Post on 20-Aug-2018
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2014 Infoblox Inc. All Rights Reserved.
DNS Data ExfiltrationGianluca Silvestri, System Engineer - Exclusive Networks Italy
15/03/2017
2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2014 Infoblox Inc. All Rights Reserved.
Infoblox Solutions
Cloud Network Automation
DDI Cloud Automation & Visibility
Provisioning critical network services for cloud
deployments
External & Internal DNS Security
Threat visibility, protection, and response
Secure DNSCore Network Services
DNS, DHCP, Authoritative IPAM
Integrated DDI for physical and virtual environments
Centralized ManagementPatented GridTM Technology
Reporting and Analytics
3 | © 2013 Infoblox Inc. All Rights Reserved. 3 | © 2013 Infoblox Inc. All Rights Reserved. 3 | © 2014 Infoblox Inc. All Rights Reserved.
Why is DNS an Ideal Target?
DNS is the cornerstone of the Internet used by
every business and government
DNS as a protocol is easy to exploit
DNS Outage = Business Downtime
Traditional protection is
ineffective against evolving threats
4 | © 2013 Infoblox Inc. All Rights Reserved. 4 | © 2013 Infoblox Inc. All Rights Reserved. 4 | © 2014 Infoblox Inc. All Rights Reserved.
SANS Institute – 1st 60 Seconds of Malware Report
© 2008 Infoblox Inc. All Rights
DNS is #1 protocol during 1st 60 Seconds of Malware
“There are no surprises in the top protocols used. Just over 15,000 samples utilized DNS. It makes sense a majority of the samples utilize DNS to locate their [malicious home] network resources. This provides resiliency to their network and allows them to utilize techniques such as fast-flux networks”
5 | © 2013 Infoblox Inc. All Rights Reserved. 5 | © 2013 Infoblox Inc. All Rights Reserved. 5 | © 2014 Infoblox Inc. All Rights Reserved.
Easy to Let in, Touch to Get Out
APT/Malware uses DNS as Control Plane
1. Source: Cisco 2016 Annual Security Report 2. Symantec 2016 Internet Security Threat Report 3. Verizon 2016 Data Breach Investigations Report
• Intruders rely on DNS to infect devices, propagate malware and exfiltrate data• Malware is designed to spread, morph and hide within your IT infrastructure• Longer it takes to discover, the higher the cost of damage
New unique pieces of malware in 20152
Malware C&C is #1 responsible vector for
crimeware3
Of malware uses DNS to carry out campaigns1
91% 431M #1
6 | © 2013 Infoblox Inc. All Rights Reserved. 6 | © 2013 Infoblox Inc. All Rights Reserved. 6 | © 2014 Infoblox Inc. All Rights Reserved.
InternetFirewall
DNS query
Root Server
infoblox.com Server
com Server
Ask com NS
Ask infoblox.com NS
www.infoblox.comA 54.235.223.101
www.infoblox.comA 54.235.223.101
Recursive Resolver
www.infoblox.com
Stub resolver
• DNS needs to pass through Firewalls
• This leaves a big security gap in your defensive strategy
OG2
Slide 6
OG2 Need to ungroup and rotate text, add question text and reformat some text boxes, realign lines and regroup. Olafur Gudmundsson; 06/11/2005
7 | © 2013 Infoblox Inc. All Rights Reserved. 7 | © 2013 Infoblox Inc. All Rights Reserved. 7 | © 2014 Infoblox Inc. All Rights Reserved.
Download malware to the infected host
Infection
DNS server
Transport the data offsite
Exfiltration
Query malicious domains and report to C&C
Penetration
APT/malware uses DNS at every stage
Motion of Malware through Networks: “PIE”
End-User Host
8 | © 2013 Infoblox Inc. All Rights Reserved. 8 | © 2013 Infoblox Inc. All Rights Reserved. 8 | © 2014 Infoblox Inc. All Rights Reserved.
One Byte is Too Much
DNS - Leading Culprit for Data Exfiltration
Source: SC Magazine, Dec 2014, “DNS attacks putting organizations at risk, survey finds”2. Source: SC Magazine, Dec 2014, “DNS attacks putting organizations at risk, survey finds”1. Source: Ponemon Institute, 2015 Cost of Data Breach Study
• DNS tunnels are commonly used to send sensitive information out• Data can also be exfiltrated by embedding it directly in DNS queries
% of survey respondents that experienced DNS data
exfiltration2
% of survey respondents that experienced DNS
tunneling2
Average consolidated cost of a data breach1
$3.8M 46% 45%
9 | © 2013 Infoblox Inc. All Rights Reserved. 9 | © 2013 Infoblox Inc. All Rights Reserved. 9 | © 2014 Infoblox Inc. All Rights Reserved.
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, or web within DNS
• Enables attackers to easily insert malware, pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Examples:
Iodine
OzymanDNS
SplitBrain
DNS2TCP
Exfiltrating Data via DNS Tunneling
Encoded IP in DNS queries
INTERNET
ENTERPRISE
Client-side tunnel program
DNS terminal server
IP traffic
Internet
10 | © 2013 Infoblox Inc. All Rights Reserved. 10 | © 2013 Infoblox Inc. All Rights Reserved. 10 | © 2014 Infoblox Inc. All Rights Reserved.
Using Signatures to Detect Tunneling
Infoblox InternalDNS Security
Tunnelingdetected & dropped
Legitim
ate
Tra
ffic
DN
S T
unnelin
g
Legitim
ate
Tra
ffic
DN
S T
unnelin
g
x x
Firewall
Infoblox Automated Threat Intelligence
Service
INTERNET
ENTERPRISE
• Implemented in Advanced DNS Protection
• Most standard DNS Tunneling toolkits (like Iodine) have well known signatures
• Infoblox Internal DNS Security has 12 different threat protection rules that use these signatures to detect tunneling attempts
• Allows immediate blocking without any thresholds
• As new signatures become available, customers get automatic updates through the threat intelligence service
• OzymanDNS
• SplitBrain
• DNS2TCP
11 | © 2013 Infoblox Inc. All Rights Reserved. 11 | © 2013 Infoblox Inc. All Rights Reserved. 11 | © 2014 Infoblox Inc. All Rights Reserved.
Malware Steals File Containing Sensitive Data
Data Exfiltration over DNS Queries
• Infected endpoint gets access to file containing sensitive data
• It encrypts and converts info into encoded format
• Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data reconstructed at the other end
• Can use spoofed addresses to avoid detection
• Example Malware that uses DNS Tunnels: FrameworkPOS, FeederBot, Moto, Morto, PlugX, Win32.Zbot.chas/Unruy.H, Win32.Mufanom.vha, Win32.AutoTsifiri.n, Win32.Hiloti
INTERNET
ENTERPRISE
NameMarySmith.foo.thief.comMRN100045429886.foo.thief.comDOB10191952.foo.thief.com
NameMarySmith.foo.thief.comMRN100045429886.foo.thief.comDOB10191952.foo.thief.com
Infected endpoint
DNS server
Attacker controller server- thief.com
(C&C)
DataC&C commands
12 | © 2013 Infoblox Inc. All Rights Reserved. 12 | © 2013 Infoblox Inc. All Rights Reserved. 12 | © 2014 Infoblox Inc. All Rights Reserved.
Examples of data exfiltration
100000ff51cf3f640038c742012057c038c742405.notashutin.com8b0211040037508b0a01040005860d0b8400ff51c04f6400ff510d0b8400b8c.notashutin.com42411000008e24863000184c811000003cccccccccccccccccccccccccccccc.notashutin.comb844424065b84742c07c60000000001887c0001000005781b80401388fb1475.notashutin.com388f9057b08e0abd40007c6010000000e52c8000ccccccccccccccccccccccc.notashutin.com65b8474280586f47d2b84442c0580c4752b8c44201b84542411565a6ff05a60.notashutin.com25667c600000ff518f3f64007f8db10c326ce52c0100330ce52c0100ccccccc.notashutin.com8bcd7f64003ccccccccccccccccccccc65b81fd8e8061000008e21701000b8e.notashutin.come59e1e6b4000ccccccccccccccccccccb8444240d3e000700857508e6ef5400.notashutin.com058e83086000cccccccccccccccccccc35b8c5428075b8c742017535ff51ce3.notashutin.com7ZvVDE6L0g3orDetdzmUqIDKVW3CihcDh77gHhzATHLYxPIUtn.y.comkgTfHv3FBSyUs6B8iOqFkQEgS0BbOzTwc2EqBwygJx21YNGIQE.y.com
HkBOcoGWSRDFa43NyrTF3kqWAqGqTsqcypaywDA6Rxqm1OAR6P.y.com NvX8PtEA75yAXnR2KtnoKprJQRhS75CSdTge0dnKPtnsDXk0cN.y.com rTNmolUWfp1yW8AOPIUbdEwkuYuKfCrSOwGme3AWTWFJCbVsvW.y.com NZrhKG2KQNP1Ya2QY6k5xuimLeFE76krZ0jl1XIywoSe6DVGrX.y.com UTuOhSTXdXLl5GTs14WLjradQztKFHnRtSVW6YoixNBg04AzSQ.y.com 6X6YXk0VGD6Ud6vsYsK6iFup7cnqw23LigxMRFmm0zo8w52Vhg.y.com TMDT18cMKREksmXcm1aQdDXXHqE2K1g3LeLiUbnDW8RKrBbxfv.y.com XoBmOzQ6fQghkKQRBDnzBiiY9v1u2KPWokQUjOZerhRXM89dta.y.com
13 | © 2013 Infoblox Inc. All Rights Reserved. 13 | © 2013 Infoblox Inc. All Rights Reserved. 13 | © 2014 Infoblox Inc. All Rights Reserved.
Not Examples of DNS Tunneling
VDCPENDEP001.kdc.capitalone.com KDCPENDEPO02.cof.ds.capitalone.com MDCPENDEP002.dqa.capitalone.com MDCPENDEP002.osd.dev.capitalone.com latency_check.perftest_latency9u16190.n1.netalyzr.icsi.berkeley.edu latency-set.perftest-latency3u16190.n1.netalyzr.icsi.berkeley.edu ir5soq-bn1305.files.1drv.com ir5wew-bn1305.files.1drv.com ir5wew-bn1305.files.1drv.com 0.data.fantlab.ru_-.images_-.editions_-.small_-.112413.6250.ko-146501.url.esoft.com 0.data.fantlab.ru_-.images_-.editions_-.small_-.121387.6250.ko-146501.url.esoft.com 0.data.fantlab.ru_-.images_-.editions_-.small_-.127370.6250.ko-146501.url.esoft.com
14 | © 2013 Infoblox Inc. All Rights Reserved. 14 | © 2013 Infoblox Inc. All Rights Reserved. 14 | © 2014 Infoblox Inc. All Rights Reserved.
EntropyEntropy
•Does the request contain lots of information?
Frequency/SizeFrequency/Size
• It is unusual to send many different requests to the same external domain.
Lexical AnalysisLexical Analysis
•Does it appear to be encoded or encrypted?
n-Gram Analysisn-Gram Analysis
•Does the request contain words in a language?
Proprietary methodsProprietary methods
•False positive mitigation
•Other indicators and factors
How DNS Threat Insight Works
Adds to score Adds to score Adds to score
Subtracts from score Adjusts score
• Looks at payload: hostname.subdomain, TXT records, A, AAAA records• Uses sophisticated and complex Analytics algorithms• Certain attributes add to a threat score, others subtract from it• All attributes are evaluated and weighted• After all attributes are evaluated, a final score will classify a request as exfiltration
or not• If the finding is exfiltration, the destination DNS server is added to a special RPZ
zone in the Infoblox DNS Firewall that contains the block, log, redirect policy
15 | © 2013 Infoblox Inc. All Rights Reserved. 15 | © 2013 Infoblox Inc. All Rights Reserved. 15 | © 2014 Infoblox Inc. All Rights Reserved.
Tools to Exfiltrate Data via DNS&
Infoblox DNS Threat Insight Demonstration
16 | © 2013 Infoblox Inc. All Rights Reserved. 16 | © 2013 Infoblox Inc. All Rights Reserved. 16 | © 2014 Infoblox Inc. All Rights Reserved.
DNS Data Exfiltration PortalYou receive on invitation email from your Infoblox Channel Partner to use
WARNING – YOU WILL BE MOVING DATA OUT THE NETWORK!!!
17 | © 2013 Infoblox Inc. All Rights Reserved. 17 | © 2013 Infoblox Inc. All Rights Reserved. 17 | © 2014 Infoblox Inc. All Rights Reserved.
Data Exfiltration Demo PortalThere are three tools that you can use to exfiltrate data via DNS queries
Example: DNS text Decoder toolSimply hex encodes your text and formats it into DNS query commands for you to cut and paste in shell/command prompt
18 | © 2013 Infoblox Inc. All Rights Reserved. 18 | © 2013 Infoblox Inc. All Rights Reserved. 18 | © 2014 Infoblox Inc. All Rights Reserved.
Data Exfiltration Demo Portal – Hexify Tool
https to portal to download file byclicking on View the file
19 | © 2013 Infoblox Inc. All Rights Reserved. 19 | © 2013 Infoblox Inc. All Rights Reserved. 19 | © 2014 Infoblox Inc. All Rights Reserved.
Internet
Recursive Layer
ExternalRecursion
InternetFirewall
Virtual Infoblox DNS Server(VMware)
DNS Packet Query Flow
VPN to Test Lab Environment
VPN Server
dex.infoblox.com
Turn Threat InsightDNS Analytics ON/OFF
Data Exfiltration Demo
20 | © 2013 Infoblox Inc. All Rights Reserved. 20 | © 2013 Infoblox Inc. All Rights Reserved. 20 | © 2014 Infoblox Inc. All Rights Reserved.
What should be your course of action?
“Something is better than nothing”“Addressing priorities does not mean striving for perfection, but rather ensuring, at least, that critical exposures are remediated.”*
*Gartner 2016”
21 | © 2013 Infoblox Inc. All Rights Reserved. 21 | © 2013 Infoblox Inc. All Rights Reserved. 21 | © 2014 Infoblox Inc. All Rights Reserved.
Security in Layers
NGFW
IPS/IDS
DLP
APT
NGEP
“Advanced targeted attacks are easily bypassing traditional firewalls and signature-based prevention mechanisms. All organizations should now assume that they are in a state of continuous compromise.”*
*Neil MacDonald and Peter Firstbrook Designing an Adaptive Security Architecture for Protection From Advanced Attacks(Gartner)
22 | © 2013 Infoblox Inc. All Rights Reserved. 22 | © 2013 Infoblox Inc. All Rights Reserved. 22 | © 2014 Infoblox Inc. All Rights Reserved.
DNS Security SolutionCommon Concerns:
• Avoid Outages/Downtime
• Reputation and Brand Protection against breach
• Compliance – HIPPA, PCI, other
App OfferingsSalesforce.comOffice 365Workday – HRSAP
Internal users query internal DNS which queries Internet servers directly
Risks• Port 53 may be wide open or limited to
only select DNS servers• No inspection/enforcement of data loss
through port 53 using typical DNS platforms (Microsoft, BIND)
• Limited capability to prevent establishing communication with known malware
23 | © 2013 Infoblox Inc. All Rights Reserved. 23 | © 2013 Infoblox Inc. All Rights Reserved. 23 | © 2014 Infoblox Inc. All Rights Reserved.
App OfferingsSalesforce.comOffice 365Workday – HRSAP
• Port 53 filtered to allow only select internal systems to forward to Secure DNS Proxy
• Internal queries all handled inside the protected areas of the network
• Client identification of possible infected/compromised systems possible
• Local enforcement of port 53 protection policies possible
• Port 53 filtered to allow only the Secure DNS proxy to request external resolution
• Ideal choke point for behavior and signature-based port 53 protection
• Last opportunity for reputation-based port 53 protection
Port
80/4
43
We
b T
raffic
Port
s ??
Em
ail/
Oth
ers
Internal DNS Security Deployment
Internal users query internal DNS which forwards to a secure cache proxy
Secure DNS Proxy
24 | © 2013 Infoblox Inc. All Rights Reserved. 24 | © 2013 Infoblox Inc. All Rights Reserved. 24 | © 2014 Infoblox Inc. All Rights Reserved.
Infoblox Secure DNS
Protect Your DNS
Infrastructure
Detect & Find Infected Devices
Prevent Data Exfiltration
25 | © 2013 Infoblox Inc. All Rights Reserved. 25 | © 2013 Infoblox Inc. All Rights Reserved. 25 | © 2014 Infoblox Inc. All Rights Reserved.
26 | © 2013 Infoblox Inc. All Rights Reserved. 26 | © 2013 Infoblox Inc. All Rights Reserved. 26 | © 2014 Infoblox Inc. All Rights Reserved.
Q&A or
Thank you