DNS: A Security Vulnerability?

Dr. Claudia Johnson

April 3rd, 2017

© 2017 Infoblox Inc. All Rights Reserved.


Agenda

1. Attack scenarios
2. Infoblox solutions
3. Demo
4. How you can protect yourself


DNS is a Key Threat Vector for Malware Spread

• Infoblox DNS Threat Index at all-time high
  - Infrastructure known to host or facilitate ransomware grew just over 35x
  - Exploit kits still the dominant category – less sophisticated criminals are being enabled by more mature ones that sell exploit kits, pre-weaponized

• Over 91% of malware uses DNS to [1]
  - Communicate with Command and Control (C&C) servers
  - Exfiltrate data
  - Redirect traffic to malicious sites

• Existing security controls lack visibility into DNS based malware

Source: 1. Cisco 2016 Annual Security Report

[Figure: Infoblox DNS Threat Index]


Typical customer environment – are customers protected?

[Diagram labels: DMZ, DNS hardcoded by users…, Proxy, Proxy traffic, Unprotected DNS traffic, Application server, 8.8.8.8 or ISP servers, Microsoft DNS, Bind DNS cache, Regular user, DNS request]

Problem statement

• Many exit routes for DNS
• Customer feels secure because of the proxy server
• DMZ DNS not hardened against DNS DDoS
• DNS requests are not inspected for malware
• Systems are not protected against DNS data exfiltration


3 solution building blocks

1. Malware Prevention and Containment - ActiveTrust: known domains, IPs, etc.

2. DNS Data Exfiltration Prevention - Threat Insight: unknown domains and IPs, identified by heuristics

3. DDoS Prevention - Advanced DNS Protection (ADP)


ACTIVETRUST


Infoblox ActiveTrust: How it works

[Diagram labels: Other Partner Feeds; IID, SURBL Feeds; Threat Intelligence Platform; DNS FW; NGEP, NGFW, SIEM; TIDE; Dossier; Threat Analyst]

Also reputation, passiveDNS, Google Custom Search…


Roaming Client: ActiveTrust Endpoint

• Redirects the endpoint’s DNS to Infoblox DNS in the cloud
• Encrypts and embeds the client identity in DNS packets
• Available for Windows (7/8/10) and Mac OSX 10.10 – 10.12
• Can be configured to switch to bypass mode when inside corporate network protected by on-premises ActiveTrust
• Small light-weight agent

* First phase offers support for Windows and Mac. Support for Linux, iOS, Android in future.


Dossier Demo


Customer environment with Infoblox – customers are protected

[Diagram labels: DMZ, DNS hardcoded by users…, Proxy, Proxy traffic, Application server, 8.8.8.8 or ISP servers, Microsoft DNS, Bind DNS cache, Regular user, DNS request, Protected DNS traffic]

Solutions:

• Malware C&C protection
• DNS data exfiltration protection
• DNS DDoS protection