
1 | © Infoblox Inc. All rights reserved.

Infoblox BloxOne

Modularity, Scalability, Customization. Easily manage and protect your IT networks in the cloud.

Virtual Workshop – 8 July 2020

Page 2

EXCLUSIVE NETWORKS & INFOBLOX - TEAM

ALESSANDRO PILOTTI – SENIOR SYSTEMS ENGINEER – EXCLUSIVE

[email protected]

GIANLUCA DE RISI – SOLUTIONS ARCHITECT – INFOBLOX

[email protected]

Page 3

AGENDA

• Why Infoblox and Exclusive Networks

• Understanding the capabilities and benefits of BloxOne DDI and BloxOne Threat Defense

• How BloxOne DDI and BloxOne Threat Defense jointly simplify network and security management

• The solution demo

• Prize quiz

• Q&A

Page 4

Infoblox Overview

• Founded in 1999

• Headquartered in Santa Clara, CA with global operations in 25 countries

• Leader in technology for network control

• Market leadership
  – DDI Market Leader (Gartner)
  – 50% DDI Market Share (IDC)

• 8,000+ customers

• 64,000+ systems shipped

• 63+ patents

Page 5

Exclusive Networks Italy Overview

Page 6

POWERLAB: TEST THE POTENTIAL

Key points – Benefits

Showroom Live or Remote – Open to Resellers and End Users: This user-friendly tool is used to show the integrations between different products to reseller and end-user customers. You can show possible integrations and solutions LIVE or in REMOTE mode.

Cross & Up Selling: It is a way to optimise time and reduce the costs of an on-site POC. You can rent it to supply your clients with a demo, thus reducing the need to purchase NFR appliances.

Excellence Showcase: This tool proves the excellence of the implemented solutions. It is added value compared to the competition and allows you to be accredited as a Trusted Advisor.

Knowledge Sharing: This is an internal sharing tool, a sales accelerator. This essential tool has a tangible value, as it allows you to analyse all implementation scenarios of the various functions, to which you can add ad hoc services.

https://powerlab.exclusive-networks.it

Page 7

Branch Office & Remote Locations solution: Cloud-managed, highly scalable & local survivable

BloxOne™ DDI Overview - Cloud Managed DDI

❖ Auto configuration & provisioning (ZTP) at scale

❖ Template for automation

❖ Centralized software updates

❖ Automated cloud-based reporting

❖ API support for integrations

Page 8

BloxOne™ DDI Benefits

Page 9

BloxOne™ DDI Technology Use Case – Centralized Management

Page 10

BloxOne™ DDI Technology Use Case – DNS

Page 11

BloxOne™ DDI Technology Use Case – DHCP

Page 12

Why DNS is Dangerous

Bad Actor Communication Path (diagram): the client sends a DNS query for hacker.com (www.hacker.com); the resolver logs the request (“Log request: www.hacker.com”) and forwards it to the attacker-controlled name server dns.hacker.com, which returns an “A” record response.

Page 13

Tunneling IP, TCP, and other things over DNS

• Slow DNS

• Iodine

• GuizmOVPN

Page 14

How DNS is used to Exfiltrate Data – Zero Day

Exfiltration diagram: Credit Card, Personal and Intellectual Property Data are encoded into DNS query requests as host names or sub-domains of hacker.com, for example:

4412.5314.7754.4798.hacker.com

4412.9876.8543.5540.hacker.com

4412.6650.4378.3332.hacker.com

The resolver logs each request (“Log request: 4412.5314.7754.4798.hacker.com”) and forwards it to the attacker's name server dns.hacker.com, which receives the encoded data.

Page 15

Infiltration

DNS as a Transport Mechanism

• TCP features can be imitated by encoding the chunks with additional data, such as Checksum & Packet Number

• Data can be sent back in a variety of records, e.g.
  – A – allowing 4 bytes (enough for codes, e.g. 1.1.1.200 = resend packet 200)
  – AAAA – allowing 16 bytes
  – MX record: 2 bytes + domain name (255 bytes)
  – CNAME – allowing up to 110 bytes in Base32
  – TXT – allowing up to 220 bytes in Base64
  – NULL – allowing up to 256 bytes

• Using TXT and NULL makes transmission faster, at the expense of easier detection

Page 16

Legitimate DNS Tunneling

• g63uar2ejiq5tlrkg3zezf2fkemc6pi88tz.er.spotify.com

• a-0.19-b3000081.a010083.15e0.1d99.36d4.210.0.ic7arfsqqzf694fs8zf8nz2t9b.avts.mcafee.com

• 4rzjp8zy7i7vawluximoxrko1p2tn58gj0fjjj2g.p.03.s.sophosxl.net

• p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i1.ds.ipv6-exp.l.google.com

• a1294.w20.akamai.net

• dnn506yrbagrg.cloudfront.net

• A98dc034c7781a941ebabac02262202668bbe918ea9fb5289cd2.r58.cf2.rackcdn.com

Page 17

Examples of malware using DNS for communication

Malware                    Discovered   DNS Communication
UDPoS                      2018         C2 / exfil
ALMA Communicator          2017         C2 / exfil (just 10 bytes out / 4 bytes in)
DNSMessenger               2017         C2
Backdoor.Win32.Denis       2017         C2
Backdoor.Win32.ClIEcker    2017         C2 / Infil
Trojan.Win32.Ismdoor.gen   2017         C2
Wekby                      2016         C2
Multigrain POS             2016         Exfil
Strider / ProjectSauron    2016         C2 / exfil
C3PRO-Raccoon              2015         C2
FrameworkPOS               2014         Exfil
PlugX v2                   2014         C2
FeederBot                  2011         C2
Morto                      2011         C2

Page 18

Clusit Report 2019 – Microsoft Azure

Page 19

Multi-pronged Approach to Threat Detection

Signature · Reputation · Behavior

• Patented Streaming Analytics Technology (“Machine Learning”): Detect & Prevent Zero-day Data Exfiltration

• Government-grade Threat Intelligence: Detect & block malware communications to command & control sites

• Carrier-grade deep packet inspection: Instant identification of popular DNS tunneling tools

Page 20

Detecting communication over DNS using behavioral analysis

DNS Analytical Detection Model

• Detects transmission of data in DNS queries using behavioral analysis

• Patented algorithm (US 2016/0294773 A1)

• Examines all DNS records (e.g. TXT, A, AAAA)

• Certain attributes add to a threat score; others subtract from it

• Final score classifies a request as exfiltration or not

Behavioral Analysis factors: Entropy, Lexical, N-Gram Frequency, Size
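The scoring idea on this slide (attributes that add to or subtract from a threat score, with a final threshold deciding exfiltration or not) can be illustrated with a small per-query scorer. This is an added example, not Infoblox's patented model: the four features follow the slide's factors (entropy, lexical, N-gram frequency, size), but the thresholds, weights, the small set of common English bigrams and the assumption that the zone is the last two labels are choices made for the demonstration, and the sample queries are constructed (hacker.example stands in for the deck's hacker.com). It also reproduces the false-positive problem raised on slide 16: the legitimate Spotify name scores like exfiltration on per-query features alone, which is why a production model must also weigh behaviour over many queries and reputation.

```python
import math
from collections import Counter

# A small set of frequent English bigrams (assumption: a real model would use
# n-gram frequency tables learned from large volumes of benign DNS traffic).
COMMON_BIGRAMS = {
    "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd", "ti", "es", "or",
    "te", "of", "ed", "is", "it", "al", "ar", "st", "to", "nt", "ng", "se", "ha",
    "as", "ou", "io", "le", "ve", "co", "me", "de", "hi", "ri", "ro", "ic", "ne",
    "ea", "ra", "ce", "li", "ch", "ll", "be", "ma", "si", "om", "ur",
}

def subdomain_part(name, zone_labels=2):
    """Everything left of the registered domain, joined (assumption: zone = last two labels)."""
    labels = name.lower().strip(".").split(".")
    return "".join(labels[:-zone_labels])

def shannon_entropy(s):
    """Bits per character: random-looking payloads score high, repeated characters score 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def bigram_commonness(s):
    """N-gram frequency feature: share of alphabetic bigrams that are common English bigrams."""
    grams = [s[i:i + 2] for i in range(len(s) - 1) if s[i:i + 2].isalpha()]
    return sum(g in COMMON_BIGRAMS for g in grams) / len(grams) if grams else 0.0

def digit_ratio(s):
    """Lexical feature: fraction of digits, high for encoded payloads such as 4412.5314.7754.4798."""
    return sum(ch.isdigit() for ch in s) / len(s) if s else 0.0

def score_query(name, zone_labels=2):
    """Additive threat score over the four factors; thresholds and weights are illustrative assumptions."""
    sub = subdomain_part(name, zone_labels)
    feats = {
        "size": len(sub),
        "entropy": round(shannon_entropy(sub), 3),
        "digit_ratio": round(digit_ratio(sub), 3),
        "bigram_commonness": round(bigram_commonness(sub), 3),
    }
    score = 0
    if feats["size"] > 12:                # long encoded labels add to the score
        score += 1
    if feats["entropy"] > 3.0:            # near-random character mix adds to the score
        score += 2
    if feats["digit_ratio"] > 0.5:        # mostly numeric payload adds to the score
        score += 2
    if feats["bigram_commonness"] > 0.3:  # readable text subtracts from the score
        score -= 2
    return {"name": name, "score": score, "exfil": score >= 3, **feats}

# Constructed sample queries: two ordinary names, two in the style of the deck's
# exfiltration slide, and the legitimate CDN-style name quoted on slide 16.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.example.com",
    "4412.5314.7754.4798.hacker.example",
    "4412.9876.8543.5540.hacker.example",
    "g63uar2ejiq5tlrkg3zezf2fkemc6pi88tz.er.spotify.com",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        r = score_query(q)
        print(f"{'EXFIL' if r['exfil'] else 'ok   '} score={r['score']:>2} "
              f"H={r['entropy']:.2f} size={r['size']:>2}  {q}")
```

Running the block prints one line per query; the two hacker.example names and the Spotify name are flagged, the two ordinary names are not. The Spotify hit is the point to take away: per-query lexical scoring alone cannot separate CDN-style encoded names from exfiltration, so the subtractive attributes in a real system need to include reputation and observed behaviour of the zone, not just readability.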

Page 21

Dictionary DGA Detection

• Dictionary DGA has been used by malware families like Suppobox and Matsnu
  – facegone.net and ballpull.net are Suppobox family DGAs

• Suppobox is a very active family, representing about 10% of all DGA malware activity

• Examples
  – Normal DGA: lexical feature – random characters
    ⚬ nn4rzw6r4yv4ezapuu.ru
    ⚬ 1raqjrrzjj3x1127cx9d1vsxhof.net
  – Dictionary DGA: lexical feature – words from a dictionary
    ⚬ facegone.net
    ⚬ ballpull.net

• Our new detection method for Dictionary DGA is based on graph analysis and is able to catch about 95% of the domains with a very low false positive rate (~10^-4)

Page 22

Detect and Mitigate DGA and Dictionary DGAs

• Normal DGA Detection:
  – Example: nn4rzw6r4yv4ezapuu.ru, 1raqjrrzjj3x1127cx9d1vsxhof.net
  – Detect by comparing the domain name against dictionaries (N-grams, entropy)
  – Indication of malicious activity mostly due to NXDomain responses

• Dictionary DGA Detection:
  – Example: facegone.net, ballpull.net
  – Detect via graph analysis
  – Detects resolved domains, hence can block/mitigate

Page 23

How dictionary DGA domains are formed...

Words are used repeatedly! (Suppobox malware domains)

Page 24

How dictionary DGA domains are formed...

Assume there is an algorithm for finding “words” within a domain:

facebook.com → face + book

booksales.com → book + sales

Page 25

DGA words connect differently (diagram: word graph of DGA domains vs. benign domains)
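Slides 23 to 25 describe one procedure: find the words inside each domain label, connect words that occur together, and look at how the resulting word graph differs for DGA vocabulary that is recombined over and over. The following is an added example of that procedure, not Infoblox's graph-analysis method: the dictionary is a constructed toy word list, the segmentation is a plain dynamic-programming split, and the decision rule (flag a label when every word in it already has at least three distinct partner words in the graph) is a simplified heuristic chosen for the demonstration. facegone.net, ballpull.net, facebook.com and booksales.com are the deck's own examples; the other names are constructed recombinations of the same small vocabulary.

```python
from collections import defaultdict
from itertools import combinations

# Constructed toy dictionary (assumption: a real system uses a full word list).
DICTIONARY = {
    "face", "book", "gone", "ball", "pull", "sales", "store", "hand", "glass",
    "river", "north", "light", "camp", "fire", "sun", "set", "bank", "news",
    "garden", "shop",
}

def segment(label, dictionary=DICTIONARY):
    """Split a label into dictionary words using the fewest pieces (dynamic programming).
    Returns None when the label cannot be covered entirely by dictionary words."""
    best = [None] * (len(label) + 1)
    best[0] = []
    for end in range(1, len(label) + 1):
        for start in range(end):
            if best[start] is not None and label[start:end] in dictionary:
                candidate = best[start] + [label[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[-1]

def build_word_graph(domains, dictionary=DICTIONARY):
    """Words are nodes; two words are neighbours when they co-occur in some domain label."""
    neighbours = defaultdict(set)
    segmented = {}
    for domain in domains:
        label = domain.lower().split(".")[0]   # registered label only; the TLD is ignored
        words = segment(label, dictionary)
        if not words or len(words) < 2:
            continue                            # single-word or unsegmentable: not a dictionary-DGA candidate
        segmented[domain] = words
        for a, b in combinations(set(words), 2):
            neighbours[a].add(b)
            neighbours[b].add(a)
    return segmented, neighbours

def flag_dictionary_dga(domains, min_degree=3, dictionary=DICTIONARY):
    """Flag a domain when every word in it has at least `min_degree` distinct partner words,
    i.e. its vocabulary is being recombined repeatedly (illustrative heuristic, an assumption)."""
    segmented, neighbours = build_word_graph(domains, dictionary)
    return {d: min(len(neighbours[w]) for w in words) >= min_degree
            for d, words in segmented.items()}

# Constructed batch: the .net names recombine a small vocabulary the way Suppobox does,
# the .com names are ordinary compound-word domains.
SAMPLE_DOMAINS = [
    "facegone.net", "ballpull.net", "facepull.net", "goneball.net", "handglass.net",
    "northhand.net", "glasspull.net", "gonenorth.net", "ballnorth.net", "handface.net",
    "glassgone.net", "pullnorth.net",
    "facebook.com", "booksales.com", "sunset.com", "campfire.com",
    "newsshop.com", "bankstore.com", "lightgarden.com",
]

if __name__ == "__main__":
    for domain, is_dga in flag_dictionary_dga(SAMPLE_DOMAINS).items():
        print(f"{'DGA   ' if is_dga else 'benign'}  {domain}")
```

Note what happens to facebook.com: "face" is shared with the DGA vocabulary and therefore has a high degree, but "book" only ever pairs with "face" and "sales", so the label is not flagged. That is the sense in which the slide says DGA words connect differently: it is the pattern of connections of all the words in a label, not the presence of one busy word, that separates the two populations.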

Page 26

Inline DGA Detection

• Uses deep learning algorithms to differentiate benign domains from DGA domains

• Trains deep neural networks on real traffic, which results in models that perform better at finding DGA activity in customers' networks

• Online learning: the model is constantly retrained to catch variations and new trends in DNS traffic

Diagram: Incoming Traffic → Inline DGA Detection → DGA Domains / Benign Domains

Page 27

Lookalike Domain Detection

• Domains look like other (legitimate) domains

• Example: bankofthevvest.com, g00gle.com

• Common forms
  ● Letter replacement: w to vv, l to 1, o to 0
  ● Changed top-level domain: Walmart.com -> Walmart.cc
  ● Cyrillic/Greek/Armenian/Hebrew alphabet replacement
  ● Other generic, highly resembling domain names: bankofAmericas.com

• Use distance analysis to detect the likelihood of lookalike attacks
  – Letter replacement, e.g. g00gle.com, bankofthevvest.com
  – TLD change, e.g. warmart.cc
  – Other generic, highly resembling domains like the ones noted above
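The distance analysis the slide calls for can be shown on the slide's own examples. This is an added example rather than Infoblox's detector: the list of protected brands is constructed from the names on the slide, the homoglyph table contains exactly the three letter replacements the slide names, the Cyrillic/Greek table is a small subset of the Unicode confusables (an assumption, a real deployment would load the full table), and the edit-distance threshold of 1 is a choice for the demonstration. The classifier first undoes the replacements and then measures Levenshtein distance to each protected label, which separates the slide's three forms: homoglyph substitution, TLD change, and generic near-misses such as bankofAmericas.com.

```python
# Brands to protect (constructed from the deck's own examples).
PROTECTED = ["google.com", "walmart.com", "bankofthewest.com", "bankofamerica.com"]

# The letter replacements named on the slide (w -> vv, l -> 1, o -> 0), undone here.
HOMOGLYPHS = {"vv": "w", "1": "l", "0": "o"}

# A few Cyrillic and Greek letters that render like Latin ones (assumption: a small
# subset of the Unicode confusables table).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u03bf": "o", "\u03b1": "a",                                                # Greek ο α
}

def levenshtein(a, b):
    """Edit distance between two strings: the 'distance analysis' of the slide."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(name):
    """(registered label, TLD). Assumption: two-label names; a public-suffix list would handle co.uk etc."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]

def normalise(label):
    """Map confusable characters back to the Latin letters they imitate."""
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for seq, repl in HOMOGLYPHS.items():
        label = label.replace(seq, repl)
    return label

def classify_lookalike(candidate, protected=PROTECTED, max_distance=1):
    """Return the protected domain a candidate resembles and the kind of resemblance, or None."""
    c_label, c_tld = split_domain(candidate)
    c_norm = normalise(c_label)
    best = None
    for p in protected:
        p_label, p_tld = split_domain(p)
        if c_label == p_label and c_tld == p_tld:
            return {"target": p, "kind": "exact"}           # the brand's own domain
        if c_norm == p_label:
            kind = "tld-change" if c_label == p_label else "homoglyph"
            return {"target": p, "kind": kind}
        d = levenshtein(c_norm, p_label)
        if d <= max_distance and (best is None or d < best[1]):
            best = (p, d)                                    # generic near-miss
    if best is not None:
        return {"target": best[0], "kind": "near-miss", "distance": best[1]}
    return None

if __name__ == "__main__":
    for name in ["g00gle.com", "bankofthevvest.com", "Walmart.cc", "warmart.cc",
                 "bankofAmericas.com", "g\u043e\u043egle.com", "google.com", "example.com"]:
        print(f"{name:<22} {classify_lookalike(name)}")
```

Names arrive from DNS logs in punycode form; decode them before classifying (`"xn--...".encode("ascii").decode("idna")` in Python) so that the confusables table sees the actual non-Latin letters. The `exact` outcome matters operationally: without it the brand's own domain would match itself as a lookalike.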

Page 28

Why is Lookalike Detection important?

• Often used for the following purposes
  – brandjacking
  – traffic redirecting
  – phishing
  – malware/adware installation

• Enterprises spend big $$$ on domain reputation to protect their business. Lego, for example, has spent roughly US$500,000 on taking 309 cases.

• Lookalike-domain detection provides early prevention of much bigger issues later

Page 29

Flux Behavior

• Request: fluxdomain.com

• Answer: 174.115.54.220, 67.198.60.173, 24.218.221.239, 71.206.237.157, 91.217.178.76
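The flux behaviour shown above, one name answering with addresses scattered across unrelated networks and changing between lookups, can be spotted from resolver logs. The following is an added example, not Infoblox's detector: the log format is constructed, the first fluxdomain.com answer is the one printed on the slide while the later lines and the www.example.org lines are constructed, and the thresholds (at least 5 distinct addresses spread over at least 4 distinct /16 networks) are assumptions chosen for the demonstration. Grouping by /16 is what distinguishes a flux network of compromised hosts from an ordinary load-balanced service whose addresses all sit in the provider's own range.

```python
import ipaddress
from collections import defaultdict

# Constructed resolver log: "<epoch> <qname> <A records, comma-separated>".
SAMPLE_LOG = """\
1594195200 fluxdomain.com 174.115.54.220,67.198.60.173,24.218.221.239,71.206.237.157,91.217.178.76
1594195260 fluxdomain.com 203.0.113.9,198.51.100.77,174.115.54.220,192.0.2.45,67.198.60.173
1594195320 fluxdomain.com 198.51.100.78,203.0.113.10,192.0.2.46,71.206.237.157,24.218.221.239
1594195200 www.example.org 192.0.2.10,192.0.2.11
1594195260 www.example.org 192.0.2.10,192.0.2.11
1594195320 www.example.org 192.0.2.12,192.0.2.11
"""

def parse_log(text):
    """qname -> time-ordered list of (epoch, frozenset of answer addresses)."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, qname, rdata = line.split()
        ips = frozenset(ipaddress.ip_address(x) for x in rdata.split(","))
        records[qname.lower()].append((int(ts), ips))
    for observations in records.values():
        observations.sort(key=lambda item: item[0])
    return records

def flux_features(observations):
    """Distinct addresses, distinct /16 networks, and how often the answer set changed."""
    all_ips = set().union(*(ips for _, ips in observations))
    prefixes = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in all_ips}
    changes = sum(1 for (_, a), (_, b) in zip(observations, observations[1:]) if a != b)
    return {"responses": len(observations), "distinct_ips": len(all_ips),
            "distinct_prefixes": len(prefixes), "answer_changes": changes}

def detect_flux(log_text, min_ips=5, min_prefixes=4):
    """Flag names whose answers spread over many addresses in unrelated networks (thresholds are assumptions)."""
    results = {}
    for qname, observations in parse_log(log_text).items():
        f = flux_features(observations)
        f["flux"] = f["distinct_ips"] >= min_ips and f["distinct_prefixes"] >= min_prefixes
        results[qname] = f
    return results

if __name__ == "__main__":
    for qname, f in detect_flux(SAMPLE_LOG).items():
        print(f"{'FLUX' if f['flux'] else 'ok  '} {qname}: {f}")
```

On the sample log fluxdomain.com accumulates 11 distinct addresses in 8 different /16 networks across three lookups, while www.example.org stays inside one /16 with three addresses and is left alone. In production the same counters would be kept per name over a sliding window rather than over a whole file.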

Page 30

Attacks Through Flux Domain Technique (diagram): Command & Control → Proxy Botnet → Victim

Page 31

The Pyramid of Pain

Tactics, Techniques and Procedures (TTPs) at the top of the pyramid.

Source: http://detect-respond.blogspot.fr/2013/03/the-pyramid-of-pain.html

Controls placed on the pyramid (top to bottom): Threat Insight and Newly Observed Domains RPZ; DNS Firewall; Firewall; Antivirus

Page 32

Infoblox Architectures (diagram; labels recovered from the slide)

On-premises and private cloud: Grid Master, Grid Master Candidate, Reporting & Analytics, Network Insight / Device Discovery, Microsoft DNS/DHCP, DNS Traffic Control, NetMRI, Private Cloud, SD-WAN, Switches, Routers, Firewalls.

Infoblox Cloud: BloxOne Platform, BloxOne DDI, BloxOne Threat Defense, BloxOne TIDE/Dossier, External Threat Feeds; Hybrid and Public Cloud; Internet.

Ecosystem integrations: Firewall, Email Filter, Endpoint Security, Intrusion Protection System (IPS), Malware/APT Detection, Network Access Control (NAC), Security Info Event Mgmt. (SIEM), Threat Intel Platform (TIP), Vulnerability Scanner.

Page 33

DEMO

Page 34

QUIZ TIME

Page 35

Thank you for participating

ALESSANDRO PILOTTI – SENIOR SYSTEMS ENGINEER – EXCLUSIVE

[email protected]

GIANLUCA DE RISI – SOLUTIONS ARCHITECT – INFOBLOX

[email protected]

Page 36

Thank You