Post on 25-Apr-2020
A First Line of Defense Between your Organization and the Internet
OpenDNS Cloud-Security & Threat Intelligence
2 CONFIDENTIAL
First, A Quick Refresher on DNS
• AUTHORITATIVE DNS: owns and publishes the “phone books”
• DOMAIN REGISTRAR: maps and records names to numbers in the “phone books”
• RECURSIVE DNS: looks up and remembers the numbers for each name
Big Data: ~3% of Global DNS
• Requests per day: 90B
• Countries: 160+
• Daily active users: 65M
• Enterprise customers: 10K
Gather Intelligence & Enforce Security at the DNS Layer
[Diagram: an OpenDNS user sends queries to OpenDNS recursive DNS, which resolves them through the authoritative hierarchy (root → com. → domain.com.). Two data sources feed the intelligence: request patterns seen by the recursive resolvers and logs from authoritative DNS.]
Request patterns are used to detect:
• Compromised systems
• Command & control callbacks
• Malware & phishing attempts
• Algorithm-generated domains
• Domain co-occurrences
• Newly registered domains
Authoritative logs are used to find:
• Newly staged infrastructures
• Malicious domains, IPs, ASNs
• DNS hijacking
• Fast flux domains
• Related domains
DNS-Layer Network Security Should Block Threats Others Miss
[Diagram: web C2 (DNS lookup, then a connection over ports 80 & 443) versus non-web C2 (direct to IP)]
• 91% of C2 can be blocked at the DNS layer
• 15% of C2 bypasses web ports 80 & 443
Where Do You Enforce Security?
[Diagram: threats from the Internet (malware, C2/botnets, phishing) cross a FIRST LAYER, then MID LAYER perimeter controls (router/UTM, sandbox, proxy, NGFW, NetFlow), and finally the LAST LAYER on the endpoint (AV).]
CHALLENGES
• Too many alerts via appliances & AV
• Wait until payloads reach target
• Too much time to deploy everywhere
BENEFITS
• Alerts reduced 2-10x; improves your SIEM
• Traffic & payloads never reach target
• Provision globally in UNDER 30 MINUTES
WHY? Top Use Cases to Add OpenDNS to Customer’s Security Stack
• OFF-NETWORK SECURITY: 50% of PCs are already mobile [1]
• SECURE DIRECT-TO-NET OFFICES: 70% of offices go direct to Internet [2]
• NEW LAYER OF PREDICTIVE SECURITY: 91% of malware uses DNS [3]
• SPEED UP INCIDENT RESPONSE: only 4% of alerts are investigated per week
• AUTOMATE ENFORCEMENT & VISIBILITY: mean time-to-contain threats 26-39 hours [4]
Sources: (1) Gartner, (2) Forrester, (3) Cisco Security Report, and (4) Ponemon
OpenDNS Product Portfolio: Umbrella (Enforcement) & Investigate (Threat Intelligence)
[Diagram: SECURITY LABS feeds both products.]
Umbrella (Enforcement), resolver 208.67.222.222
• Categories: malware, C2 callback, phishing, custom (API)
• Identities: internal IP, hostname, AD user, hostname
Investigate (Intelligence), via API
• Inputs: domain, IP, ASN, email, hash
• Outputs: status & scores, co-occurrences, relationships, attributions, patterns & GEOs
UMBRELLA: The Fastest & Easiest Way To Prevent Threats Before They Reach You
BENEFITS
• Simple to point DNS w/o technical or pro services
• No hardware to install, no software to maintain
• Provision globally in under 30 minutes
• Infinitely scalable enforcement platform
[Diagram: resolver 208.67.222.222 enforcing categories (malware, C2 callbacks, phishing, custom (API)) per identity (internal IP, hostname, AD user, hostname)]
The Power of Integrating Umbrella + AMP Threat Grid: Automate Enforcement & Visibility
[Diagram: customer, community, and customer & partner sources submit files to AMP Threat Grid; the domains it discovers flow to Umbrella.]
AMP THREAT GRID: unified analysis & intelligence
• Dynamic & static malware analysis identifies key behavioral indicators
• Threat content enriched with global & historical context for accuracy
UMBRELLA: enforcement & visibility
• Automatically pulls newly discovered malicious domains in minutes
• Logs & blocks all Internet activity destined to these domains
INVESTIGATE: The Most Powerful Way To Uncover Threats Before They Happen
KEY POINTS
• Intelligence about domains and IPs across the Internet
• Live graph of DNS requests and other contextual data
• Correlated against statistical models
• Discover & predict malicious domains & IPs
• Enrich security data with global intelligence
[Diagram: inputs (domain, IP, ASN, email, hash) submitted via the console or the API (SIEM, etc.) return status & scores, co-occurrences, relationships, attributions, patterns & GEOs.]
Our Security Intelligence Is Different Than Others: a single, correlated source of information
INVESTIGATE capabilities (the slide compares each against competing vendors and marks three of them “OpenDNS Only”):
• WHOIS record data
• ASN attribution
• IP geolocation
• IP reputation scores
• Domain reputation scores
• Domain co-occurrences
• Anomaly detection (DGAs, FFNs)
• DNS request patterns/geo. distribution
• Passive DNS database
Investigate Demo with Sergio Silva, OpenDNS Consulting Systems Engineer
Pivot Through the Attack Infrastructure with Just One Piece of Information (1/2)
• Alerts and risk scores: summarise the suspicious activity identified for the domain.
• Domain tagging: shows the history of when the domain was associated with malware or botnet activity.
• Global request patterns: show an abnormal spike in traffic, which highlights when the attack launched.
• IP geography analysis: reveals the domain is hosted by IP addresses on different networks in more than 20 countries, which, for instance, is unusual for legitimate country code top-level domains.
• Analysis of IP requester location: shows the vast majority of requests for this domain are coming from people located in a certain country, which could signify a more targeted attack.
• WHOIS record data: shows the domain was recently created and registered by someone who used the same email address to register other malicious domains.
Pivot Through the Attack Infrastructure with Just One Piece of Information (2/2)
• Mappings of IP prefixes and ASNs: highlight where the domain is hosted and confirm it’s hosted in a “bad neighborhood” with many other malicious domains. You can pivot on the IP or ASN for more details.
• Passive DNS data: provides insight into the history of the mapping between domains and IPs. For example, this domain was associated with different IPs when it was first detected.
• Named threat attribution: confirms that the domain was associated with a particular malware family or botnet C&C.
• Related domains and co-occurrences: identify other domains that were queried with a high statistical frequency right before or after this one and are likely related to the same attack.
• Anomaly detection: includes identifying that this is a fast flux domain, a technique used to hide malware sites behind IPs that are constantly changing.
Starting from a single piece of data, you’re able to quickly investigate the domain leveraging a single, correlated source and speed up incident response.
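The co-occurrence idea above (other domains the same clients queried shortly before or after the domain under investigation) can be computed from resolver query logs. This is an added example, not OpenDNS/Cisco code: the log format, the 60-second window and the sample log are constructed assumptions, and the score is simply the fraction of target requesters that also queried the candidate domain inside the window.

```python
"""Domain co-occurrence from DNS query logs (added example, not
OpenDNS/Cisco code). Log format, window size and SAMPLE_LOG are
constructed assumptions standing in for real resolver logs."""
from collections import defaultdict

WINDOW_SECONDS = 60

# Constructed sample log: (client_id, unix_timestamp, queried_domain)
SAMPLE_LOG = [
    ("c1", 1000, "cdn.example"), ("c1", 1010, "bad-stage.example"),
    ("c1", 1020, "target.example"), ("c1", 1030, "payload.example"),
    ("c2", 2000, "target.example"), ("c2", 2040, "payload.example"),
    ("c2", 5000, "news.example"),
    ("c3", 3000, "bad-stage.example"), ("c3", 3050, "target.example"),
    ("c4", 4000, "news.example"),
]


def co_occurrences(log, target, window=WINDOW_SECONDS):
    """Return [(domain, support)] sorted by support, where support is the
    fraction of clients that queried `target` and also queried `domain`
    within +/- `window` seconds of one of their `target` lookups."""
    by_client = defaultdict(list)
    for client, ts, domain in log:
        by_client[client].append((ts, domain))

    clients_per_domain = defaultdict(set)
    requesters = 0
    for client, events in by_client.items():
        target_times = [ts for ts, d in events if d == target]
        if not target_times:
            continue  # this client never asked for the target
        requesters += 1
        for ts, domain in events:
            if domain == target:
                continue
            if any(abs(ts - t) <= window for t in target_times):
                clients_per_domain[domain].add(client)

    if requesters == 0:
        return []
    scored = [(d, len(c) / requesters) for d, c in clients_per_domain.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))
```

On the sample log, bad-stage.example and payload.example score 2/3 (two of the three requesters saw them inside the window) while news.example never co-occurs, which is the separation the deck describes.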
Your local intelligence: you know one IOC.
Our global context: we know all its relationships.
Prioritize Incident Investigation + Response
Inputs:
• List of IPs from threat intel feeds
• SIEM events about endpoint activity
• Network patterns from IDS/firewall
[Diagram: sample indicators from the three sources, e.g. 1.227.187.67, excite[.]su, ns4[.]rhzq[.]at, 162.209.116.14 (labelled “Known malware”), outofspain[.]com, kickoffkit[.]com (labelled “No malicious activity”), 109.86.11.184, muzalabels[.]com]
Query the Investigate API and prioritize based on global context.
Speed Up Investigations
• Discover attack details with IP and ASN reputation: the domain and IP are located in a “bad neighborhood”; this domain has a suspicious ASN score.
• Determine if malicious with attribution and tagging: this domain is attributed to the following attack: CryptoWall Ransomware.
• See spikes in global requests to a domain. [Chart: DNS queries/hour, 2K-4K scale, 4/16 through 5/2]
• Domain associated with many IPs with very short TTL.
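The last signal (many IPs, short TTLs) and the hosting-diversity signal from the pivot walkthrough (IPs across many networks and countries) can be scored from passive DNS data. This is an added example, not OpenDNS/Cisco code: the record format, the thresholds and the sample records are constructed assumptions, and a real Investigate response would first be parsed into the same tuples.

```python
"""Fast-flux and hosting-diversity heuristics over passive DNS records
(added example, not OpenDNS/Cisco code). Record format, thresholds and
SAMPLE_PDNS are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class PdnsRecord:
    domain: str
    ip: str
    ttl: int      # seconds
    asn: int
    country: str  # ISO 3166-1 alpha-2

# Constructed sample: one domain cycling through hosts, one stable domain.
# IPs are from documentation ranges; ASNs from the documentation range.
SAMPLE_PDNS = [
    PdnsRecord("flux.example", "203.0.113.5", 60, 64501, "US"),
    PdnsRecord("flux.example", "198.51.100.77", 60, 64502, "DE"),
    PdnsRecord("flux.example", "192.0.2.9", 120, 64503, "BR"),
    PdnsRecord("flux.example", "203.0.113.200", 60, 64501, "KR"),
    PdnsRecord("flux.example", "198.51.100.8", 30, 64504, "RU"),
    PdnsRecord("stable.example", "192.0.2.44", 86400, 64510, "US"),
    PdnsRecord("stable.example", "192.0.2.45", 86400, 64510, "US"),
]


def hosting_features(records, domain):
    """Distinct IPs, ASNs and countries plus mean TTL for one domain."""
    rs = [r for r in records if r.domain == domain]
    return {
        "ip_count": len({r.ip for r in rs}),
        "asn_count": len({r.asn for r in rs}),
        "country_count": len({r.country for r in rs}),
        "mean_ttl": mean(r.ttl for r in rs) if rs else 0.0,
    }


def looks_fast_flux(records, domain, max_ttl=300, min_ips=5, min_asns=3):
    """True when the domain resolved to many IPs across several ASNs with
    short TTLs. Thresholds are illustrative: tune them against known-good
    CDN domains, which also spread across IPs but keep stable ASNs."""
    f = hosting_features(records, domain)
    return (f["ip_count"] >= min_ips and f["asn_count"] >= min_asns
            and f["mean_ttl"] <= max_ttl)
```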
Stay Ahead of Attacks
• Find related infrastructure
• Pivot (domain → IP address → ASN) to build out a view of the attacker’s infrastructure
• UMBRELLA: enforce protection
Speed up investigations with WHOIS
• Query a suspicious domain found in proxy logs
• Find the site was registered by a privacy protection service
• Historical data shows previous registrants; looks like someone was trying to cover their tracks…
• Pivot to find other malicious domains: the domain was registered with an email used with other malicious domains
• See name server history and uncover other contact information
Single, correlated source
Stay ahead of attacks with WHOIS
• Start with a known registrar of past APT1 domains
• Find 31 domains currently registered
• Pivot on a suspicious-looking domain
• Pivot on the IP to uncover malicious domains to proactively block
3 clicks to uncover attackers’ infrastructure
Enrich Other Systems With Real-time Data
Automatically enrich incident tickets
§ Helpdesk tickets automatically updated with Investigate results
§ Ex: end user logs a ticket saying a site is blocked; Investigate gives context about why
Vet new firewall rules before implementing
§ When adding new FW rule, use Investigate to automatically annotate notes with scoring details
Check new domains
§ Query Investigate with net new domains requested by users to see if they’re suspicious
§ Vet domains added to public-facing community pages
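The same enrichment loop serves both the “prioritize based on global context” slide and the ticket/firewall-rule/new-domain use cases above: merge indicators from several sources, refang them, enrich each once and rank. This is an added example, not OpenDNS/Cisco code: FAKE_INTEL is a constructed stand-in for Investigate API responses (the status convention -1 malicious / 0 unknown / 1 benign is an assumption), and only the two indicators the deck labels get a verdict; the rest are deliberately left unknown.

```python
"""Triage indicators from several sources with a global-context lookup
(added example, not OpenDNS/Cisco code). FAKE_INTEL stands in for an
Investigate API call; assumed status: -1 malicious, 0 unknown, 1 benign.
Only the two entries the deck labels carry a verdict."""
import ipaddress
import re

# Constructed stand-in for API responses, keyed by refanged indicator.
FAKE_INTEL = {
    "162.209.116.14": {"status": -1, "attribution": "Known malware"},
    "kickoffkit.com": {"status": 1, "attribution": "No malicious activity"},
}
# Sample inputs as they arrive: feeds and logs often defang with "[.]".
SOURCES = {
    "threat_feed": ["1.227.187.67", "excite[.]su", "ns4[.]rhzq[.]at"],
    "siem": ["162.209.116.14", "kickoffkit[.]com", "1.227.187.67"],
    "ids": ["109.86.11.184", "muzalabels[.]com", "162.209.116.14"],
}


def refang(ioc):
    """Undo the common "[.]" defanging so the value can be queried."""
    return ioc.strip().lower().replace("[.]", ".")


def ioc_type(ioc):
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain" if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", ioc) else "unknown"


def prioritize(sources):
    """Merge indicators across sources, enrich each once, and rank them:
    malicious first, then unknown, then benign; ties by source count."""
    merged = {}
    for name, iocs in sources.items():
        for raw in iocs:
            ioc = refang(raw)
            entry = merged.setdefault(ioc, {"ioc": ioc, "type": ioc_type(ioc), "sources": set()})
            entry["sources"].add(name)
    ranked = []
    for entry in merged.values():
        if entry["type"] == "unknown":
            continue  # not something the lookup can answer
        entry.update(FAKE_INTEL.get(entry["ioc"], {"status": 0, "attribution": None}))
        entry["score"] = {-1: 20, 0: 10, 1: 0}[entry["status"]] + len(entry["sources"])
        ranked.append(entry)
    return sorted(ranked, key=lambda e: (-e["score"], e["ioc"]))
```

For a ticketing or firewall-rule integration, the ranked entries (verdict, attribution, reporting sources) are what gets written back as the annotation.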