the Presentation

Report
Domain Name System (DNS)
Network Security Asset or Achilles Heel?
Seema Kathuria, Sr. Product Marketing Manager, Infoblox
February 19, 2015
Agenda
• What is DNS and How Does It Work?
• Threat Landscape Trends
• Common Attack Vectors
-
Anatomy of an attack: DNS Hijacking
Anatomy of an attack: Reflection Attack
Anatomy of an attack: Data Exfiltration via
DNS Tunneling
• How to Protect Yourself?
• Q&A
3
© 2015 Infoblox Inc. All Rights Reserved.
What is the Domain Name System (DNS)?
• Address book for The Internet
• Translates “google.com” to 173.194.115.96
• Invented in 1983 by Paul Mokapetris (UC Irvine)
Without DNS,DNS
The Internet
Communications
Outage&=Network
Business
Downtime Would Stop
4
© 2015 Infoblox Inc. All Rights Reserved.
How Does DNS Work?
WWW.GOOGLE.COM
“That’s in my cache,
it maps to:
173.194.115.96
“Great, now I know how
to get to
www.google.com”
ROOT DNS
SERVER
173.194.115.96
“Great, I’ll put that in
my cache in case I get
another request”
“That domain is not in
my server, I will ask
another DNS Server”
173.194.115.96
“I need directions to
www.google.com”
5
© 2015 Infoblox Inc. All Rights Reserved.
ISP
DNS SERVER
For Bad Guys, DNS Is a Great Target
DNS is the
cornerstone of the
Internet used by
every business and
government
DNS as a protocol
is easy to exploit
Traditional
protection is
ineffective against
evolving threats
DNS Outage = Business Downtime
6
© 2015 Infoblox Inc. All Rights Reserved.
Defense-in-Depth and DNS Security Gap
• Firewalls and IDS/IPS devices don’t
effectively address DNS security threats
• Proliferation of BYOD devices, mobile
users means threats may be inside the
firewall
• DNS technology is ideal for defending
against threats and disrupting
APT/malware communications from
infected devices
• Traditional security products generally
don’t focus on DNS
• DNS security layer needed to fill gap
7
© 2015 Infoblox Inc. All Rights Reserved.
The DNS Security Challenges
1
Securing the DNS platform
2
Defending against DNS attacks
including data exfiltration via DNS
tunneling
3
Preventing malware from using DNS to
communicate to malicious domains
8
© 2015 Infoblox Inc. All Rights Reserved.
DNS Attack
Vectors
9
© 2015 Infoblox Inc. All Rights Reserved.
Anatomy of an Attack
Syrian Electronic Army
10
© 2015 Infoblox Inc. All Rights Reserved.
Anatomy of an Attack
Distributed Reflection DoS Attack (DrDoS)
How the attack works
Combines reflection and amplification
Internet
Uses third-party open resolvers in
the Internet (unwitting accomplice)
Attacker sends spoofed queries
to the open recursive servers
Uses queries specially crafted to
result in a very large response
Attacker
Causes DDoS on the victim’s server
Target Victim
11
© 2015 Infoblox Inc. All Rights Reserved.
Anatomy of an Attack
Data Exfiltration via DNS Tunneling
1. File containing sensitive
info converted to text,
broken into chunks and
exfiltrated via DNS
2. Exfiltrated data put
back together and
decrypted to get the
valuable information
3. Used spoofed
addresses
12
© 2015 Infoblox Inc. All Rights Reserved.
The Rising Tide of DNS Threats
Are You Prepared?
TCP/UDP/ICMP floods:
DNS amplification:
Flood victim’s network with large
amounts of traffic
DNS cache poisoning:
Protocol anomalies:
Corruption of a DNS cache
database with a rogue address
Malformed DNS packets causing
server to crash
DNS tunneling:
Tunneling of another protocol
through DNS for data ex-filtration
DNS based exploits:
Exploit vulnerabilities in
DNS software
13
Use amplification in DNS reply to
flood victim
Top
DNS
attacks
DNS hijacking:
Subverting resolution of DNS queries
to point to rogue DNS server
Reconnaissance:
Probe to get information on network
environment before launching attack
DNS reflection/DrDos:
Fragmentation:
Use third party DNS servers to
propagate DDoS attack
Traffic with lots of small out of
order fragments
Phantom Domain:
NXDOMAIN:
Force DNS server to resolve multiple
non-existent domains and wait for responses
Flood DNS server with requests
for non-existent domains
© 2015 Infoblox Inc. All Rights Reserved.
APT/Malware Examples
CryptoLocker “Ransomware” and GameOver Zeus
CryptoLocker:
•
Targets Windows-based computers
•
Appears as attachment within seemingly legitimate email
•
Upon infection, encrypts files: local hard drive and mapped network drives
•
Ransom: 72 hours to pay $300USD
•
If not paid, encryption key deleted and data irretrievable
•
Only way to stop (after executable has started) is by blocking outbound
connection to encryption server
GameOver Zeus:
•
500,000 to 1M infections worldwide
•
Hundreds of millions of dollars stolen
•
Highly sophisticated and hard to track
•
Uses P2P communication to control infected devices or botnet
•
Upon infection, it monitors machine for finance-related information
•
Takes control of private online transactions and diverts funds to criminal
accounts
•
Responsible for distribution of CryptoLocker, and infected systems can be
used for DDoS attacks
14
© 2015 Infoblox Inc. All Rights Reserved.
Security Breaches using APTs/Malware
2014
Q1
15
© 2015 Infoblox Inc. All Rights Reserved.
Q2
Q3
Q4
Protection Best Practices
16
© 2015 Infoblox Inc. All Rights Reserved.
Help Is On The Way!
DNSSEC
Dedicated
Appliances
Collaboration
RPZ
Monitoring
Advanced
DNS
Protection
17
© 2015 Infoblox Inc. All Rights Reserved.
Get the Teams Talking – Questions to Ask:
•
•
Who in your organization is responsible for DNS Security?
What methods, procedures, tools do you have in place to
detect and mitigate DNS attacks?
Would you know if an attack was happening? Would you
know how to stop it?
•
IT OPS
Team
IT Apps
Team
© 2015 Infoblox Inc. All Rights Reserved.
Security
Team
Network
Team
18
Hardened DNS Appliances
Conventional Server Approach
Hardened Appliance Approach
Update
Service
Secure
Access
Multiple
Open Ports
Limited
Port Access
 Dedicated hardware with no unnecessary
logical or physical ports
– Many open ports are subject to attack
– Users have OS-level account privileges on
server
– Requires time-consuming manual updates
 No OS-level user accounts—only admin accts
 Immediate updates to new security threats
 Secure HTTPS-based access to device
management
 No SSH or root-shell access
 Encrypted device-to-device communication
19
© 2015 Infoblox Inc. All Rights Reserved.
Legitimate Traffic
Advanced DNS Protection
Automatic
updates
Advanced DNS
Protection
(External DNS)
Data for
Reports
Updated
ThreatIntelligence
Server
Advanced DNS
Protection
(Internal DNS)
Reporting
Server
Reports on attack types, severity
20
© 2015 Infoblox Inc. All Rights Reserved.
Response Policy Zones - RPZ
Blocking Responses from Malicious Domains
1
An infected device
brought into the office.
Malware spreads to
other devices on
network.
2
Malware makes a DNS
query to find “home”
(botnet / C&C). DNS
Server looks at the DNS
response and blocks the
connection to the
malicious domain.
4
Malicious
domains
Reputational Feed:
IPs, Domains, etc.
of Bad Servers
2
Malware /
APT
Internet
Intranet
DNS Server
with RPZ
capability
Blocked
communication
attempt
sent to Syslog
3
1
3
2
4
Malware / APT spreads
within network; Calls home
21
© 2015 Infoblox Inc. All Rights Reserved.
Query to malicious
domain logged; security
teams can now identify
requesting endpoint and
attempt remediation
RPZ regularly updated
with malicious domain
data using available
reputational feeds
Take the DNS Security Risk Assessment
1. Analyzes your organization’s DNS setup to assess level of risk
of exposure to DNS threats
2. Provides DNS Security Risk Score and analysis based on answers given
3. www.infoblox.com/dnssecurityscore
Higher score = higher DNS security risk!!
22
© 2015 Infoblox Inc. All Rights Reserved.
Try DNS Firewall Virtual Evaluation
Use DNS to Find Malware/APT Lurking in Your Network
Two options: Port Span and Standalone
No hardware (100% virtual)
Non-disruptive to production network
60-day trial
See Malware/APT activity with reports
www.infoblox.com/catchmalware
23
© 2015 Infoblox Inc. All Rights Reserved.
Call to Action
• DNS security vulnerabilities pose a significant threat
• Raise the awareness of DNS and DNS security
vulnerabilities in your organization
• There are many resources available to help
• Seek help if needed to protect DNS
• Talk to Infoblox
24
© 2015 Infoblox Inc. All Rights Reserved.
Infoblox Overview
Founded in 1999
Headquartered in Santa Clara, CA
with global operations in 25
countries
Total Revenue (Fiscal Year Ending July 31)
$300.0
Leader in technology
for network control
$250.0
$200.0
• DDI market leader (Gartner)
• 50% DDI market share (IDC)
7,000+ customers
74,000+ systems shipped to 100
countries
$MM
Market leadership
$150.0
$100.0
$50.0
$0.0
FY2009
45 patents, 27 pending
IPO April 2012: NYSE BLOX
25
© 2015 Infoblox Inc. All Rights Reserved.
FY2010
FY2011
FY2012
FY2013
FY2014
IT Analyst Validation
Gartner: “usage of a commercial
DDI solution can reduce (network)
OPEX by 50% or more.”
IDC: Infoblox is the only major DDI vendor
to gain market share over the
past three years.
Gartner: “Infoblox is the DDI
market leader in terms of mainstream brand
awareness.”
26
© 2015 Infoblox Inc. All Rights Reserved.
Worldwide DDI
Market Share – 2013
27
© 2015 Infoblox Inc. All Rights Reserved.

similar documents