Fernando Zamai – fzamai@cisco.com
Security Consulting
Aug, 2016
It can be your attack vector.
Is your DNS protected?
Presentation by Fernando Zamai, Cisco specialist, at Gartner Sec 2016.

Slide transcript:

  1. Is your DNS protected? It can be your attack vector.
     Fernando Zamai – fzamai@cisco.com, Security Consulting, Aug 2016
  2. Main Vectors: how an enterprise network is breached
     Elements in the diagram: Attacker, Perimeter (Inbound), Perimeter (Outbound), C2 Server, Admin Node, hacked mail server (acme.com), hacked web server (jangle.com); vulnerabilities, exploits, malware.
     1. Research targets
     2. Spear phishing (you@acme.com) carrying the link https://welcome.to.jangle.com/exploit.php
     3. Victim clicks link unwittingly
     4. Bot installed, back door established and receives commands from C2 server
     5. Scan LAN for vulnerable hosts to exploit & find privileged users
     6. Privileged account found
     7. Data exfiltrated
     8. System compromised and data breached
  3. Evolution of Command & Control Callbacks
     HARD-CODED IP: the malware calls back directly to @23.4.24.1.
     "FAST FLUX": the malware asks "bad.com?" and the name rotates through many IPs: @34.4.2.110, @23.4.34.55, @44.6.11.8, @129.3.6.3.
     DOMAIN GENERATION ALGORITHM: the malware tries a series of generated names ("bad.com?" @34.4.2.110, "baa.ru?", "bid.cn" @8.2.130.3, @12.3.2.1, @67.44.21.1) until one resolves.
  4. DNS Tunnel
     The client encodes data bits (10011001 11100010 11010100 10010010 01001000) into the label of a DNS query, alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net, which the resolver walks through the authoritative hierarchy (root, com., cisco.com.) to bad.net's DNS server.
     The DNS answer, alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net = 2.100.4.30, carries bits (10011001 11100010 11010100 10010010 01001000) back the same way.
     Reference: http://blog.talosintel.com/2016/06/detecting-dns-data-exfiltration.html
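The two callback patterns on slides 3 and 4 can be surfaced from ordinary resolver logs. The following is an added example, not part of the deck or of any Cisco/OpenDNS product: it flags long, high-entropy labels (the tunnel pattern) and names that resolve to many unrelated IPs (fast flux) over a constructed sample log that reuses the slides' bad.net query and bad.com addresses; the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log ("client qname answer_ip").
# The bad.net query/answer and the four bad.com IPs come from
# the slides; everything else is made up (private/documentation ranges).
SAMPLE_LOG = """\
10.0.0.5 www.example.com 203.0.113.10
10.0.0.5 alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net 2.100.4.30
10.0.0.7 bad.com 34.4.2.110
10.0.0.7 bad.com 23.4.34.55
10.0.0.9 bad.com 44.6.11.8
10.0.0.9 bad.com 129.3.6.3
10.0.0.5 mail.example.com 203.0.113.11
10.0.0.5 mail.example.com 203.0.113.11
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude 'last two labels' key; real tools use the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def analyze(log, max_label=30, min_entropy=3.5, flux_ips=4):
    """Return {'tunnel': [qnames], 'fast_flux': [domains]} for a text log."""
    tunnel, ips_per_domain = [], defaultdict(set)
    for line in log.splitlines():
        _client, qname, answer = line.split()
        # Slide 4: exfiltrated bits ride in an unusually long, random label.
        if any(len(lab) > max_label and shannon_entropy(lab) > min_entropy
               for lab in qname.split(".")):
            tunnel.append(qname)
        ips_per_domain[registered_domain(qname)].add(answer)
    # Slide 3: a fast-flux C2 name rotates through many unrelated IPs.
    flux = sorted(d for d, ips in ips_per_domain.items() if len(ips) >= flux_ips)
    return {"tunnel": tunnel, "fast_flux": flux}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Both heuristics need tuning against your own baseline (CDN hostnames legitimately return many IPs, and some benign services use long labels), so treat the output as an enrichment for the SIEM rather than a block decision.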
  5. Where Do You Enforce Security?
     Layers in the diagram: INTERNET threats (MALWARE, C2/BOTNETS, PHISHING); FIRST LAYER; Perimeter appliances (ROUTER/UTM, SANDBOX, PROXY, NGFW, NETFLOW) as MID LAYER; Endpoint AV as LAST LAYER.
     CHALLENGES: Too many alerts via appliances & AV. Wait until payloads reach target. Too much time to deploy everywhere.
     BENEFITS: Alerts reduced 2-10x; improves your SIEM. Traffic & payloads never reach target. Provision globally in UNDER 30 MINUTES.
  6. What We Observe On The Internet
  7. Our Perspective: Diverse Set of Data
     80B requests per day; 160+ countries; 65M daily active users; 10K enterprise customers.
  8. Our View of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, Whois, DNS)
  9. We See Where Attacks Are Staged: using modern data analysis to surface threat activity in unique ways
  10. How Our Security Classification Works
      Ingest millions of data points per second; apply statistical models and human intelligence; identify probable malicious sites (e.g. a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg).
  11. PRODUCTS & TECHNOLOGIES
      UMBRELLA (Enforcement): network security service that protects any device, anywhere.
      INVESTIGATE (Intelligence): threat intelligence about domains & IPs across the Internet.
  12. UMBRELLA Enforcement: A New Layer of Breach Protection
      Threat Prevention: not just threat detection.
      Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances.
      Turn-Key & Custom API-Based Integrations: does not require professional services to set up.
      Block by Domains, IPs & URLs for All Ports: not just ports 80/443 or only IPs.
      Always Up to Date: no need for a device to VPN back to an on-prem server for updates.
  13. INVESTIGATE: A Single, Correlated Source of Information
      WHOIS record data; ASN attribution; IP geolocation; IP reputation scores; domain reputation scores; domain co-occurrences; anomaly detection (DGAs, FFNs); DNS request patterns/geographic distribution; passive DNS database.
  14. Investigate (walkthrough)
      ouvidoria@acirpsjriopreto.com.br; ACIRP - Associação Comercial e Empresarial de São José do Rio Preto; http://www.acirpsjriopreto.com.br/; culturaembrasilia.com; php-code; Imprimir.php
  15. Suspect Behaviour (screenshot)
  16. Suspect Behaviour (screenshot)
  17. OpenDNS Works With Everything You Use
      FUTURE-PROOF EXTENSIBILITY: ANY NETWORK (routers, Wi-Fi, SDN); ANY ENDPOINT (VPN, IoE); ANY TECHNOLOGY (firewalls, gateways).
      SECURE APIs OPEN TO EVERYONE: SECURITY PROVIDERS (FireEye, Cisco, Check Point); NETWORK PROVIDERS (Meraki, Aruba, Aerohive); CUSTOMERS (in-house security systems).
  18. How OpenDNS Complements the On-Network Security Stack
      ENDPOINT SECURITY (block by file, behavior); NETWORK FIREWALL (block by IP, packet); WEB PROXY (block by URL, content); OpenDNS UMBRELLA (block by domain/IP, URL).
  19. Security Everywhere: Cisco's Strategy
      Branch; Campus; Edge; Operational Technology; Cloud; Data Center; Endpoint.
  20. Get Started in 30 Seconds… Really
      1. CLOUD SERVICE W/ FULL SELF-PROVISIONED TRIAL: point DNS traffic from one office without hardware or software and without network topology changes or device configuration changes.
      2. ADD OFF-NET COVERAGE & PER-DEVICE VISIBILITY: protect your weakest links and identify which specific devices (or users) are targeted by attacks; self-updating software is required.
      3. EXTEND PROTECTION & ENRICH DATA VIA APIs: help SOC teams get more value out of existing investments like FireEye, and help incident response teams investigate threats faster.