1 | © Infoblox Inc. All rights reserved.
Infoblox BloxOne
Modularity, Scalability, Customisation. To easily manage and protect your IT networks in the cloud.
Virtual Workshop – 8 July 2020
EXCLUSIVE NETWORKS & INFOBLOX - TEAM
ALESSANDRO PILOTTI, SENIOR SYSTEMS ENGINEER – EXCLUSIVE
GIANLUCA DE RISI, SOLUTIONS ARCHITECT – INFOBLOX
AGENDA
• Why Infoblox and Exclusive Networks
• Understanding the capabilities and benefits of BloxOne DDI and BloxOne Threat Defense
• How BloxOne DDI and BloxOne Threat Defense together simplify network and security management
• Solution demo
• Prize quiz
• Q&A
Infoblox Overview
• Founded in 1999
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Leader in technology for network control
• Market leadership
  – DDI Market Leader (Gartner)
  – 50% DDI Market Share (IDC)
• 8,000+ customers
• 64,000+ systems shipped
• 63+ patents
Exclusive Networks Italy Overview
POWERLAB: TEST THE POTENTIAL
Keypoints – Benefits: Showroom Live or Remote; Cross & Up Selling; Open to Reseller and End User; Excellence Showcase; Knowledge Sharing
This user-friendly tool is used to show the integrations between different products to reseller and end-user customers. You can show possible integrations and solutions LIVE or in REMOTE mode. It is a way to optimise time and reduce the costs of an on-site POC.
It can be rented to supply your clients with a demo, thus reducing the need to purchase NFR appliances.
This tool proves the excellence of the implemented solutions. It is added value compared to the competition and allows you to be accredited as a Trusted Advisor.
This is an internal sharing tool, a sales accelerator. This essential tool has a tangible value, as it allows you to analyse all implementation scenarios of the various functions, to which you can add ad hoc services.
https://powerlab.exclusive-networks.it
Branch Office & Remote Locations solution: Cloud-managed, highly scalable & local survivable
BloxOne™ DDI Overview - Cloud Managed DDI
❖ Auto configuration & provisioning (ZTP) at scale
❖ Template for automation
❖ Centralized software updates
❖ Automated cloud-based reporting
❖ API support for integrations
BloxOne™ DDI Benefits
BloxOne™ DDI Technology Use Case – Centralize Management
BloxOne™ DDI Technology Use Case – DNS
BloxOne™ DDI Technology Use Case – DHCP
Why DNS is Dangerous
[Diagram: bad-actor communication path. A client queries www.hacker.com; the DNS query for hacker.com reaches dns.hacker.com, which logs the request for www.hacker.com and returns an "A" record response.]
Tunneling IP, TCP, and other things over DNS: Slow DNS, Iodine, GuizmOVPN
How DNS is used to Exfiltrate Data (Zero Day)
[Diagram: exfiltration of credit card, personal and intellectual property data. The data is encoded into the host name or sub-domain of DNS queries for hacker.com, e.g. 4412.5314.7754.4798.hacker.com, 4412.9876.8543.5540.hacker.com and 4412.6650.4378.3332.hacker.com; dns.hacker.com logs each request.]
Infiltration
DNS as a Transport Mechanism
• TCP features can be imitated by encoding the chunks with additional data, such as checksum & packet number
• Data can be sent back in a variety of records, e.g.:
  – A: allowing 4 bytes (enough for codes, e.g. 1.1.1.200 = resend packet 200)
  – AAAA: allowing 16 bytes
  – MX record: 2 bytes + domain name (255 bytes)
  – CNAME: allowing up to 110 bytes in Base32
  – TXT: allowing up to 220 bytes in Base64
  – NULL: allowing up to 256 bytes
• Using TXT and NULL makes transmission faster, at the expense of easier detection
Legitimate DNS Tunneling
• g63uar2ejiq5tlrkg3zezf2fkemc6pi88tz.er.spotify.com
• a-0.19-b3000081.a010083.15e0.1d99.36d4.210.0.ic7arfsqqzf694fs8zf8nz2t9b.avts.mcafee.com
• 4rzjp8zy7i7vawluximoxrko1p2tn58gj0fjjj2g.p.03.s.sophosxl.net
• p2.a22a43lt5rwfg.ihg5ki5i6q3cfn3n.191742.i1.ds.ipv6-exp.l.google.com
• a1294.w20.akamai.net
• dnn506yrbagrg.cloudfront.net
• A98dc034c7781a941ebabac02262202668bbe918ea9fb5289cd2.r58.cf2.rackcdn.com
Examples of malware using DNS for communication
Malware                    Discovered   DNS communication
UDPoS                      2018         C2 / exfil
ALMA Communicator          2017         C2 / exfil (just 10 bytes out / 4 bytes in)
DNSMessenger               2017         C2
Backdoor.Win32.Denis       2017         C2
Backdoor.Win32.ClIEcker    2017         C2 / infil
Trojan.Win32.Ismdoor.gen   2017         C2
Wekby                      2016         C2
Multigrain POS             2016         Exfil
Strider / ProjectSauron    2016         C2 / exfil
C3PRO-Raccoon              2015         C2
FrameworkPOS               2014         Exfil
PlugX v2                   2014         C2
FeederBot                  2011         C2
Morto                      2011         C2
Clusit Report 2019 – Microsoft Azure
Multi-pronged Approach to Threat Detection
Three prongs: Signature, Reputation, Behavior
• Signature – Carrier-grade deep packet inspection; instant identification of popular DNS tunneling tools
• Reputation – Government-grade threat intelligence; detect & block malware communications to command & control sites
• Behavior – Patented streaming analytics technology ("machine learning"); detect & prevent zero-day data exfiltration
Detecting communication over DNS using behavioral analysis
DNS Analytical Detection Model
• Detects transmission of data in DNS queries using behavioral analysis
• Patented algorithm (US 2016/0294773 A1)
• Examines all DNS records (e.g. TXT, A, AAAA)
• Certain attributes add to a threat score; others subtract from it
• Final score classifies a request as exfiltration or not
Behavioral analysis features: entropy, lexical, n-gram frequency, size
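As an added illustration (not Infoblox's patented model), the following Python sketch scores a query name with the four feature families named above (size, entropy, lexical shape and n-gram frequency), each attribute adding to or subtracting from a threat score that the final threshold turns into an exfiltration verdict. The benign reference names, the two-label registered-domain assumption and all thresholds are constructed assumptions.

```python
import math
from collections import Counter

# Constructed benign reference names used to build a tiny bigram table (assumption:
# the real model is trained on far more traffic; the thresholds below are illustrative).
BENIGN_SAMPLE = ["www.google.com", "mail.example.org", "login.microsoft.com",
                 "cdn.akamai.net", "static.cloudfront.net", "update.mcafee.com",
                 "api.spotify.com", "www.infoblox.com"]

def labels(qname):
    return [l for l in qname.lower().rstrip(".").split(".") if l]

def entropy(s):
    """Shannon entropy in bits per character; 0 for the empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def bigram_table(names):
    table = Counter()
    for name in names:
        for lab in labels(name):
            table.update(lab[i:i + 2] for i in range(len(lab) - 1))
    return table

BENIGN_BIGRAMS = bigram_table(BENIGN_SAMPLE)

def unseen_bigram_ratio(s, table):
    grams = [s[i:i + 2] for i in range(len(s) - 1)]
    return sum(g not in table for g in grams) / len(grams) if grams else 0.0

def threat_score(qname):
    """Return (score, per-attribute contributions) for one query name.
    Positive values push towards 'exfiltration', negative ones towards 'benign'."""
    sub = labels(qname)[:-2]        # labels below the registered domain (assumption: 2-label suffix)
    payload = "".join(sub)
    n = max(len(payload), 1)
    c = {}
    c["size"] = 2 if len(payload) > 30 else 1 if len(payload) > 12 else -1
    c["entropy"] = 2 if entropy(payload) > 3.0 else -1
    c["lexical"] = 1 if sum(ch.isdigit() for ch in payload) / n > 0.4 else -1
    c["ngram"] = 2 if unseen_bigram_ratio(payload, BENIGN_BIGRAMS) > 0.5 else -1
    c["labels"] = 1 if len(sub) >= 4 else 0   # many short chunks, as in the slide's example
    return sum(c.values()), c

def is_exfiltration(qname, threshold=3):
    """Final classification: a score at or above the threshold means 'exfiltration'."""
    return threat_score(qname)[0] >= threshold
```

Run against the deck's own names, the chunked 4412.5314.7754.4798.hacker.com and the Spotify tunnel-style name score high, while www.hacker.com and a1294.w20.akamai.net stay below the threshold.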
Dictionary DGA Detection
• Dictionary DGA has been used by malware families like Suppobox and Matsnu
  – facegone.net and ballpull.net are Suppobox family DGAs
• Suppobox is a very active family, representing about 10% of all DGA malware activity
• Examples
  – Normal DGA, lexical feature: random characters
    ⚬ nn4rzw6r4yv4ezapuu.ru
    ⚬ 1raqjrrzjj3x1127cx9d1vsxhof.net
  – Dictionary DGA, lexical feature: words from a dictionary
    ⚬ facegone.net
    ⚬ ballpull.net
• Our new detection method for dictionary DGA is based on graph analysis and is able to catch about 95% of the domains with a very low false positive rate (~10^-4)
Detect and Mitigate DGA and Dictionary DGAs
• Normal DGA detection:
  – Example: nn4rzw6r4yv4ezapuu.ru, 1raqjrrzjj3x1127cx9d1vsxhof.net
  – Detected by comparing the domain name against dictionaries (N-grams, entropy)
  – The indication of malicious activity comes mostly from NXDOMAIN responses
• Dictionary DGA detection:
  – Example: facegone.net, ballpull.net
  – Detected via graph analysis
  – Detects resolved domains, hence can block/mitigate
How dictionary DGA domains are formed...
Words are used repeatedly!
[Figure: Suppobox malware domains]
How dictionary DGA domains are formed...
Assume there is an algorithm for finding "words" within a domain:
facebook.com = face + book
booksales.com = book + sales
[Figure: the word "book" is shared by both domains]
DGA words connect differently
[Figure: word graph of DGA domains vs. word graph of benign domains]
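An added example, not Infoblox's graph-analysis algorithm, of why reused words expose a dictionary DGA: it segments labels into dictionary words, links words that co-occur in a domain, and flags clusters whose domains outnumber their words. The word list, the Suppobox-style domains beyond facegone.net and ballpull.net, and the reuse threshold are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed word list standing in for the dictionary a segmenter would use (assumption).
DICTIONARY = {"face", "book", "sales", "gone", "ball", "pull", "home", "shop", "news", "daily"}

def segment(label, dictionary=DICTIONARY):
    """Split a label into the fewest dictionary words; None if it is not fully covered."""
    best = [None] * (len(label) + 1)
    best[0] = []
    for i in range(1, len(label) + 1):
        for j in range(i):
            if best[j] is not None and label[j:i] in dictionary:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(label)]

def word_graph(domains):
    """Nodes are words; an edge joins two words that occur together in one domain."""
    neighbours, domains_of = defaultdict(set), defaultdict(set)
    for d in domains:
        words = segment(d.lower().split(".")[0])
        if not words:
            continue                      # label is not built from dictionary words
        for w in words:
            domains_of[w].add(d)
            neighbours[w].update(x for x in words if x != w)
    return neighbours, domains_of

def components(neighbours):
    """Connected components of the word graph (breadth-first search)."""
    seen, out = set(), []
    for start in list(neighbours):
        if start not in seen:
            comp, queue = set(), deque([start])
            while queue:
                w = queue.popleft()
                if w not in comp:
                    comp.add(w)
                    queue.extend(neighbours.get(w, set()) - comp)
            seen |= comp
            out.append(comp)
    return out

def reuse_clusters(domains, min_domains=3, min_ratio=1.0):
    """Flag clusters whose domains outnumber their words (the dictionary-DGA pattern)."""
    neighbours, domains_of = word_graph(domains)
    flagged = [(frozenset(c), set().union(*(domains_of[w] for w in c)))
               for c in components(neighbours)]
    return [(ws, ds) for ws, ds in flagged if len(ds) >= min_domains and len(ds) / len(ws) >= min_ratio]
```

Benign names that happen to share a word (facebook.com, booksales.com) form a small cluster with fewer domains than words and are left alone; mixing a brand's real domain into the same word set as a DGA family does pull it into the flagged cluster, which is the false-positive case a production threshold has to manage.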
Inline DGA Detection
• Uses deep learning algorithms to differentiate benign domains from DGA domains
• Trains deep neural networks using real traffic, which results in models that perform better at finding DGA data in customers' networks
• Online learning: it is constantly retrained to catch the variations and new trends in DNS traffic
[Figure: incoming traffic split by the inline DGA detector into DGA domains and benign domains]
Lookalike Domain Detection
• Domains look like other (legitimate) domains
• Example: bankofthevvest.com, g00gle.com
• Common forms
  – Letter replacement: w to vv, l to 1, o to 0
  – Change of top-level domain: Walmart.com -> Walmart.cc
  – Cyrillic/Greek/Armenian/Hebrew alphabet replacement
  – Other generic closely resembling domain names: bankofAmericas.com
• Use distance analysis to detect the likelihood of lookalike attacks
  – Letter replacement, example: g00gle.com, bankofthevvest.com
  – TLD change, example: warmart.cc
  – Other generic closely resembling domains like the ones noted above
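A distance-analysis check of the kind described above, added here as an example and not Infoblox's detector: it normalises the letter substitutions named on the slide, compares the second-level label to a protected brand list by edit distance, and reports a changed TLD. The brand list, the two extra glyph pairs, the single-label suffix assumption and the distance budget are assumptions.

```python
# Letter substitutions named on the slide (w -> vv, l -> 1, o -> 0) plus two common
# extras (rn -> m, 5 -> s); a real detector carries a far larger table (assumption).
GLYPHS = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("5", "s")]

# Constructed list of protected brand domains (assumption).
PROTECTED = ["google.com", "bankofthewest.com", "walmart.com", "bankofamerica.com"]

def normalize(label):
    """Undo the substitutions so g00gle / bankofthevvest compare as google / bankofthewest."""
    label = label.lower()
    for lookalike_seq, original in GLYPHS:
        label = label.replace(lookalike_seq, original)
    return label

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_sld_tld(domain):
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]          # assumption: single-label public suffix

def lookalike(domain, protected=PROTECTED):
    """Return (protected domain, reasons) for the closest protected brand, or None."""
    sld, tld = split_sld_tld(domain)
    norm = normalize(sld)
    best = None
    for brand in protected:
        b_sld, b_tld = split_sld_tld(brand)
        dist = levenshtein(norm, b_sld)
        if dist > max(1, len(b_sld) // 8):   # distance budget grows with brand length
            continue
        reasons = []
        if norm != sld:
            reasons.append("letter substitution")
        if dist:
            reasons.append(f"edit distance {dist}")
        if tld != b_tld:
            reasons.append(f"tld change .{b_tld} -> .{tld}")
        if reasons and (best is None or dist < best[2]):   # no reasons: it is the brand itself
            best = (brand, reasons, dist)
    return (best[0], best[1]) if best else None
```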
Why is Lookalike Detection important?
• Often used for the following purposes: brandjacking, traffic redirecting, phishing, malware/adware installation
• Enterprises spend big $$$ on domain reputation to protect their business. Lego, for example, has spent roughly US$500,000 on taking 309 cases.
• Lookalike-domain detection provides early prevention of much bigger issues later
Flux Behavior
• Request: fluxdomain.com
• Answer: 174.115.54.220, 67.198.60.173, 24.218.221.239, 71.206.237.157, 91.217.178.76
Attacks Through Flux Domain Technique
[Figure: victim, proxy botnet and command & control server in a flux-domain attack]
The Pyramid of Pain
Source: http://detect-respond.blogspot.fr/2013/03/the-pyramid-of-pain.html
[Figure: the Pyramid of Pain, with Tactics, Techniques and Procedures (TTPs) at the top, annotated with where Threat Insight and Newly Observed Domains RPZ, DNS Firewall, Firewall and Antivirus act]
Infoblox Architectures
[Diagram: on-premises Grid (Grid Master, Grid Master Candidate, private cloud) with Reporting & Analytics, Network Insight / Device Discovery, NetMRI, Microsoft DNS/DHCP and DNS Traffic Control; Infoblox Cloud with the BloxOne Platform, BloxOne DDI, BloxOne Threat Defense and BloxOne TIDE/Dossier fed by external threat feeds; hybrid and public cloud, SD-WAN, Internet, switches, routers and firewalls; ecosystem integrations: firewall, email filter, endpoint security, intrusion protection system (IPS), malware/APT detection, network access control (NAC), security information and event management (SIEM), threat intelligence platform (TIP), vulnerability scanner]
DEMO
QUIZ TIME
Thank you for attending
ALESSANDRO PILOTTI, SENIOR SYSTEMS ENGINEER – EXCLUSIVE
GIANLUCA DE RISI, SOLUTIONS ARCHITECT – INFOBLOX
Thank You