Richard Langston

  • Published on
    20-Feb-2017

Transcript

  • Securing DNS against malware threats & the importance of an integrated security ecosystem. Richard Langston, Senior Product Manager Security, Infoblox

    Presentation at DANSK IT's conference It-sikkerhed 2016, Thursday 4 February 2016

  • 2 | 2013 Infoblox Inc. All Rights Reserved. 2 | 2015 Infoblox Inc. All Rights Reserved. CONFIDENTIAL

    Overview on Security. Richard Langston, Sr. Product Manager, Security

  • Slide 4

    Why is DNS so vital?

    DNS cannot go down because everything in the network depends on it. But why not turn DNS from a vulnerability that needs to be engineered to an asset that can be leveraged? Brand, customer satisfaction, and employee productivity are all dependent on DNS being secure, reliable, and fast.

  • Slide 5

    DNS is a great tool for bad guys to exploit

    - #1 protocol for volumetric reflection/amplification attacks
    - DNS is critical networking infrastructure
    - DNS protocol is easy to exploit and attacks are prevalent
    - Traditional security is ineffective against evolving threats

  • Slide 6

    DNS is a top attack vector: DNS is vulnerable to attacks and exploitation (*Cloudmark 2014 report)

    DoS attacks by protocol: DNS 76%, NTP 11%, HTTP 9%, Other 4%

    Exfiltration by protocol: DNS 45%, HTTP 40%, FTP 7%, Other 8%

  • Slide 7

    Threat levels on DNS are increasing

  • Slide 8

    Why DNS Security

    Source: http://www.itbusinessedge.com/slideshows/top-dns-threats-and-how-to-deal-with-them-06.html

    In a recent survey 66 percent of U.S. respondents reported that their organization suffered a DNS attack within the last 12 months:

    - Loss of Internet service (63 percent)
    - Increase in customer complaints (42 percent)
    - Loss of confidential customer information (33 percent)

    Recently Lenovo and Google were victims of "domain hijacking". Visitors to Google's Vietnamese site were redirected to another site. Visitors to Lenovo's site were maliciously redirected to a defaced site controlled by the well-known hacker group Lizard Squad.

    Many of the recent high profile attacks either used DNS to exfiltrate data, or the malware used has evolved to use DNS.

  • Slide 9

    DNS Security Challenges

    1. Defending against DNS DDoS attacks
    2. Stopping APTs/malware from using DNS
    3. Preventing data exfiltration via DNS

  • Slide 10

    DNS Security - How to detect threats?

    - Reputation
    - Signature
    - Behavior

  • Slide 11

    Defending against DDoS attacks

  • Slide 12

    The Rising Tide of DNS Threats: Are You Prepared?

    In the last year alone there has been an increase of 216% in DNS attacks[1] and 47% in DDoS attacks[2].

    With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.

    28M pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks[3].

    33M: number of open recursive DNS servers[3].

    With enterprise level businesses receiving an average of 2 million (2M) DNS queries every single day, the threat of attack is significant.

    1. Prolexic Quarterly Global DDoS Attack Report, Q4, 2013. 2. Prolexic Quarterly Global DDoS Attack Report, Q1, 2014. 3. www.openresolverproject.org

  • Slide 14

    Evolving DNS Attacks and More

    DNS-based exploits (protocol-specific exploits):

    - DNS cache poisoning
    - DNS tunneling
    - Protocol anomalies
    - Reconnaissance
    - DNS hijacking
    - Domain lockup attack
    - Malformed DHCP requests

    Volumetric/DDoS attacks:

    - DNS reflection
    - DNS amplification
    - TCP/UDP/ICMP floods
    - NXDOMAIN attack
    - Phantom domain attack
    - Random subdomain attack
    - Domain lockup attack

  • Slide 15

    Anatomy of an Attack: Distributed Reflection DoS Attack (DrDoS)

    How the attack works (diagram: Attacker, Internet, Target Victim)

    - Combines reflection and amplification
    - Uses third-party open resolvers in the Internet (unwitting accomplice)
    - Attacker sends spoofed queries to the open recursive servers
    - Uses queries specially crafted to result in a very large response
    - Causes DDoS on the victim's server

  • Slide 16

    Random Subdomain Attack (Slow Drip)

    How the attack works

    - Infected clients create queries by prepending randomly generated subdomain strings to the victim's domain, e.g. xyz4433.yahoo.com
    - Each client may only send a small volume of these queries to the DNS recursive server, which makes the attack harder to detect
    - Multiple of these infected clients send such requests

    Impact

    - Responses may never come back from these non-existing subdomains
    - DNS recursive server waits for responses; outstanding query limit exhausted
    - Target domain's auth server experiences DDoS

    Diagram: bot/bad clients send queries with random strings prefixed to the victim's domain (e.g. xyz4433.yahoo.com) to DNS recursive servers (ISP); the flood of queries for non-existent subdomains causes resource exhaustion on the recursive servers and DDoS on the target victim domain (e.g. yahoo.com).
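    The slow-drip pattern described above can be spotted on the recursive server side by looking for zones whose leftmost labels are almost never repeated, and for the clients that supply those one-off labels. The following is an added example, not Infoblox code or part of the original deck; the log line layout, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed BIND-style query log lines (not real traffic): two bots each send
# a few random-label queries for victim.example; 10.0.0.9 is a normal client.
SAMPLE_LOG = """\
client 10.0.0.5#5353: query: xyz4433.victim.example IN A + (10.0.0.1)
client 10.0.0.5#5353: query: qpo1829.victim.example IN A + (10.0.0.1)
client 10.0.0.5#5353: query: mnb7710.victim.example IN A + (10.0.0.1)
client 10.0.0.6#5353: query: ttr0091.victim.example IN A + (10.0.0.1)
client 10.0.0.6#5353: query: ppl5562.victim.example IN A + (10.0.0.1)
client 10.0.0.6#5353: query: wer3301.victim.example IN A + (10.0.0.1)
client 10.0.0.9#5353: query: www.victim.example IN A + (10.0.0.1)
client 10.0.0.9#5353: query: www.victim.example IN A + (10.0.0.1)
client 10.0.0.9#5353: query: mail.victim.example IN A + (10.0.0.1)
client 10.0.0.9#5353: query: www.partner.example IN A + (10.0.0.1)
"""

# Assumed layout: "client <ip>#<port>: query: <qname> IN <type> ..."
LINE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

def parse_queries(log_text):
    """Return (client_ip, qname) pairs, lower-cased and without a trailing dot."""
    pairs = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            pairs.append((m.group("ip"), m.group("qname").lower().rstrip(".")))
    return pairs

def zone_of(qname):
    """Group by the last two labels; a real deployment would use the Public Suffix List."""
    return ".".join(qname.split(".")[-2:])

def slow_drip_candidates(log_text, min_unique=5, min_uniqueness=0.8, min_per_client=2):
    """Return {zone: [suspect clients]} for zones whose leftmost labels are mostly
    never repeated; a client is listed once it sent min_per_client one-off labels."""
    by_zone = defaultdict(list)           # zone -> [(client, leftmost label)]
    for ip, qname in parse_queries(log_text):
        by_zone[zone_of(qname)].append((ip, qname.split(".")[0]))
    flagged = {}
    for zone, pairs in by_zone.items():
        counts = Counter(label for _, label in pairs)
        if len(counts) < min_unique or len(counts) / len(pairs) < min_uniqueness:
            continue                      # few names, or names repeat: normal traffic
        one_offs = Counter(ip for ip, label in pairs if counts[label] == 1)
        flagged[zone] = sorted(ip for ip, n in one_offs.items() if n >= min_per_client)
    return flagged
```

    On the sample above only victim.example is flagged, and only the two bots are listed, because the normal client's names repeat or are too few. In production the same counters should be kept per time window and joined with NXDOMAIN response counts so that legitimately diverse zones (CDNs, DNSBLs) are not flagged.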

  • Slide 17

    Stopping APTs/malware

  • Slide 18

    APTs: The New Threat Landscape

    - Malicious traffic is visible on 100% of corporate networks[1]
    - 91.3% of malware uses DNS in attacks[2]
    - 68% of organisations don't monitor recursive DNS[2]

    The question isn't if, but when you will be attacked, and how effectively you can respond.

    APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data.

    Source: 1. Cisco 2014 Annual Security Report; 2. Cisco 2016 Annual Security Report

    How APTs operate:

    - Organized and well funded
    - Profile organizations using public data/social media
    - Target key POIs via spear phishing
    - Watering hole target groups on trusted sites
    - Leverage tried and true techniques like SQLi, DDoS & XSS
    - Coordinated attacks: distract big, strike precisely
    - Operational sophistication

    http://www.itbusinessedge.com/slideshows/top-dns-threats-and-how-to-deal-with-them-06.html

  • Slide 19

    Malware/APT requires DNS

    Every step of the malware life cycle relies on DNS (diagram: the infected host queries the DNS server at each stage):

    - Infection: query a malicious domain
    - Download: query the call home server
    - Exfiltration: query exfiltration destinations

  • Slide 20

    Malware Examples

    CryptoLocker

    - Targets Windows-based computers in the form of an email attachment
    - Upon infection, encrypts files on the local hard drive and mapped network drives
    - If the ransom isn't paid, the encryption key is deleted and the data is irretrievable

    Gameover Zeus (GOZ)

    - 500,000 to 1M infections globally and 100s of millions of dollars stolen
    - Uses P2P communication to control infected devices or botnet
    - Takes control of private online transactions and diverts funds to criminal accounts

  • Slide 21

    Preventing Data Exfiltration

  • Slide 22

    DNS and Data Breach

    - DNS tunnels are commonly used to send sensitive information out
    - Data can be exfiltrated by embedding data directly in DNS queries

    % of survey respondents that experienced DNS data ex