automated Threat Intelligence Service. Flows shown: legitimate query to Good.com; DNS DDoS attacks from the Attacker detected and dropped; data exfiltration to the Thief (SSN:123456789.foo.thief.com, PESEL:77050502143.foo.thief.com) detected and dropped; malware sites Badsite1.com, Badsite2.com, Badsite3.com blocked]
Slide 13: Protection Against Internal DNS Attacks
DNS attacks detected & dropped by Infoblox Internal DNS Security:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Malformed DHCP requests
[Diagram: ENTERPRISE / INTERNET with Firewall and Infoblox Automated Threat Intelligence Service; legitimate traffic passes, DNS DDoS and DNS tunneling are marked as dropped]
Slide 14: DNS Firewall: Protection Against APTs/Malware
1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall looks at the DNS response and takes an admin-defined action (disallows communication to the malware site or redirects traffic to a landing page or “walled garden” site).
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:
• Device IP address
• Device MAC address
• Device type/OS (DHCP fingerprint)
• Device host name
• Device lease history
• AD login name
• Switch/port/VLAN
4. An update will occur every 2 hours (or more often for a significant threat).
[Diagram: INTRANET / INTERNET; Malware/APT spreads within the network and calls home to Malicious Domains; Infoblox threat update device supplies IPs, domains, etc. of bad servers; blocked communication attempt sent to Syslog]
Slide 15: DNS Firewall: Automatic and Customizable Threat Intelligence
[Diagram: Infoblox DNS Firewall fed by Pre-defined Lists (Malware droppers, Botnet C&C/DNS servers, Geographic blocks, Inbound attacks), User-defined Lists (user-defined RPZ behaviors) and a Custom Feed]
• Automatic ongoing protection against APTs/malware without intervention, downtime or patching
• Choose from lists of threat categories and sources
• Implement whitelists, blacklists, and RPZ actions based on client
• Benefits: flexibility and performance
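The admin-defined RPZ behaviour described on slides 14 and 15 (block a feed-listed name with NXDOMAIN, redirect to a walled garden, let a user whitelist win, log the blocked attempt to syslog) can be modelled in a few lines. This is an added illustration, not Infoblox code; the rule table, the walled-garden hostname and the log format are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy table modelled on the deck: feed-supplied bad domains plus
# a user-defined whitelist. "*." entries cover the apex and every name under it;
# plain entries match only that exact name. Domains and actions are assumptions.
FEED_RULES = {
    "badsite1.com": "NXDOMAIN",
    "*.badsite2.com": "WALLED_GARDEN",
    "*.thief.com": "NXDOMAIN",
}
WHITELIST = {"ok.badsite2.com"}               # user-defined passthru, wins over feed
WALLED_GARDEN = "walled-garden.corp.example"  # assumed landing-page hostname

@dataclass
class Verdict:
    qname: str
    action: str             # PASSTHRU, NXDOMAIN or WALLED_GARDEN
    rule: Optional[str]     # matching policy entry, None on passthru
    answer: Optional[str]   # rewritten answer for WALLED_GARDEN

def normalize(qname):
    return qname.lower().rstrip(".")

def match_rule(name):
    """Most specific matching entry: walk from the full name up to the TLD,
    checking the exact entry (full name only) and the wildcard at each level."""
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if i == 0 and suffix in FEED_RULES:
            return suffix
        if "*." + suffix in FEED_RULES:
            return "*." + suffix
    return None

def evaluate(qname):
    """Decide what the firewall does with the response for qname."""
    name = normalize(qname)
    rule = None if name in WHITELIST else match_rule(name)
    if rule is None:
        return Verdict(name, "PASSTHRU", None, None)
    action = FEED_RULES[rule]
    answer = WALLED_GARDEN if action == "WALLED_GARDEN" else None
    return Verdict(name, action, rule, answer)

def syslog_line(client_ip, verdict):
    """Blocked attempt as a syslog-style line (format assumed), keyed by client
    IP so the device can later be pinpointed via DHCP lease and AD login data."""
    return (f"dns-firewall client={client_ip} qname={verdict.qname} "
            f"rule={verdict.rule} action={verdict.action}")
```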
Slide 16: What is DNS data exfiltration?
DNS Tunneling vs DNS Exfiltration
• Tunneling is the mechanism by which attackers exfiltrate data
• Tunneling is also used to bypass wifi hotspots and to do anti-virus updates
Malware frequently uses DNS to exfiltrate data
• Hackers know that the DNS port is always open and available
• Stolen data is broken into small chunks, often encrypted and encoded to avoid detection
• Exfiltrated data is decrypted and reassembled at the other end
This detection IS NOT a substitute for Data Loss Protection products
• DLP products protect against leakage via email, web, ftp and other vectors
• We cover one use case – one that these products typically don’t – but not the whole market
Data Exfiltration via host/subdomain (simplified/unencrypted example):
Jane-Doe.foo.thief.com
SSN-543112197.foo.thief.com
DOB-04-10-1999.foo.thief.com
MC-7895206822348781.foo.thief.com
CCV-567-E-10-21.foo.thief.com
John-Public.bar.thief.com
SSN-9845762093.bar.thief.com
DOB-01-22-1943.bar.thief.com
V-3850384711230911.bar.thief.com
CCV-434-E-11-19.bar.thief.com
Example malware that uses DNS tunnels: FrameworkPOS, FeederBot, MotoMorto, PlugX, Win32.Zbot.chas/Unruy.H, Win32.Mufanom.vha, Win32.AutoTsifiri.n, Win32.Hiloti
Slide 17: Data Exfiltration via DNS Tunneling: Real Customer Example
• File containing sensitive info converted to text, broken into chunks and exfiltrated via DNS
• Exfiltrated data put back together and decrypted to get the valuable information
• Used spoofed addresses
Slide 18: Data Exfiltration Protection with Infoblox DNS Threat Analytics
Slide 19: How DNS Threat Analytics Work
• DNS Threat Analytics detects tunneling based on the patterns of requests.
  • Looks at TXT, A and AAAA records
  • Finds tunneling by using lexical and temporal analysis, looking for signs that the requests are data exfiltration
  • Adds destinations to an internal RPZ feed automatically
• Products: Internal DNS Security/DNS FW
Note: DNS based detection IS NOT a substitute for Data Loss Protection products.
Analysis Model: Entropy, Lexical, N-Gram, Frequency, Size
Slide 20: Behavior / Infoblox analytics
• Entropy
• Lexical: are they words?
• N-Gram: contiguous sequence of n items
• Time Series: number of queries (overall), number of queries to a domain
• Size: generally speaking, queries should not all be uniform in size
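An added example (not Infoblox's analytics) that computes the features slides 19 and 20 name, entropy, lexical shape, size and query volume, per registered domain over a constructed query log modelled on slide 16's unencrypted sample. The thresholds and the last-two-labels rule for the registered domain are assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (modelled on the deck's unencrypted example
# plus ordinary lookups); not real traffic.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.com", "www.example.com",
    "Jane-Doe.foo.thief.com", "SSN-543112197.foo.thief.com",
    "DOB-04-10-1999.foo.thief.com", "MC-7895206822348781.foo.thief.com",
    "CCV-567-E-10-21.foo.thief.com", "John-Public.bar.thief.com",
    "SSN-9845762093.bar.thief.com", "DOB-01-22-1943.bar.thief.com",
]

def shannon_entropy(text):
    """Bits per character; encoded chunks score higher than real hostnames."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname):
    """(subdomain part, registered domain); assumes the registered domain is
    the last two labels. A real deployment would use the public suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def domain_features(queries):
    """Per registered domain: volume (time-series proxy), size, entropy and a
    lexical digit ratio (the slide's 'are they words?')."""
    groups = defaultdict(list)
    for q in queries:
        sub, dom = split_name(q)
        groups[dom].append(sub)
    feats = {}
    for dom, subs in groups.items():
        joined = "".join(subs)
        feats[dom] = {
            "queries": len(subs),
            "unique": len(set(subs)),
            "mean_len": sum(len(s) for s in subs) / len(subs),
            "entropy": shannon_entropy(joined),
            "digit_ratio": sum(ch.isdigit() for ch in joined) / max(len(joined), 1),
        }
    return feats

def suspicious_domains(queries, min_queries=5, min_len=10, min_entropy=3.5, min_digit_ratio=0.3):
    """Domains whose labels are all distinct, long, high-entropy and digit-heavy.
    Thresholds are assumed; tune them against your own traffic baseline."""
    feats = domain_features(queries)
    return sorted(dom for dom, f in feats.items()
                  if f["queries"] >= min_queries and f["unique"] == f["queries"]
                  and f["mean_len"] >= min_len and f["entropy"] >= min_entropy
                  and f["digit_ratio"] >= min_digit_ratio)
```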
Slide 21: Contextual Reporting: Intelligence Needed to Take Action
• Attack details by category, member, rule, severity, and time
• Drill-down analytics and visualization of the entire network
• List of top infected clients with associated user names (enabled by Microsoft AD integration)
• CISO/Executive report with top APT/malware threats
Slide 22: Integrations – Cisco, FireEye, Bit9 etc. Only Team wins!
Slide 24: Security Product Strategy
[Diagram: INTRANET / INTERNET. Global Threat Intelligence Platform: Malicious Domains. Infoblox Internal DNS Security & DNS Firewall: Harden DNS, Anti-Malware & Data Exfiltration. Infoblox External DNS Security: DNS DDoS, Exploits, Reflection, Amplification. Security Operations & Ecosystem: SaaS/Cloud, DDOS, NAC, APT/Malware, SIEM, Business Intelligence. Infoblox DDI Security]
Slide 25: Find DNS Threats in your Network
Slide 26: Send Us Your PCAP Files
• Infoblox analyzes and provides insights on malicious activity in seconds
• Report on findings to take back to management
Slide 27: Q&A