1 | © 2013 Infoblox Inc. All Rights Reserved.1 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL
DNS, the root of all evil in the network.
Or: how to become a superhero for your users
Adam Obszyński, aobszynski@infoblox.com
Why Securing DNS is Critical
Unprotected, DNS increases risk to critical infrastructure and data
• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats
DNS Security Gap
• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices not focused on DNS threats
• Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
• DNS security layer needed to complement existing security solutions
DNS Security Challenges
1. Defending against DNS DDoS attacks
2. Stopping APTs/malware from using DNS
3. Preventing data exfiltration via DNS
DNS Protection is Not Only About DDoS
Volumetric/DDoS Attacks:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
DNS-specific Exploits:
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking
APTs: The New Threat Landscape
• Malicious traffic is visible on 100% of corporate networks (1)
• Every minute a host accesses a malicious website (1)
• The question isn't if, but when you will be attacked, and how effectively you can respond
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data
Source: (1) Cisco 2014 Annual Security Report
Characteristics of APT actors (from the slide diagram):
• Organized and well funded
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• "Watering hole" target groups on trusted sites
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Coordinated attacks: distract big, strike precisely
• Operational sophistication
Malware Examples
CryptoLocker
• Targets Windows-based computers in the form of an email attachment
• Upon infection, encrypts files on the local hard drive and mapped network drives
• If the ransom isn't paid, the encryption key is deleted and the data is irretrievable
Gameover Zeus (GOZ)
• 500,000 – 1M infections globally and 100s of millions of dollars stolen
• Uses P2P communication to control infected devices or botnet
• Takes control of private online transactions and diverts funds to criminal accounts
DNS Tunneling
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, TCP, or web within DNS
• Enables attackers to easily pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Impact:
• Data exfiltration or malware insertion can happen through the tunnel
Diagram: a client-side tunnel program inside the enterprise carries IP traffic as encoded data in DNS queries across the Internet to a DNS terminal server, which turns it back into IP traffic.
Data Exfiltration over DNS Queries
Malware Steals File Containing Sensitive Data
• Infected endpoint gets access to file containing sensitive data
• It encrypts and converts info into encoded format
• Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data reconstructed at the other end
• Can use spoofed addresses to avoid detection
Diagram: the infected endpoint sends queries such as NameMarySmith.foo.thief.com, MRN100045429886.foo.thief.com and DOB10191952.foo.thief.com through the enterprise DNS server to the attacker-controlled server thief.com (C&C); data flows out and C&C commands flow back.
How Infoblox Secures DNS
Hardened DNS Appliances
Conventional Server Approach (multiple open ports):
• Many open ports are subject to attack.
• Users have OS-level account privileges on the server.
• Requires time-consuming manual updates.
Hardened Appliance Approach (limited port access, update service, secure access):
• Dedicated hardware with no unnecessary logical or physical ports
• No OS-level user accounts, only admin accounts
• Immediate updates to new security threats
• Secure HTTPS-based access to device management
• No SSH or root-shell access
• Encrypted device-to-device communication
• Hardware-based security & DNS acceleration
Internal DNS Security Deployment
Diagram: Infoblox Internal DNS Security sits behind the firewall between the enterprise and the Internet and receives updates for DNS attacks and malicious domains from the Infoblox Automated Threat Intelligence Service. A legitimate query to Good.com is answered; DNS DDoS attacks from the attacker are detected and dropped; data exfiltration queries such as SSN:123456789.foo.thief.com and PESEL:77050502143.foo.thief.com are detected and dropped; the malware sites Badsite1.com, Badsite2.com and Badsite3.com are blocked.
Protection Against Internal DNS Attacks
Attacks detected & dropped by Infoblox Internal DNS Security:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack
• DNS-based exploits
• DNS cache poisoning
• DNS tunneling
• Malformed DHCP requests
Diagram: legitimate traffic passes through the firewall to Infoblox Internal DNS Security, which is fed by the Infoblox Automated Threat Intelligence Service; DNS DDoS and DNS tunneling traffic is detected and dropped.
Protection Against APTs/Malware
DNS Firewall
1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find "home" (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to the malware site or redirects traffic to a landing page or "walled garden" site).
3. Pinpoint. Infoblox Reporting lists the DNS Firewall action as well as the:
• Device IP address
• Device MAC address
• Device type/OS (DHCP fingerprint)
• Device host name
• Device lease history
• AD login name
• Switch/port/VLAN
4. An update will occur every 2 hours (or more often for a significant threat).
Diagram: malware/APT spreads within the intranet and calls home to malicious domains on the Internet; the Infoblox threat update device supplies IPs, domains, etc. of bad servers, and the blocked communication attempt is sent to Syslog.
Automatic and Customizable Threat Intelligence
DNS Firewall
• Automatic ongoing protection against APTs/malware without intervention, downtime or patching
• Choose from lists of threat categories and sources
• Implement whitelists, blacklists, and RPZ actions based on client
• Benefits: flexibility and performance
Diagram: Infoblox DNS Firewall consumes pre-defined lists (malware droppers, botnet C&C/DNS servers, geographic blocks, inbound attacks), user-defined lists and user-defined RPZ behaviors, plus custom feeds.
DNS Tunneling vs DNS Exfiltration
What is DNS data exfiltration?
• Tunneling is the mechanism by which attackers exfiltrate data
• Tunneling is also used to bypass wifi hotspots and to do anti-virus updates
Malware frequently uses DNS to exfiltrate data
• Hackers know that the DNS port is always open and available
• Stolen data is broken into small chunks, often encrypted and encoded to avoid detection
• Exfiltrated data is decrypted and reassembled at the other end
This detection IS NOT a substitute for Data Loss Protection products
• DLP products protect against leakage via email, web, ftp and other vectors
• We cover one use case – one that these products typically don't – but not the whole market
Data Exfiltration via host/subdomain (simplified/unencrypted example):
Jane-Doe.foo.thief.com
SSN-543112197.foo.thief.com
DOB-04-10-1999.foo.thief.com
MC-7895206822348781.foo.thief.com
CCV-567-E-10-21.foo.thief.com
John-Public.bar.thief.com
SSN-9845762093.bar.thief.com
DOB-01-22-1943.bar.thief.com
V-3850384711230911.bar.thief.com
CCV-434-E-11-19.bar.thief.com
Example malware that uses DNS tunnels: FrameworkPOS, FeederBot, Moto, Morto, PlugX, Win32.Zbot.chas/Unruy.H, Win32.Mufanom.vha, Win32.AutoTsifiri.n, Win32.Hiloti
Data Exfiltration via DNS Tunneling
• Real customer example
• File containing sensitive info converted to text, broken into chunks and exfiltrated via DNS
• Exfiltrated data put back together and decrypted to get the valuable information
• Used spoofed addresses
Data Exfiltration Protection with Infoblox DNS Threat Analytics
How DNS Threat Analytics Works
• DNS Threat Analytics detects tunneling based on the patterns of requests.
  – Looks at TXT, A and AAAA records
  – Finds tunneling by using lexical and temporal analysis, looking for signs that the requests are data exfiltration
  – Adds destinations to an internal RPZ feed automatically
• Products: Internal DNS Security/DNS FW
Note: DNS based detection IS NOT a substitute for Data Loss Protection products.
Analysis model: Entropy, Lexical, N-Gram frequency, Size
Behavior
Infoblox analytics:
• Entropy: generally speaking, queries should not all be uniform in size
• Lexical: are they words?
• N-Gram: contiguous sequence of n items
• Time Series: number of queries (overall) and number of queries to a domain
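As an added example (not Infoblox code), the following Python script applies the signals named above, entropy, the lexical "are they words?" check, bigram reuse, label-size uniformity and per-domain query counts, to a constructed resolver log that includes the unencrypted host/subdomain sample from the earlier slide; the thresholds, the good.com and tunnel.example lines, and the scoring rule are assumptions of this example.

```python
import math
import statistics
from collections import defaultdict

# Constructed resolver log: (client_ip, query_name, query_type). good.com is
# ordinary traffic, the thief.com names mirror the deck's unencrypted sample,
# and the tunnel.example labels imitate fixed-size encoded payload chunks.
SAMPLE_LOG = [
    ("10.0.0.5", "www.good.com", "A"),
    ("10.0.0.5", "mail.good.com", "A"),
    ("10.0.0.5", "cdn.good.com", "AAAA"),
    ("10.0.0.6", "login.good.com", "A"),
    ("10.0.0.6", "static.good.com", "A"),
    ("10.0.0.6", "webmail.good.com", "A"),
    ("10.0.0.7", "Jane-Doe.foo.thief.com", "A"),
    ("10.0.0.7", "SSN-543112197.foo.thief.com", "A"),
    ("10.0.0.7", "DOB-04-10-1999.foo.thief.com", "A"),
    ("10.0.0.7", "MC-7895206822348781.foo.thief.com", "A"),
    ("10.0.0.7", "CCV-567-E-10-21.foo.thief.com", "A"),
    ("10.0.0.8", "John-Public.bar.thief.com", "TXT"),
    ("10.0.0.8", "SSN-9845762093.bar.thief.com", "TXT"),
    ("10.0.0.8", "DOB-01-22-1943.bar.thief.com", "TXT"),
    ("10.0.0.8", "V-3850384711230911.bar.thief.com", "TXT"),
    ("10.0.0.8", "CCV-434-E-11-19.bar.thief.com", "TXT"),
    ("10.0.0.9", "mfrggzdfmztwq2lk.x.tunnel.example", "TXT"),
    ("10.0.0.9", "nbswy3dpeb3w64tm.x.tunnel.example", "TXT"),
    ("10.0.0.9", "mrxwgdlnmvxhiidu.x.tunnel.example", "TXT"),
    ("10.0.0.9", "ojsxg5dbnvzxi43f.x.tunnel.example", "TXT"),
    ("10.0.0.9", "orsxg5brnbswy3dp.x.tunnel.example", "TXT"),
]

VOWELS = set("aeiouy")
MIN_UNIQUE_LABELS = 4     # time-series gate: too few distinct names to judge
ENTROPY_THRESHOLD = 3.0   # bits per character; word-like labels sit well below
WORDLIKE_THRESHOLD = 0.5  # fewer than half the labels look like words
UNIFORM_SIZE_CV = 0.1     # near-constant label length = fixed-size chunks
BIGRAM_NOVELTY = 0.9      # almost no bigram reuse across a domain's labels

def base_domain(qname, depth=2):
    """Sink-domain key: last `depth` labels (stand-in for a public-suffix lookup)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-depth:])

def shannon_entropy(s):
    """Bits per character: encoded or random chunks score high, words low."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def looks_like_word(label):
    """Lexical check ("are they words?"): letters only once hyphens are dropped,
    at least one vowel and no run of five or more consonants."""
    letters = label.replace("-", "")
    if not letters.isalpha():
        return False
    if len(letters) <= 3:  # too short to judge, treat as a word
        return True
    run = longest = 0
    for ch in letters:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    return longest <= 4 and any(ch in VOWELS for ch in letters)

def bigram_novelty(labels):
    """N-gram check: share of distinct bigrams among all bigrams of the labels.
    Real hostnames reuse bigrams; random payload hardly does."""
    grams = [lab[i:i + 2] for lab in labels for i in range(len(lab) - 1)]
    return len(set(grams)) / len(grams) if grams else 0.0

def analyze(log):
    """Score each sink domain. Grouping is by destination, not by client,
    because the deck notes exfiltration may use spoofed source addresses."""
    per_domain = defaultdict(list)
    for _client, qname, qtype in log:
        per_domain[base_domain(qname)].append((qname.lower().split(".")[0], qtype))
    report = {}
    for domain, entries in per_domain.items():
        labels = sorted({lab for lab, _ in entries})  # data-bearing leftmost labels
        lengths = [len(lab) for lab in labels]
        f = {
            "queries": len(entries),
            "unique_labels": len(labels),
            "txt_queries": sum(1 for _, qt in entries if qt == "TXT"),
            "mean_entropy": statistics.fmean([shannon_entropy(lab) for lab in labels]),
            "wordlike_fraction": sum(looks_like_word(lab) for lab in labels) / len(labels),
            "size_cv": statistics.pstdev(lengths) / statistics.fmean(lengths),
            "bigram_novelty": bigram_novelty(labels),
        }
        checks = [
            ("high-entropy labels", f["mean_entropy"] >= ENTROPY_THRESHOLD),
            ("labels are not words", f["wordlike_fraction"] < WORDLIKE_THRESHOLD),
            ("uniform label size", f["size_cv"] < UNIFORM_SIZE_CV),
            ("no bigram reuse", f["bigram_novelty"] > BIGRAM_NOVELTY),
        ]
        f["signals"] = [name for name, hit in checks if hit]
        # Flag only once enough distinct names exist and two signals agree.
        f["suspicious"] = f["unique_labels"] >= MIN_UNIQUE_LABELS and len(f["signals"]) >= 2
        report[domain] = f
    return report
```

`analyze(SAMPLE_LOG)` returns one feature dict per sink domain; the unencrypted thief.com names trip the lexical and entropy checks, while the fixed-size chunks add the uniform-size signal.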
Intelligence Needed to Take Action
Contextual Reporting
• Attack details by category, member, rule, severity, and time
• Drill-down analytics and visualization of entire network
• List of top infected clients with associated user names (enabled by Microsoft AD integration)
• CISO/Executive report with top APT/malware threats
Integrations – Cisco, FireEye, Bit9 etc.
Only Team wins!
Security Product Strategy
Diagram: Infoblox DDI Security, built on a Global Threat Intelligence Platform, with Infoblox External DNS Security facing the Internet and Infoblox Internal DNS Security & DNS Firewall facing the intranet. Threats shown: DNS DDoS, reflection, amplification, exploits, malicious domains, APT/malware. Pillars: Harden DNS; Anti-Malware & Data Exfiltration; Security Operations & Ecosystem (SaaS/Cloud, DDoS, NAC, SIEM, Business Intelligence).
Find DNS Threats in your Network
Send Us Your PCAP Files
• Infoblox analyzes and provides insights on malicious activity in seconds
• Report on findings to take back to management
Q&A

20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 

PLNOG15-DNS is the root of all evil in the network. How to become a superhero of your users- Adam Obszyński

  • 1. © 2013 Infoblox Inc. All Rights Reserved. © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL
    DNS is the root of all evil in the network. Or: how to become a superhero to your users.
    Adam Obszyński, aobszynski@infoblox.com
  • 2. Why Securing DNS is Critical
    Unprotected, DNS increases risk to critical infrastructure and data.
    • #1 protocol for volumetric reflection/amplification attacks
    • DNS is critical networking infrastructure
    • DNS protocol is easy to exploit and attacks are prevalent
    • Traditional security is ineffective against evolving threats
  • 3. DNS Security Gap
    • One of the fastest growing attack vectors
    • Easy-to-exploit protocol
    • Firewalls and IDS/IPS devices not focused on DNS threats
    • Proliferation of BYOD devices and mobile users, meaning threats may be inside the firewall
    • DNS security layer needed to complement existing security solutions
  • 4. DNS Security Challenges
    1. Defending against DNS DDoS attacks
    2. Stopping APTs/malware from using DNS
    3. Preventing data exfiltration via DNS
  • 5. DNS Protection is Not Only About DDoS
    Volumetric/DDoS Attacks: DNS reflection; DNS amplification; TCP/UDP/ICMP floods; NXDOMAIN attack; Phantom domain attack; Random subdomain attack; Domain lockup attack
    DNS-specific Exploits: DNS-based exploits; DNS cache poisoning; DNS tunneling; Protocol anomalies; Reconnaissance; DNS hijacking; Domain lockup attack
  • 6. APTs: The New Threat Landscape
    • Malicious traffic is visible on 100% of corporate networks [1]
    • Every minute a host accesses a malicious website [1]
    • The question isn’t if, but when you will be attacked, and how effectively you can respond
    • APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data
    Source: [1] Cisco 2014 Annual Security Report
    Operational sophistication: Organized and well funded; Profile organizations using public data/social media; Target key POIs via spear phishing; “Watering hole” target groups on trusted sites; Leverage tried and true techniques like SQLi, DDoS & XSS; Coordinated attacks, distract big, strike precisely
  • 7. Malware Examples
    CryptoLocker
    • Targets Windows-based computers in form of email attachment
    • Upon infection, encrypts files on local hard drive and mapped network drives
    • If ransom isn’t paid, encryption key deleted and data irretrievable
    Gameover Zeus (GOZ)
    • 500,000 – 1M infections globally and 100s of millions of dollars stolen
    • Uses P2P communication to control infected devices or botnet
    • Takes control of private online transactions and diverts funds to criminal accounts
  • 8. DNS Tunneling
    • Uses DNS as a covert communication channel to bypass firewalls
    • Attacker tunnels other protocols like SSH, TCP, or web within DNS
    • Enables attackers to easily pass stolen data or tunnel IP traffic without detection
    • A DNS tunnel can be used as a full remote-control channel for a compromised internal host
    Impact: Data exfiltration or malware insertion can happen through the tunnel
    (Diagram labels: ENTERPRISE: Client-side tunnel program, IP traffic; Encoded IP in DNS queries; INTERNET: DNS terminal server, Internet)
  • 9. Data Exfiltration over DNS Queries
    Malware Steals File Containing Sensitive Data
    • Infected endpoint gets access to file containing sensitive data
    • It encrypts and converts info into encoded format
    • Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
    • Exfiltrated data reconstructed at the other end
    • Can use spoofed addresses to avoid detection
    (Diagram labels: ENTERPRISE: Infected endpoint, DNS server; INTERNET: Attacker controlled server, thief.com (C&C); Data; C&C commands; example queries: NameMarySmith.foo.thief.com, MRN100045429886.foo.thief.com, DOB10191952.foo.thief.com)
  • 10. How Infoblox Secures DNS
  • 11. Hardened DNS Appliances
    Conventional Server Approach (Multiple Open Ports):
    • Many open ports are subject to attack.
    • Users have OS-level account privileges on server.
    • Requires time-consuming manual updates.
    Hardened Appliance Approach (Limited Port Access, Secure Access, Update Service):
    ✓ Dedicated hardware with no unnecessary logical or physical ports
    ✓ No OS-level user accounts, only admin accounts
    ✓ Immediate updates to new security threats
    ✓ Secure HTTPS-based access to device management
    ✓ No SSH or root-shell access
    ✓ Encrypted device-to-device communication
    ✓ Hardware based Security & DNS Acceleration
  • 12. Internal DNS Security Deployment
    (Diagram labels: INTERNET: Attacker, Thief, Badsite1.com, Badsite2.com, Badsite3.com, Good.com, Infoblox Automated Threat Intelligence Service; ENTERPRISE: Firewall, Infoblox Internal DNS Security; example exfiltration queries: SSN:123456789.foo.thief.com, PESEL:77050502143.foo.thief.com; Updates for DNS attacks and malicious domains; Legitimate Query; DNS DDoS attacks detected and dropped; Data exfiltration detected and dropped; Malware site blocked)
  • 13. Protection Against Internal DNS Attacks
    Infoblox Internal DNS Security: DNS attacks detected & dropped
    DNS reflection; DNS amplification; TCP/UDP/ICMP floods; NXDOMAIN attack; Phantom domain attack; Random subdomain attack; Domain lockup attack; DNS-based exploits; DNS cache poisoning; DNS tunneling; Malformed DHCP requests
    (Diagram labels: INTERNET, ENTERPRISE, Firewall, Infoblox Automated Threat Intelligence Service; Legitimate Traffic, DNS DDoS, Legitimate Traffic, DNS Tunneling)
  • 14. Protection Against APTs/Malware: DNS Firewall
    1. An infected device brought into the office. Malware spreads to other devices on network.
    2. Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to malware site or redirects traffic to a landing page or “walled garden” site).
    3. Pinpoint. Infoblox Reporting lists DNS Firewall action as well as the: Device IP address; Device MAC address; Device type/OS (DHCP fingerprint); Device host name; Device lease history; AD login name; Switch/port/VLAN
    4. An update will occur every 2 hours (or more often for significant threat).
    (Diagram labels: INTERNET: Malware/APT, Malicious Domains, Infoblox threat update: device IPs, domains, etc. of bad servers; INTRANET: Malware/APT spreads within network, calls home; Blocked communication attempt sent to Syslog)
  • 15. Automatic and Customizable Threat Intelligence: DNS Firewall
    Infoblox DNS Firewall. Pre-defined Lists: Malware droppers, Botnet C&C/DNS servers, Geographic blocks, Inbound attacks. User-defined Lists: User-defined RPZ behaviors, Custom Feed.
    • Automatic ongoing protection against APTs/malware without intervention, downtime or patching
    • Choose from lists of threat categories and sources
    • Implement whitelists, blacklists, and RPZ actions based on client
    • Benefits: flexibility and performance
  • 16. What is DNS data exfiltration?
    DNS Tunneling vs DNS Exfiltration
    • Tunneling is the mechanism by which attackers exfiltrate data
    • Tunneling also used to bypass wifi hotspots and to do anti-virus updates
    Malware frequently uses DNS to exfiltrate data
    • Hackers know that DNS port is always open and available
    • Stolen data is broken into small chunks, often encrypted and encoded to avoid detection
    • Exfiltrated data is decrypted and reassembled at the other end
    This detection IS NOT a substitute for Data Loss Protection products
    • DLP products protect against leakage via email, web, ftp and other vectors
    • We cover one use case, one that these products typically don’t, but not the whole market
    Data Exfiltration via host/subdomain (Simplified/unencrypted example):
    Jane-Doe.foo.thief.com, SSN-543112197.foo.thief.com, DOB-04-10-1999.foo.thief.com, MC-7895206822348781.foo.thief.com, CCV-567-E-10-21.foo.thief.com
    John-Public.bar.thief.com, SSN-9845762093.bar.thief.com, DOB-01-22-1943.bar.thief.com, V-3850384711230911.bar.thief.com, CCV-434-E-11-19.bar.thief.com
    Example Malware that uses DNS Tunnels: FrameworkPOS, FeederBot, Moto, Morto, PlugX, Win32.Zbot.chas/Unruy.H, Win32.Mufanom.vha, Win32.AutoTsifiri.n, Win32.Hiloti
  • 17. Data Exfiltration via DNS Tunneling
    • Real Customer Example
    • File containing sensitive info converted to text, broken into chunks and exfiltrated via DNS
    • Exfiltrated data put back together and decrypted to get the valuable information
    • Used spoofed addresses
  • 18. Data Exfiltration Protection with Infoblox DNS Threat Analytics
  • 19. How DNS Threat Analytics Works
    • DNS Threat Analytics detects tunneling based on the patterns of requests.
      - Looks at TXT records, A, AAAA records
      - Finds tunneling by using lexical and temporal analysis looking for signs that the requests are data exfiltration
      - Adds destinations to an internal RPZ feed automatically
    • Products: Internal DNS Security/DNS FW
    Note: DNS based detection IS NOT a substitute for Data Loss Protection products.
    Analysis Model: Entropy, Lexically, N-Gram, Frequency, Size
  • 20. Behavior / Infoblox analytics
    Behavior      Infoblox analytics
    Entropy       Generally speaking, queries should not all be uniform in size
    Lexically     Are they words?
    N-Gram        Contiguous sequence of n-items
    Time Series   Number of queries (overall); number of queries to a domain
  • 21. Intelligence Needed to Take Action: Contextual Reporting
    • Attack details by category, member, rule, severity, and time
    • Drill-down analytics and visualization of entire network
    • List of top infected clients with associated user names (enabled by Microsoft AD integration)
    • CISO/Executive report with top APT/malware threats
  • 22. Integrations – Cisco, FireEye, Bit9 etc. Only Team wins!
  • 23. (no slide text)
  • 24. Security Product Strategy
    (Diagram labels: INTERNET: DNS DDoS, Exploits, Reflection, Amplification, Global Threat Intelligence Platform, Malicious Domains, SaaS/Cloud DDoS; Infoblox External DNS Security: Harden DNS; Infoblox Internal DNS Security & DNS Firewall: Anti-Malware & Data Exfiltration; INTRANET: Security Operations & Ecosystem: NAC, APT/Malware, SIEM, Business Intelligence; Infoblox DDI Security)
  • 25. Find DNS Threats in your Network
  • 26. Send Us Your PCAP Files
    • Infoblox analyzes and provides insights on malicious activity in seconds
    • Report on findings to take back to management
  • 27. Q&A

Editor’s Notes

  1. Avengers (Mściciele)
  2. So let’s take a look at why securing DNS is so important. Firstly, attackers know that DNS is the cornerstone of the internet. All businesses need DNS to function: for having your web site online, for email communication, VoIP, etc. It is critical networking infrastructure, connecting all users, applications and devices on the internet. Second, DNS as a protocol is easy to exploit, and attacks are prevalent today. DNS is a UDP-based protocol that was developed 30-odd years ago, and nobody thought DNS would be used as a way to attack a network. Because DNS wasn’t designed with security in mind, the protocol itself is easy to exploit. Today, DNS attacks are higher than ever. DNS is the number-one protocol used in reflection/amplification attacks (81 percent). DNS is tied with HTTP (75%) for the top targeted service of application-layer DDoS attacks. Furthermore, advanced persistent threats (APTs) and malware use DNS as a C&C channel to avoid detection (Source: http://www.pcworld.com/article/250971/malware_increasingly_uses_dns_as_command_and_control_channel_to_avoid_detection_experts_say.html). The third key point is that traditional protection is ineffective. These products don’t have a complete understanding of DNS and hence may either lack DNS security or just bolt some on. So traditional protection is not effective enough against DNS-based attack vectors. It’s a gap that needs to be filled. The bottom line is: unprotected, DNS increases risk to critical infrastructure and data.
  3. Avengers (Mściciele)
  4. We are a critical component of the customer infrastructure and a target for many of these attacks. DNS is an open global communication mechanism that is neither well secured nor a well protected channel. The platform on which DNS services run can be a challenge to secure, especially if that platform is also running other applications with no stringent access control to the OS. DNS needs to be protected against attacks that try to bring it and the IT infrastructure down. Malware communicates with its command and control site/domain using DNS to resolve the name.
  5. These are some of the key attacks we’ve seen growing in number in the last year. This list is always growing as malware architects find new ways and workarounds to exploit vulnerabilities in DNS protocols. The blue font indicates volumetric or DDoS DNS attacks, such as amplification or reflection, where a victim’s device is flooded with an overwhelming amount of traffic. Some in-line devices and cloud vendors can rate-limit to slow down these attacks; they will try to scale out their infrastructure to meet the firepower of the DDoS attack itself. But the attackers always seem to find a way to launch a bigger attack. If you remember from earlier in the course, most DDoS attacks today are exceeding 200Gb in size! The red font indicates DNS-specific exploits. These attacks are very difficult for IPS, DPI devices, and next-gen firewalls to mitigate because they’re not designed for the DNS protocol. See your PowerPoint notes to learn more about each of these attacks, and how Infoblox External DNS Security protects against ALL of them. <name each one>
     <Additional Information>
     DNS reflection/DrDoS attacks: Reflection attacks use a third-party DNS server, mostly an open resolver on the internet, to propagate a DDoS attack on the victim’s server. A recursive server will process queries from any IP address and return responses. An attacker spoofs the DNS queries he sends to the recursive server by including the victim’s IP address as the source IP in the queries, so when the recursive name server receives the requests, it sends all the responses to the victim’s IP address. DrDoS (Distributed Reflection Denial of Service) uses multiple such open resolvers, thereby creating a Denial of Service (DoS).
     DNS amplification: DNS amplification is an attack where a large number of specially crafted DNS queries are sent to the victim server. These result in a very large response that can reach up to 70 times the size of the request. Since DNS relies on the User Datagram Protocol (UDP), the attacker can use a small volume of outbound traffic to cause the DNS server to generate a much larger volume. The amplification of outbound responses congests the DNS server’s outbound bandwidth. This results in a Denial of Service (DoS).
     DNS-based exploits: These are attacks that exploit vulnerabilities in the DNS software. This causes the DNS software to terminate abnormally, causing the server to stop responding or crash.
     TCP/UDP/ICMP floods: These are volumetric attacks with massive numbers of packets that consume a network’s bandwidth and resources. Attackers can also use BGP, OSPF, NTP, or ICMP (Ping of Death, Smurf) protocols to bring down servers or network devices.
     Additional attack types with more detailed descriptions:
     TCP SYN floods consist of large volumes of half-opened TCP connections. This attack takes advantage of the way TCP establishes connections. The attacking software generates spoofed packets that appear to the server to be valid new connections. These packets enter the queue, but the connection is never completed, leaving false connections in the queue until they time out. The system under attack quits responding to new connections until the attack stops. This means the server is not responding to legitimate requests from clients to open new connections, resulting in a Denial of Service (DoS).
     UDP floods send large numbers of UDP packets to random ports on a remote server, which checks for applications listening to the port but doesn’t find them. The remote server is then forced to return a large number of ICMP Destination Unreachable packets to the attacker saying that the destination is unreachable. The attacker can also spoof the return IP address so that the replies don’t go to the attacker’s servers. Sending the replies exhausts the victim server’s resources and causes it to become unreachable.
     ICMP attacks use network devices like routers to send error messages when a requested service is not available or the remote server cannot be reached. Examples of ICMP attacks include ping floods, ping-of-death and smurf attacks. This overwhelms the victim server or causes it to crash due to overflow of memory buffers.
     DNS cache poisoning: Corruption of DNS cache data. It involves inserting a false address record for an Internet domain into the DNS query. If the DNS server accepts the record, subsequent requests for the address of the domain are answered with the address of a server controlled by the attacker. For as long as the false entry is cached, incoming web requests and emails will go to the attacker’s address. New cache-poisoning attacks such as the “birthday paradox” use brute force, flooding DNS responses and queries at the same time, hoping to get a match on one of the responses and poison the cache. Cache poisoning prevents access or helps to redirect the clients to a rogue address (hijacking), preventing legitimate users from accessing the company’s site.
     Protocol anomalies: Send malformed DNS packets, including unexpected header and payload values, to the targeted server. Even though the packet size may be the same, the payload contents may not. Attackers make use of software bugs in protocol parsing and processing implementation. The victim server stops responding by going into an infinite loop or crashes.
     Reconnaissance: This attack consists of attempts to get information on the network environment before launching a large DDoS or other type of attack. Techniques include port scanning and finding versions and authors. These attacks exhibit abnormal behavior patterns that, if identified, can provide early warning. No direct effect on the server, but it indicates an impending attack.
     DNS tunneling: This attack involves tunneling another protocol through DNS port 53, which is allowed if the firewall is configured to carry non-DNS traffic, for the purposes of malware insertion and/or data exfiltration. A free ISC-licensed tunneling application for forwarding IPv4 traffic through DNS servers is widely used in this kind of attack.
     How Infoblox protects against these attacks:
     Smart rate thresholds can put the brakes on DNS DDoS and flood attacks without denying services to legitimate users. Smart rate thresholds use External DNS Security’s ability to discriminate between different query types and the rates associated with them. For example, a downstream DNS caching server might generate 100 times the base traffic of a normal desktop source, and this traffic might be legitimate. An HTTP or mail proxy server has a higher DNS traffic demand, which is legitimate. So basic rate limiting is ineffective (it either causes too many false positives or leaves too large a gap). The key to flood control is smart rate thresholds. Source-based throttling detects an abnormal query rate increase by source IP and applies rate limits: there is a counter per IP address, and if we get too many operations per second from that IP, rate limits are applied to that traffic. Destination-based throttling detects abnormal increases in traffic grouped by target domains.
     For anomalies and exploits, External DNS Security ensures the packets are valid DNS packets and then analyzes those packets for patterns of exploits that target specific vulnerabilities before they reach the DNS software. The definition of a good packet has been tightened based on extensive analysis. Input validation failures include: DNS UDP packets where the DNS question name or label is too long, an invalid question count, an invalid number of entries in the question section, or an invalid question class or resource record. It also drops DNS UDP packets when incremental zone transfer requests contain zero or more than one authority, or an invalid authority.
     For cache poisoning, External DNS Security can reduce the window of DNS resolver response acceptance and uses rate limiting and packet response matching to mitigate this attack. This rule passes DNS UDP response packets from upstream DNS servers or external DNS primaries if the packet rate is less than the packets-per-second value setting. If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time. It offers similar mitigation for DNS ACK packets from NIOS-initiated connections.
     For reconnaissance, External DNS Security drops UDP packets requesting information on authors and/or version information.
     For tunneling, the anti-tunneling rule passes a large amount of inbound UDP DNS queries if the packet rate is less than the packets-per-second value (default = 2). If any source IP sends packets over this value, the appliance blocks all such traffic from this source IP for a certain period of time.
  6. Advanced Persistent Threats are a common theme in most of the data breaches that we have read or heard about through various social media and news outlets. Advanced Persistent Threats are nation-state or organized-crime sponsored targeted attacks that are directed at governments or enterprises, with the mission of not just exploiting system and application vulnerabilities but ultimately accessing and stealing sensitive data. Malware is practically sitting in every corporate network, whether lying dormant or being actively exploited by APTs via DNS communications, which cause infected devices to call ‘home’ to a command and control site/botnet. In situations where data is successfully exfiltrated, the average material loss per such incident is $7.6M according to the latest Ponemon Institute 2014 Global Report on the Cost of Cybercrime. In 2015 alone, there have been over 200 data breaches globally, with the #1 vertical being Business and #2 Medical/Healthcare, according to the latest information from the Identity Theft Resource Center, which is constantly monitoring data breaches globally. Anthem is the biggest victim in terms of compromised records so far. Many other verticals are commonly targeted: Financial/Banking/Credit, Education, Government, as well as Entertainment and Retail, as exemplified by Sony Pictures and Target, which were highly publicized. The question isn’t if, but when you will be attacked, and how effectively you can respond. DNS is often a hole in network security and can be exploited by APTs to execute the cyber kill chain and exfiltrate data. DNS security should be part of your defense-in-depth strategy.
  7. CryptoLocker is an example of malware also called ransomware. Once it infects an endpoint, it runs an encryption algorithm and encrypts all the data and files on that endpoint. It asks for a ransom, and you have to pay up to get your data back. CryptoLocker actually uses DNS as a way to connect to its Command & Control site, download the encryption software, run it, and then encrypt the data. If you can use the DNS RPZ feed to detect and block it and prevent the encryption from actually happening, you save your data from the ill effects of CryptoLocker. And that’s exactly what DNS Firewall does, as I will explain further in the presentation.
     Gameover Zeus (GOZ), another highly publicized botnet, mainly targets financial industries. It is a peer-to-peer botnet that uses P2P communications to control infected devices, and it was used as a way to drop CryptoLocker on many of those devices. Significant loss, with hundreds of millions of dollars stolen. Again, the botnet and its communications happen through DNS. You can use DNS to disrupt these types of botnets and malicious software.
  8. DNS-based DDoS attacks are constantly evolving, and methods range from amplification, reflection, and simple NXDOMAIN to highly sophisticated attacks involving botnets and misbehaving domains created for the purpose.
  9. For protecting against malware and APTs, Infoblox offers DNS RPZ feed based protection. This is software that can run on Infoblox appliances. It has intelligence on known malicious domains and networks. Let me walk you through an example of how this works.
     1. When an infected device is brought onto the network, it tries to communicate with its command and control site using DNS.
     2. The infected endpoint sends a DNS query to the Infoblox DNS server, and when the DNS response comes back to the Infoblox DNS server, the product compares the destination information with its list of known malicious destinations received from the threat-update service. The threat intelligence feed is highly scalable, highly available (it uses Anycast) and customizable. The product leverages intelligence on the top domains that host malicious activity. After checking the query and determining it is to a bad site or IP address, it takes administrator-defined action, such as blocking the communication of that endpoint to the known malicious destination or redirecting the traffic to a landing page or “walled garden” site defined by the network administrator.
     3. It will also report on the malicious activity. With Infoblox Reporting, you can find out which endpoint actually tried to make the malicious communications, the device IP address, the device MAC address, and what type of device it is. With DHCP fingerprinting, you can find out if it’s an iPad, a smart phone, a PC, or a Mac. So you get more intelligence on the infected endpoint, and you can easily go and clean it up.
     4. The product is updated every 2 hours with information on newly discovered malicious domain destinations, IPs, etc. It uses a regularly updated RPZ feed that is based on malware data from multiple public and private sources.
     5. The product can also receive and act on threat intelligence from outside Infoblox. For example, it works with the FireEye Adapter, a mechanism that enables intelligence from FireEye on zero-day malware to be used for blocking with our product. As you may know, FireEye is a sandboxing technology for detecting zero-day malware, basically advanced persistent threats or APTs. If you don’t have FireEye deployed inline, the FireEye appliance would just give you alerts and you would have to go and take action on them. But our product takes those alerts and intelligence from FireEye and actually takes action: it blocks and disrupts the APT communications that FireEye detects. So it’s one step further. It’s a complete solution for APT mitigation.
     Key benefits of the Infoblox DNS RPZ feed based security + FireEye Adapter solution:
     - Blocks internet malware and internal APT DNS communications to malicious domains and networks
     - Automatic updates to stay protected against a constantly evolving threat landscape
     - Easily pinpoint infected devices based on DHCP fingerprint and lease information
     - Easily look up threat severity and reputation of malware that has been blocked
  10. With DNS Firewall, you can customize the threat intelligence feed you use according to your business needs. We provide seven pre-defined threat feeds, basically collections of domains that differ by category, such as malware-dropping sites, botnets, and geographical blocks. You can tune the feed to be as specific or broad as needed. You can also customize the RPZ policy definition based on threat type, geo, severity, source and reputation. Furthermore, you can specify custom RPZ actions (pass-through, drop, substitute policy) on a per-client basis. The benefits of this automated and customizable threat intelligence are flexibility and performance, so that you can continue business as usual.
  11. Customer: developer of video games. This is simple data exfiltration where a file is taken, converted to text, chunked apart, then sent offsite via DNS. This was done using spoofed IP addresses, so the clients were coming from 1.x.x.x to 128.x.x.x, so I can't alarm on or rate-limit the clients. The query rate started out at 47 QPS and instantly dropped to ~5 QPS.
  13. Entropy (the amount of data within a record)
      Lexical (are they words or not)
      N-Gram (contiguous sequences of numbers or letters), see http://guidetodatamining.com/ngramAnalyzer/
      Time Series (that is, the number of hits to the same IP but different sub-domains)
  14. Infoblox Internal DNS Security generates 8 reports. These reports show attack details by category, rule type, severity etc. This helps in early detection and mitigation.
  15. If you don’t have cycles or resources to do the evaluation yourself, we can help! Go to infoblox.com/free-malware-report. A local Sales Engineer will contact you and will then take a snapshot of just the network traffic that you provide. It will be run in our own lab environment and a report will be generated. With this report you can discover APT activity in your network and easily make a case to upper management for DNS security.
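The packet checks and rate thresholds described in note 5, as an added Python example that is not Infoblox or NIOS code: a minimal parser applies the "good packet" rules the note lists to a raw DNS/UDP query (header sanity, exactly one question, label and name length limits, a valid question class, no compression in the question name), drops CHAOS-class version/authors reconnaissance queries, and a sliding-window counter provides the per-source (or, keyed by target domain, per-destination) threshold. The limits, the `RateThreshold` class and the `build_query` helper that constructs test packets are this example's own assumptions, not product settings.

```python
"""Inbound DNS query validation and rate thresholds (added example, not Infoblox code)."""
import struct
from collections import defaultdict, deque

MAX_LABEL = 63                  # RFC 1035 label length limit
MAX_NAME = 255                  # RFC 1035 wire-format name limit, including the root byte
VALID_QCLASS = {1, 3, 4, 255}   # IN, CH, HS, ANY
# CHAOS-class names that only reveal server software/version (reconnaissance)
RECON_NAMES = {"version.bind", "authors.bind", "hostname.bind", "id.server"}


def parse_question(pkt):
    """Return (qname, qtype, qclass) for a query, or raise ValueError.

    Rejects what the note calls input-validation failures: short or wrong
    headers, a question count other than one, over-long labels or names,
    and an unknown question class.
    """
    if len(pkt) < 12:
        raise ValueError("short header")
    _txid, flags, qdcount, ancount, nscount, _arcount = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: a response, not a query")
    if qdcount != 1:
        raise ValueError("invalid question count %d" % qdcount)
    if ancount or nscount:
        raise ValueError("answer/authority records in a query")
    labels, off, wire_len = [], 12, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated question name")
        n = pkt[off]
        off += 1
        if n >= 0xC0:
            raise ValueError("compression pointer in question name")
        if n == 0:
            wire_len += 1
            break
        if n > MAX_LABEL:
            raise ValueError("label too long (%d)" % n)
        if off + n > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n
        wire_len += n + 1
    if wire_len > MAX_NAME:
        raise ValueError("name too long (%d bytes)" % wire_len)
    if off + 4 > len(pkt):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass not in VALID_QCLASS:
        raise ValueError("invalid question class %d" % qclass)
    return ".".join(labels).lower(), qtype, qclass


def classify_query(pkt):
    """Return 'pass' or 'drop:<reason>' for one inbound UDP payload."""
    try:
        qname, _qtype, qclass = parse_question(pkt)
    except ValueError as exc:
        return "drop:malformed:%s" % exc
    if qclass == 3 and qname in RECON_NAMES:      # version/authors probing
        return "drop:recon:%s" % qname
    return "pass"


class RateThreshold:
    """Sliding one-second window; key by source IP or by target domain."""

    def __init__(self, limit_per_second):
        self.limit = limit_per_second
        self.events = defaultdict(deque)

    def allow(self, key, now):
        """Record one query for `key` at time `now`; False once over the limit."""
        window = self.events[key]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True


def build_query(name, qtype=1, qclass=1, qdcount=1, txid=0x1234):
    """Construct a raw DNS query (test helper; oversized labels allowed on purpose)."""
    body = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    body += b"\x00" + struct.pack("!HH", qtype, qclass)
    return struct.pack("!HHHHHH", txid, 0x0100, qdcount, 0, 0, 0) + body


if __name__ == "__main__":
    samples = {
        "normal": build_query("www.example.com"),
        "version.bind": build_query("version.bind", qtype=16, qclass=3),
        "long label": build_query("a" * 70 + ".example.com"),
        "two questions": build_query("www.example.com", qdcount=2),
    }
    for what, pkt in samples.items():
        print("%-14s %s" % (what, classify_query(pkt)))
```

Queries that pass the parser would then go through the rate check before reaching the resolver; the same `RateThreshold` instance keyed by the registered domain of the query name gives the destination-based variant the note describes. A counter per key is the whole mechanism, so a caching forwarder or mail proxy that legitimately sends more queries simply needs its own, higher limit rather than an exemption.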
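The response-side decision described in notes 9 and 10, as an added Python example that is not Infoblox DNS Firewall code: a constructed feed of malicious domains and networks is matched against the query name and the answer addresses, a per-client policy picks the action (pass-through, NXDOMAIN, drop, or walled-garden redirect), an administrator allow list overrides the feed, and every hit produces the fields a syslog record would carry. The feed entries, client ranges, the `192.0.2.10` landing-page address and the function names are all assumptions.

```python
"""RPZ-style response policy with per-client actions (added example, not Infoblox code)."""
import ipaddress

# Constructed threat feed: domain (subdomains match too) -> (category, severity)
FEED_DOMAINS = {
    "badsite1.com": ("malware-dropper", 90),
    "c2.thief.com": ("botnet-c2", 100),
}
# Constructed feed of networks hosting C&C; matched against the answer addresses
FEED_NETWORKS = {ipaddress.ip_network("203.0.113.0/24"): ("botnet-c2", 80)}
# Administrator allow list: overrides the feed (e.g. a confirmed false positive)
ALLOW_DOMAINS = {"cdn.badsite1.com"}

WALLED_GARDEN = "192.0.2.10"    # assumed landing-page address

# Per-client RPZ behaviour: first matching network wins, otherwise log only
CLIENT_POLICIES = [
    (ipaddress.ip_network("10.10.0.0/16"), "walled-garden"),   # user LAN
    (ipaddress.ip_network("10.20.0.0/16"), "nxdomain"),        # server segment
]
DEFAULT_POLICY = "passthru"


def domain_match(qname, names):
    """Return qname or the closest parent domain present in `names`, else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return None


def client_policy(client_ip):
    addr = ipaddress.ip_address(client_ip)
    for net, action in CLIENT_POLICIES:
        if addr in net:
            return action
    return DEFAULT_POLICY


def evaluate(client_ip, qname, answers):
    """Apply the policy to a resolved response.

    Returns (action, answers_to_send, log); `log` is None when nothing matched,
    otherwise the fields that would be shipped to syslog.
    """
    if domain_match(qname, ALLOW_DOMAINS):
        return "passthru", answers, None
    entry = domain_match(qname, FEED_DOMAINS)
    trigger, meta = "qname", FEED_DOMAINS.get(entry)
    if entry is None:                       # no name hit: check answer IPs
        for addr in answers:
            for net, net_meta in FEED_NETWORKS.items():
                if ipaddress.ip_address(addr) in net:
                    entry, trigger, meta = str(net), "ip", net_meta
                    break
            if entry:
                break
    if entry is None:
        return "passthru", answers, None
    category, severity = meta
    action = client_policy(client_ip)
    log = {"client": client_ip, "qname": qname, "trigger": trigger, "entry": entry,
           "category": category, "severity": severity, "action": action}
    if action == "nxdomain":
        return "nxdomain", [], log
    if action == "drop":                    # no response at all
        return "drop", [], log
    if action == "walled-garden":
        return "walled-garden", [WALLED_GARDEN], log
    return "passthru", answers, log         # observe-only clients still get logged


def syslog_line(log):
    """Format a hit as key=value pairs for a SIEM."""
    return " ".join("%s=%s" % (k, v) for k, v in log.items())


if __name__ == "__main__":
    for client, name, answers in [
        ("10.10.5.5", "www.badsite1.com", ["198.51.100.7"]),
        ("10.20.1.2", "c2.thief.com", ["203.0.113.9"]),
        ("10.10.5.5", "evil.example.net", ["203.0.113.50"]),
        ("10.10.5.5", "cdn.badsite1.com", ["198.51.100.8"]),
        ("172.16.1.1", "www.badsite1.com", ["198.51.100.7"]),
    ]:
        action, sent, log = evaluate(client, name, answers)
        print(client, name, "->", action, sent, syslog_line(log) if log else "")
```

The IP trigger is what catches a fresh domain that resolves into an already-listed C&C network, which is why the check runs on the response rather than only on the query. The log record carries the client address so that the DHCP lease, fingerprint and switch-port lookup described on slide 14 can be joined to it afterwards.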
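The signals listed in note 13 and on slides 19 and 20 (entropy, lexical/n-gram plausibility, size, and the time series of queries per domain), as an added Python example that is not Infoblox DNS Threat Analytics: it profiles a constructed query log per registered domain and flags domains whose first labels look like encoded chunks rather than hostnames, the pattern shown on slides 9 and 16. The benign-label reference list, the thresholds, the two-label `registered_domain()` simplification and the sample log are assumptions.

```python
"""Exfiltration/tunnel detection signals over a DNS query log
(added example, not Infoblox DNS Threat Analytics)."""
import hashlib
import math
from collections import defaultdict

# Constructed reference of ordinary hostname labels; their character bigrams
# stand in for an n-gram model of what names usually look like.
BENIGN_LABELS = ["www", "mail", "cdn", "static", "api", "login", "images", "update",
                 "news", "shop", "docs", "support", "app", "portal", "secure", "help",
                 "download", "video", "search", "store", "cloud", "files", "media", "blog"]


def bigrams(text):
    return {text[i:i + 2] for i in range(len(text) - 1)}


BENIGN_BIGRAMS = set().union(*(bigrams(label) for label in BENIGN_LABELS))


def entropy(text):
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def ngram_score(label):
    """Share of the label's bigrams that occur in ordinary hostnames (0..1)."""
    grams = bigrams(label.lower())
    if not grams:
        return 1.0
    return len(grams & BENIGN_BIGRAMS) / len(grams)


def registered_domain(qname):
    """Assumption: the last two labels; a real system uses a public-suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def profile(log):
    """Aggregate lexical and time-series features per registered domain."""
    per = defaultdict(lambda: {"queries": 0, "names": set(), "len": [], "ent": [], "ngram": []})
    for _ts, _client, qname, _qtype in log:
        p = per[registered_domain(qname)]
        label = qname.split(".")[0]            # the chunk-carrying label
        p["queries"] += 1
        p["names"].add(qname.lower())
        p["len"].append(len(label))
        p["ent"].append(entropy(label))
        p["ngram"].append(ngram_score(label))
    return per


def mean(xs):
    return sum(xs) / len(xs) if xs else 0.0


def suspicious_domains(log, min_unique=20, min_len=20, min_entropy=3.2, max_ngram=0.5):
    """Flag domains receiving many distinct, long, encoded-looking names (thresholds assumed)."""
    flagged = {}
    for domain, p in profile(log).items():
        feats = {"queries": p["queries"], "unique": len(p["names"]),
                 "mean_len": mean(p["len"]), "mean_entropy": mean(p["ent"]),
                 "mean_ngram": mean(p["ngram"])}
        # time series: many unique names under one domain; size: long labels;
        # lexical: high entropy or few hostname-like bigrams
        if (feats["unique"] >= min_unique and feats["mean_len"] >= min_len
                and (feats["mean_entropy"] >= min_entropy or feats["mean_ngram"] <= max_ngram)):
            flagged[domain] = feats
    return flagged


def sample_log():
    """Constructed log: routine lookups plus a chunked upload to foo.thief.com."""
    log, t = [], 0.0
    routine = ["www.example.com", "mail.example.com", "cdn.example.net",
               "static.example.net", "login.example.org"]
    for i in range(60):
        log.append((t, "10.0.0.%d" % (10 + i % 5), routine[i % len(routine)], "A"))
        t += 1.0
    for i in range(40):    # 40 hex-encoded chunks, one per TXT query, 5 per second
        chunk = hashlib.sha256(b"secret-file-chunk-%d" % i).hexdigest()[:48]
        log.append((t, "10.0.0.99", "%s.foo.thief.com" % chunk, "TXT"))
        t += 0.2
    return log


if __name__ == "__main__":
    for domain, feats in suspicious_domains(sample_log()).items():
        print(domain, {k: round(v, 2) if isinstance(v, float) else v for k, v in feats.items()})
```

Keying the time series on the registered domain rather than on the client is what makes this usable against the spoofed-source case in note 11: the sources vary, but every chunk still has to arrive under the attacker's domain. The unencrypted slide-16 style names (SSN-, DOB-, card numbers) are caught by the length and low n-gram score even though their entropy is modest, which is why the lexical test is an either/or.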