ACTIONABLE (CORE) NETWORK INTELLIGENCE - Axians · 2016-11-18
Slide 1
Paul de Haan
Systems Engineer at Infoblox
Marco Berkhout
Consultant Core Network Services at Axians
ACTIONABLE (CORE) NETWORK INTELLIGENCE
Slide 2
ACTIONABLE NETWORK INTELLIGENCE
• What, When, Where, Who, How, Why
• A Single Source of Truth for network data
• Visibility across Public, Private & Cloud networks
• Rapid Security Incident Response
• Shared intelligence across Ecosystem
• Automated/API Access
Infoblox data fields shown on the slide: Hostname, IP Address, MAC Address, Username, Switch Name, Switch Port, VLAN/VRF, VHost, VSwitch, Cloud, Device Type
Slide 3
WHAT WE PROVIDE – COMPLETELY CONNECTED, DYNAMIC NETWORKS
Integrated Database, 360 Degree View of IP Data
Advanced Reporting
Network Task Automation
Diagram: data sources are Infoblox DNS/DHCP, Microsoft DNS/DHCP, Virtual Discovery, and Layer 2 and Layer 3 Discovery of the network (Switch/Routers, IP Endpoints)
Slide 4
INFOBLOX SECURITY STRATEGY
Security Integration & Active Ecosystem
• Our unique position in the network creates a rich data source to be shared with customer security systems and architectures
• Infoblox Grid data provides business context that security systems lack and badly need
DNS Security
• DNS is a unique threat vector that deserves a dedicated solution
• Infoblox is best positioned to plug this increasingly critical gap
Actionable (Core)Network Intelligence │ 17.11.2016 ● INN STYLE ● MAARSSEN
Slide 5
INFOBLOX DATA AND ITS RELEVANCE TO SECURITY
Security Relevant Data and Context Using Network Infrastructure (DNS, DHCP, IPAM)
DNS is the first step in almost every activity, good or bad.
DNS query data provides a “client-centric” record of activity
• Includes internal activity inside the security perimeter
• Includes BYOD and IoT devices
• This provides an excellent basis to profile device & user activity
A DHCP assignment signals the insertion of a device on to the network
• Includes context: Device info, MAC, lease history
• DHCP is an audit trail of devices on the network
Fixed IP addresses are typically assigned to important devices:
• Data center servers, network devices, etc.
• IPAM provides “metadata” (additional business context) via EAs: Owner, app, security level, location, ticket number
• And the business importance of the asset determines level of risk!
Slide 6
OUR SECURITY ECOSYSTEM – WHERE INFOBLOX FITS
Diagram: ecosystem components shown include IPS/Sandboxing and Firewall
Slide 7
DNS SECURITY CHALLENGES
Defending against DNS DDoS attacks
Stopping APTs/malware from using DNS
Preventing data exfiltration via DNS
Slide 8
GOAL #1: ONLY VALID TRAFFIC IS FORWARDED OVER PORT 53
Traffic that passes all the analysis steps is forwarded
Diagram: queries from a DNS Client (Good.com) and from a Threat both pass through Reputation, Signature and Behavior analysis; only traffic that clears every step is forwarded
Slide 9
TARGETING DNS
“Attack To”: Attacks primarily focused on disruption of services by exhausting resources, targeting protocol/platform weaknesses
“Attack Through”: Attacks that leverage ubiquitous access of DNS as a pipeline in & out of the network for data exfiltration, tunneling and malware propagation
Infoblox defends against BOTH categories!
Slide 10
DATA EXFILTRATION OVER DNS QUERIES
• Infected endpoint gets access to file containing sensitive data
• Converts information into encoded format
• Text broken into chunks and sent via well-formed DNS queries
• Exfiltrated data reconstructed at the other end
Diagram (ENTERPRISE to INTERNET): Infected endpoint, DNS server, Attacker-controlled server (thief.com, C&C); data flows out and C&C commands flow back
Simplified/unencrypted example of data exfiltration via host/subdomain:
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
MarySmith.foo.thief.com
SSN-543112197.foo.thief.com
DOB-04-10-1999.foo.thief.com
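The chunked-subdomain pattern above can be detected from ordinary query logs, and the DHCP/IPAM context from the earlier slide turns an IP address into a hostname and user. The following Python is an added example, not from the deck or from Infoblox: it groups constructed DNS query log lines per client and registered domain, flags pairs with many long, distinct subdomain prefixes, and enriches each alert with a constructed IPAM lookup. The log format, the IPAM table, the two-label registered-domain rule and the thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed sample DNS query log (not from the deck): "<client_ip> <qname> <qtype>" per line
SAMPLE_LOG = """\
10.1.2.15 www.example.com A
10.1.2.15 NameMarySmith.foo.thief.com A
10.1.2.15 MRN100045429886.foo.thief.com A
10.1.2.15 DOB10191952.foo.thief.com A
10.1.2.15 SSN-543112197.foo.thief.com A
10.1.2.40 mail.example.com MX
10.1.2.40 www.example.com A
"""

# Constructed DHCP/IPAM context (assumption): client IP -> (hostname, user)
IPAM = {"10.1.2.15": ("lt-0042", "msmith"), "10.1.2.40": ("mailgw-1", "svc-mail")}

def split_qname(qname):
    """Return (subdomain_prefix, registered_domain). Assumes the registered
    domain is the last two labels; real code should use a public-suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_exfil_candidates(log_text, ipam, min_unique=3, min_avg_prefix=10):
    """Group queries per (client, registered domain) and flag pairs whose distinct
    subdomain prefixes are both numerous and long: legitimate hosts reuse a few
    short names, while data carried in query names yields many long unique ones.
    Each alert is enriched with the DHCP/IPAM hostname and user for the client."""
    prefixes = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines
        prefix, domain = split_qname(parts[1])
        if prefix:
            prefixes[(parts[0], domain)].add(prefix)
    alerts = []
    for (client, domain), seen in prefixes.items():
        total = sum(len(p) for p in seen)
        avg = total / len(seen)
        if len(seen) >= min_unique and avg >= min_avg_prefix:
            hostname, user = ipam.get(client, ("unknown", "unknown"))
            alerts.append({"client": client, "hostname": hostname, "user": user,
                           "domain": domain, "unique_subdomains": len(seen),
                           "avg_prefix_len": round(avg, 1), "bytes_in_prefixes": total})
    return alerts

if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOG, IPAM):
        print(alert)
```

On the sample log only the thief.com traffic from 10.1.2.15 is flagged; the example.com lookups from both clients stay below the thresholds.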
Slide 11
DEMONSTRATIONS
Slide 12
DNS AS SECURITY DETECTION / PREVENTION
Malware (botnets, crypto software) uses DNS to exchange data.
DNS is open to the Internet.
Use of TXT records.
Blocking malware via DNS close to the source: the internal DNS server.
Logging malicious behaviour to SIEM solutions.
Insight into the origin of a malicious DNS query, including the user.
Slide 13
DNS AS A DATA LEAK
Using DNS to leak DATA
Via internal DNS and/or proxy
Not seen by the IPS because it looks like external behaviour
Slide 15
THANK YOU FOR YOUR ATTENTION