PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DNS-owej mości, Adam Obszyński

1 | © 2013 Infoblox Inc. All Rights Reserved.1 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL
DNS – przyjaciel e-szpiegów i e-złodziei.
Analityka w służbie jej DNS-owej mości.
Adam Obszyński

Why Securing DNS is Critical
Unprotected, DNS increases risk to critical infrastructure and data
#1
protocol for
volumetric
reflection/
amplification
attacks
DNS is critical
networking
infrastructure
DNS protocol is
easy to exploit and
attacks are
prevalent
Traditional security
is ineffective against
evolving threats

DNS tunneling attacks
let infected endpoints
or malicious insiders
exfiltrate data.
Attackers have recently
used DNS tunneling in
cases involving the theft of
millions of accounts.5
of large businesses
have experienced
DNS exfiltration.6
46%
Goal of Malicious Actors
• Hacktivism
• Espionage
• Financial
Data Targets
• Regulated Data
• PII (personally identifiable information)
• Intellectual property
• Company financials, payroll data
Average consolidated
cost of a data breach7
$3.8M

CryptoLocker
• Targets Windows-based computers in form of email attachment
• Upon infection, encrypts files on local hard drive and mapped
network drives
• If ransom isn’t paid, encryption key deleted and data
irretrievable
Gameover Zeus (GOZ)
• 500,000 – 1M infections globally and100s of millions of dollars
stolen
• Uses P2P communication to control infected devices or botnet
• Takes control of private online transactions and diverts funds to
criminal accounts
Malware Examples

DNS Firewall

Infoblox DNS Firewall – How it Works
An infected device brought into the office.
Malware spreads to other devices on network.1
Malware makes a DNS query to find “home” (botnet /
C&C). DNS Firewall looks at the DNS response and
takes admin-defined action (disallows communication
to malware site or redirects traffic to a landing page or
“walled garden” site).
2
Pinpoint. Infoblox Reporting lists DNS Firewall
action as well as the:
• User name (if AD)
• Device IP address
• Device MAC address (if DHCP)
• Device type (if DHCP fingerprint)
3 An update will occur every 2 hours (or more
often for significant threat).4
Additional threat intelligence from sources
outside Infoblox can also be used by DNS
Firewall (e.g. FireEye)
5
Malware/APT
Malicious Domains
Infoblox threat
intelligence service
IPs, Domains, etc. of Bad
Servers
Blocked communication attempt
sent to Syslog
Malware/APT spreads within
network; calls home
INTERNET
INTRANET
Infoblox DNS Firewall

Automatic and Customizable Threat Intelligence
Malware
droppers
Botnet C&C/
DNS servers
Geographic
blocks
Malware
droppers
Infoblox
DNS Firewall
Pre-defined Lists
Inbound
attacks
User-defined Lists
User-defined
RPZ behaviors
Custom
Feed
Custom
Feed
• Automatic ongoing protection
against APTs/malware without
intervention, downtime or
patching
• Choose from lists of threat
categories and sources
• Implement whitelists, blacklists,
and RPZ actions based on
client
• Benefits: flexibility and
performance

DNS Firewall Keeps Subscribers Safe
Provides protection against growing malware threats
Infoblox DNS Firewall
• Mitigates access to
malicious sites
58% growth in malware
sites in 2Q2015
“…security is now among the
top three elements consumers
consider when choosing a mobile
operator, after pricing and network
coverage…”
“…52% of consumers would
switch providers after a major
data breach…”

Advanced DNS Protection

DNS Protection is Not Only About DDoS
Volumetric/DDoS Attacks DNS-specific Exploits
DNS reflection
DNS amplification
TCP/UDP/ICMP floods
NXDOMAIN attack
Phantom domain attack
Random subdomain attack
Domain lockup attack
DNS-based exploits
DNS cache poisoning
DNS tunneling
Protocol anomalies
Reconnaissance
DNS hijacking
Domain lockup attack

ADP: Using Signatures to Detect Tunneling
Infoblox Internal
DNS Security
Tunneling
detected & dropped
LegitimateTraffic
DNSTunneling
LegitimateTraffic
DNSTunneling
x x
Firewall
Infoblox Automated
Threat Intelligence
Service
INTERNET
ENTERPRISE
• Most standard DNS Tunneling toolkits
(like Iodine) have well known
signatures
• Infoblox Internal DNS Security has 12
different threat protection rules that use
these signatures to detect tunneling
attempts
• Allows immediate blocking
• As new signatures become available,
customers get automatic updates
through the threat intelligence service

ADP: Using Signatures to Detect Tunneling
NIOS 7.3.x

DNS & Data Exfiltration

• Uses DNS as a covert communication channel to
bypass firewalls
• Attacker tunnels other protocols like SSH, or web
within DNS
• Enables attackers to easily insert malware, pass
stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control
channel for a compromised internal host
Examples:
̶ Iodine
̶ OzymanDNS
̶ SplitBrain
̶ DNS2TCP
Exfiltrating Data via DNS Tunneling
Encoded IP
in DNS queries
INTERNET
ENTERPRISE
Client-side
tunnel program
DNS
terminal server
IP traffic
Internet

Data Exfiltration over DNS Queries
• Infected endpoint gets access to file containing
sensitive data
• It encrypts and converts info into
encoded format
• Text broken into chunks and sent via DNS using
hostname.subdomain or TXT records
• Exfiltrated data reconstructed at the other end
• Can use spoofed addresses to avoid detection
INTERNET
ENTERPRISE
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
NameMarySmith.foo.thief.com
DOB10191952.foo.thief.com
Infected
endpoint
DNS server
Attacker controller
server- thief.com
(C&C)
DataC&C commands
MarySmith.foo.thief.com
SSN-543112197.foo.thief.com
DOB-04-10-1999.foo.thief.com
Data Exfiltration via host/subdomain
Simplified/unencrypted example:

What the Bad Guys are After and Why
PII (Personally
Identifiable Information)
Information like social security numbers of employees or customers
that cybercriminals can use to steal identity, or sell in the
underground market for profit
Regulated Data Data related to PCI DSS and HIPAA compliance that can be misused
Intellectual Property Data that can give an organization a competitive advantage
Other Sensitive
Information
Credit card numbers, company financials, payroll and emails
Hacktivism Espionage Financial Profit

DEMO #1

Topology – DEMO #1
We are safe…
Source The EVIL one:
INTERNET
Bartender
:-)
192.168.0.235
MacGyver

Securing DNS To Block Data Exfiltration
~ Artificial Intelligence

Infoblox DNS Threat Analytics
Using Real-time Streaming Analytics
• Detects sophisticated data exfiltration techniques
which don’t have well known signatures (zero day)
- Models the behavior of DNS queries
- Looks at TXT records, A, AAAA records
- Detects presence of data using lexical and
temporal analysis
- Automatic adds destinations to internal RPZ
feed
- Scales protection to all parts of the network
• Not a substitute for DLP products.
Analysis
Model
Entropy
Lexically
N-GramFrequency
Size

Entropy
•Does the request
contain lots of
information?
Frequency/Size
•It is unusual to
send many
different
requests to the
same external
domain.
Lexical Analysis
•Does it appear to
be encoded or
encrypted?
n-Gram
Analysis
•Does the
request
contain words
in a
language?
Proprietary
methods
•False positive
mitigation
•Other indicators
and factors
How the Analytics Model Works
Adds to score Adds to score Adds to score
Subtracts
from score Adjusts score
• Analytics algorithms are sophisticated and complex
• Simplifying greatly, certain attributes add to a threat score, others subtract from it
• All attributes are evaluated and weighted
• After all attributes are evaluated, a final score will classify a request as exfiltration
or not
• If the finding is exfiltration, the destination DNS server is added to a special RPZ
zone that contains the block, log, redirect policy

Infoblox DNS Threat Analytics Deployment
Minimum appliance size: 20x0
PT-2200, PT-4000, TE-22x0, TE-4010, TE-V22x0
Add on to ADP appliances
Add on to non-ASIC (non-ADP) appliances
Adds ZONEs to DNS Firewall feed

Infoblox DNS Threat Analytics
Active Blocking of Data Exfiltration Attempts
Automatically adds destinations to RPZ feed and scales enforcement to all parts of
network through Grid wide update
Integrated into DNS
Data exfiltration protection built directly into DNS, providing real-time protection without
need for additional network infrastructure or end point agents
Unique Patented Technology
Uses machine learning and performs real-time streaming analytics on live queries; uses
advanced math (entropy, lexical analysis and time series) to determine presence of data
Visibility
Pinpoints infected devices or potential rogue employees that try to steal data

DEMO #2

Topology – DEMO #2
We are aware.
Source The EVIL one:
INTERNET
Bartender
:-)
MacGyver
192.168.0.233
192.168.0.235

Security eq Partnership

Security Ecosystem Solutions Available today
Vendor Integration Type
FireEye Policy enforcement using DNS Firewall based on threat intelligence received
from FireEye Appliance
ThreatConnect (New) Policy enforcement using DNS Firewall based on threat intelligence received
from ThreatConnect
Bit9+Carbon Black Automatic Remediation on Endpoint using Carbon Black based on indicator of
compromise published by Infoblox
CISCO ISE • Enforcement of NAC policy using CISCO ISE based on indicator of
compromise published by Infoblox
• Data Enrichment use-cases for IB and CISCO ISE
Rapid7 (New) • Asset Discovery using Infoblox
• Automatic real-time scan based on Infoblox

Automating Response Through Infoblox / Cisco ISE
Customer Value
• Visibility into what users and devices are communicating with
bad domains associated with data exfiltration
• User/device visibility increases confidence in taking mitigation
actions
• ISE access is enabled when Network Insight joins the Grid
Infoblox DDI
DNS FW Events
DNS Threat Analytics
Events
DHCP Leases
Cisco ISE
• ISE quarantines device
• Informs vulnerability
scanner to scan device

Extending pxGrid Data to Other Community Members
Rapid Threat Containment
Cisco ISE
DNS Query to C&C
Infected device
1
Internal DNS Security
DNS Firewall
Malicious Domain
2
Notify ISE of Indicator of
Compromise with IP / MAC data
3
ISE Quarantines Device
4
Infoblox IPAM updated
with quarantine status
5
ISE Requests Device Scan
and Remediation
6
Rapid7 scans device
and remediates threat
7
Reports remediation, updates
status to not quarantined
8
9

Summary

Thank You

PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DNS-owej mości, Adam Obszyński

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DNS-owej mości, Adam Obszyński

Similar a PLNOG16: DNS – przyjaciel e-szpiegów i e-złodziei.Analityka w służbie jej DNS-owej mości, Adam Obszyński (20)

Último

Último (9)