Transcript of Introduction to Threat Containment, Malware & DNS

1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2017 Infoblox Inc. All Rights Reserved.

Introduction to Threat Containment, Malware & DNS
Bret Pleines | PreSales Sr. Systems Engineer

2 | © 2013 Infoblox Inc. All Rights Reserved. 2 | © 2017 Infoblox Inc. All Rights Reserved.

A very quick review of DNS

There are 3 categories

of DNS

• Internal

• External

• Recursive

3 | © 2013 Infoblox Inc. All Rights Reserved. 3 | © 2017 Infoblox Inc. All Rights Reserved.

Iterative Resolution

4 | © 2013 Infoblox Inc. All Rights Reserved. 4 | © 2017 Infoblox Inc. All Rights Reserved.

DNS Root Servers

5 | © 2013 Infoblox Inc. All Rights Reserved. 5 | © 2017 Infoblox Inc. All Rights Reserved.

Teasers

What happens when someone tries to visit a known bad DNS

domain?

e.g. www.baddomain.com

What happens if data is appended to

a DNS Query?

e.g., 222113333.bret.com
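The first teaser is answered by a recursive resolver that consults a Response Policy Zone (RPZ, one of the feed formats named later in the deck) before it recurses. The following is an added illustration, not code from the deck or from Infoblox: a small model of RPZ QNAME-trigger matching using the standard RPZ rdata encodings. Only www.baddomain.com comes from the slide; every other name, the policy zone and the upstream answer table are constructed for the example.

```python
"""RPZ-style policy lookup as a recursive resolver applies it (added illustration).

Standard RPZ encodings for QNAME triggers:
  CNAME "."             -> answer NXDOMAIN
  CNAME "*."            -> answer NODATA (name exists, no records)
  CNAME "rpz-passthru." -> exempt from policy, resolve normally
  CNAME <other name>    -> redirect to that name (walled garden / sinkhole)
"""

# Constructed policy zone: trigger owner name -> CNAME rdata, as the records
# would appear in an RPZ zone file. Only www.baddomain.com is from the deck.
CONSTRUCTED_RPZ_ZONE = {
    "www.baddomain.com": ".",                  # NXDOMAIN the known bad host
    "*.baddomain.com": ".",                    # ... and every name beneath the domain
    "allowed.baddomain.com": "rpz-passthru.",  # explicit exception inside the wildcard
    "tracker.example.net": "*.",               # NODATA: name resolves to nothing
    "phish.example.org": "sinkhole.example.internal.",  # walled-garden redirect
}


def rpz_action(qname, zone=CONSTRUCTED_RPZ_ZONE):
    """Return (action, target, trigger) for a query name.

    action  : "NXDOMAIN", "NODATA", "CNAME" or "PASSTHRU"
    target  : redirect name for CNAME actions, else None
    trigger : the zone record that fired, or None when no policy matched
    """
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    # The exact owner name wins over wildcards; then try wildcards from the most
    # specific parent outwards (*.www.baddomain.com before *.baddomain.com).
    # A wildcard never covers its own apex, so baddomain.com itself is untouched.
    candidates = [name] + ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        rdata = zone.get(cand)
        if rdata is None:
            continue
        if rdata == ".":
            return ("NXDOMAIN", None, cand)
        if rdata == "*.":
            return ("NODATA", None, cand)
        if rdata == "rpz-passthru.":
            return ("PASSTHRU", None, cand)
        return ("CNAME", rdata, cand)
    return ("PASSTHRU", None, None)


def resolve(qname, zone=CONSTRUCTED_RPZ_ZONE, upstream=None):
    """Simulate the resolver: policy is applied first, recursion only when allowed.

    `upstream` stands in for real iterative resolution (constructed answer table).
    """
    upstream = upstream or {"www.example.com": "203.0.113.10"}
    action, target, trigger = rpz_action(qname, zone)
    if action == "NXDOMAIN":
        return {"rcode": "NXDOMAIN", "answer": None, "policy": trigger}
    if action in ("NODATA", "CNAME"):
        return {"rcode": "NOERROR", "answer": target, "policy": trigger}
    answer = upstream.get(qname.rstrip(".").lower())
    return {"rcode": "NOERROR" if answer else "NXDOMAIN", "answer": answer, "policy": trigger}


if __name__ == "__main__":
    for q in ("www.baddomain.com.", "cdn.www.baddomain.com", "allowed.baddomain.com",
              "phish.example.org", "www.example.com"):
        print(q, "->", resolve(q))
```

The policy hit (`policy`) is the part worth logging: the trigger that fired plus the requesting client is exactly the "client ID'd" triage data the later slides describe.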

6 | © 2013 Infoblox Inc. All Rights Reserved. 6 | © 2017 Infoblox Inc. All Rights Reserved.

Back in 1982, ET captured our imagination

7 | © 2013 Infoblox Inc. All Rights Reserved. 7 | © 2017 Infoblox Inc. All Rights Reserved.

Malware Uses DNS

8 | © 2013 Infoblox Inc. All Rights Reserved. 8 | © 2017 Infoblox Inc. All Rights Reserved.

Cyber Kill Chain

9 | © 2013 Infoblox Inc. All Rights Reserved. 9 | © 2017 Infoblox Inc. All Rights Reserved.

Dwell Time & Lateral Movement

Our History

10 | © 2013 Infoblox Inc. All Rights Reserved. 10 | © 2017 Infoblox Inc. All Rights Reserved.

What’s needed

Threat Intelligence Security EcosystemRapid Triage

Ineffective threat intelligence

• Multiple unconsolidated sources of

threat intelligence leading to:

• Inefficient use of acquired

threat intelligence often tied to

a single device vendor

• Lack of visibility into the gaps

in acquired intelligence

• Inability to share gathered

intelligence across internal and

external sources

Inability to accelerate

incident handling and

response

• Lack of automation

between islands of security

infrastructure

• No knowledge of threat

context

• Lack of visibility into the

malware control channel

that leverages DNS – DNS

as a Blind Spot

Lack of automation

• Inability to gain context of

threat context of

questionable activities

related to inbound or

outbound DNS

communications

• Inability to investigate

quickly and to understand

the nature of the threat

being dealt with

• Research and context

gathering requires multiple

tools leading to slow

response

11 | © 2013 Infoblox Inc. All Rights Reserved. 11 | © 2017 Infoblox Inc. All Rights Reserved.

Why do you need a commercial DNS Solution?

12 | © 2013 Infoblox Inc. All Rights Reserved. 12 | © 2017 Infoblox Inc. All Rights Reserved.

Multipronged Approach to Threat Detection

Patented streaming

analytics technology

Detect & prevent data

exfiltration

”Machine learning”

Detect & prevent

communications to

malware, C2, ransomware

Government-grade threat

intelligence

Ecosystem

Infrastructure protection

for critical core services

Carrier-grade deep packet

inspection

Instant identification of

popular tunneling tools

SignatureReputation Behavior

13 | © 2013 Infoblox Inc. All Rights Reserved. 13 | © 2017 Infoblox Inc. All Rights Reserved.

Reputational Threat Intelligence & Sharing

Our History

14 | © 2013 Infoblox Inc. All Rights Reserved. 14 | © 2017 Infoblox Inc. All Rights Reserved.

Where does your Threat Intelligence come

from?

Our History

15 | © 2013 Infoblox Inc. All Rights Reserved. 15 | © 2017 Infoblox Inc. All Rights Reserved.

Operationalize

Threat Intelligence

Data

Timely, Consolidated & High Quality Threat Intelligence

Easily Deploy

Threat Intelligence

Data to Mitigate

Threats

Easily Acquire,

Aggregate and

Distribute Threat

Intelligence Data

Out-of-the-box Integration

of native threat intelligence with

DDI for policy enforcement

Distribution of threat intelligence

to existing security infrastructure

to prevent future attacks

Verified and curated threat

intelligence with <.01% historic

rate of false positives

16 | © 2013 Infoblox Inc. All Rights Reserved. 16 | © 2017 Infoblox Inc. All Rights Reserved.

Rapid Triage

& Client ID’d

17 | © 2013 Infoblox Inc. All Rights Reserved. 17 | © 2017 Infoblox Inc. All Rights Reserved.

CustomerStory

• Large Pharma Customer

• ActiveTrust (on-premises)(LOG ONLY)

• Slow Reaction to Cryptolocker

• Cryptolocker spread to EMC Storage

• All EMC Storage had to be restored

from Backup

• Outage

• Loss of Data

• Very long Restore Process

18 | © 2013 Infoblox Inc. All Rights Reserved. 18 | © 2017 Infoblox Inc. All Rights Reserved.

DHCP

The DNS, DHCP and IPAM Data Gold Mine

A DHCP assignment signals

the insertion of a device on to

the network

• Includes context: Device info,

MAC, lease history

• DHCP is an audit trail of

devices on the network

Device Audit Trail

and Fingerprinting

Fixed IP addresses are typically

assigned to high value devices:

• Data center servers, network

devices, etc.

• IPAM provides “metadata” via

Extended Attributes: Owner,

app, security level, location,

ticket number

• Context for accurate risk

assessment and event

prioritization

Application and

Business Context

DNS query data provides a

“client-centric” record of

activity

• Includes internal activity

inside the security perimeter

• Includes BYOD and IoT

devices

• This provides an excellent

basis to profile device & user

activity

Activity Audit Trail

IPAM DNS

19 | © 2013 Infoblox Inc. All Rights Reserved. 19 | © 2017 Infoblox Inc. All Rights Reserved.

Gain Insights with Reporting and AnalyticsUnlock the Value of Core Network Services Data

• Harness rich network data to gain actionable insights

• Visibility into infected endpoints with contextual info(can include DHCP fingerprinting info –

username, MAC address, device type, lease history etc.)

Ensure Compliance

with Historical

Visibility

Identify Security Risks

and Impacted Devices at

Present Time

Plan Future

Requirements with

Predictive Reports

Integrated Data

Collection Engine

Historical

Tracking of DDI

Cost Effective

Deployment

Pre-built Reports

and Customization

Unique Algorithm and

Predictive Reports

20 | © 2013 Infoblox Inc. All Rights Reserved. 20 | © 2017 Infoblox Inc. All Rights Reserved.

Home Dashboard

Our History

21 | © 2013 Infoblox Inc. All Rights Reserved. 21 | © 2017 Infoblox Inc. All Rights Reserved.

Dashboards, Alerts & Reports

Our History

22 | © 2013 Infoblox Inc. All Rights Reserved. 22 | © 2017 Infoblox Inc. All Rights Reserved.

DHCP – Fingerprinting & Lease History

Our History

23 | © 2013 Infoblox Inc. All Rights Reserved. 23 | © 2017 Infoblox Inc. All Rights Reserved.

“What’s on my Network?”

Source: https://www.sans.org/critical-

security-controls

You cannot protect or defend what you cannot see…

CSC #1 – “Actively manage

(inventory, track, and correct) all

devices on the network so that only

authorized devices are given

access, and unauthorized and

unmanaged devices are found and

prevented from gaining “access.”

CSC 1

24 | © 2013 Infoblox Inc. All Rights Reserved. 24 | © 2017 Infoblox Inc. All Rights Reserved.

Network Discovery – Authoritative IPAM for Any PlatformThe Foundation of a Secured, Controlled Network

Any Platform

• IPs, MACs, & Hostnames

• Subnets & VLANs

• Device and End Host Attributes

• When and Where Attached

• User Context

• Topology Views

• Network in-sync with IPAM

• Remediate Rogue & Compromised

End Hosts

• Capacity Management

• Asset Management

• Security Compliance Enforcement

PublicOn-Prem

Private

Cloud

Virtual

NetworksSDNWirelessWired

Public

Hybrid

Secure DNS Network Services(DDI)

Network Automation

25 | © 2013 Infoblox Inc. All Rights Reserved. 25 | © 2017 Infoblox Inc. All Rights Reserved.

Discovered Data Integrated in IPAM

Device Data

IP address

MAC address

Last discovered time

stamp

First discovered time

stamp

NetBIOS name

OS

Device type, model, &

vendor

Device name

Device description

Discovered name

(DNS name)

Port Data

Port vLAN name

Port vLAN

description

Port vLAN number

Port speed

Port duplex

Port admin status

Port operation status

Interface Type

vLAN(s)

Port Model

Media

Vendor

Network Component

Data

Network component IP

Network component port

number

Network component port

name

Network component port

description

VMware ESX

Data

ID

Description

Name

Data Center

Entity Name

Host

Host Adapter

Cluster

Entity Type

Virtual Switch

26 | © 2013 Infoblox Inc. All Rights Reserved. 26 | © 2017 Infoblox Inc. All Rights Reserved.

Be Part of a Cybersecurity Ecosystem

27 | © 2013 Infoblox Inc. All Rights Reserved. 27 | © 2017 Infoblox Inc. All Rights Reserved.

Deliver Value to Customers

• See attacks, infections and

data exfiltration attempts in

the network

• Identify unmanaged

networks and devices

• Pinpoint infected devices or

potential rogue employees

that try to steal data

• Protect against DNS attacks,

APTs / malware, data

exfiltration

• Secure platform

• Automated Threat

Intelligence Feed

• Active Blocking of data

exfiltration attempts and

scaling protection to all parts

of the network

• Disrupt APT kill chain,

pinpoint infected devices

and associated users

• Work with industry

standard ecosystems for

data sharing and

centralized mitigation

VISIBILITY PROTECTION RESPONSE

• Operational efficiency

• Speed / save time

• Cost savings

• Employee productivity

• Customer satisfaction

• Revenue protection

• Brand protection

BUSINESS IMPACT

28 | © 2013 Infoblox Inc. All Rights Reserved. 28 | © 2017 Infoblox Inc. All Rights Reserved.

Reduced Dwell Time & Lateral Movement

Our History

29 | © 2013 Infoblox Inc. All Rights Reserved. 29 | © 2017 Infoblox Inc. All Rights Reserved.

Leverage Threat Intel Across Entire Security Infrastructure

Infoblox

SURBL

Marketplace

Custom TI

Single-source of TI management Faster triage Threat prioritizationRESULT:

C&C IP List

Spambot IPs

C&C & Malware Host/Domain

CSV File

JSON

STIX

RBL Zone File

RPZ

Phishing & Malware URLs

WWW

DNS

SIEM

TIDEDefine Data

Policy,

Governance &

Translation

DossierInvestigate

Threats
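The "translation" step on this slide, turning a consolidated indicator feed into something a DNS server can enforce, is the part that usually needs code. The following is an added example, not TIDE or any Infoblox code: it reads a constructed CSV indicator feed (the column layout, names and addresses are all made up for the example), normalises each indicator, and emits RPZ records, including the less obvious response-IP trigger encoding for address indicators. It also shows why indicator type matters: URL indicators cannot be enforced at the DNS layer and are skipped rather than silently mangled.

```python
"""Translate an indicator feed into RPZ zone records (added illustration, not TIDE code)."""
import csv
import io
import ipaddress

# Constructed feed: type,indicator,action. Documentation/example names only.
CONSTRUCTED_FEED_CSV = """\
type,indicator,action
domain,c2.example.net,nxdomain
domain,C2.EXAMPLE.NET,nxdomain
host,malware-dl.example.org,walled
ip,192.0.2.77,nxdomain
ip,198.51.100.0/24,nxdomain
domain,not a domain,nxdomain
url,http://phish.example.com/login,walled
"""

WALLED_GARDEN = "blockpage.example.internal."  # constructed redirect target


def rpz_ip_trigger(cidr):
    """Encode an IPv4 address/prefix as an RPZ response-IP trigger owner name.

    198.51.100.0/24 -> 24.0.100.51.198.rpz-ip  (prefix length, then reversed octets)
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("IPv6 triggers use a different encoding; not handled here")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def rdata_for(action):
    """Map a feed action to the standard RPZ CNAME rdata."""
    return {"nxdomain": ".", "nodata": "*.", "walled": WALLED_GARDEN,
            "passthru": "rpz-passthru."}[action]


def feed_to_rpz_records(feed_csv):
    """Return (sorted unique (owner, rdata) tuples, number of rows skipped)."""
    records, skipped = set(), 0
    for row in csv.DictReader(io.StringIO(feed_csv)):
        try:
            kind = row["type"].strip().lower()
            value = row["indicator"].strip()
            rdata = rdata_for(row["action"].strip().lower())
            if kind in ("domain", "host"):
                name = value.lower().rstrip(".")
                if not name or " " in name or "." not in name:
                    raise ValueError("not a hostname")
                records.add((name, rdata))
                if kind == "domain":           # a domain indicator covers its subdomains
                    records.add(("*." + name, rdata))
            elif kind == "ip":
                records.add((rpz_ip_trigger(value), rdata))
            else:                              # e.g. URLs: enforce on a proxy, not in DNS
                raise ValueError(f"unsupported indicator type {kind!r}")
        except (ValueError, KeyError, AttributeError):
            skipped += 1
    return sorted(records), skipped


def render_zone(records, zone="rpz.example.internal", serial=1):
    """Render a loadable zone file (constructed zone name and SOA values)."""
    lines = [f"$ORIGIN {zone}.", "$TTL 300",
             f"@ SOA localhost. admin.{zone}. {serial} 3600 900 604800 300",
             "@ NS localhost."]
    lines += [f"{owner} CNAME {rdata}" for owner, rdata in records]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs, bad = feed_to_rpz_records(CONSTRUCTED_FEED_CSV)
    print(render_zone(recs))
    print(f"skipped {bad} unusable rows")
```

Bumping the SOA serial on every regeneration is what lets downstream resolvers pick up the new policy through ordinary zone transfer, which is the "distribution" half of the slide.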

30 | © 2013 Infoblox Inc. All Rights Reserved. 30 | © 2017 Infoblox Inc. All Rights Reserved.

Have a Research Tool to get more information

Our History

31 | © 2013 Infoblox Inc. All Rights Reserved. 31 | © 2017 Infoblox Inc. All Rights Reserved.

Tunnel Tool Record Types Used Resources to learn more

DNS2TCP KEY, TXThttp://www.aldeid.com/wi

ki/Dns2tcp

DNScat-P A, CNAMEhttp://tadek.pietraszek.or

g/projects/DNScat/

Iodine Protocol v5.00 NULLhttp://code.kryo.se/iodine

/

Iodine Protocol v5.02A, CNAME, MX, NULL,

SRV, TXT

http://code.kryo.se/iodine

/

OzymanDNS A, TXThttp://dankaminsky.com/

2004/07/29/51/

SplitBrain A, TXT

http://www.splitbrain.org/

blog/2008-11/02-

dns_tunneling_made_si

mple

TCP-Over-DNS CNAME, TXT

http://www.sans.org/read

ing-

room/whitepapers/dns/d

etecting-dns-tunneling-

34152

YourFreedom NULL http://your-freedom.net/

DNS Tunnels

& Signatures

32 | © 2013 Infoblox Inc. All Rights Reserved. 32 | © 2017 Infoblox Inc. All Rights Reserved.

Data Exfiltration over DNS - Behavioral
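The signature table on the previous slide and the behavioral slide above are two halves of one detector. Added example (not code from the deck or from Infoblox): a small scorer that runs over query-log lines and combines the signature signal (query types the listed tunnel tools rely on) with behavioral signals (many unique, long or high-entropy labels under one domain, which is what "data appended to a DNS query" such as 222113333.bret.com looks like at volume). The log lines, client addresses and encoded-looking labels are constructed; bret.com is the deck's own example name. The registered-domain logic is a deliberate simplification, noted in the code.

```python
"""Score DNS query logs for tunneling and exfiltration signals (added illustration)."""
import math
from collections import defaultdict

# Constructed log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
# The hex/base64-looking first labels were fabricated to resemble encoded chunks.
CONSTRUCTED_LOG = """\
1500000000 10.1.1.20 www.example.com A
1500000001 10.1.1.20 mail.example.com MX
1500000002 10.1.1.44 222113333.bret.com A
1500000003 10.1.1.44 4a6f686e20536d6974682c20.bret.com A
1500000004 10.1.1.44 2c204163636f756e74204e6f.bret.com A
1500000005 10.1.1.44 2e20313233343536373839.bret.com A
1500000006 10.1.1.44 5468652073616c6172792e.bret.com A
1500000007 10.1.1.44 0a4e657874206c696e6520.bret.com A
1500000008 10.1.1.44 6f662074686520736f7572.bret.com A
1500000009 10.1.1.44 636520636f64652e2e2e20.bret.com A
1500000010 10.1.1.44 aGVsbG8gd29ybGQgdGhpcyBpcw.tun.example.net NULL
1500000011 10.1.1.44 dGVzdGluZyBpb2RpbmUgdG.tun.example.net NULL
1500000012 10.1.1.20 www.example.com A
"""

# Record types from the tunnel-tool table (signature signal).
TUNNEL_QTYPES = {"NULL", "TXT", "KEY", "CNAME", "MX", "SRV"}


def shannon_entropy(text):
    """Bits per character: encoded payloads score high, real hostnames low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(labels):
    # Simplification for the example: last two labels. Production code would use
    # the public suffix list so that names like example.co.uk group correctly.
    return ".".join(labels[-2:])


def parse_line(line):
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname.rstrip(".").lower(), qtype.upper()


def analyze(log_text, min_unique=5, max_label_len=20, entropy_threshold=3.0,
            min_tunnel_queries=2):
    """Aggregate per registered domain and attach the flags that fired."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "subdomains": set(),
                                 "long_labels": 0, "high_entropy": 0, "tunnel_qtypes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname, qtype = rec
        labels = qname.split(".")
        s = stats[registered_domain(labels)]
        s["queries"] += 1
        s["clients"].add(client)
        if qtype in TUNNEL_QTYPES:
            s["tunnel_qtypes"] += 1
        prefix = labels[:-2]                      # everything left of the registered domain
        if prefix:
            s["subdomains"].add(".".join(prefix))  # unique names = volumetric signal
            first = prefix[0]                      # the label a tool stuffs data into
            if len(first) > max_label_len:
                s["long_labels"] += 1
            if shannon_entropy(first) > entropy_threshold:
                s["high_entropy"] += 1
    report = {}
    for domain, s in stats.items():
        flags = []
        if len(s["subdomains"]) >= min_unique:
            flags.append("volumetric")
        if s["long_labels"]:
            flags.append("long-labels")
        if s["high_entropy"]:
            flags.append("high-entropy")
        if s["tunnel_qtypes"] >= min_tunnel_queries:
            flags.append("tunnel-qtype")
        report[domain] = {"queries": s["queries"], "clients": sorted(s["clients"]),
                          "unique_subdomains": len(s["subdomains"]),
                          "long_labels": s["long_labels"], "high_entropy": s["high_entropy"],
                          "tunnel_qtypes": s["tunnel_qtypes"], "flags": flags}
    return report


def suspicious_domains(log_text, **kw):
    """Domains with at least one flag, most flags first, then by name."""
    rep = analyze(log_text, **kw)
    return sorted((d for d, r in rep.items() if r["flags"]),
                  key=lambda d: (-len(rep[d]["flags"]), d))


if __name__ == "__main__":
    for d in suspicious_domains(CONSTRUCTED_LOG):
        print(d, analyze(CONSTRUCTED_LOG)[d])
```

The thresholds are starting points, not constants: CDN and anti-spam lookups also produce many unique, high-entropy labels under one domain, so the `clients` list is included in the report precisely so an analyst can tell one chatty host from a fleet-wide pattern, which is the triage question the later slides are about.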

33 | © 2013 Infoblox Inc. All Rights Reserved. 33 | © 2017 Infoblox Inc. All Rights Reserved.

ProspectStory

• Medium Financial Prospect

• Company writes proprietary software

• One employee was leaving and thought

he’d take the software with him

• Used DNS to leak the software but

was running out of time and had to

speed up the process

• Volumetric alerts exposed the crime

• FBI took over

34 | © 2013 Infoblox Inc. All Rights Reserved. 34 | © 2017 Infoblox Inc. All Rights Reserved.

Solution: Threat Containment, Malware & DNSEase Security Operations with Better Context, Automation and Consolidated Threat Intel

Threat Intelligence

Optimization

Security

EcosystemRapid Triage

• Enforce policy using timely, consolidated & high quality threat intelligence

• Improve incident response with consolidate threat intelligence from multiple sources

• Eliminate silos and accelerate remediation by centralizing threat intelligence

• Maximizes the ROI of the intelligence

acquired by enabling broader

deployment of intelligence

• Enables internal and external sharing of

intelligence to enable better

coordination of defense strategies

• Automatically share DNS IoCs with security ecosystem for more efficient incident response

• Share network context and actionable intelligence (IP address, DHCP fingerprint, lease history etc.) to help assess risk and prioritize alerts

• Adds value to their existing security

infrastructure and tools investment

• Provides context to enable automated

actions for faster response and

remediation

• Provides visibility into the DNS Security

blind spot for other security platforms

• Investigate threats faster to free up security personnel

• Timely access to context for threat indicators

• Improve incident response time

• Improves the efficiency of scarce

security operations staff

• Reduced time to remediation

35 | © 2013 Infoblox Inc. All Rights Reserved. 35 | © 2017 Infoblox Inc. All Rights Reserved.

Malware uses DNS

Secure Your DNS today! Don’t wait!

36 | © 2013 Infoblox Inc. All Rights Reserved. 36 | © 2017 Infoblox Inc. All Rights Reserved.

Try ItFree Trial

• Solution Trials

• ActiveTrust Cloud Plus evaluation

• Engage with Infoblox to find out if we

already integrate with one or more of

your existing security tools

• Follow up with the sales teams for

deep dive on Infoblox products

37 | © 2013 Infoblox Inc. All Rights Reserved. 37 | © 2017 Infoblox Inc. All Rights Reserved.

CustomerStory

• Large Pharma Customer

• 2 R&D Employees paid by competitor in

China to plug in Thumb drives

• Told nobody would ever notice

• Data exfiltrated over DNS queries for

6 months until caught by accident.

• DNS Query Logging & DHCP Lease

History• Loss of Data (estimated at Millions)

• Actual Data loss unknown (no logging)

• Company Reputation took a Hit

38 | © 2013 Infoblox Inc. All Rights Reserved. 38 | © 2017 Infoblox Inc. All Rights Reserved.

Thank you!