What’s Missing In Your Security Stack? (slide deck transcript, c.ymcdn.com)
Slide 4: Another problem? ANOTHER BOX! Keep Stacking…
(Diagram of stacked appliances: Firewall, VPN, Email Gateway, Web Proxy, DLP, Sandbox, Faster Router, New Office, Replacement Box, Failover)
Slide 5: BUT, your users have left the building…
(Same stack: Firewall, VPN, Email Security, Web Security, DLP, Persistent Threats, Faster Router, New Office, Replacement Box, Failover)
Slide 7: Attackers are Targeting the Weakest Links
(Diagram: HQ; branch office / store / clinic; off-network users and suppliers. Example cited: the DarkHotel attack.)
Slide 8: What are the Most Common Blind Spots?
• INTELLIGENCE on where attacks are staged
• VISIBILITY of requests before connections (the lookup xyz.com -> 1.2.3.4 that precedes the connection)
• COVERAGE for off-network Internet traffic
Slide 9: VISIBILITY: Blind to Requests Before Connections
• IP-only intelligence for non-Web connections is prone to error.
• Domain plus IP intelligence for connections over any port & protocol has the best accuracy.
(Diagram: fast flux, where xyz.com resolves in turn to 1.2.3.4, 1.1.1.1, 2.2.2.2 and 3.3.3.3; and 3 sites on 1 host, where xxx.com, yyy.com and zzz.com all resolve to the same IP. In both cases an IP alone does not identify which site a connection is for.)
Slide 10: COVERAGE: Blind to Off-Network Internet Traffic
On network (web traffic, email traffic and all other traffic to the Internet):
• NGFW in-line (and proxy?) blocks by IP or app
• SWG proxy (and in-line?) blocks by URL or content
• Email Security blocks by sender or content
Off network (web traffic, email traffic and all other traffic to the Internet):
• Email Security blocks by sender or content; the NGFW and SWG do not see this traffic
Slide 11: INTELLIGENCE: Blind to Where Attacks Are Staged
RECON STAGE
• Attacker discovers trusted email & website addresses; also probes networks & systems for weaknesses
• Attacker builds or acquires payload as well as builds or shares Internet infrastructure
TARGET / LAUNCH / EXPLOIT / INSTALL
• Attacker sends or spoofs emails, or injects malicious ads or scripts into websites
• Vulnerable software executes code or user is tricked to execute code
• Code infects system, modifies privileges, scans environment then connects to malware drop host
COMPROMISE / CALLBACK / PERSIST
• Attacker gains command and control to receive new instructions, or if target data is acquired, steal it
• Attacker maintains persistence until actions on their objectives are fully achieved
BREACH / PIVOT
(Diagram labels: NGFW, SWG)
Slide 14: First, A Quick Refresher on DNS…
• AUTHORITATIVE DNS: owns and publishes the “phone books”
• DOMAIN REGISTRAR: maps and records names to #s in “phone books”
• RECURSIVE DNS: looks up & remembers the #s for each name
Slide 15: Who Resolves Your DNS Requests?
(Diagram: Enterprise Location A with an internal InfoBlox appliance, Location B with an internal Windows DNS server and Location C with an internal BIND server, each serving as authoritative DNS for intranet domains and recursive DNS for Internet domains; home users, roaming laptops, mobile devices and remote sites resolve through ISP 1, ISP 2, ISP 3, a mobile carrier and unknown ISPs.)
CHALLENGES
• Multiple Internet Service Providers
• Direct-to-Internet Branch Offices
• Users Forget to Always Turn VPN On
• Different DNS Log Formats
Slide 16: Leveraging a Single Global Recursive DNS Service
BENEFITS
• Global Internet Activity Visibility
• Network Security w/o Adding Latency
• Consistent Policy Enforcement
• Internet-Wide Cloud App Visibility
(Diagram: the same enterprise locations, off-network users and ISPs as on the previous slide; the internal InfoBlox, Windows DNS and BIND servers remain authoritative DNS for intranet domains, while recursive DNS for Internet domains from every location and ISP goes to the single global service.)
Slide 18: DNS Precedes Your Existing Security without Added Latency
OpenDNS blocks by domain, as well as IP or URL, ahead of the existing controls, on network and off network, for web traffic, email traffic and all other traffic to the Internet.
On network:
• NGFW in-line (and proxy?) blocks by IP or app
• SWG proxy (and in-line?) blocks by URL or content
• Email Security blocks by sender or content
Off network:
• Email Security blocks by sender or content
Slide 19: DNS Data Produces Rich Threat Intelligence
Recursive DNS request patterns (from any device), used to detect:
• Compromised systems • Command & control callbacks • Malware & phishing attempts • Algorithm-generated domains • Domain co-occurrences • Newly registered domains
Authoritative DNS logs (root, com., domain.com.), used to detect:
• Newly staged infrastructures • Malicious domains, IPs, ASNs • DNS hijacking • Fast flux domains • Related domains
Slide 20: Our Perspective: Diverse Set of Data
• 70B DNS requests per day
• 500 BGP peering partners
• 65M daily active users
• 10K enterprise customers
Slide 21: How Our Security Classification Works
1 Ingest millions of data points per second (diagram: observations such as a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)
2 Apply statistical models and human intelligence
3 Identify probable malicious sites
Slide 22: Works with Your Existing Security Investments
Indicators of compromise come in from threat analysis & intel feeds, threat intel platforms, threat detection systems, and other or custom sources; OpenDNS logs or blocks domains sent from partner or custom systems.
Slide 23: Keep DNS Logs Forever with Amazon S3
BENEFITS
• Triple Redundant & Encrypted Storage
• Pre-Built SIEM/Log Analytic Integrations
• Elastic: Pay Only For The Storage Used
• Trusted by Nasdaq, Netflix, Pinterest, …
(Diagram: logs are tapped every 10 min and delivered over HTTPS to S3.)
Slide 27: Past successful “targets”
Things I learned:
1 Ice Cream companies do NOT spend a lot of money on security
2 Pretty easy to gain access to accounting systems to siphon $$ out
Slide 31: Target Research
Ohhh, Facebook. You never let me down.
“Congrats on the marriage, Jane!” Jane cares about: “Bowman ... currently lives in Ferrisburgh, Vermont with her son CJ.”
Search: Jane, Vermont, Ben & Jerry’s
Slide 33: Setup my Infrastructure
1 Purchase Malware: RAT (Remote Access Trojan) payload
2 Found Domain
3 Use email address to register
Slide 34: Sweet. I am already partially setup.
4 Use my existing web servers
5 Create Webpage
6 Load Malware for download
7 Write Alumni Email
Slide 38: I’m Edward. I am the Security Guy for Ben & Jerry’s. Which might be the awesomest job ever.
Slide 39: PRODUCTS & TECHNOLOGIES (Edward <3 OpenDNS)
• Umbrella (Enforcement): connect with confidence on any device, anywhere, anytime
• Investigate (Intelligence): discover and predict attacks before they happen
Slide 44: You witnessed NLP Rank
• Edit Distance: We determine how statistically different a fraudulent domain is from a legitimate domain
• ASN Telemetry: Different ASNs for closely related domain names
• HTML Script: Different code used on each website
(Diagram: Real site www.michiganstate.edu, MichiganState ASN = 46551; fake site www.michiiganstate.com, CloudFlare ASN = 133877)
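As an added example (not the slides' or OpenDNS's NLP Rank code), a small Python check that applies two of the three signals named on the slide, edit distance to a protected brand name and a differing ASN, and runs it over the look-alike names used in this story. The two ASNs shown on the slide are used as-is; the brand list and every other ASN are constructed placeholders.

```python
# Added example, not OpenDNS's NLP Rank implementation: edit distance to a
# protected brand name plus an ASN mismatch as a corroborating signal.
# Constructed data: ASN 46551 (michiganstate.edu) and 133877 (the fake
# michiiganstate.com) are the values shown on the slide; the brand list and
# the private-use ASNs 64512/64513 are placeholders assumed for illustration.

BRAND_ASNS = {                      # legitimate brand domain -> expected ASN
    "michiganstate.edu": 46551,     # from the slide
    "benandjerrys.com": 64512,      # placeholder ASN
    "haagendazs.com": 64513,        # placeholder ASN
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by the usual row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sld(domain: str) -> str:
    """Label compared across TLDs: 'www.michiiganstate.com' -> 'michiiganstate'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def closest_brand(candidate: str, brands: dict) -> tuple:
    """Return (brand domain, edit distance) for the nearest protected brand."""
    name = sld(candidate)
    best = min(brands, key=lambda d: levenshtein(name, sld(d)))
    return best, levenshtein(name, sld(best))


def assess(candidate: str, candidate_asn: int, brands: dict = BRAND_ASNS,
           max_distance: int = 3) -> dict:
    """A domain a few edits away from a brand (but not the brand itself) is a
    look-alike; hosting on a different ASN than the brand corroborates it."""
    brand, dist = closest_brand(candidate, brands)
    lookalike = 0 < dist <= max_distance
    return {"candidate": candidate, "closest_brand": brand, "edit_distance": dist,
            "lookalike": lookalike,
            "asn_mismatch": lookalike and brands[brand] != candidate_asn}


if __name__ == "__main__":
    for dom, asn in [("www.michiiganstate.com", 133877), ("www.benandjerrrrrys.com", 133877),
                     ("www.haagendazzzzs.us", 133877), ("www.bjerries.com", 133877),
                     ("www.michiganstate.edu", 46551)]:
        print(assess(dom, asn))
```

Note that www.bjerries.com is too far from any brand for the edit-distance signal, which is exactly the case the later slides hand off to IP reputation and registrant-email pivoting.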
Slide 45: If that didn’t catch it...
Remember the attacker used the same web servers from past attacks? The web server IPs were previously blocked, and were likely added into a static threat-intelligence feed. We incorporate data from 30+ threat intelligence feeds, so our IP-reputation algorithm would have seen the new michiiganstate.com mapped to a known bad IP address and blocked it.
Slide 46: If THAT didn’t catch it... Remember the attacker bought a Malware Remote-Access-Trojan (RAT)?
NLP Rank can catch the Command and Control (CnC) domain if it was spoofing a brand-name.
(Diagram: Jane’s laptop, running the RAT, exchanges bad commands with the attacker’s command node at www.benandjerrrrrys.com, a legit-looking domain chosen so the traffic doesn’t look suspicious.)
Slide 47: And IF THAT didn’t catch it... Remember he used an email address registering a domain?
See what other bad domains this email has registered: www.haagendazzzzs.us, www.bjerries.com
Slide 48: The Moral of the Story
Attackers re-use infrastructure.
They leave behind fingerprints.
We use these fingerprints to help us map out the good & bad in the internet.
Make DNS a part of your security stack.