Is Your DNS Protected? (O seu DNS está protegido)
Uploaded by: cisco-do-brasil
Transcript of "Is Your DNS Protected?" (O seu DNS está protegido)
Fernando Zamai – [email protected]
Security Consulting
Aug 2016
It can be your attack vector.
Is your DNS protected?
Attack chain (diagram: Attacker outside; enterprise network with Perimeter (Inbound) and Perimeter (Outbound); Admin Node inside; C2 Server outside)
1. Research targets
2. Spear Phishing: https://welcome.to.jangle.com/exploit.php
3. Victim clicks link unwittingly
4. Bot installed, back door established and receives commands from C2 server
5. Scan LAN for vulnerable hosts to exploit & find privileged users
6. Privileged account found (Admin Node)
7. Data exfiltrated
8. System compromised and data breached
Vulnerabilities, Exploits, Malware
Hacked Mail Server – acme.com
Hacked Web Server – jangle.com
Evolution of Command & Control Callbacks: Main Vectors
HARD-CODED IP: @23.4.24.1
"FAST FLUX": @23.4.24.1; bad.com? @34.4.2.110, @129.3.6.3
DOMAIN GENERATION ALGORITHM: bad.com? @34.4.2.110; baa.ru?; bid.cn @8.2.130.3, @12.3.2.1, @67.44.21.1
DNS Tunnel (diagram: infected host, DNS Server, attacker-controlled zone bad.net)
Data to exfiltrate (bits): 10011001 11100010 11010100 10010010 01001000
DNS Query: alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net
DNS Answer: alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net = 2.100.4.30
Bits recovered by the attacker's DNS server: 10011001 11100010 11010100 10010010 01001000
http://blog.talosintel.com/2016/06/detecting-dns-data-exfiltration.html
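The tunnel slide shows why DNS exfiltration is detectable: each data chunk becomes a new, long, random-looking leftmost label under one attacker domain. The following detector, an added example that is not part of the deck or of any Cisco/OpenDNS product, scores that pattern over a constructed DNS query log; the log format, thresholds and the two-label base-domain rule are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the deck): "<client> <qname>" per line.
# The first bad.net name is the deck's own tunnel example; the other two are made up.
SAMPLE_LOG = """\
10.0.0.5 www.cisco.com
10.0.0.5 alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net
10.0.0.5 zpqmwxv2krt8nhlcdyfugeo93abvhsjq1lkwertyu.bad.net
10.0.0.5 b4k2p0qzxncmvl9ahs7dfgjteruyiowp.bad.net
10.0.0.7 mail.acme.com
10.0.0.7 blog.talosintel.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; encoded data scores far higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Assumed registrable domain: the last two labels (no public-suffix list here)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_tunnel_candidates(log_text, max_label=30, min_entropy=3.5, min_unique=3):
    """Return {base_domain: count} for domains receiving several distinct
    long, high-entropy leftmost labels, the fingerprint of a DNS tunnel."""
    per_base = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines rather than crash on them
        qname = parts[1].lower()
        first = qname.split(".")[0]
        if len(first) > max_label and shannon_entropy(first) >= min_entropy:
            per_base[base_domain(qname)].add(first)
    return {b: len(s) for b, s in per_base.items() if len(s) >= min_unique}


if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))  # {'bad.net': 3}
```

In production the same counters would run per client and per time window, since a tunnel also stands out by query volume and by never repeating a name.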
Authoritative DNS hierarchy: root, com., cisco.com.
Where Do You Enforce Security? (diagram: threats from the INTERNET: MALWARE, C2/BOTNETS, PHISHING; FIRST LAYER at the Perimeter: ROUTER/UTM, NGFW, SANDBOX, PROXY, NETFLOW; MID LAYER; LAST LAYER at the Endpoint: AV)
CHALLENGES
Too Many Alerts via Appliances & AV
Wait Until Payload Reaches Target
Too Much Time to Deploy Everywhere
BENEFITS
Alerts Reduced 2-10x; Improves Your SIEM
Traffic & Payloads Never Reach Target
Provision Globally in UNDER 30 MINUTES
Requests Per Day: 80B
Countries: 160+
Daily Active Users: 65M
Enterprise Customers: 10K
Our Perspective: Diverse Set of Data
Our View of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, Whois, DNS)
Ingest millions of data points per second
Apply statistical models and human intelligence
Identify probable malicious sites
How Our Security Classification Works (diagram of related domains and IPs: a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)
PRODUCTS & TECHNOLOGIES
UMBRELLA (Enforcement): Network security service protects any device, anywhere
INVESTIGATE (Intelligence): Threat intelligence about domains & IPs across the Internet
A New Layer of Breach Protection (UMBRELLA Enforcement)
Threat Prevention: Not just threat detection
Protects On & Off Network: Not limited to devices forwarding traffic through on-prem appliances
Turn-Key & Custom API-Based Integrations: Does not require professional services to set up
Block by Domains, IPs & URLs for All Ports: Not just ports 80/443 or only IPs
Always Up to Date: No need for device to VPN back to an on-prem server for updates
A Single, Correlated Source of Information
INVESTIGATE
WHOIS record data
ASN attribution
IP geolocation
IP reputation scores
Domain reputation scores
Domain co-occurrences
Anomaly detection (DGAs, FFNs)
DNS request patterns/geo. distribution
Passive DNS database
Investigate example (screenshot): ACIRP - Associação Comercial e Empresarial de São José do Rio Preto, http://www.acirpsjriopreto.com.br/; related: culturaembrasilia.com, php-code Imprimir.php
OpenDNS Works With Everything You Use
FUTURE-PROOF EXTENSIBILITY: ANY NETWORK (Routers, Wi-Fi, SDN); ANY ENDPOINT (VPN, IoE); ANY TECHNOLOGY (Firewalls, Gateways)
SECURE APIs OPEN TO EVERYONE: SECURITY PROVIDERS (FireEye, Cisco, Check Point); NETWORK PROVIDERS (Meraki, Aruba, Aerohive); CUSTOMERS (In-house Security Systems)
How OpenDNS Complements On-Network Security Stack
ENDPOINT SECURITY (block by file, behavior)
NETWORK FIREWALL (block by IP, packet)
WEB PROXY (block by URL, content)
OpenDNS UMBRELLA (block by domain/IP, URL)
Security Everywhere: Cisco's Strategy (Branch, Campus Edge, Operational Technology, Cloud, Data Center, Endpoint)
1. CLOUD SERVICE W/ FULL SELF-PROVISIONED TRIAL: Point DNS traffic from one office without hardware or software and without network topology changes or device configuration changes
2. ADD OFF-NET COVERAGE & PER-DEVICE VISIBILITY: Protect your weakest links and identify which specific devices (or users) are targeted by attacks; self-updating software is required
3. EXTEND PROTECTION & ENRICH DATA VIA APIs: Help SOC teams get more value out of existing investments like FireEye, and help incident response teams investigate threats faster
Get Started in 30 Seconds... Really