1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2017 Infoblox Inc. All Rights Reserved.
Introduction to Threat Containment, Malware & DNS
John Leible | Account Manager
A very quick review of DNS
There are 3 categories of DNS:
• Internal
• External
• Recursive
Iterative Resolution
DNS Root Servers
Teasers
What happens when someone tries to visit a known bad DNS domain?
e.g. www.baddomain.com
What happens if data is appended to a DNS query?
e.g., 222113333.bret.com
Back in 1982, ET captured our imagination
Malware Uses DNS
Cyber Kill Chain
Dwell Time & Lateral Movement
What’s needed
Threat Intelligence | Security Ecosystem | Rapid Triage
Threat Intelligence – Ineffective threat intelligence
• Multiple unconsolidated sources of threat intelligence leading to:
  • Inefficient use of acquired threat intelligence, often tied to a single device vendor
  • Lack of visibility into the gaps in acquired intelligence
  • Inability to share gathered intelligence across internal and external sources
Security Ecosystem – Inability to accelerate incident handling and response
• Lack of automation between islands of security infrastructure
• No knowledge of threat context
• Lack of visibility into the malware control channel that leverages DNS – DNS as a blind spot
Rapid Triage – Lack of automation
• Inability to gain threat context of questionable activities related to inbound or outbound DNS communications
• Inability to investigate quickly and to understand the nature of the threat being dealt with
• Research and context gathering requires multiple tools, leading to slow response
Why do you need a commercial DNS Solution?
Multipronged Approach to Threat Detection
Signature
• Infrastructure protection for critical core services
• Carrier-grade deep packet inspection
• Instant identification of popular tunneling tools
Reputation
• Detect & prevent communications to malware, C2, ransomware
• Government-grade threat intelligence
• Ecosystem
Behavior
• Patented streaming analytics technology
• Detect & prevent data exfiltration
• “Machine learning”
Reputational Threat Intelligence & Sharing
Where does your Threat Intelligence come from?
Timely, Consolidated & High Quality Threat Intelligence
• Easily Acquire, Aggregate and Distribute Threat Intelligence Data
• Operationalize Threat Intelligence Data
• Easily Deploy Threat Intelligence Data to Mitigate Threats
• Out-of-the-box integration of native threat intelligence with DDI for policy enforcement
• Distribution of threat intelligence to existing security infrastructure to prevent future attacks
• Verified and curated threat intelligence with <.01% historic rate of false positives
Rapid Triage & Client ID’d
Customer Story
• Large Pharma Customer
• ActiveTrust (on-premises) (LOG ONLY)
• Slow Reaction to Cryptolocker
• Cryptolocker spread to EMC Storage
• All EMC Storage had to be restored from Backup
• Outage
• Loss of Data
• Very long Restore Process
The DNS, DHCP and IPAM Data Gold Mine
DHCP – Device Audit Trail and Fingerprinting
A DHCP assignment signals the insertion of a device on to the network
• Includes context: device info, MAC, lease history
• DHCP is an audit trail of devices on the network
IPAM – Application and Business Context
Fixed IP addresses are typically assigned to high value devices:
• Data center servers, network devices, etc.
• IPAM provides “metadata” via Extended Attributes: owner, app, security level, location, ticket number
• Context for accurate risk assessment and event prioritization
DNS – Activity Audit Trail
DNS query data provides a “client-centric” record of activity
• Includes internal activity inside the security perimeter
• Includes BYOD and IoT devices
• This provides an excellent basis to profile device & user activity
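As an added example (not Infoblox's code and not part of the deck), the DHCP-to-alert join this slide describes, in Python: given an alert's client IP and timestamp, find the lease that was active at that moment, take the MAC, hostname and DHCP fingerprint from it, and fall back to IPAM extended attributes when the address is a fixed one. The lease records, the IPAM attributes, the alert format and the priority rule are constructed here; the leases deliberately hand the same IP to two different devices over the day, which is why the lookup must key on the alert time and not on the IP alone.

```python
"""Added example, not Infoblox's code: turn a DNS alert (client IP + time) into
a device record by joining it with DHCP lease history and IPAM extended
attributes. The constructed leases hand the same IP to two different MACs, so
the lookup keys on the alert timestamp, not the IP alone."""
from datetime import datetime, timezone

# Constructed DHCP lease history. Intervals are [start, end) in UTC.
LEASE_HISTORY = [
    {"ip": "10.1.2.7", "mac": "aa:bb:cc:00:00:01", "host": "lab-ws-01",
     "fingerprint": "Windows 10",
     "start": "2017-03-01T08:00:00Z", "end": "2017-03-01T20:00:00Z"},
    {"ip": "10.1.2.7", "mac": "aa:bb:cc:00:00:02", "host": "byod-phone",
     "fingerprint": "Android",
     "start": "2017-03-01T20:05:00Z", "end": "2017-03-02T08:05:00Z"},
    {"ip": "10.1.2.3", "mac": "aa:bb:cc:00:00:03", "host": "hr-laptop",
     "fingerprint": "macOS",
     "start": "2017-03-01T07:30:00Z", "end": "2017-03-02T07:30:00Z"},
]

# Constructed IPAM extended attributes for fixed (non-DHCP) addresses.
IPAM_FIXED = {
    "10.1.2.250": {"owner": "storage-team", "app": "NAS", "security_level": "high"},
}


def parse_ts(s):
    """ISO-8601 'YYYY-MM-DDTHH:MM:SSZ' -> timezone-aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lease_at(ip, when, history=LEASE_HISTORY):
    """The lease that held `ip` at time `when`, or None (unleased, or a gap
    between two leases)."""
    t = parse_ts(when)
    for lease in history:
        if lease["ip"] == ip and parse_ts(lease["start"]) <= t < parse_ts(lease["end"]):
            return lease
    return None


def attribute_alert(alert, history=LEASE_HISTORY, fixed=IPAM_FIXED):
    """alert = {"ip", "ts", "indicator"} -> triage record with device context.
    DHCP lease history is consulted first, IPAM fixed-address metadata second;
    an alert matching neither is returned as unattributed rather than guessed."""
    rec = {"indicator": alert["indicator"], "ip": alert["ip"], "ts": alert["ts"],
           "source": "none", "priority": "normal"}
    lease = lease_at(alert["ip"], alert["ts"], history)
    if lease is not None:
        rec.update(source="dhcp", mac=lease["mac"], host=lease["host"],
                   fingerprint=lease["fingerprint"])
    elif alert["ip"] in fixed:
        meta = fixed[alert["ip"]]
        rec.update(source="ipam", owner=meta["owner"], app=meta["app"])
        if meta.get("security_level") == "high":
            rec["priority"] = "high"  # fixed, high-value asset: triage it first
    return rec


if __name__ == "__main__":
    # Constructed alerts: same IP before and after the lease changed hands,
    # then a fixed address known only to IPAM.
    for a in ({"ip": "10.1.2.7", "ts": "2017-03-01T10:00:00Z", "indicator": "bret.com tunnel"},
              {"ip": "10.1.2.7", "ts": "2017-03-01T21:00:00Z", "indicator": "bret.com tunnel"},
              {"ip": "10.1.2.250", "ts": "2017-03-01T21:00:00Z", "indicator": "www.baddomain.com"}):
        print(attribute_alert(a))
```

The half-open interval and the "none" outcome are the two details worth keeping when this is done against real lease data: an alert that falls in the gap between a release and the next assignment, or on an IP with no lease and no IPAM record, should surface as unattributed so an analyst does not chase the wrong device.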
Gain Insights with Reporting and Analytics
Unlock the Value of Core Network Services Data
• Harness rich network data to gain actionable insights
• Visibility into infected endpoints with contextual info (can include DHCP fingerprinting info – username, MAC address, device type, lease history etc.)
• Ensure Compliance with Historical Visibility
• Identify Security Risks and Impacted Devices at Present Time
• Plan Future Requirements with Predictive Reports
• Integrated Data Collection Engine
• Historical Tracking of DDI
• Cost Effective Deployment
• Pre-built Reports and Customization
• Unique Algorithm and Predictive Reports
Home Dashboard
Dashboards, Alerts & Reports
DHCP – Fingerprinting & Lease History
“What’s on my Network?”
You cannot protect or defend what you cannot see…
CSC #1 – “Actively manage (inventory, track, and correct) all devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”
Source: https://www.sans.org/critical-security-controls
Network Discovery – Authoritative IPAM for Any Platform
The Foundation of a Secured, Controlled Network
• IPs, MACs, & Hostnames
• Subnets & VLANs
• Device and End Host Attributes
• When and Where Attached
• User Context
• Topology Views
• Network in-sync with IPAM
• Remediate Rogue & Compromised End Hosts
• Capacity Management
• Asset Management
• Security Compliance Enforcement
Any Platform: On-Prem, Public Cloud, Private Cloud, Hybrid, Virtual Networks, SDN, Wireless, Wired
Secure DNS Network Services (DDI)
Network Automation
Discovered Data Integrated in IPAM
Device Data
• IP address
• MAC address
• Last discovered time stamp
• First discovered time stamp
• NetBIOS name
• OS
• Device type, model, & vendor
• Device name
• Device description
• Discovered name (DNS name)
Port Data
• Port vLAN name
• Port vLAN description
• Port vLAN number
• Port speed
• Port duplex
• Port admin status
• Port operation status
• Interface Type
• vLAN(s)
• Port Model
• Media
• Vendor
Network Component Data
• Network component IP
• Network component port number
• Network component port name
• Network component port description
VMware ESX Data
• ID
• Description
• Name
• Data Center
• Entity Name
• Host
• Host Adapter
• Cluster
• Entity Type
• Virtual Switch
Be Part of a Cybersecurity Ecosystem
Deliver Value to Customers
VISIBILITY | PROTECTION | RESPONSE
• See attacks, infections and data exfiltration attempts in the network
• Identify unmanaged networks and devices
• Pinpoint infected devices or potential rogue employees that try to steal data
• Protect against DNS attacks, APTs / malware, data exfiltration
• Secure platform
• Automated Threat Intelligence Feed
• Active Blocking of data exfiltration attempts and scaling protection to all parts of the network
• Disrupt APT kill chain, pinpoint infected devices and associated users
• Work with industry standard ecosystems for data sharing and centralized mitigation
BUSINESS IMPACT
• Operational efficiency
• Speed / save time
• Cost savings
• Employee productivity
• Customer satisfaction
• Revenue protection
• Brand protection
Reduced Dwell Time & Lateral Movement
Leverage Threat Intel Across Entire Security Infrastructure
Threat intel sources: Infoblox, SURBL, Marketplace, Custom TI
Threat data: C&C IP List, Spambot IPs, C&C & Malware Host/Domain, Phishing & Malware URLs
Formats: CSV File, JSON, STIX, RBL Zone File, RPZ
Distributed to: WWW, DNS, SIEM
TIDE – Define Data Policy, Governance & Translation
Dossier – Investigate Threats
RESULT: Single-source of TI management, Faster triage, Threat prioritization
Have a Research Tool to get more information
DNS Tunnels & Signatures
Tunnel Tool | Record Types Used | Resources to learn more
DNS2TCP | KEY, TXT | http://www.aldeid.com/wiki/Dns2tcp
DNScat-P | A, CNAME | http://tadek.pietraszek.org/projects/DNScat/
Iodine Protocol v5.00 | NULL | http://code.kryo.se/iodine/
Iodine Protocol v5.02 | A, CNAME, MX, NULL, SRV, TXT | http://code.kryo.se/iodine/
OzymanDNS | A, TXT | http://dankaminsky.com/2004/07/29/51/
SplitBrain | A, TXT | http://www.splitbrain.org/blog/2008-11/02-dns_tunneling_made_simple
TCP-Over-DNS | CNAME, TXT | http://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
YourFreedom | NULL | http://your-freedom.net/
Data Exfiltration over DNS - Behavioral
Prospect Story
• Medium Financial Prospect
• Company writes proprietary software
• One employee was leaving and thought he’d take the software with him
• Used DNS to leak the software but was running out of time and had to speed up the process
• Volumetric alerts exposed the crime
• FBI took over
Solution: Threat Containment, Malware & DNS
Ease Security Operations with Better Context, Automation and Consolidated Threat Intel
Threat Intelligence Optimization
• Enforce policy using timely, consolidated & high quality threat intelligence
• Improve incident response with consolidated threat intelligence from multiple sources
• Eliminate silos and accelerate remediation by centralizing threat intelligence
• Maximizes the ROI of the intelligence acquired by enabling broader deployment of intelligence
• Enables internal and external sharing of intelligence to enable better coordination of defense strategies
Security Ecosystem
• Automatically share DNS IoCs with security ecosystem for more efficient incident response
• Share network context and actionable intelligence (IP address, DHCP fingerprint, lease history etc.) to help assess risk and prioritize alerts
• Adds value to their existing security infrastructure and tools investment
• Provides context to enable automated actions for faster response and remediation
• Provides visibility into the DNS Security blind spot for other security platforms
Rapid Triage
• Investigate threats faster to free up security personnel
• Timely access to context for threat indicators
• Improve incident response time
• Improves the efficiency of scarce security operations staff
• Reduced time to remediation
Malware uses DNS
Secure Your DNS today! Don’t wait!
Try It – Free Trial
• Solution Trials
• ActiveTrust Cloud Plus evaluation
• Engage with Infoblox to find out if we already integrate with one or more of your existing security tools
• Follow up with the sales teams for deep dive on Infoblox products
Customer Story
• Large Pharma Customer
• 2 R&D Employees paid by competitor in China to plug in Thumb drives
• Told nobody would ever notice
• Data exfiltrated over DNS queries for 6 months until caught by accident.
• DNS Query Logging & DHCP Lease History
• Loss of Data (estimated at Millions)
• Actual Data loss unknown (no logging)
• Company Reputation took a Hit
Thank you!