Transcript of Richard Langston (uploaded by dansk-it; category: Technology)
Securing DNS against malware threats & the importance of an integrated security ecosystem
Richard Langston, Senior Product Manager Security, Infoblox
Presentation at DANSK IT's conference It-sikkerhed 2016, Thursday 4 February 2016
2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL
Overview on Security Richard Langston, Sr. Product Manager, Security
Why is DNS so vital?
DNS cannot go down, because everything in the network depends on it. But why not turn DNS from a vulnerability that has to be engineered around into an asset that can be leveraged? Brand, customer satisfaction, and employee productivity all depend on DNS being secure, reliable, and fast.
DNS is a great tool for bad guys to exploit
• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• The DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats
DNS is a top attack vector: DNS is vulnerable to attacks and exploitations (*Cloudmark 2014 report)
DoS attacks by protocol: DNS 76%, NTP 11%, HTTP 9%, Other 4%
Exfiltration by protocol: DNS 45%, HTTP 40%, FTP 7%, Other 8%
Threat levels on DNS are increasing
Why DNS Security
• In a recent survey 66 percent of U.S. respondents reported that their organization suffered a DNS attack within the last 12 months:
  - Loss of Internet service (63 percent)
  - Increase in customer complaints (42 percent)
  - Loss of confidential customer information (33 percent)
• Recently Lenovo and Google were victims of "domain hijacking":
  - Visitors to Google's Vietnamese site were redirected to another site.
  - Visitors to Lenovo's site were maliciously redirected to a defaced site controlled by the well-known hacker group Lizard Squad.
• Many of the recent high-profile attacks either used DNS to exfiltrate data, or the malware used has evolved to use DNS.
Source: http://www.itbusinessedge.com/slideshows/top-dns-threats-and-how-to-deal-with-them-06.html
DNS Security Challenges
1. Defending against DNS DDoS attacks
2. Stopping APTs/malware from using DNS
3. Preventing data exfiltration via DNS
DNS Security - How to detect threats?
• Reputation
• Signature
• Behavior
Defending against DDoS attacks
The Rising Tide of DNS Threats: Are You Prepared?
• In the last year alone there has been an increase of 216% in DNS attacks (1) and 47% in DDoS attacks (2).
• With possible amplification of up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.
• 33M: number of open recursive DNS servers (3).
• 28M: pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks (3).
• 2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant.
1. Prolexic Quarterly Global DDoS Attack Report, Q4, 2013; 2. Prolexic Quarterly Global DDoS Attack Report, Q1, 2014; 3. www.openresolverproject.org
Evolving DNS Attacks and More…
Volumetric/DDoS Attacks:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
Protocol-specific Exploits (DNS-based exploits):
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking
• Domain lockup attack
• Malformed DHCP requests
Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)
How the attack works (Attacker -> open resolvers on the Internet -> Target Victim):
• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplices)
• Attacker sends spoofed queries to the open recursive servers
• Uses queries specially crafted to result in a very large response
• Causes DDoS on the victim's server
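The reflector side of this attack is where a DNS operator can act: a server that answers every identical query from the same (spoofed) source at full size is the amplifier. The following is an added example, not code from the presentation or from Infoblox, that simulates response rate limiting (RRL) over constructed traffic: 40 spoofed ANY queries claiming to come from a victim address and three ordinary A queries from a legitimate client. The `Response` record, the limiter parameters and the byte sizes are all assumptions made for the example; the per-/24 bucketing and the "slip" of truncated replies mirror the behaviour RRL implementations use, so the reader can see why the victim receives a fraction of the bytes while the real client is unaffected.

```python
"""Response rate limiting (RRL) on a DNS server, the standard defence against being used
as a reflector. Added example; the limiter, the Response record and the sample traffic
are all constructed here, not Infoblox code."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Response:
    ts: float            # time the query arrived, seconds
    client: str          # source IP of the query; in a DrDoS this is the spoofed victim
    qname: str
    qtype: str
    rcode: str
    query_bytes: int     # UDP payload size of the query
    response_bytes: int  # UDP payload size of the full answer


class RateLimiter:
    """Counts identical answers per client network per second."""

    def __init__(self, responses_per_second=5, slip=2, prefix_len=24):
        self.rps = responses_per_second
        self.slip = slip                  # every slip-th over-limit reply is sent truncated
        self.prefix_len = prefix_len      # clients are grouped by /24 so a spoofer cannot
        self.counts = defaultdict(int)    # dodge the limit by varying the low address bits
        self.over = defaultdict(int)

    def _key(self, r):
        net = ip_network(f"{r.client}/{self.prefix_len}", strict=False)
        return (int(r.ts), str(net), r.qname.lower(), r.qtype, r.rcode)

    def decide(self, r):
        k = self._key(r)
        self.counts[k] += 1
        if self.counts[k] <= self.rps:
            return "answer"
        # Over the limit: a truncated (TC=1) reply is query-sized, so it does not amplify,
        # and a genuine client retries over TCP, which a spoofed source cannot complete.
        self.over[k] += 1
        if self.slip and self.over[k] % self.slip == 0:
            return "truncate"
        return "drop"


def amplification(r):
    """Bytes a reflector sends per byte an attacker sends, for one query/response pair."""
    return r.response_bytes / r.query_bytes


def simulate(responses, limiter=None):
    """Run the traffic through the limiter; return per-client actions and bytes emitted."""
    limiter = limiter or RateLimiter()
    summary = defaultdict(lambda: {"answer": 0, "truncate": 0, "drop": 0, "bytes_sent": 0})
    for r in sorted(responses, key=lambda x: x.ts):
        action = limiter.decide(r)
        s = summary[r.client]
        s[action] += 1
        if action == "answer":
            s["bytes_sent"] += r.response_bytes
        elif action == "truncate":
            s["bytes_sent"] += r.query_bytes  # TC reply carries only the question section
    return dict(summary)


def bytes_without_rrl(responses, client):
    """What the same client would have received with no limiter at all."""
    return sum(r.response_bytes for r in responses if r.client == client)


# Constructed traffic: 40 spoofed ANY queries for a large record set, all within one
# second and all claiming to come from the victim, plus three ordinary A queries from a
# legitimate client. The addresses are documentation ranges.
VICTIM = "198.51.100.7"
SAMPLE = [Response(i * 0.02, VICTIM, "example.com", "ANY", "NOERROR", 64, 3200)
          for i in range(40)]
SAMPLE += [Response(0.1 + i * 0.3, "192.0.2.25", "www.example.com", "A", "NOERROR", 60, 120)
           for i in range(3)]

if __name__ == "__main__":
    print("amplification of one ANY query:", amplification(SAMPLE[0]))
    result = simulate(SAMPLE)
    print("victim without RRL:", bytes_without_rrl(SAMPLE, VICTIM), "bytes")
    print("victim with RRL:   ", result[VICTIM])
    print("legit client:      ", result["192.0.2.25"])
```

With the defaults, the victim address receives 5 full answers and 17 truncated ones instead of 40 full answers (17,088 bytes instead of 128,000), while the legitimate client's three queries are answered normally. RRL only protects others from your server; closing open recursion to outside networks is the complementary fix the "33M open recursive DNS servers" figure points at.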
Random Subdomain Attack (Slow Drip)
• Infected clients create queries by prepending randomly generated subdomain strings to the victim's domain, e.g. xyz4433.yahoo.com
• Each client may only send a small volume of these queries to the DNS recursive server
• Harder to detect
• Multiple of these infected clients send such requests
Impact
• Responses may never come back from these non-existing subdomains
• DNS recursive server waits for responses, outstanding query limit exhausted
• Target domain's auth server experiences DDoS
How the attack works: bot/bad clients send queries with random strings prefixed to the victim's domain (e.g. xyz4433.yahoo.com) to the DNS recursive servers (ISP); the flood of queries for non-existent subdomains causes resource exhaustion on the recursive servers and a DDoS on the target victim domain (e.g. yahoo.com).
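The resolver-side damage described above comes from one victim zone consuming the resolver's whole outstanding-query budget. The following is an added example, not code from the presentation or from Infoblox, that models a recursive server with a global fetch quota and an optional per-zone quota, and replays a constructed event stream: 60 bots asking for 60 different random-looking labels under one zone whose authoritative server never answers, interleaved with five ordinary queries for another zone. The `Resolver` class, the quota values and the event format are assumptions made for the example; `distinct_names_per_zone` is the simple detection signal (many never-seen names under one zone) that the slide calls "harder to detect" at the individual-client level.

```python
"""Per-zone recursion quota on a resolver, which keeps a random-subdomain (slow drip) flood
against one victim zone from exhausting the resolver's outstanding-query budget for
everyone else. Added example with a constructed event stream; not Infoblox code."""
from collections import defaultdict


def zone_of(qname, depth=2):
    """The zone a name belongs to, approximated as its last `depth` labels (assumption:
    no public-suffix handling, so example.co.uk-style names would need depth=3)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])


class Resolver:
    """Tracks in-flight upstream fetches. A fetch is refused (SERVFAIL to the client)
    when the global quota or the per-zone quota is full."""

    def __init__(self, total_quota=100, per_zone_quota=10, timeout=2.0):
        self.total_quota = total_quota
        self.per_zone_quota = per_zone_quota   # None disables the per-zone limit
        self.timeout = timeout
        self.outstanding = {}                  # qname -> time the fetch was sent
        self.stats = defaultdict(lambda: {"sent": 0, "servfail": 0, "answered": 0, "timed_out": 0})

    def _zone_outstanding(self, zone):
        return sum(1 for q in self.outstanding if zone_of(q) == zone)

    def query(self, ts, qname):
        self._expire(ts)
        zone = zone_of(qname)
        if qname in self.outstanding:          # same name already in flight: coalesce
            return "coalesced"
        zone_full = (self.per_zone_quota is not None
                     and self._zone_outstanding(zone) >= self.per_zone_quota)
        if len(self.outstanding) >= self.total_quota or zone_full:
            self.stats[zone]["servfail"] += 1
            return "servfail"
        self.outstanding[qname] = ts
        self.stats[zone]["sent"] += 1
        return "fetch"

    def answer(self, ts, qname):
        if self.outstanding.pop(qname, None) is not None:
            self.stats[zone_of(qname)]["answered"] += 1

    def _expire(self, ts):
        for q, start in list(self.outstanding.items()):
            if ts - start > self.timeout:
                del self.outstanding[q]
                self.stats[zone_of(q)]["timed_out"] += 1


def run(events, resolver):
    """events: ("q", ts, qname) for a client query, ("a", ts, qname) for an upstream answer."""
    for kind, ts, qname in sorted(events, key=lambda e: e[1]):
        if kind == "q":
            resolver.query(ts, qname)
        else:
            resolver.answer(ts, qname)
    return {zone: dict(s) for zone, s in resolver.stats.items()}


def distinct_names_per_zone(events):
    """Detection signal: how many distinct names were asked for under each zone. A large
    count of never-seen names under one zone is the slow-drip fingerprint."""
    names = defaultdict(set)
    for kind, _, qname in events:
        if kind == "q":
            names[zone_of(qname)].add(qname.lower())
    return {zone: len(n) for zone, n in names.items()}


# Constructed stream: 60 bots each ask for one random-looking label under victim.example
# within 0.6 s, and the victim's authoritative server never answers. Five ordinary queries
# for good.example arrive in the same period and are answered 50 ms later.
def _label(i):  # deterministic stand-in for a bot's random label
    return f"x{i:03d}{(i * 7919) % 65536:04x}"


EVENTS = [("q", i * 0.01, f"{_label(i)}.victim.example") for i in range(60)]
for i in range(5):
    EVENTS.append(("q", 0.105 + i * 0.1, f"www{i}.good.example"))
    EVENTS.append(("a", 0.155 + i * 0.1, f"www{i}.good.example"))

if __name__ == "__main__":
    print("distinct names:", distinct_names_per_zone(EVENTS))
    print("no per-zone quota:", run(EVENTS, Resolver(total_quota=30, per_zone_quota=None)))
    print("per-zone quota 10:", run(EVENTS, Resolver(total_quota=30, per_zone_quota=10)))
```

With only a global quota of 30, the victim zone fills it and three of the five unrelated queries fail; with a per-zone quota of 10, the victim zone is capped at 10 in-flight fetches and every unrelated query is resolved. The per-zone count in `_zone_outstanding` is a linear scan for clarity; a production resolver keeps a counter per zone.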
Stopping APTs/malware
APTs: The New Threat Landscape
• Malicious traffic is visible on 100% of corporate networks (1)
• 91.3% of malware uses DNS in attacks (2)
• 68% of organisations don't monitor recursive DNS (2)
• The question isn't if, but when you will be attacked, and how effectively you can respond
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data
APT characteristics:
• Organized and well funded
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• "Watering hole" target groups on trusted sites
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Coordinated attacks: distract big, strike precisely
• Operational sophistication
Sources: 1. Cisco 2014 Annual Security Report; 2. Cisco 2016 Annual Security Report; http://www.itbusinessedge.com/slideshows/top-dns-threats-and-how-to-deal-with-them-06.html
Malware/APT requires DNS
Every step of the malware life cycle relies on DNS (queries to the DNS server):
• Infection: query a malicious domain
• Download: query the 'call home server'
• Exfiltration: query exfiltration destinations
Malware Examples
CryptoLocker
• Targets Windows-based computers in the form of an email attachment
• Upon infection, encrypts files on the local hard drive and mapped network drives
• If the ransom isn't paid, the encryption key is deleted and the data is irretrievable
Gameover Zeus (GOZ)
• 500,000 – 1M infections globally and 100s of millions of dollars stolen
• Uses P2P communication to control infected devices or botnet
• Takes control of private online transactions and diverts funds to criminal accounts
Preventing Data Exfiltration
DNS and Data Breach
• DNS tunnels are commonly used to send sensitive information out
• Data can be exfiltrated by embedding data directly in DNS queries
• 46%: survey respondents that experienced DNS data exfiltration
• 45%: survey respondents that experienced DNS tunneling
• $7.6 M: average material loss per breach incident
Source: SC Magazine, Dec 2014, "DNS attacks putting organizations at risk, survey finds"
Problem: DNS Tunneling
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, TCP, or web within DNS
• Enables attackers to easily pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Impact:
• Data exfiltration or malware insertion can happen through the tunnel
Diagram: a client-side tunnel program in the ENTERPRISE carries IP traffic as encoded IP in DNS queries, through the DNS server, out to the INTERNET.
Malware Steals File Containing Sensitive Data
Problem: Exploiting DNS to steal data
• Infected endpoint gets access to a file containing sensitive data
• It encrypts and converts the info into an encoded format
• Text is broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data is reconstructed at the other end
• Can use spoofed addresses to avoid detection
Diagram: infected endpoint (ENTERPRISE) -> DNS server -> attacker-controlled server thief.com (C&C) on the INTERNET; the data leaves in queries such as
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
and C&C commands flow back.
Example malware that uses DNS to exfiltrate data: FrameworkPOS, FeederBot, Moto, Morto, PlugX, Win32.Zbot.chas/Unruy.H, Win32.Mufanom.vha, Win32.AutoTsifiri.n, Win32.Hiloti
Solution: Protection Against Data Exfiltration using DNS Threat Analytics
• Analytics engine stores the previous 'n' queries and uses behavioral analysis to identify patterns of requests
  - Looks at TXT, A and AAAA records
  - Finds tunneling by using lexical and temporal analysis, looking for signs that the requests are part of a data exfiltration attempt
  - Adds destinations to an internal RPZ feed automatically
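The two slides above describe the attack (chunks of a stolen file carried as hostname labels or TXT queries under an attacker's domain) and the countermeasure (lexical and temporal analysis over recent queries, feeding an RPZ). The following is an added example, not the presentation's or Infoblox's analytics engine, that implements that idea over a constructed resolver log: per zone and time window it measures how many queries were seen, what fraction of names were never repeated, the entropy and length of the labels below the zone, and how many were TXT queries, then emits RPZ records for zones that trip the thresholds. The log format, the thresholds, the `thief.com`/`example.com`/`example.net` names and the allowlist parameter are all assumptions made for the example; the repeated hash-like CDN hostname under `example.net` is included to show why entropy alone is not enough and the distinct-name ratio matters.

```python
"""Lexical and temporal analysis of a resolver query log for DNS tunnelling / exfiltration,
emitting the flagged destinations as RPZ records. Added example with a constructed log;
not Infoblox's DNS Threat Analytics."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch seconds> <client> <qname> <qtype>".
# 10.1.1.30 is the infected endpoint; the long labels stand in for encoded file chunks.
SAMPLE_LOG = """\
1454580000 10.1.1.20 www.example.com A
1454580001 10.1.1.21 mail.example.com AAAA
1454580002 10.1.1.30 4q7xk2mzv9hq3lp0tn8w6ybc5rde1fa.foo.thief.com A
1454580003 10.1.1.22 www.example.com A
1454580004 10.1.1.30 gj8w2e5rt1yu9io4pa7sd0fg3hj6kl.foo.thief.com TXT
1454580005 10.1.1.20 d3k8f2a9b1c7.cdn.example.net A
1454580006 10.1.1.30 zx3cv7bn1ma9sd5fg2hj6kl0qw8er4ty.foo.thief.com A
1454580007 10.1.1.21 d3k8f2a9b1c7.cdn.example.net A
1454580008 10.1.1.23 api.example.com A
1454580009 10.1.1.30 p0o9i8u7y6t5r4e3w2q1a2s3d4f5g6h.foo.thief.com A
1454580010 10.1.1.22 d3k8f2a9b1c7.cdn.example.net A
1454580012 10.1.1.30 m1n2b3v4c5x6z7l8k9j0h1g2f3d4s5a.foo.thief.com A
1454580013 10.1.1.20 www.example.com A
1454580015 10.1.1.30 7h2k9d4f1g6j3l8q5w0e2r7t4y9u1i.foo.thief.com TXT
1454580016 10.1.1.23 d3k8f2a9b1c7.cdn.example.net A
1454580018 10.1.1.30 b5n8m2v9c1x4z7a0s3d6f9g2h5j8k1.foo.thief.com A
1454580019 10.1.1.24 mail.example.com A
1454580021 10.1.1.30 r4t7y1u8i2o5p9a3s6d0f4g7h1j5k8.foo.thief.com A
1454580022 10.1.1.24 d3k8f2a9b1c7.cdn.example.net A
1454580024 10.1.1.30 e9w2q5t8r1y4u7i0o3p6a9s2d5f8g1.foo.thief.com A
1454580025 10.1.1.25 static.example.com A
1454580027 10.1.1.30 c6v9b2n5m8x1z4a7s0d3f6g9h2j5k8.foo.thief.com A
1454580028 10.1.1.25 d3k8f2a9b1c7.cdn.example.net A
1454580030 10.1.1.21 www.example.com A
1454580031 10.1.1.26 d3k8f2a9b1c7.cdn.example.net A
1454580033 10.1.1.27 api.example.com A
1454580035 10.1.1.27 d3k8f2a9b1c7.cdn.example.net A
"""


def shannon_entropy(s):
    """Bits per character; encoded payloads score high, dictionary words score low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    ts, client, qname, qtype = line.split()
    return int(ts), client, qname.lower().rstrip("."), qtype


def zone_of(qname, depth=2):
    """Registered zone approximated as the last `depth` labels (assumption: no suffix list)."""
    return ".".join(qname.split(".")[-depth:])


def payload_of(qname):
    """Everything below the zone, with dots removed: the part a tunnel can fill with data."""
    return "".join(qname.split(".")[:-2])


def analyze(lines, window=300, min_queries=8, min_entropy=3.5,
            min_payload_len=20, min_distinct_ratio=0.8, allowlist=()):
    """Group queries by (zone, time window) and score each group. Returns per-zone findings."""
    groups = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, client, qname, qtype = parse_line(line)
            groups[(zone_of(qname), ts // window)].append((ts, client, qname, qtype))
    findings = {}
    for (zone, _), qs in groups.items():
        if zone in allowlist or len(qs) < min_queries:
            continue
        payloads = [payload_of(q[2]) for q in qs]
        distinct_ratio = len({q[2] for q in qs}) / len(qs)      # temporal: never-repeated names
        mean_entropy = sum(shannon_entropy(p) if p else 0.0 for p in payloads) / len(payloads)
        mean_len = sum(len(p) for p in payloads) / len(payloads)
        suspicious = (distinct_ratio >= min_distinct_ratio and mean_entropy >= min_entropy
                      and mean_len >= min_payload_len)
        findings[zone] = {
            "queries": len(qs),
            "distinct_ratio": round(distinct_ratio, 3),
            "mean_entropy": round(mean_entropy, 2),
            "mean_payload_len": round(mean_len, 1),
            "payload_bytes": sum(len(p) for p in payloads),   # rough volume carried out
            "txt_queries": sum(1 for q in qs if q[3] == "TXT"),
            "span_seconds": max(q[0] for q in qs) - min(q[0] for q in qs),
            "clients": sorted({q[1] for q in qs}),             # endpoints to hand to response
            "suspicious": suspicious,
        }
    return findings


def rpz_records(findings):
    """RPZ zone records that return NXDOMAIN for a flagged zone and everything under it."""
    records = []
    for zone, f in sorted(findings.items()):
        if f["suspicious"]:
            records.append(f"{zone} CNAME .")
            records.append(f"*.{zone} CNAME .")
    return records


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for zone, f in found.items():
        print(zone, f)
    print("\n".join(rpz_records(found)))
```

On the sample, `thief.com` is flagged (10 distinct high-entropy names of 30+ characters from one client in 25 seconds, two of them TXT) and produces `thief.com CNAME .` and `*.thief.com CNAME .`; `example.com` fails on entropy and repetition, and `example.net` fails on repetition and length despite its hash-like label. The `clients` field is what the integrations later in the deck need: the flagged endpoint, not just the domain.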
Infoblox Security Approach
• Visibility: see attacks, infections, and data-exfiltration attempts in the network
• Protection: protect infrastructure and data from attacks and malicious agents
• Response: enable rapid response by providing contextual information on infections
Infoblox and Bit9 + Carbon Black: Automating Security Response Through Integrations
1. Infected endpoint attempts data exfiltration
2. Infoblox identifies the domain associated with data exfiltration and blocks the connection
3. Infoblox sends an alert to Carbon Black
• Carbon Black correlates endpoint and network data and remediates the infected endpoint automatically
• Isolates endpoint to prevent malware spread
• Kills endpoint process, preserves evidence
Automating Response Through Infoblox / Cisco ISE
Infoblox DDI sends DNS FW events, DNS Threat Analytics events and DHCP leases to Cisco ISE:
• ISE quarantines device
• Informs vulnerability scanner to scan device
Customer Value
• Visibility into what users and devices are communicating with bad domains associated with data exfiltration
• User/device visibility increases confidence in taking mitigation actions
• ISE access is enabled when Network Insight joins the Grid
Build security into your DNS
Diagram (INTERNET / ENTERPRISE, with Infoblox Internal DNS Security behind the Firewall, fed by the Infoblox Automated Threat Intelligence Service with updates for DNS attacks and malicious domains):
• Legitimate query to Good.com: allowed
• DNS DDoS attacks from the Attacker: detected and dropped
• Data exfiltration by the Thief (e.g. SSN:123456789.foo.thief.com, DOB-01012001.foo.thief.com): detected and dropped
• Malware sites (Badsite1.com, Badsite2.com, Badsite3.com): blocked
Ecosystem Partners
- Malware detection APTs
- NAC Solutions
DNS Security Gap
• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices not focused on DNS threats
• DNS security layer needed to complement existing security solutions
• Internal DNS servers are an ideal detection and enforcement point
• Every DNS server should be a secure DNS server
Send Us Your PCAP Files – Register now