DNS Security, is it enough?

0
©2018 Zscaler, Inc. All rights reserved.
DNS Security, is it enough?
How to protect against DNS tunneling and other advanced threats
Patrick Foxhoven, CIO & VP of Emerging Technologies
@pfoxhoven | p@zscaler.com

To Ask A Question
• Type your questions into the chat box in the
WebEx panel or email us at
communications@zscaler.com
• We’ll try to get to all questions during the
Q&A session. If we do not get to your
question, we’ll make sure to follow up
afterwards
• At the end of the webcast – please let us
know how we did!
Ask your question here…

©2018 Zscaler, Inc. All rights reserved.22 ©2018 Zscaler, Inc. All rights reserved.
Why Does DNS Security Matter?
DNS Threats Quantified & Mitigation Techniques

Why Does DNS Security Matter?
DNS threats are infiltrating networks because, more often than not,
DNS is ignored. It's uncontrolled, not monitored and not well
understood.
DNS is a blind spot
DNS-
driven
DDoS
attacks are
real
Malware is
utilizing
DNS to hide
C2C
networks
Targeted
attacks
exploit DNS
by hijacking
or poisoning
Information
is exfiltrating
networks via
DNS
tunneling

It’s Not Just Me
• Arbor Networks 2017 Worldwide Infrastructure Security Report
• 390 Network Operators and Enterprises Responses
• "Network Operators Speak Out on the Status of DNS Security”
16% have
no group
responsible
for DNS
security
25%
witnessed
DNS DDoS
&
13% had no
visibility
18% had
cache
poisoning &
38% lacked
visibility to
know
19% are
operating
OPEN
resolvers -
Identical to
the prior
year
* https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf

DNS Reflection Attacks
Attacker
IP: 1.1.1.1
Open, Recursive DNS Server
IP: 8.1.1.1
Victim
IP: 2.1.1.1
isc.org Authoritative
DNS Server
Step #1
REQUEST: dig ANY isc.org
@8.1.1.1
(spoof request from 2.1.1.1)
64 bytes out
Step #2
Step #3
REPLY: isc.org type ANY
3223 bytes back

DNS Reflection Attacks
* http://arstechnica.com/information-technology/2013/03/how-spamhaus-attackers-turned-dns-into-a-weapon-of-mass-destruction/http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
120 Gbps - 100X Amplification,
30,000 Open DNS Resolvers
Need to generate only 750 Mbps
on the attacker side
(Possible with <10 AWS instances)

DNS Changer (DNS-Focused Malware)
• DNS Changer was a piece of malware that was in operation from 2007 to 2015
• It hijacked (changed the IP address) of recursive DNS servers on clients
• Compromised 4M+ clients
• Generated an estimated $14M+ Revenue* for an Estonian Company
Why was it around for so long? Why was it so successful?
* http://arstechnica.com/tech-policy/2011/11/how-the-most-massive-botnet-scam-ever-made-millions-for-estonian-hackers/
** https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS

DNS Goes Mainstream
• In March, 2014 the Turkish Government implemented a country wide block on
Twitter
• All carriers in the country implemented DNS-level blocking of Twitter domains
• Citizens responded by spray painting Google DNS IP addresses to evade the
blocking
• Traffic to Twitter from Turkey had a net increase of 138%* after the ban!
* http://www.theguardian.com/world/2014/mar/21/turkey-twitter-users-flout-ban-erdogan

DNS Goes Mainstream
http://www.wsj.com/articles/SB10001424052702304157204579473060024750936 http://www.cnet.com/news/google-confirms-turkey-is-blocking-its-dns-service/

Network Blind Spot
• Risks
• Mitigation Techniques
• Simple Answer: Gain Awareness and Visibility
• Log resolutions, visualize data, use DNS "Black Art" analysis skills
Zero Visibility
Fast Fluxing
DNS
Tunneling

DNS is a Network Blind Spot
• www.vpnoverdns.com
• “In a few words, it lets you tunnel data through a DNS server.
Data exfiltration, for those times when everything else is
blocked.”
• “The main advantage of this type of tunnel is that it does not
require a direct Internet connection; you only need an access
to a DNS resolver”

DNS Cache Poisoning
• Risks
• Probably the most well known DNS vulnerability
• Dan Kaminsky discovered in 2008 a fundamental flaw in the DNS protocol
• Simple Answer: Gain Awareness and Visibility
• Log resolutions, visualize data, use DNS "Black Art" analysis skills
• Use trusted recursive DNS servers
Phishing Attacks
Advanced, Highly
Targeted attacks
Malware Delivery
(Infect users)

DNSSEC
• Risks
• Ironic - A protocol meant to enhance DNS security but can makes it worse in other ways
• Good question…
Lack of Adoption
(Weakest Link)
Widespread
Misunderstandings
(False Sense of
Security)
Can Make DNS
Reflection
Attacks Worse

Registrar Hijacking/Errors
No one is immune from errors…
• On January 12, 2014 at 3:15PM local time, China TLDs started to resolve
incorrectly
• 1 million requests per second event
• All queries resolved in error to a US-based company Dynamic Internet
Technology (DIT)
* http://www.reuters.com/article/2014/01/22/us-china-internet-idUSBREA0K04T20140122
** http://www.cnn.com/2014/01/22/world/asia/china-internet-outage/

Foot Printing
• Risks
• Discovery and mapping of a network
• Can be very valuable for IP spoofing attacks (discover trusted IP addresses)
• Awareness: Understand what data exists publicly
• Configuration: Make sure zone transfers are locked down
dnsenum

Is DNS-Based Security Solutions Enough?

DNS Only Based Security Solutions…
… Mostly focus on 5 key areas (there’s only so much insight you can gain from a name and a
number)
Domain Age
& History
Recently
registered or
transferred
domain?
Obscurity
Have there
been queries
to the domain
before?
Record
Analysis
How many
records are
returned per
query?
Frequency &
Count
Have queries
to the domain
been seen
before?
Reputation
Are the
domains or
the IP
addresses
resolved safe?

©2018 Zscaler, Inc. All rights reserved.18
Web content scanning, Risk based
analysis, App Control
Browser Control
Risk Based Scoring
File, User, Group and QoS Control,
Signature-based AV and IPS
Inline Content Control
Complete Packet ByteScan
Malicious Hosts, Sites, Botnets
Phishing, GEO, Protocol & ACLs
Destination Based Blocking
Dynamic & Behavioral
Analysis of User ContentSandboxing
You Have To Go Much Deeper Than DNS Alone…
Recon and
Creation
Survey defenses
Planning attack
Create Payload
Delivery
Via trusted/untrusted
sites and web content
Exploitation
Payload exploits
unpatched
vulnerability
Installation
Installing malware
onto asset
Command &
Control (C2)
Remote Control.
Additional malware
downloads
Action on
Objectives
Lateral movement,
data exfiltration,
disruption, etc.
DNS
Security
Botnet and
Callback
Detection
DLP
Security
Full SSL Inspection Full SSL Inspection
Find and stop more malicious threats

Objectives
Ransom ExfiltratePropagate
.Exe, Archive or
Embedded Script
How Files and Websites Spread Malware
Infection StageHunting Stage
Malware .EXE delivers final payload.
Enables final hacking objectives.
Enables command and control.
4
User browses trusted web page
with compromised content
1
Hackers web servers deliver initial
file and keeps exploit server hidden
2
Exploit Server Creates new malware samples
on demand to bypass signature
detection
3
iFrame
redirect
Exploit &
Call home

125 Total Objects requested
Personalized content from CDN
Content hidden in SSL Traffic
JavaScript, CSS, & Images loaded
125 Potential Threats
Jay Leno on NBC.com
But Are We still Vulnerable?
Trusted Sites are More Dangerous than Expected

It’s Not Just Compromised Trusted Websites
Cisco VNI Report
Estimated to be ~60% (or
greater) of all Internet
traffic
CDNs File Sharing
Box, Dropbox, Google
Drive, etc.
amazonaws.com,
tumblr.com,
wordpress.com etc.
Hosting Providers
DNS Only Security is also blind to…
Modern advanced persistent threats required a “Zero Trust” posture where
every possible byte is scanned to ensure clean pipes to the internet“ ”

SSL Inspection Matters
2018 Google Transparency report
of traffic across Google is
encrypted
91% 54%
2016 ThreatLabZ Research
of advanced threats hide
behind SSL
Ironically, increased use of SSL in attempt to make our online lives more
secure can create ‘blind spots’ that can actually reduce security…
NSS Labs
“ ”
Ignoring the issue is not an option
Sources: 1Google Transparency Report 2018
Source: 2Pirc, John W., “SSL Performance Problems: Significant SSL Performance Loss Leaves Much Room for Improvement,” NSS Labs, 2013.

About Zscaler

HQ
EMEA
Branch
APJ
Branch
Branch
Branch
Branch Branch BranchBranch
Home, Coffee Shop Airport, Hotel
SaaS Open Internet IaaS
Users and Apps left the corporate network
The Internet is the new Corporate Network
How can you secure something you don’t control?
“GE will run 70 percent of its
workload in the cloud by 2020”
Jim Fowler, CIO
“The Internet will be our new
corporate network by 2020”
Frederik Janssen, Head of Infrastructure

Branch
Branch Branch
HQ
Branch Branch BranchBranch
SaaS Open Internet IaaS
Flip the security model – protect users and apps, not networks
The Internet is the new Corporate Network
How can you secure something you don’t control?
EMEAAPJ
Branch
Home, Coffee Shop Airport, Hotel
Secure Internet Edge

©2017 Zscaler, Inc. All rights reserved. | ZSCALER CONFIDENTIAL INFORMATION26
Secure
Ongoing third-
party testing
CertifiedReliable
Redundancy within and
failover across DCs
Transparent
Trust portal for service
availability monitoring
Zscaler – the largest security cloud. Reliable. Available. Fast.
45B+
Requests/day
125M+
Threats
blocked/day
120K+
Unique security
updates/day
100 data centers
across 5 continents
Peering in
Internet exchanges
150+
Vendors peered

PROTECTION
ACROSS COUNTRIES
190
130
125
113
70
LOCATIONS
PROTECTED
30,000
12,000
6,000
900
500
EMPLOYEES
PROTECTED
400K
125K
120K
80K
1.6M
1.3M
OFFICE 365
MONTHLY TRAFFIC
83 TB
44 TB
37 TB
35 TB
Unparalleled Cloud Scale
All users – All traffic

Firewall / Intrusion Prevention
URL Filter
Anti-Virus
Data Loss Prevention
Secure Sockets Layer Inspection
Sandbox
Global Load Balancing
Distributed Denial of Service Protection
External Firewall / Intrusion Prevention
VPN Concentrator
Internal Firewall
Internal Load Balancer
Firewall / Intrusion Prevention
URL Filter
Antivirus
Data Loss Prevention
Secure Sockets Layer Inspection
Sandbox
Outbound Gateway
Global Load Balancing
Distributed Denial of Service Protection
External Firewall / Intrusion Prevention
VPN Concentrator
Internal Firewall
Internal Load Balancer
Inbound Gateway
Zscaler
Internet Access
Zscaler
Private Access
EXTERNALLY MANAGED INTERNALLY MANAGED
Open InternetSaaS Public Cloud
Private Cloud
/ On-Premise
Data Center
Securely connects authorized users
to internally managed applications
Any device, any location, on-network or off-network
Securely connects users to externally managed
SaaS applications and internet destinations
Zscaler enables secure IT transformation to the cloud
Fast and secure policy-based access to applications and services over the Internet
HQMOBILE
BRANCHIOT

What sets Zscaler security apart?
Open InternetSaaS Public Cloud
Private
Cloud / On-
Premise
Data Center
HQMOBILE
BRANCHIOT
FULL INLINE CONTENT INSPECTION
All ports/protocols, native SSL scanning
INTEGRATED MULTI-TECHNIQUES
Correlation with dynamically computed risk
score
CLOUD INTELLIGENCE
Identified once, blocked for all customers;
120 thousand unique security updates a day
40+ INDUSTRY THREAT FEEDS
Partnerships - commercial feeds, open
source, private working groups
Destination based
Payload - Antivirus
Application based
Malicious active content
File Type analysis
Static analysis
Behavior analysis SSL Scanning
DNS security
Browser exploits
XSS attacks
Phishing analysis
Botnet C&C call backs
File type controls
SSL Scanning Data Loss Prevention
1
2
3
4
Zscaler cloud architecture protects users at any location on any device (no VPN or backhaul to data center)
Correlation
&
Risk scoring

Building a cloud with single-tenant appliances Zscaler built from scratch a highly scalable and
ultra-fast multitenant cloud security architecture
THE ZSCALER CLOUD
• Disparate redundant control, logging, and enforcement policies
• Multiple appliances, multiple hops — slow user experience
• Expensive and complex to scale and manage
• Integrated control, logging, and enforcement
• Single pass architecture — performance SLA and security efficacy
• Infinitely scalable — cost effective
Would you build a power plant
with home generators?
HOME POWER
GENERATORS
POWER PLANT
NY
USER A
(policy
follows)
USA
EU
USER A
Private
London Sydney
ENFORCE
LOG
CONTROL
Sandbox
DLP
LB
Full AV
SSL Proxy
IPS
NGFW
DNS
Increased
latencyX
X
X
Inefficiency
Impaired
performance
Legacy technology cannot be repurposed for the cloud

Zscaler Internet Access
watch the video
Transform the way you
deliver internet and web
security
visit zscaler.com
Learn more about Zscaler
Secure Remote Access to AWS
Your Users Will Love
Transform your Microsoft
Office 365 and MCAS
deployments with Zscaler
Thank You!
Questions and Next Steps
Patrick Foxhoven
Chief Information Officer & Vice
President of Emerging Technologies
p@zscaler.com | @pfoxhoven
Other Webcasts
zscaler.com > resources > webcasts and live demos
Tuesday, Feb 27th, 2018
Americas - 10:00 am PST
Thursday, Feb 22nd, 2018
Americas - 10:00 am PST

DNS Security, is it enough?

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a DNS Security, is it enough?

Semelhante a DNS Security, is it enough? (20)

Mais de Zscaler

Mais de Zscaler (20)

Último

Último (20)

DNS Security, is it enough?

Notas do Editor