Is your DNS protected?

Transcript of "Is your DNS protected?"

Fernando Zamai – [email protected]

Security Consulting

Aug, 2016

It can be your attack vector.

Is your DNS protected?

[Diagram: attack chain across the enterprise network, showing the Attacker, the Perimeter (Inbound and Outbound), a C2 Server, an Admin Node, and two hacked hosts: Mail Server – acme.com and Web Server – jangle.com]

1. Research targets
2. Spear Phishing ([email protected]) carrying the link https://welcome.to.jangle.com/exploit.php
3. Victim clicks link unwittingly
4. Bot installed, back door established and receives commands from C2 server
5. Scan LAN for vulnerable hosts to exploit & find privileged users
6. Privileged account found (Admin Node)
7. Data exfiltrated
8. System compromised and data breached

Vulnerabilities, Exploits, Malware

Hacked Mail Server – acme.com

Hacked Web Server – jangle.com

Main Vectors

Evolution of Command & Control Callbacks

HARD-CODED IP: @23.4.24.1

"FAST FLUX": bad.com? resolving in turn to @23.4.24.1, @34.4.2.110, @[email protected], @129.3.6.3

DOMAIN GENERATION ALGORITHM: bad.com? @34.4.2.110, baa.ru?, bid.cn @8.2.130.3, @12.3.2.1, @67.44.21.1

DNS Tunnel

[Diagram: an infected host encodes data (10011001 11100010 11010100 10010010 01001000) into the name it queries; the DNS Server authoritative for bad.net decodes it and answers, with the same bit pattern shown on the answer side, i.e. data flows out in the query name and back in the answer]

DNS Query: alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net

DNS Answer: alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net = 2.100.4.30

http://blog.talosintel.com/2016/06/detecting-dns-data-exfiltration.html
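As an added example (not from the deck or the Talos post), a small Python detector in the spirit of the linked article: it reads constructed resolver log lines and flags base domains that receive long, high-entropy subdomain labels, the data-carrying channel of the tunnel shown on the slide. The log format, the thresholds and the two-label base-domain split are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log (timestamp, client, queried name); not data from the deck.
SAMPLE_LOG = """\
2016-08-01T10:00:01 10.0.0.5 www.cisco.com
2016-08-01T10:00:02 10.0.0.5 alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net
2016-08-01T10:00:03 10.0.0.5 mail.acme.com
2016-08-01T10:00:04 10.0.0.5 qpwoeirutyalskdjfhgzmxncbvqpwoeirutyalskd.bad.net
2016-08-01T10:00:05 10.0.0.7 cdn.example.org
2016-08-01T10:00:06 10.0.0.5 zmxncbvqpwoeirutyalskdjfhgqwertyuiopasdfg.bad.net
2016-08-01T10:00:07 10.0.0.7 localhost
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score well above ordinary hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname: str):
    """Return (subdomain, base). Assumption: base is the last two labels;
    production code should use the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname.lower()
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def is_suspicious(sub: str, min_len: int = 30, min_entropy: float = 3.0) -> bool:
    """Assumed thresholds: a label this long and this random-looking is rare in legitimate names."""
    return len(sub) >= min_len and shannon_entropy(sub) >= min_entropy

def find_tunnel_candidates(log_text: str) -> dict:
    """Aggregate suspicious queries per base domain: many distinct encoded labels
    under one domain is the pattern the slide depicts."""
    counts, uniq = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines rather than crash the detector
        sub, base = split_name(fields[2])
        if sub and is_suspicious(sub):
            counts[base] += 1
            uniq[base].add(sub)
    return {b: {"queries": counts[b], "unique_subdomains": len(uniq[b])} for b in counts}

if __name__ == "__main__":
    for base, stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(f"{base}: {stats}")
```

Tune the thresholds against your own resolver logs before alerting; CDN and anti-spam lookups also produce long labels, so the per-domain unique-label count is the more useful signal.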

Authoritative DNS

[Diagram: the DNS hierarchy, root → com. → cisco.com.]

Where Do You Enforce Security?

[Diagram: threats from the INTERNET (MALWARE, C2/BOTNETS, PHISHING) pass through a FIRST LAYER at the Perimeter, a MID LAYER of appliances (ROUTER/UTM, SANDBOX, PROXY, NGFW, NETFLOW), and a LAST LAYER of AV on each Endpoint]

CHALLENGES vs. BENEFITS

Too Many Alerts via Appliances & AV  ->  Alerts Reduced 2-10x; Improves Your SIEM

Wait Until Payloads Reach Target  ->  Traffic & Payloads Never Reach Target

Too Much Time to Deploy Everywhere  ->  Provision Globally in UNDER 30 MINUTES

What We Observe On The Internet

Requests Per Day: 80B

Countries: 160+

Daily Active Users: 65M

Enterprise Customers: 10K

Our Perspective: Diverse Set of Data

Our View of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, Whois, DNS)

We See Where Attacks Are Staged: using modern data analysis to surface threat activity in unique ways

Ingest millions of data points per second -> Apply statistical models and human intelligence -> Identify probable malicious sites

How Our Security Classification Works

[Diagram: a graph of related domains, IPs and URLs (a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)]

PRODUCTS & TECHNOLOGIES

UMBRELLA (Enforcement): Network security service protects any device, anywhere

INVESTIGATE (Intelligence): Threat intelligence about domains & IPs across the Internet

A New Layer of Breach Protection

Threat Prevention: Not just threat detection

Protects On & Off Network: Not limited to devices forwarding traffic through on-prem appliances

Turn-Key & Custom API-Based Integrations: Does not require professional services to set up

Block by Domains, IPs & URLs for All Ports: Not just ports 80/443 or only IPs

Always Up to Date: No need for device to VPN back to an on-prem server for updates

UMBRELLA (Enforcement)

A Single, Correlated Source of Information

INVESTIGATE

WHOIS record data

ASN attribution

IP geolocation

IP reputation scores

Domain reputation scores

Domain co-occurrences

Anomaly detection (DGAs, FFNs)

DNS request patterns/geo. distribution

Passive DNS database

Investigate

[Demo screenshots: ACIRP - Associação Comercial e Empresarial de São José do Rio Preto, http://www.acirpsjriopreto.com.br/; culturaembrasilia.com, php-code Imprimir.php; both flagged as Suspect Behaviour]

OpenDNS Works With Everything You Use

FUTURE-PROOF EXTENSIBILITY

ANY NETWORK: Routers, Wi-Fi, SDN

ANY ENDPOINT: VPN, IoE

ANY TECHNOLOGY: Firewalls, Gateways

SECURE APIs OPEN TO EVERYONE

SECURITY PROVIDERS: FireEye, Cisco, Check Point

NETWORK PROVIDERS: Meraki, Aruba, Aerohive

CUSTOMERS: In-house Security Systems

How OpenDNS Complements On-Network Security Stack

ENDPOINT SECURITY (block by file, behavior)

NETWORK FIREWALL (block by IP, packet)

WEB PROXY (block by URL, content)

OpenDNS UMBRELLA (block by domain/IP, URL)

Security Everywhere: Cisco's Strategy

[Diagram: coverage across Branch, Campus Edge, Operational Technology, Cloud, Data Center and Endpoint]

1. CLOUD SERVICE W/ FULL SELF-PROVISIONED TRIAL: Point DNS traffic from one office without hardware or software and without network topology changes or device configuration changes

2. ADD OFF-NET COVERAGE & PER-DEVICE VISIBILITY: Protect your weakest links and identify which specific devices (or users) are targeted by attacks; self-updating software is required

3. EXTEND PROTECTION & ENRICH DATA VIA APIs: Help SOC teams get more value out of existing investments like FireEye, and help incident response teams investigate threats faster

Get Started in 30 Seconds… Really