
Page 1: SECURE DNS FOR YOUR NETWORK · 2018-11-20 · • Use different exploitation techniques–e.g. Microsoft SMB vulnerabilities, email phishing • Upon infection, uses DNS for callback

1 | © Infoblox Inc. All rights reserved.

SECURE DNS FOR YOUR NETWORK

Mitigate DNS Attacks, Malware, and Data Exfiltration

Pheerawat Kittivacharaphong

Systems Engineer, Infoblox (Thailand)

[email protected]

Page 2: Agenda

• Introduction of Secure Network and Security Trends
• Why is DNS the #1 service targeted by attackers?
• Innovation for Secure DNS (AI, Machine Learning)
• Best Practices for Enterprises to Secure Your Network
• Case Study

Page 3: Introduction of Secure Network and Security Trends

Page 4: Trends Shaping Our Future

(Timeline chart; panel titles: Digital Everything; Accelerated Pace of Change; Security for Everything.)

Page 5: Connecting and Serving a Global Community of Customers, Partners and Employees

Reliably, safely, intelligently: anytime, anywhere, hyper-connectivity through any infrastructure, for any "thing" and every "thing".

eBusiness and eCommerce are collectively referred to as the Digital Economy.

Page 6: Growth and Complexity in the Digital Economy

• People: 4.1 billion active internet users worldwide in 2018
• Devices: 25 billion; from 4.9 billion to 25 billion connected devices by 2020
• Data: 2.5 million terabytes of data created each day

Page 7: Challenges in Realizing the Digital Economy

Availability
• The underlying infrastructure is not always highly available enough to support always-on communications and transactions

Scale
• Operational challenges in supporting communications between billions of connected devices
• Inability of the infrastructure to handle the volume of transactions/connections

Security
• Security for eCommerce transactions, data and underlying infrastructure
• Are IoT devices compliant?
• IoT botnets

Visibility
• Visibility into all the devices connecting to the network across diverse infrastructure
• Operational efficiency: knowing when you will run out of capacity

Page 8: Weaponization of IoT Devices Drives Massive DDoS Attacks

650 Gbps in 2016 to 1.7 Tbps in 2018: more than a 100% increase.

Source: Arbor Networks, Inc – 13th annual Worldwide Infrastructure Security Report (2018)

Page 9: What is the weapon of choice?

DNS is the most common service targeted by DDoS attacks.

Source: Arbor Networks, Inc – 2017 Security Report

Page 10: IoT botnet "Mirai" Used to Attack DynDNS

• Consisted of ~1.5M compromised "Internet of Things" (IoT) devices
  – IP CCTV cameras
  – Digital video recorders
• Hurled traffic at Dyn's name servers
  – Said to peak at 1.2 Tbps
  – Name servers rendered unresponsive
• High-profile Dyn customers impacted
• Impact
  – Customers cannot connect to your web presence
  – Cannot receive emails
  – VPN or remote workers may be impacted

More than 14,000 internet domains dropped Dyn as their DNS service provider in the wake of the incident.

Page 11: DNS Hijacking – Bank With $27B in Assets Hijacked

Major Brazilian bank: hundreds of branches, operations in the US and the Cayman Islands, 5M customers, 36 external DNS online properties.

Hackers changed the DNS registrations of all 36 of the bank's online properties. The hijack was so complete that the bank wasn't even able to send email, so it couldn't communicate with customers to send them an alert. All of the bank's online operations were under the attackers' control for five to six hours.

"…, the incident should serve as a clear warning to check on the security of their DNS. He notes that half of the top 20 banks ranked by total assets don't manage their own DNS, instead leaving it in the hands of a potentially hackable third party."

Read the full story: http://securityaffairs.co/wordpress/57736/cyber-crime/brazilian-bank-hacked.html

Page 12: Cryptocurrency vs DNS Threats

• 16 Jan 2018: https://www.scmagazineuk.com/hackers-crack-blackwallet-dns-server-steal-us-400000/article/737083/
• 27 Dec 2017: http://securityaffairs.co/wordpress/67146/cyber-crime/exchange-etherdelta-dns-attack.html

Page 13: 91% of Malware (ab)uses DNS to communicate with C&C sites to carry out campaigns

Source: Cisco 2016 Annual Security Report

Page 14: Examples and Impact of DNS-Based Threats

Ransomware – CryptoLocker, WannaCry
• Uses different exploitation techniques, e.g. Microsoft SMB vulnerabilities, email phishing
• Upon infection, uses DNS for the callback to the C&C server and to obtain the encryption software
• Encrypts files on the local hard drive and mapped network drives
• If the ransom isn't paid, the encryption key is deleted and the data is irretrievable

Page 15: University in Thailand

Chart shows 1 week of DNS traffic to Infoblox ATC (40M queries per day, 400K malicious queries stopped): about 40M DNS queries per day; up to 400,000 malicious DNS queries per day blocked by ATC.

Page 16: Human Organization in Thailand

Chart shows 1 week of DNS traffic to Infoblox ATC (8.5M queries per day, 30K malicious queries stopped): about 8.5M DNS queries per day; up to 30,000 malicious DNS queries per day blocked by ATC.

Page 17: During DNS Traffic Security Assessment – What DNS Threats Were Found?

• Cryptomining malware abuses corporate resources, leading to increased cost and greater exposure to risk for organizations.
• Domain generation algorithms (DGA) are algorithms seen in various families of malware that periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers.
• Attackers use DNS to circumvent next-generation firewalls, DLP, IDSs and IPSs and transfer data out of an organization without authorization.

Page 18: Cryptomining Malware

• https://threatvector.cylance.com/en_us/home/threat-spotlight-cryptocurrency-malware.html
• https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Cryptomining-malware-on-NAS-servers.pdf
• https://www.fortinet.com/blog/threat-research/yet-another-crypto-mining-botnet.html
• https://securityintelligence.com/network-attacks-containing-cryptocurrency-cpu-mining-tools-grow-sixfold/

Page 19: What is DGA (Domain Generation Algorithm)?

(The slide shows a list of sample algorithmically generated domain names, omitted here.)

Page 20: 46% of respondents experienced data exfiltration / data leakage through DNS

Source: SC Magazine, Dec 2014, "DNS attacks putting organizations at risk, survey finds"

Page 21: Transports used to exfiltrate sensitive data, according to organizations that sustained a breach

(Chart.) Source: The SANS 2017 Data Protection Survey

Page 22: PoS Malware Steals Credit Card Data via DNS

https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html


Page 24: DNS Tunneling

• The infected client initiates DNS queries
• The firewall allows DNS traffic
• The attacker responds, completing a two-way transactional communication
• A DNS tunnel is set up
• Files can be sent out, or the attacker gains remote access to the infected client

(Diagram: an infected end-point on the internal network sends DNS queries through the internal DNS server to the Internet; DNS responses return over the same path, forming a DNS tunnel that carries credit card info, user credentials or other sensitive data.)

Page 25: Data Leakage over DNS Queries

• Sophisticated (zero-day)
• The infected endpoint gets access to a file containing sensitive data
• The data is broken down into pieces, encrypted and encoded in DNS queries, e.g. a2b5c8.1.12.xyz.com, d1e3f0.2.12.xyz.com, d5e6f2.3.12.xyz.com
• The exfiltrated data is reconstructed on the attacker's side
• Spoofed addresses are used to avoid detection

(Diagram: the infected end-point on the internal network sends the encoded DNS queries through the internal DNS server to the Internet. Sample record used in the demo: Name Pheerawat-Kitti, ID 543112197, DOB 04-10-1999, Visa card # 7895-2068-2234-8781, CVV & expiry 567 2017-12.)

Page 26: Live Demo – Data Leakage over DNS Queries

Page 27: Government in Thailand

Infoblox ATC detects DNS data exfiltration on a holiday (~9K malicious queries stopped).

Page 28: Why is DNS the #1 Service Targeted by Attackers?

Page 29: DNS – Domain Name System

• Stores the domain name information used on the network
• Maps IP addresses, which are strings of numbers that are hard to remember, to names that are easy to remember

Put simply, DNS is like the contact list on a mobile phone: domain name to IP address, e.g. infoblox.com → 161.47.10.70.

Page 30: DNS – Domain Name System

(Diagram: domain name → IP address.)

Page 31: DNS – the foundational service that lets apps and users connect to each other

Page 32: Why is DNS the number one target?

Unprotected DNS increases risk to critical infrastructure and data:
• #1 protocol for volumetric reflection/amplification attacks
• DNS is critical networking infrastructure
• The DNS protocol is easy to exploit, and attacks are rising
• Traditional security is ineffective against evolving threats

Page 33: DNS in the Attack Kill Chain

1. Reconnaissance: harvesting email addresses, conference information, etc.
2. Weaponization: coupling an exploit with a backdoor into a deliverable payload
3. Delivery: delivering the weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: exploiting a vulnerability to execute code on the victim's system
5. Installation: installing malware on the asset
6. Command & Control (C2): command channel for remote manipulation of the victim
7. Actions on Objectives: with "hands on keyboard" access, intruders accomplish their original goal

DNS roles labelled across the stages on the slide: DNS Reconnaissance, DNS Resolution, DNS Infiltration, DNS Tunneling, DNS Exfiltration, DNS DDoS, DNS Callback, DNS Protocol Anomalies, DNS Exploits, DNS Hijacking.

Page 34: Innovation for Secure DNS


Page 36: Innovation for Threat Detection

• Reputation: detect & prevent communications to malware, C2, ransomware; government-grade threat intelligence; ecosystem
• Signature: infrastructure protection for critical core services; carrier-grade deep packet inspection; instant identification of popular tunneling tools
• Behavior: patented streaming analytics technology; detect & prevent data exfiltration; "machine learning"

Page 37: Reputation-based Protection for Known Threats

1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. The malware makes a DNS query to find "home" (botnet / C&C). The DNS Firewall looks at the DNS response and takes the admin-defined action (disallows communication to the malware site, or redirects traffic to a landing page or "walled garden" site).
3. Pinpoint: Infoblox Reporting lists the DNS Firewall action as well as
   • User name
   • Device IP address
   • Device MAC address
   • Device type (DHCP fingerprint)
   • Device host name
   • Device lease history
4. Threat intelligence is regularly updated for up-to-date protection.
5. Additional threat intelligence from sources outside Infoblox can also be used by the DNS Firewall, and the DNS Firewall can likewise share indicators of compromise with other security technologies, enhancing protection and easing incident response efforts.

(Diagram: malware spreads within the intranet and calls home; the Infoblox DNS Firewall, fed by the ActiveTrust Threat Intelligence Feed database of malicious hostnames, blocks the communication attempt to malicious Internet destinations and records the indicator of compromise; 3rd-party security technologies exchange data with it.)

Page 38: Leveraging Threat Intel Across the Entire Security Infrastructure

(Diagram: threat intelligence sources Infoblox, SURBL, Marketplace and Custom TI arrive in various file formats (C&C IP list, spambot IPs, C&C & malware host/domain, phishing & malware URLs); TIDE defines data policy, governance & translation and feeds WWW, DNS and SIEM; Dossier is used to investigate threats.)

Result: single source of TI management, faster triage, threat prioritization.


Page 40: AI Powered to Address the "Unknown" Threats

(Diagram: data from customers, 3rd parties, data scientists and universities (12B per day, 2.5 years, 1 PB) feeds continuous AI in Infoblox ActiveTrust Cloud and Infoblox ActiveTrust (on-prem).)

Page 41: Behavior-based Detection of Zero-Day Attacks Using AI

• Analytics algorithms are sophisticated and complex
• Simplifying greatly, certain attributes add to a threat score, others subtract from it
• All attributes are evaluated and weighted
• After all attributes are evaluated, a final score classifies a request as exfiltration or not
• If the finding is exfiltration, the destination DNS server is added to a special RPZ zone that contains the block, log, redirect policy

Attributes and their effect on the score:
• Entropy (adds to score): does the request contain lots of information?
• Frequency / Size (adds to score): it is unusual to send many different requests to the same external domain.
• Lexical Analysis (adds to score): does it appear to be encoded or encrypted?
• n-Gram Analysis (subtracts from score): does the request contain words in a language?
• Proprietary methods (adjusts score): false positive mitigation; other indicators and factors
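To make the scoring idea on this slide concrete, here is an added toy scorer (example code, not Infoblox's algorithm, whose attributes and weights are proprietary). It scores query names with the entropy, size, lexical, n-gram and frequency attributes listed above, using the sample names from slides 19 and 25, and emits RPZ records for domains it classifies as exfiltration; the thresholds, word list and client addresses are assumptions made for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed sample traffic (client IP, query name): the xyz.com names follow the
# chunk.sequence.total.domain pattern on slide 25, the .net name is a DGA-style
# name from slide 19. This is not captured traffic.
SAMPLE_QUERIES = [
    ("10.10.5.21", "www.infoblox.com"),
    ("10.10.5.21", "mail.google.com"),
    ("10.10.5.37", "a2b5c8.1.12.xyz.com"),
    ("10.10.5.37", "d1e3f0.2.12.xyz.com"),
    ("10.10.5.37", "d5e6f2.3.12.xyz.com"),
    ("10.10.5.42", "gyptnmywbowgvlw.net"),
]

# Tiny stand-in for the n-gram / language model; a real deployment would use a
# dictionary or trained n-gram frequencies (assumption).
COMMON_WORDS = {"www", "mail", "login", "static", "cdn", "api", "infoblox", "google"}
HEX_LABEL = re.compile(r"^[0-9a-f]{6,}$")

ENTROPY_THRESHOLD = 3.0  # bits per character (assumed cut-off)
LONG_NAME = 15           # characters outside the TLD (assumed cut-off)
MANY_NAMES = 3           # distinct names seen for one domain (assumed cut-off)
EXFIL_SCORE = 6          # assumed final-score thresholds
SUSPICIOUS_SCORE = 3


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels, e.g. 'xyz.com' (simplification: no public-suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_name(qname):
    """Score one query name with the slide's attributes; returns (score, reasons)."""
    labels = qname.lower().rstrip(".").split(".")
    body = labels[:-1]                     # every label except the TLD
    text = "".join(body)
    checks = [
        # Entropy: does the request carry a lot of information?
        (shannon_entropy(text) > ENTROPY_THRESHOLD, 2, "high-entropy"),
        # Size: a long name carries more payload per query.
        (len(text) >= LONG_NAME, 1, "long-name"),
        # Lexical analysis: does it look encoded (hex chunks, digit-heavy)?
        (any(HEX_LABEL.match(label) for label in body), 2, "hex-label"),
        (sum(ch.isdigit() for ch in text) > 0.25 * len(text), 1, "digit-heavy"),
        # n-gram analysis: recognisable words subtract from the score.
        (any(label in COMMON_WORDS for label in body), -3, "dictionary-word"),
    ]
    hits = [(points, reason) for cond, points, reason in checks if cond]
    return sum(points for points, _ in hits), [reason for _, reason in hits]


def classify(queries):
    """Per registered domain: best name score plus a frequency bonus, then a verdict."""
    names_by_domain = defaultdict(set)
    for _client, qname in queries:
        names_by_domain[registered_domain(qname)].add(qname.lower().rstrip("."))
    results = {}
    for domain, names in names_by_domain.items():
        score, reasons = max((score_name(n) for n in names), key=lambda r: r[0])
        # Frequency: many distinct names sent to one external domain is unusual.
        if len(names) >= MANY_NAMES:
            score += 2
            reasons = reasons + ["many-distinct-names"]
        if score >= EXFIL_SCORE:
            verdict = "exfiltration"
        elif score >= SUSPICIOUS_SCORE:
            verdict = "suspicious"
        else:
            verdict = "benign"
        results[domain] = (score, verdict, reasons)
    return results


def rpz_records(results):
    """RPZ policy records: 'CNAME .' returns NXDOMAIN for the domain and its subdomains."""
    records = []
    for domain in sorted(results):
        if results[domain][1] == "exfiltration":
            records.append(f"{domain} CNAME .")
            records.append(f"*.{domain} CNAME .")
    return records
```

Running `classify(SAMPLE_QUERIES)` flags xyz.com as exfiltration (hex chunks, high entropy, three distinct names) and the bare DGA-style name only as suspicious, which is why the frequency attribute matters as much as the per-name ones.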

Page 42: An AI-powered DNS service is a solution!

Malicious domains are automatically added to a custom list.


Page 44: Best Practices for Enterprises to Secure Your Network

Page 45: Best Practice for the Digital Economy Network

An ideal solution provides the following key aspects:
• Highly available, redundant architecture for core network services that keeps the infrastructure up and running
• Global load balancing of network traffic to handle the volumes of transactions and communications
• Scaling with automation, centralized management, templates and wizards for consistent expansion and growth
• Enhanced visibility into devices connecting to the network across diverse environments (on premise, virtual or cloud)
• Operational efficiencies using network context and insights (capacity planning)
• Context-aware security for data and infrastructure in any environment (physical, virtual or cloud); faster remediation of threats

Page 46: Securing the DNS System

#1 Protect the DNS server, so that it can keep providing service continuously
#2 Protect against malware that uses the DNS server, to prevent contact with C&C servers and theft of the organization's sensitive data
#3 Monitor for and defend against emerging threats, so that anomalies are detected as they occur and alerts are raised in time to act

Page 47: Security Built in to the DNS Infrastructure

(Diagram: DNS servers facing the Internet.) Security protection against all DNS threats: keep serving DNS queries while under attack. Traditional security mitigates only some of the attacks against DNS.

Page 48: Existing: Hosted Authoritative Name Servers

(Diagram: malware floods the DNS hosting provider's ns1 and ns2 while a legitimate querier tries to resolve.)

             ns1      ns2
Normal RTT   17 ms    12 ms
Duress RTT   999 ms   911 ms

Page 49: How-to: Heterogeneous Authoritative Name Servers

(Diagram: malware floods the DNS hosting provider's servers; the legitimate querier can still reach the corporate servers.)

             ns1.provider   ns2.provider   ns1.corp   ns2.corp
Normal RTT   17 ms          12 ms          53 ms      61 ms
Duress RTT   999 ms         911 ms         53 ms      61 ms

Page 50: February 1st, 2019

• ALL DNS servers which do not respond at all to EDNS queries are going to be treated as DEAD
• EDNS (Extension Mechanisms for DNS) is required for DNSSEC and DNS Cookies
• Action:
  • Check your domain
  • Upgrade/reconfigure your DNS
  • Revise the firewall configuration (allow UDP packets > 512 bytes)
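An added, self-contained illustration of the "check your domain" action (example code, not an Infoblox tool and not the flag-day project's own checker): it builds a minimal non-recursive query carrying an EDNS0 OPT record, parses the reply's OPT record and extended RCODE, and classifies the server as EDNS-compliant, legacy-but-acceptable, broken, or dead. Only `probe()` touches the network; the server address, query name and verdict wording are assumptions.

```python
import socket
import struct

OPT_TYPE = 41
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 16: "BADVERS"}


def encode_name(qname):
    """Wire-format a domain name: length-prefixed labels ending in a zero byte."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def opt_record(udp_size=4096):
    """EDNS0 OPT pseudo-RR: root name, type 41, CLASS field carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)


def build_query(qname, qtype=6, txid=0x1234, with_edns=True, udp_size=4096):
    """Non-recursive (RD=0) query for `qname`, SOA by default, optionally carrying OPT."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1 if with_edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    return header + question + (opt_record(udp_size) if with_edns else b"")


def skip_name(data, off):
    """Return the offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length
        if length == 0:
            return off


def parse_response(data, txid):
    """Extract RCODE (with EDNS extended bits) and OPT details from a raw reply."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    info = {"rcode": flags & 0x0F, "has_opt": False, "udp_size": None, "edns_version": None}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):               # walk every RR, looking for OPT
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info["has_opt"] = True
            info["udp_size"] = rclass
            info["edns_version"] = (ttl >> 16) & 0xFF
            info["rcode"] |= ((ttl >> 24) & 0xFF) << 4   # extended RCODE upper 8 bits
    return info


def assess(info):
    """Map a parsed reply (None for a timeout) to a flag-day verdict string."""
    if info is None:
        return "DEAD: no reply to the EDNS query; resolvers no longer retry without EDNS"
    rcode = RCODE_NAMES.get(info["rcode"], str(info["rcode"]))
    if info["has_opt"]:
        return f"OK: EDNS answered ({rcode}, advertises {info['udp_size']}-byte UDP payloads)"
    if info["rcode"] == 1:
        return "LEGACY: FORMERR without OPT is the RFC 6891 fallback; upgrade when possible"
    return f"BROKEN: {rcode} reply with the OPT record dropped; check server and firewall"


def probe(server_ip, qname, timeout=3.0):
    """Send one EDNS query over UDP and assess the reply (network call; not run by tests)."""
    txid = 0x2B1D
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid=txid), (server_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return assess(None)
    return assess(parse_response(data, txid))
```

Run `probe()` against each authoritative server of your zone from outside the firewall as well as inside: a DEAD verdict from outside but OK from inside points at the firewall dropping EDNS or large UDP packets rather than at the server.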

Page 51: Securing the DNS System – #1 Protect the DNS server, so that it can keep providing service continuously

• For external DNS, deploy at least two sets, one inside the organization and one at an ISP or cloud provider, so that there is redundancy if either one is attacked and an integrity check can be performed.
• Internal DNS may be attacked by infected clients inside the organization; deploy it in HA (High Availability) mode or use DNS Anycast to improve performance, provide redundancy and spread load across several DNS servers.
• Inspect DNS traffic with deep packet inspection to filter attack traffic out before it reaches the DNS engine.
• Apply rate-based inspection of DNS traffic to block or rate-limit abnormally high volumes before they reach the DNS engine.
• Update DNS software/firmware regularly.
• Harden the DNS server, or use a purpose-built DNS appliance, to protect against attacks on known vulnerabilities.

Page 52: Malware/APTs rely on DNS at various stages of the cyber kill chain

• Penetration: query malicious domains and report to C&C
• Infection: download malware to the infected host
• Exfiltration: transport the data offsite

(Diagram: each stage passes through the DNS server.)


Page 54: Securing the DNS System – #2 Protect against malware that uses the DNS server, to prevent contact with C&C servers and theft of the organization's sensitive data

• Check whether the domain in each DNS query is a malicious query
• If it is a malicious query, block it to prevent the malware calling back to the C&C server
• Update feeds of dangerous domains from multiple sources regularly, for accuracy and precision
• Analyze DNS queries for anomalies:
  • Domain name
  • Encoded text
  • Query rate
• These may indicate data theft via DNS queries

Page 55: Securing the DNS System – #3 Monitor for and defend against emerging threats, so that anomalies are detected as they occur and alerts are raised in time to act

• Review usage statistics regularly, e.g. DNS query rate (qps), CPU/memory utilization
• Review abnormal events, e.g. malicious domain queries, DNS attack events
• Configure alerts for abnormal events via email, SNMP, SMS, etc.
• Define a workflow for handling abnormal events, e.g. security event correlation, quarantining the client, vulnerability scanning
• Integrate with the organization's security systems to respond to problems automatically

Page 56: Case Study

Page 57: Case Study – Top Bank in Thailand

Challenges:
• Could not access internal systems due to a security incident last year.
• Internal clients sent a large number of DNS queries to outside domains, which brought the DNS server down and caused service downtime.

Infoblox solution:
• Advanced appliance with Advanced DNS Protection (ADP) to protect the DNS appliance from DDoS attacks and related exploits
• ActiveTrust to prevent malware C&C
• Threat Insight to prevent data leakage via DNS

Outcome:
• ADP protects the DNS infrastructure from internal attackers
• ActiveTrust and Threat Insight blocked all malware lookups along with DNS tunneling and data exfiltration

Page 58: Case Study – Large Auto Manufacturer

Background
• Scanners, welders and robots on the factory floor are connected
• Reliability of manufacturing processes is very much dependent on DNS and DHCP functioning efficiently
• Sensitive data runs through three data centers, so security is critical too

Solution
• Infoblox DNS, DHCP
• Advanced DNS Protection
• DNS Firewall
• Network Insight
• Reporting

Page 59: Case Study – Chain for Gourmet Burgers

Challenges:
• The attackers in the high-profile Chipotle breach were targeting restaurants; this chain wanted to prevent a similar attack on its organization
• A security audit conducted by a 3rd party found DNS to be a major vulnerability
• During evaluations of other products, the restaurant was attacked, and the product under evaluation was not stopping the attack

Infoblox solution:
ActiveTrust Cloud Plus to protect up to 5,000 users for the point of sale

Outcome:
ActiveTrust Cloud blocked all malware lookups along with DNS tunneling and data exfiltration

Page 60: Infoblox: Industry Leading DDI Solution (DNS, DHCP, IPAM – IP Address Management)

DDI Market Share Leadership
• 8,900+ customers
• 83 of Fortune 100
• Global sales & support presence
• 73 patents | 18 pending

(Chart: sustained YOY growth ($MM), 2008–2016: 56, 62, 102, 133, 169, 225, 250, 306, 358. Chart: 2015 DDI market share: Infoblox 49.90%, BT Diamond IP…, BlueCat Netw…, Nokia (ALU) -…, Others 9.20%; a callout reads "Market Share 54%".)

"All organizations looking to deploy DDI should consider Infoblox."

Page 61: Free! DNS Security Assessment with Infoblox ATC

Without control it is not a proof of concept!

Page 62: Questionnaire

Set 1: DNS Traffic Assessment Request. Set 2: Opinions on DNS Security.

Page 63: Questions or requests for further information:

Suwatchai Chitphakdeebodin <[email protected]>
Pheerawat Kittivacharaphong <[email protected]>
