Post on 23-May-2018
transcript
1 | © 2015 Infoblox Inc. All Rights Reserved.
Protecting DNS for greater security and lower risk
Gianluca Silvestri, System Engineer, Exclusive Networks Italy
3 | © 2015 Infoblox Inc. All Rights Reserved.
Infoblox Overview and Business Update
($MM)
Founded in 1999
Headquartered in Santa Clara, CA,with global operations in 25 countries
Market leadership
• DDI Market Leader (Gartner)
• 50% DDI Market Share (IDC)
7,900+ customers85,000+ systems shipped to 100 countries
53 patents, 30 pending
IPO April 2012: NYSE BLOX
Leader in technologyfor network control
Total Revenue (Fiscal Year Ending July 31)
$35,0
$56,0 $61,7
$102,2
$132,8
$169,2
$225.0
$250,3
$0
$50
$100
$150
$200
$250
$300
FY2007 FY2008 FY2009 FY2010 FY2011 FY2012 FY2013 FY2014
Slide 4
DDI
DNS – Domain Name System
DHCP – Dynamic Host Configuration Protocol
IPAM – IP Address Management
Slide 5
Current Customer Network Landscape
(diagram) Control plane: END POINTS, VIRTUAL MACHINES, PRIVATE CLOUD, APPLICATIONS
Automation: QIP, MICROSOFT DHCP, MICROSOFT DNS, VMWARE DNS, UNIX BIND; SCRIPTS, COMMAND LINE
Infrastructure: FIREWALLS, SWITCHES, ROUTERS, HYPERVISORS, LOAD BALANCERS
Complexity, Risk & Cost vs. Agility, Flexibility
Slide 7
Infrastructure Security With Infoblox
(diagram) Historical / Real-time Reporting & Control
Automation: END POINTS, VIRTUAL MACHINES, PRIVATE CLOUD, APPLICATIONS
Control plane: Infoblox Grid(TM) with Real-time Network Database
Infrastructure: FIREWALLS, SWITCHES, ROUTERS, HYPERVISORS, LOAD BALANCERS
Slide 10
What About Today?
4 – 7 IPs are consumed by every employee at work
SDN
37% of companies are managing > 50,000 IPs
Slide 12
The Use Case for Commercial Grade IPAM
What are the challenges of Legacy “IPAM”?
• How do you detect changes?
• What’s the impact of an outage?
• How do you automate?
• Virtual and cloud networks?
  – Mobility and IP device growth
  – IPv6 and DNSSEC
  – Data center virtualization
• How do you handle audits?
  – No centralized reporting
  – No historical trending
  – No effective audit prep
Slide 15
IPAM Discovery Information
Detailed view of what’s using that IP
Discovers virtual and physical devices
Search by any field on one or more criteria
Save criteria information to a Smart Folder
• Create custom smart folder of networks and other attributes
• Results updated automatically with any network changes
Slide 17
What is DHCP?
• What is it?
  – Dynamic Host Configuration Protocol
  – Dynamically provides IP addresses to devices
• What is it equivalent to?
  – Borrowing a book from a library
  – Or renting a car…
• Who and what needs it?
  – Laptops & desktops
  – Virtual servers (and sometimes physical)
  – Non-shared devices (mobile)
  – Any LAN or WAN device/server
• Performance measured in “leases per second”
Slide 18
Infoblox Offers Device Fingerprinting
Detect, secure, enforce policy
• Visibility to BYOD device types
• Enforce connectivity by device type
• Enforce corporate device use policy
• Block selected OS’s
• Focused DHCP reporting
• Lease history w/ DHCP fingerprint data
• Number of device operating systems
• Device OS trend
Slide 20
What is DNS?
• What is it?
  – Domain Name System
  – Connects devices to the Internet
• What is it equivalent to?
  – Phone book for the Internet
• What is an example?
  – google.com
  – infoblox.com → 205.234.19.21
• Who and what needs it?
  – Web browsing
  – Microsoft Active Directory
  – Everything!
• Performance measured in “queries per second”
Slide 21
DNS Use Case – Centralization and OPEX
Infoblox GUI/Wizard or BIND CLI (Command Line Interface)

// Filename: /etc/named.conf
options {
    directory "/etc/domain";
};
//----------------------------------------------------------------------
zone "." {
    type hint;
    file "named.root";      // This file should be picked up from
};                          // ftp://ftp.rs.internic.net/domain/named.root
zone "localhost" {
    type master;
    file "localhost";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "127.0.0";
};
zone "company.xy" {         // The file "company.xy" should reside in
    type master;            // the /etc/domain/ directory, and you
    file "company.xy";      // have to create it yourself.
};
Slide 24
DNS is Now the #2 Attack Vector Protocol
Source: Arbor Networks
DNS: 8.94%
67% of all known attack vectors were DNS based
46% of large companies have experienced a DNS attack
76% of those reported a DDoS attack on DNS servers
Slide 25
Why is DNS an Ideal Target?
DNS is the cornerstone of the Internet
DNS traffic has been increasing by 95% annually since 2012!
DNS protocol is easy to exploit.
DNS has been around for over 30 years!
DNS Outage = Business Down Time
Traditional protection is ineffective against evolving DNS threats
Companies are at risk of sensitive data loss!
Slide 27
APTs: The New Threat Landscape
• Malicious traffic is visible on 100% of corporate networks [1]
• Every 1 minute, a bot communicates with its command and control center [2]
• Malicious attacks can take an average of 256 days to identify [3]
• Average total cost of data breach is $3.8 million, intangible loss higher [3]
• APTs rely on DNS at various stages of the cyber kill chain to infect devices, propagate malware, and exfiltrate data
Sources: 1. Cisco 2014 Annual Security Report; 2. Check Point 2015 Security Report; 3. The Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis
Slide 28
Malware/APT Trends
• 100% of companies are calling malicious malware hosts*
• Point solutions fail because malware is sophisticated:
  – Multiprotocol
  – Multiple connections
  – “Encrypted,” which means deep-packet inspection is ineffective
* Source: Cisco 2014 Annual Security Report
Slide 29
DNS Tunneling
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, TCP, or web within DNS
• Enables attackers to easily pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Impact:
• Data exfiltration or malware insertion can happen through the tunnel
(diagram) A client-side tunnel program inside the ENTERPRISE sends encoded IP in DNS queries across the INTERNET to a DNS terminal server, which relays the IP traffic onward to the Internet
Slide 30
Malware Examples
CryptoLocker
• Targets Windows-based computers in form of email attachment
• Upon infection, encrypts files on local hard drive and mapped network drives
• If ransom isn’t paid, encryption key deleted and data irretrievable
Gameover Zeus (GOZ)
• 500,000 – 1M infections globally and 100s of millions of dollars stolen
• Uses P2P communication to control infected devices or botnet
• Takes control of private online transactions and diverts funds to criminal accounts
Slide 31
Data Exfiltration over DNS Queries
Malware Steals File Containing Sensitive Data
• Infected endpoint gets access to file containing sensitive data
• It encrypts and converts info into encoded format
• Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data reconstructed at the other end
• Can use spoofed addresses to avoid detection
(diagram) The infected endpoint in the ENTERPRISE sends queries such as NameMarySmith.foo.thief.com, MRN100045429886.foo.thief.com and DOB10191952.foo.thief.com through the internal DNS server to the attacker-controlled server thief.com (C&C) on the INTERNET; data flows out and C&C commands flow back
Slide 33
Infoblox Security Approach
Visibility
See attacks, infections, and data-exfiltration attempts in the network
Protection
Protect infrastructure and data from attacks and malicious agents
Response
Enable rapid response by providing contextual information on infections
Slide 34
The Solution: Infoblox Internal DNS Security
• Deep inspection of DNS traffic to drop attacks and block data exfiltration through DNS tunneling
• Adaptive APT/malware protection to stop propagation of malware and prevent infected devices from stealing data
• Automated threat intelligence feed to provide ongoing protection against new attacks, APTs, and malware
• Comprehensive DNS security without the need for endpoint agents
• Hardware accelerated DNS DDoS mitigation maintains system integrity under attack
Slide 35
Internal DNS Security
(diagram) Infoblox Internal DNS Security sits inside the ENTERPRISE behind the Firewall and receives updates for DNS attacks and malicious domains from the Infoblox Automated Threat Intelligence Service on the INTERNET. A legitimate query to Good.com is answered; queries from the Attacker to Badsite1.com, Badsite2.com and Badsite3.com are blocked (malware site blocked); DNS DDoS attacks are detected and dropped; exfiltration queries from the Thief such as SSN:123456789.foo.thief.com and DOB-01012001.foo.thief.com are detected and dropped
Slide 36
Protection Against APTs/Malware
An infected device brought into the office. Malware spreads to other devices on network.
1. Malware makes a DNS query to find “home” (botnet / C&C). DNS Firewall looks at the DNS response and takes admin-defined action (disallows communication to malware site or redirects traffic to a landing page or “walled garden” site).
2. Pinpoint. Infoblox Reporting lists DNS Firewall action as well as the:
  • Device IP address
  • Device MAC address
  • Device type (DHCP fingerprint)
  • Device host name
  • Device lease history
3. An update will occur every 2 hours (or more often for significant threat).
4. Additional threat intelligence from sources outside Infoblox can also be used by DNS Firewall (e.g. FireEye)
5. (diagram labels) Malware/APT; Infoblox Internal DNS Security; FireEye detonates and detects APT-based malware; Malicious Domains; Infoblox threat update device: IPs, domains, etc. of bad servers; Blocked communication attempt sent to Syslog; Malware/APT spreads within network, calls home; INTERNET / INTRANET
Slide 37
Types of APT/Malware Blocked
Fast flux – Rapid changing of domains and IP addresses by malicious domains to obfuscate ID and location
DGA – Malware that randomly generates domains to connect to malicious networks or botnets
APT – Malware designed to spread, morph, and hide within IT infrastructure to perpetrate long-term attack
Geo-Based – Can block access to geos with many malicious domains or that have economic sanctions by governance
Slide 38
Protection Against Data Exfiltration via DNS Tunnel
• Focuses on large size requests and responses
• Detects too-many, too-large requests in a given timeframe
• Drops beyond these thresholds
• Signatures are used to detect well known tunneling tools
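An added example, not Infoblox code and not from the deck, of the threshold logic this slide describes, applied to the chunked hostname queries from the data-exfiltration slide: it flags individual oversized requests and clients that issue too many distinct subdomains of one base domain within a time window. The log format, the thresholds and the base_domain() heuristic are assumptions, and the query log is constructed.

```python
from collections import defaultdict

# Constructed sample DNS query log: (time_s, client_ip, qname, qtype).
SAMPLE_LOG = [
    (0, "10.0.0.5", "www.good.com", "A"),
    (1, "10.0.0.5", "mail.good.com", "MX"),
    (2, "10.0.0.9", "NameMarySmith.foo.thief.com", "A"),
    (3, "10.0.0.9", "MRN100045429886.foo.thief.com", "A"),
    (4, "10.0.0.9", "DOB10191952.foo.thief.com", "A"),
    (5, "10.0.0.9", "SSN123456789.foo.thief.com", "TXT"),
    (6, "10.0.0.9", "4a6f686e446f65313233343536373839.foo.thief.com", "TXT"),
    (40, "10.0.0.7", "cdn.good.com", "A"),
]

# Assumed thresholds; tune them against a baseline of normal traffic.
MAX_QNAME_LEN = 40      # a single request longer than this is "too large"
MAX_LABEL_LEN = 20      # one label this long is rarely a human-chosen hostname
WINDOW_S = 30           # the "given timeframe" for the rate rule
MAX_PER_WINDOW = 4      # distinct subdomains per client and base domain

def base_domain(qname):
    """Approximate the registered domain as the last two labels (assumption; no public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def is_oversized(qname):
    """Rule 1: the request itself is too large (long name or long label)."""
    labels = qname.split(".")
    return len(qname) > MAX_QNAME_LEN or max(map(len, labels)) > MAX_LABEL_LEN

def detect(log):
    """Return sorted (rule, client_ip, detail) alerts for a list of log tuples."""
    alerts = set()
    for _, client, qname, _ in log:
        if is_oversized(qname):
            alerts.add(("oversized_query", client, qname))
    # Rule 2: too many distinct subdomains of one base domain from one client within
    # WINDOW_S seconds (chunked exfiltration, tunnels and DGAs all look like this).
    recent = defaultdict(list)          # (client, base domain) -> [(time, qname)]
    for t, client, qname, _ in sorted(log):
        key = (client, base_domain(qname))
        recent[key] = [(t0, q) for t0, q in recent[key] if t - t0 <= WINDOW_S]
        recent[key].append((t, qname))
        if len({q for _, q in recent[key]}) > MAX_PER_WINDOW:
            alerts.add(("burst_to_domain", client, key[1]))
    return sorted(alerts)

if __name__ == "__main__":
    for rule, client, detail in detect(SAMPLE_LOG):
        print(f"{rule:16} {client:10} {detail}")
```

On the sample log only client 10.0.0.9 trips both rules; the two good.com clients stay under every threshold, which is the point of tuning them against normal traffic first.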
Slide 39
Intelligence Needed to Take Action
Contextual Reporting
• Attack details by category, member, rule, severity, and time
• Drill-down analytics and visualization of entire network
• List of top infected clients with associated user names (enabled by Microsoft AD integration)
• CISO/Executive report with top APT/malware threats
Slide 40
Infoblox Complements Other Solutions
(table: Solution / Focus / How Infoblox complements each solution)
Next-generation firewall
Focus: Perimeter protection from network and application threats; usually allows DNS traffic
• DNS threat intelligence feed offers defense-in-depth protection against APT/malware-based communications to C&C servers
• Because of its unique position in the network, can more easily identify and protect against advanced DNS evasion techniques like Fast Flux and DGAs
IDS/IPS
Focus: Anomaly detection and heuristics to detect and block malware
• Identifies and protects against advanced DNS evasion techniques like Fast Flux and DGAs
• Detects attacks disguised within encrypted communications
• Identifies infected endpoints based on user ID, IP address, MAC address
Web proxy/gateway
Focus: Filtering of unwanted software and malware from internal user-initiated web/Internet traffic
• Detects malware within multiple types of traffic, not just Web
• Identifies and protects against advanced DNS evasion techniques like Fast Flux and DGAs
• Identifies infected endpoints based on user ID, IP address, MAC address and other unique identifiers
Anti-malware
Focus: Protecting the endpoint against viruses, worms and other malware by means of signatures
• Provides defense-in-depth by stopping a broad set of malware
• Provides easy coverage for endpoints that can’t or don’t have endpoint agents installed
• Identifies infected endpoints based on user ID, IP address, MAC address
Slide 41
Key Benefits of Infoblox DNS Firewall
• Proactive detection and mitigation of APT/malware threats
• FireEye integration for DNS level APT disruption
• Help prevent data exfiltration
• Pinpointing infected devices
• Threat severity and impact data
• Contextual reporting, alerts, and incident notification
• Automated threat-update service
• No downtime/patching
• Scalable protection
PROACTIVE INSIGHTFUL ADAPTABLE
Slide 43
Send Us Your PCAP Files
• Infoblox analyzes and provides insights on malicious activity in seconds
• Report on findings to take back to management
Slide 44
Malware Assessment Program
Purpose of the program
• The purpose of the Malware Assessment Program (MAP) is to inform your customers, prospective and existing, of the malware present within their environment, by providing them with a detailed report on their infrastructure.
• This report will show the queries directed through their DNS servers to known dangerous sites or addresses, and will show the customer how to protect against malware by complementing their current security infrastructure with Infoblox DNS Firewall™.
• Infoblox will provide the information needed to make your customers, prospective and existing, aware of the risks within their environments; the aim is to have them perform a packet capture (PCAP) so that we can identify the malicious traffic within their environment.
Slide 45
Malware Assessment Program
How to perform a packet capture (PCAP)
• A packet capture helps us identify malware communication over DNS with known malicious locations.
• To capture the traffic, the internal DNS server in your customer's environment must be identified. The customer should then be asked to perform a 15-20 minute packet capture of the inbound and outbound traffic on the DNS server. If the customer is able to, ask that the capture be filtered to DNS-based traffic only.
• You can save and upload the packet capture to the Infoblox online storage folder at the following link: https://infoblox.box.com/s/q8r0a37jgq5is6rcw6kpiffe26hp1hbi
Slide 46
Malware Assessment Program
What we offer in return
• Infoblox will take the packet capture and replay it against our RPZ feed to find the traffic details of malware that is attempting to contact known dangerous sites by IP address or DNS name.
• We will generate a customised report that identifies the type of malware associated with each malicious query and classifies its threat level. This report can be passed on to your customer to determine the next steps.
Slide 47
Malware Assessment Program
What's in it for you?
• You will become the trusted, competent point of reference for all of your customers who have this kind of problem.
• You will increase your sales opportunities against your customers' security budget.
• A $250 gift card for every approved PCAP!!!
• The request must be submitted via Partner Central and approved by Infoblox. The customer's details are entered in the request form. Contact your sales representative for any further information.