1 | © 2017 Infoblox Inc. All Rights Reserved.
DNS: A Security Vulnerability?
Dr. Claudia Johnson
April 3rd, 2017
Agenda
1. Attack scenarios
2. Infoblox solutions
3. Demo
4. How you can protect yourself
DNS is a Key Threat Vector for Malware Spread
• Infoblox DNS Threat Index at all-time high
  • Infrastructure known to host or facilitate ransomware grew just over 35x
  • Exploit kits still the dominant category – less sophisticated criminals are being enabled by more mature ones that sell exploit kits, pre-weaponized
• Over 91% of malware uses DNS to (1):
  • Communicate with Command and Control (C&C) servers
  • Exfiltrate data
  • Redirect traffic to malicious sites
• Existing security controls lack visibility into DNS-based malware
Source: 1. Cisco 2016 Annual Security Report
[Figure: Infoblox DNS Threat Index]
Typical customer environment – are customers protected?
[Diagram labels: DMZ; DNS hardcoded by users…; Proxy; Proxy Traffic; Unprotected DNS Traffic; Application server; 8.8.8.8 or ISP servers; Microsoft DNS; BIND DNS cache; Regular user; DNS request]
Problem statement
• Many exit routes for DNS
• Customer feels safe because of the proxy server
• DMZ DNS is not hardened against DNS DDoS
• DNS requests are not inspected for malware
• Systems are not protected against DNS data exfiltration
3 solution building blocks
1. Malware Prevention and Containment - ActiveTrust: known domains, IPs, etc.
2. DNS Data Exfiltration Prevention - Threat Insight: unknown domains and IPs, based on heuristics
3. DDoS Prevention - Advanced DNS Protection (ADP)
ACTIVETRUST
Infoblox ActiveTrust: How it works
[Diagram labels: Other Partner Feeds; IID, SURBL Feeds; Threat Intelligence Platform; TIDE; Dossier; Threat Analyst; DNS FW; NGEP, NGFW, SIEM, …]
Also reputation, passiveDNS, Google Custom Search…
Roaming Client: ActiveTrust Endpoint
• Redirects the endpoint’s DNS to Infoblox DNS in the cloud
• Encrypts and embeds the client identity in DNS packets
• Available for Windows (7/8/10) and Mac OSX 10.10 – 10.12
• Can be configured to switch to bypass mode when inside corporate network protected by on-premises ActiveTrust
• Small light-weight agent
* First phase offers support for Windows and Mac. Support for Linux, iOS, Android in future.
Dossier Demo
Customer environment with Infoblox – customers are protected
[Diagram labels: DMZ; DNS hardcoded by users…; Proxy; Proxy Traffic; Protected DNS Traffic; Application server; 8.8.8.8 or ISP servers; Microsoft DNS; BIND DNS cache; Regular user; DNS request]
Solutions:
• Malware C&C protection
• DNS data exfiltration protection
• DNS DDoS protection