Securing DNS against malware threats & the importance of an integrated security ecosystem
Richard Langston, Senior Product Manager Security, Infoblox
Presentation at DANSK IT's conference It-sikkerhed 2016, Thursday 4 February 2016


2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL

Overview on Security
Richard Langston, Sr. Product Manager, Security


Why is DNS so vital?

DNS cannot go down, because everything in the network depends on it. But why not turn DNS from a vulnerability that needs to be engineered around into an asset that can be leveraged? Brand, customer satisfaction, and employee productivity are all dependent on DNS being secure, reliable, and fast.


DNS is a great tool for bad guys to exploit

• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• DNS protocol is easy to exploit and attacks are prevalent
• Traditional security is ineffective against evolving threats


DNS is a top attack vector
DNS is vulnerable to attacks and exploitations

Share of attack traffic by protocol (*Cloudmark 2014 report):
DoS attacks: DNS 76%, NTP 11%, HTTP 9%, Other 4%
Exfiltration: DNS 45%, HTTP 40%, FTP 7%, Other 8%


Threat levels on DNS are increasing


Why DNS Security

• In a recent survey, 66 percent of U.S. respondents reported that their organization suffered a DNS attack within the last 12 months:
- Loss of Internet service (63 percent)
- Increase in customer complaints (42 percent)
- Loss of confidential customer information (33 percent)
• Recently Lenovo and Google were victims of "domain hijacking." Visitors to Google's Vietnamese site were redirected to another site. Visitors to Lenovo's site were maliciously redirected to a defaced site controlled by the well-known hacker group Lizard Squad.
• Many of the recent high-profile attacks either used DNS to exfiltrate data, or the malware used has evolved to use DNS.

Source: http://www.itbusinessedge.com/slideshows/top-dns-threats-and-how-to-deal-with-them-06.html


DNS Security Challenges

1. Defending against DNS DDoS attacks
2. Stopping APTs/malware from using DNS
3. Preventing data exfiltration via DNS


DNS Security - How to detect threats?

• Reputation
• Signature
• Behavior


Defending against DDoS attacks


The Rising Tide of DNS Threats: Are You Prepared?

In the last year alone there has been an increase of 216% in DNS attacks[1] and 47% in DDoS attacks[2].

With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.

33M: number of open recursive DNS servers[3]
28M: pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks[3]
2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant

1. Prolexic Quarterly Global DDoS Attack Report, Q4, 2013
2. Prolexic Quarterly Global DDoS Attack Report, Q1, 2014
3. www.openresolverproject.org


Evolving DNS Attacks and More…

Protocol-specific exploits (DNS-based exploits):
• DNS cache poisoning
• DNS tunneling
• Protocol anomalies
• Reconnaissance
• DNS hijacking
• Domain lockup attack
• Malformed DHCP requests

Volumetric/DDoS attacks:
• DNS reflection
• DNS amplification
• TCP/UDP/ICMP floods
• NXDOMAIN attack
• Phantom domain attack
• Random subdomain attack
• Domain lockup attack


Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)

How the attack works (figure: Attacker -> open resolvers on the Internet -> Target Victim)

• Combines reflection and amplification
• Uses third-party open resolvers in the Internet (unwitting accomplice)
• Attacker sends spoofed queries to the open recursive servers
• Uses queries specially crafted to result in a very large response
• Causes DDoS on the victim's server


Random Subdomain Attack (Slow Drip)

• Infected clients create queries by prepending randomly generated subdomain strings to the victim's domain, e.g. xyz4433.yahoo.com
• Each client may only send a small volume of these queries to the DNS recursive server
• Harder to detect
• Many such infected clients send these requests

Impact
• Responses may never come back for these non-existing subdomains
• The DNS recursive server waits for responses until its outstanding query limit is exhausted
• The target domain's authoritative server experiences DDoS

How the attack works (figure): bot/bad clients send queries with random strings prefixed to the victim's domain (e.g. xyz4433.yahoo.com) to the ISP's DNS recursive servers; the flood of queries for non-existent subdomains causes resource exhaustion on the recursive servers and a DDoS on the target victim domain (e.g. yahoo.com).
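A resolver-side detector for the slow-drip pattern described above, added here as an illustration and not code from the slides or from Infoblox: it keeps a sliding window of responses and flags a zone when its NXDOMAIN answers come from many distinct names and many distinct clients, which is what makes the aggregate visible even though each bot stays quiet. The zone victim.example, the client addresses, the constructed traffic and the thresholds are all assumptions.

```python
from collections import defaultdict, deque

def registered_domain(qname):
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])  # assumption: no public-suffix list

class SlowDripDetector:
    """Sliding window over resolver responses; flags zones whose NXDOMAINs come from many names and clients."""
    def __init__(self, window_s=60.0, min_nx=50, min_unique_ratio=0.9, min_clients=10):
        self.window_s, self.min_nx = window_s, min_nx
        self.min_unique_ratio, self.min_clients = min_unique_ratio, min_clients
        self.events = deque()  # (ts, client, qname, rcode), newest last

    def observe(self, ts, client, qname, rcode):
        self.events.append((ts, client, qname.lower(), rcode))
        while self.events and ts - self.events[0][0] > self.window_s:  # expire old responses
            self.events.popleft()
        return self.flagged()

    def flagged(self):
        per_zone = defaultdict(lambda: {"total": 0, "nx": 0, "names": set(), "clients": set()})
        for _ts, client, qname, rcode in self.events:
            z = per_zone[registered_domain(qname)]
            z["total"] += 1
            if rcode == "NXDOMAIN":  # each bot is quiet; the aggregate per zone is not
                z["nx"] += 1
                z["names"].add(qname)
                z["clients"].add(client)
        return {zone: {"nxdomain": z["nx"], "unique_names": len(z["names"]),
                       "clients": len(z["clients"]), "nx_ratio": z["nx"] / z["total"]}
                for zone, z in per_zone.items()
                if z["nx"] >= self.min_nx and len(z["clients"]) >= self.min_clients
                and len(z["names"]) >= self.min_unique_ratio * z["nx"]}

def build_sample():
    """Constructed traffic: 40 bots each ask for a few random labels under victim.example, plus benign lookups."""
    events = []
    for i in range(120):
        t = i * 0.25
        events.append((t, f"10.0.{i % 40}.7", f"r{i:05x}.victim.example", "NXDOMAIN"))
        if i % 4 == 0:
            events.append((t + 0.1, "10.0.0.5", "www.example.com", "NOERROR"))
    return events

def first_alerts(events, **kw):
    """Feed a response stream to the detector; return zone -> (time first flagged, features)."""
    det, alerts = SlowDripDetector(**kw), {}
    for ev in events:
        for zone, info in det.observe(*ev).items():
            alerts.setdefault(zone, (ev[0], info))
    return alerts
```

Running `first_alerts(build_sample())` flags victim.example once 50 NXDOMAIN answers for distinct names have been seen from 40 clients, while example.com never appears; the flagged zone is the one to rate-limit or temporarily drop on the recursive server.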


Stopping APTs/malware


APTs: The New Threat Landscape

• Malicious traffic is visible on 100% of corporate networks[1]
• 91.3% of malware uses DNS in attacks[2]
• 68% of organisations don't monitor recursive DNS[2]
• The question isn't if, but when you will be attacked, and how effectively you can respond
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data

Source: 1 Cisco 2014 Annual Security Report; 2 Cisco 2016 Annual Security Report

Organized and well funded, with operational sophistication:
• Profile organizations using public data/social media
• Target key POIs via spear phishing
• "Watering hole" target groups on trusted sites
• Leverage tried and true techniques like SQLi, DDoS & XSS
• Coordinated attacks: distract big, strike precisely

http://www.itbusinessedge.com/slideshows/top-dns-threats-and-how-to-deal-with-them-06.html


Malware/APT requires DNS

Every step of the malware life cycle relies on DNS (figure: infected host -> DNS server):
• Infection: query a malicious domain
• Download: query the 'call home server'
• Exfiltration: query exfiltration destinations


Malware Examples

CryptoLocker
• Targets Windows-based computers in the form of an email attachment
• Upon infection, encrypts files on the local hard drive and mapped network drives
• If the ransom isn't paid, the encryption key is deleted and the data is irretrievable

Gameover Zeus (GOZ)
• 500,000 – 1M infections globally and 100s of millions of dollars stolen
• Uses P2P communication to control infected devices or botnet
• Takes control of private online transactions and diverts funds to criminal accounts


Preventing Data Exfiltration


DNS and Data Breach

• DNS tunnels are commonly used to send sensitive information out
• Data can be exfiltrated by embedding data directly in DNS queries

46%: survey respondents that experienced DNS data exfiltration
45%: survey respondents that experienced DNS tunneling
$7.6M: average material loss per breach incident

Source: SC Magazine, Dec 2014, “DNS attacks putting organizations at risk, survey finds”


Problem: DNS Tunneling

• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, TCP, or web within DNS
• Enables attackers to easily pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host

Impact:
• Data exfiltration or malware insertion can happen through the tunnel

(Figure: a client-side tunnel program in the enterprise encodes IP traffic in DNS queries to the enterprise DNS server, which forwards them out to the Internet.)


Problem: Exploiting DNS to steal data

Malware Steals File Containing Sensitive Data
• Infected endpoint gets access to a file containing sensitive data
• It encrypts and converts the info into an encoded format
• Text is broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data is reconstructed at the other end
• Can use spoofed addresses to avoid detection

(Figure: the infected endpoint in the enterprise sends queries such as NameMarySmith.foo.thief.com, MRN100045429886.foo.thief.com and DOB10191952.foo.thief.com through the enterprise DNS server to the attacker-controlled server thief.com (C&C); data flows out and C&C commands flow back.)

Example malware that uses DNS to exfiltrate data: FrameworkPOS, FeederBot, Moto, Morto, PlugX, Win32.Zbot.chas/Unruy.H, Win32.Mufanom.vha, Win32.AutoTsifiri.n, Win32.Hiloti


Solution: Protection Against Data Exfiltration using DNS Threat Analytics

• Analytics engine stores the previous 'n' queries and uses behavioral analysis to identify patterns of requests
- Looks at TXT, A and AAAA records
- Finds tunneling by using lexical and temporal analysis, looking for signs that the requests are part of a data exfiltration attempt
- Adds destinations to an internal RPZ feed automatically
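An added example of the lexical and temporal analysis this slide describes, applied to the hostname.subdomain exfiltration pattern from the "Exploiting DNS to steal data" slide; it is illustrative code, not Infoblox's analytics engine or code from the slides. It keeps the last n queries, groups them per registered domain, scores label length, label entropy, name uniqueness, query type and burst length, and emits RPZ records (CNAME . for an NXDOMAIN action) for suspect domains. The log format, the thresholds and the registered-domain heuristic (last two labels) are assumptions; the sample log is constructed.

```python
import math
from collections import defaultdict

# Constructed resolver query log ("epoch client qname qtype"); the thief.com names mirror this slide.
SAMPLE_LOG = """\
1454580000.01 10.0.0.5 www.example.com A
1454580000.52 10.0.0.5 mail.example.com A
1454580001.10 10.0.0.9 NameMarySmith.foo.thief.com TXT
1454580001.40 10.0.0.9 MRN100045429886.foo.thief.com TXT
1454580001.70 10.0.0.9 DOB10191952.foo.thief.com TXT
1454580002.00 10.0.0.9 4a6f686e446f65.foo.thief.com TXT
1454580002.30 10.0.0.9 MRN100045429887.foo.thief.com TXT
1454580003.00 10.0.0.5 cdn.example.com AAAA
"""

def shannon_entropy(s):
    """Bits per character: encoded or random-looking labels score higher than dictionary words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s))) if n else 0.0

def registered_domain(qname):
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])  # assumption: no public-suffix list

def analyze(log, min_count=4, min_label_len=10, min_entropy=2.5, min_unique=0.8):
    """Group the stored queries per registered domain; score lexical and temporal features."""
    groups = defaultdict(list)
    for line in log.splitlines():
        ts, client, qname, qtype = line.split()
        groups[registered_domain(qname)].append((float(ts), client, qname, qtype))
    report = {}
    for domain, qs in groups.items():
        prefixes = [q[2][:-len(domain) - 1] for q in qs]  # everything left of the domain
        labels = [p.split(".")[0] for p in prefixes]      # leftmost label carries the payload
        count = len(qs)
        f = {"count": count, "clients": sorted({q[1] for q in qs}),
             "unique_ratio": len(set(prefixes)) / count,          # tunnels rarely repeat a name
             "mean_label_len": sum(map(len, labels)) / count,     # long labels carry more data
             "mean_entropy": sum(map(shannon_entropy, labels)) / count,
             "txt_ratio": sum(q[3] == "TXT" for q in qs) / count,
             "span_s": qs[-1][0] - qs[0][0]}                      # temporal: burst length
        f["suspect"] = (count >= min_count and f["unique_ratio"] >= min_unique and
                        f["mean_label_len"] >= min_label_len and f["mean_entropy"] >= min_entropy)
        report[domain] = f
    return report

def rpz_records(report):
    """RPZ records (CNAME . = NXDOMAIN action) for each suspect domain and all its subdomains."""
    return [rec for d, f in sorted(report.items()) if f["suspect"]
            for rec in (f"{d} CNAME .", f"*.{d} CNAME .")]
```

`analyze(SAMPLE_LOG)` marks thief.com as suspect (five unique, long, high-entropy TXT names from one client inside 1.2 s) and leaves example.com alone; `rpz_records` turns that into the two zone lines an RPZ feed would carry.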


Infoblox Security Approach

Visibility: see attacks, infections, and data-exfiltration attempts in the network
Protection: protect infrastructure and data from attacks and malicious agents
Response: enable rapid response by providing contextual information on infections


Infoblox and Bit9 + Carbon Black
Automating Security Response Through Integrations

1. Infected endpoint attempts data exfiltration
2. Infoblox identifies the domain associated with data exfiltration and blocks the connection
3. Infoblox sends an alert to Carbon Black
• Carbon Black correlates endpoint and network data and remediates the infected endpoint automatically
• Isolates endpoint to prevent malware spread
• Kills endpoint process, preserves evidence


Automating Response Through Infoblox / Cisco ISE

Customer Value
• Visibility into what users and devices are communicating with bad domains associated with data exfiltration
• User/device visibility increases confidence in taking mitigation actions
• ISE access is enabled when Network Insight joins the Grid

Flow: Infoblox DDI sends DNS FW events, DNS Threat Analytics events and DHCP leases to Cisco ISE
• ISE quarantines device
• Informs vulnerability scanner to scan device


Build security into your DNS

(Figure: Infoblox Internal DNS Security sits between the enterprise and the Internet behind the firewall, fed by the Infoblox Automated Threat Intelligence Service with updates for DNS attacks and malicious domains. An attacker's DNS DDoS attacks are detected and dropped; a thief's exfiltration queries such as SSN:123456789.foo.thief.com and DOB-01012001.foo.thief.com are detected and dropped; malware sites Badsite1.com, Badsite2.com and Badsite3.com are blocked; legitimate queries for Good.com pass.)

Ecosystem Partners
- Malware detection / APTs
- NAC solutions


DNS Security Gap

• One of the fastest growing attack vectors
• Easy-to-exploit protocol
• Firewalls and IDS/IPS devices not focused on DNS threats
• DNS security layer needed to complement existing security solutions
• Internal DNS servers are an ideal detection and enforcement point
• Every DNS server should be a secure DNS server

Send Us Your PCAP Files – Register now


Questions?