1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2017 Infoblox Inc. All Rights Reserved.
Marcus Jäger – Senior Systems Engineer CEUR, January 2018 [ mjaeger@infoblox.com / +49151-14058781 ]
DNS – A Security Hole?!
AGENDA
1. Infoblox in general
2. DNS – A Security Hole?!
3. Infoblox DNS Security
4. Live Demo
Infoblox At a Glance
Cloud Network Automation: DDI cloud automation & visibility, provisioning critical network services for hybrid- and multi-cloud deployments
External & Internal DNS Security: threat visibility, protection, and response
Secure DNS / Core Network Services: DNS, DHCP, authoritative IPAM; integrated DDI for physical and virtual environments
Centralized Management / Patented Grid™ Technology: reporting and analytics
DNS, DHCP and IPAM (DDI) are at the foundation: the control plane of all IP communication
... DNS security is the “vaccination” for your infrastructure
DNS is critical networking infrastructure
Secure DNS is essential in the network!
Unprotected, DNS increases risk to critical infrastructure and data
#1 protocol for volumetric reflection/amplification attacks
DNS protocol is easy to exploit and attacks are prevalent
Traditional security is ineffective against evolving threats
The Infoblox Advantage – Patented Grid Technology: visibility & control of core network services
Collection of highly available HW and SW appliances
Coordinated in real time through the Grid Master
Distributed, semantic real-time database
Secured communication via SSL VPN
Real-time IPAM & discovery
Automatic failover and DR
Very efficient update process
Powerful API & RBAC
Visibility across physical & virtual networks
99.999% service availability
Visibility into public cloud workloads
RESTful API (in-/out-bound) for IT ecosystem integration
Agentless management of Microsoft DNS & DHCP with full AD integration
Virtualization & cloud integration / automation: cloud orchestration integration with VMware, OpenStack, Hyper-V, AWS
All centrally managed as ONE system
Grid diagram: HQ Grid Master (HA pair); Grid Master Candidate at the recovery site; Grid Members for DNS / DHCP, in virtual environments, for external DNS and at branch offices; Edge Network / Remote Office DHCP; Microsoft DNS, DHCP; Integrated Advanced Reporting Engine (Reporting Server); Network Insight for network discovery of all layer-2 & layer-3 devices and end-hosts
DNS – A Security Hole?!
The battlefield of cyberattacks: https://www.security-insider.de/das-schlachtfeld-der-cyberattacken-v-37759-13274/
Example of data infiltration from 5 March 2017
"It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. ...the DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C&C infrastructure."
https://www.infoblox.com/threat-center/
1 year ago...
Mirai Botnet: Consists of compromised "Internet of Things" (IoT) devices
APTs: The New Threat
• Infected traffic is visible in 100% of all corporate networks¹
• Every minute a host opens an infected website²
• The question is not IF but WHEN your network is attacked. How fast and effectively can you react?
• APTs rely 100% on DNS. At various stages of the “Cyber Kill Chain”, devices are infected, malware is spread and data is exfiltrated
Source: 1. Cisco 2014 Annual Security Report, 2. Check Point 2015 Security Report
Organized and well funded
Profile organizations using public data/social media
Target key POIs via spear phishing
“Watering hole” target groups on trusted sites
Leverage tried and true techniques like SQLi, DDoS & XSS
Coordinated attacks, distract big, strike precisely
Operational sophistication
APT: Advanced Persistent Threat
DNS in the “Cyber Kill Chain”
1. Reconnaissance: harvesting email addresses, conference information, etc.
2. Weaponization: coupling exploit with backdoor into deliverable payload
3. Delivery: delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: exploiting a vulnerability to execute code on victim’s system
5. Installation: installing malware on the asset
6. Command & Control (C2): command channel for remote manipulation of victim
7. Actions on Objectives: with “hands on keyboard” access, intruders accomplish their original goal
DNS techniques that appear along the chain: DNS reconnaissance, DNS infiltration, DNS tunneling, DNS DDoS, DNS exfiltration, DNS callback, DNS protocol anomalies, DNS exploits, DNS hijacking, DNS kill switch
The hygiene solution for your network – DNS security solutions from Infoblox (ADP, TI, DNS-FW)
Diagram: Infoblox ActiveTrust with Threat Insight sits between the INTERNET (attacker, thief, badsite1.com, badsite2.com, badsite3.com, good.com) and the ENTERPRISE firewall, fed by the Infoblox Automated Threat Intelligence Service with updates for DNS attacks and malicious domains; exfiltration query names of the form 1x23y45z6789.thief.com and 0a1b01c20d01.thief.com are shown. Outcomes:
Legitimate query passed
DNS DDoS attacks dropped
Data exfiltration + C&C dropped
Malware site blocked
DNS Attack Protection via ADP
Video (4:19): https://www.youtube.com/watch?v=ey6NRMqNwqs
Public DNS / Internal DNS: threats are not the same
Threat categories: volumetric/DDoS attacks; DNS-specific exploits
Public (Authoritative) DNS:
DNS-based exploits
DNS reflection
DNS amplification
TCP/UDP/ICMP floods
Protocol anomalies
DNS hijacking
Reconnaissance
Internal DNS & DNS cache:
DNS-based exploits
DNS cache poisoning
Domain lockup attack
DNS tunneling
DNS exfiltration
NXDOMAIN attack
Random subdomain attack
Phantom domain attack
Malware call-home
TI – Threat Insight – Infoblox's patented anomaly detection
Entropy (adds to score)
• Does the request contain lots of information?
Frequency/Size (adds to score)
• It is unusual to send many different requests to the same external domain.
Lexical Analysis (adds to score)
• Does it appear to be encoded or encrypted?
n-Gram Analysis (subtracts from score)
• Does the request contain words in a language?
Proprietary methods (adjusts score)
• False positive mitigation
• Other indicators and factors
1. Examines all DNS records (e.g.: TXT, A, AAAA)
2. Detects presence of data using lexical and temporal analysis
3. Certain attributes add to a threat score; others subtract from it
4. Final score classifies a request as exfiltration or not
5. If exfiltration is found, automatically adds destinations to special internal RPZ feed
6. Scales protection to other parts of the network
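As an added illustration (not Infoblox's Threat Insight code, whose scoring is proprietary), the following Python sketch applies the scoring factors above to a constructed set of resolver query names, aggregates the score per destination domain and emits the RPZ lines that step 5 would feed. The weights, thresholds, word list and sample names are all assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of query names as an internal resolver might log them; the
# thief.com names copy the pattern on the slide, and every name here is made up.
SAMPLE_QUERIES = [
    "www.good.com", "mail.good.com", "cdn.good.com",
    "1x23y45z6789.thief.com", "0a1b01c20d01.thief.com",
    "9f8e7d6c5b4a.thief.com", "ab12cd34ef56.thief.com",
]
WORDS = {"www", "mail", "cdn", "login", "api", "shop", "static"}  # stand-in for a word / n-gram model (assumption)

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])  # naive; real code needs a public-suffix list

def score_query(qname, distinct_names_for_domain):
    """Score one query name; higher means more exfiltration-like. Weights are assumptions."""
    labels = qname.lower().rstrip(".").split(".")
    payload = "".join(labels[:-2])  # everything left of the registered domain
    score, reasons = 0, []
    if payload and shannon_entropy(payload) > 3.0:  # entropy: adds to score
        score += 2; reasons.append("high-entropy subdomain")
    if distinct_names_for_domain >= 4:  # frequency/size: adds to score
        score += 2; reasons.append("many distinct names to one domain")
    if re.fullmatch(r"[0-9a-z]{10,}", payload) and re.search(r"\d", payload):
        score += 1; reasons.append("encoded-looking label")  # lexical analysis: adds to score
    if any(lbl in WORDS for lbl in labels[:-2]):  # n-gram / dictionary: subtracts from score
        score -= 2; reasons.append("dictionary word")
    return score, reasons

def classify(queries, threshold=3):
    seen = defaultdict(set)  # distinct query names per registered domain
    for q in queries:
        seen[registered_domain(q)].add(q)
    flagged = {}
    for q in queries:
        dom = registered_domain(q)
        score, reasons = score_query(q, len(seen[dom]))
        if score >= threshold:
            flagged[dom] = reasons  # aggregate by destination, as step 5 feeds destinations to RPZ
    return flagged

def rpz_records(flagged):
    """RPZ policy lines: 'CNAME .' makes the resolver answer NXDOMAIN for the name and its subdomains."""
    return [line for d in sorted(flagged) for line in (f"{d} CNAME .", f"*.{d} CNAME .")]
```

Running classify(SAMPLE_QUERIES) flags only thief.com; good.com stays clean because its labels are dictionary words and it sees too few distinct names to trigger the frequency factor.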
AT – ActiveTrust Standard/Plus/Advanced
569,000
approx. 8 million
Delivers the intelligence needed for intelligent action
Central visibility: Reporting & Analytics
• Attack details by category, member, rule, and time
• Insight into the source of the attack, so actions can be taken more precisely
• Early detection and isolation of problems for correct action
Infoblox “Cybersecurity Ecosystem”
Keeping the road “clean” together ...
Example: Cisco ISE
Ecosystem Integration
Authoritative IPAM / Secure DNS
Infoblox DDI is the leader in publishing data to the pxGrid ecosystem.
19 values (Device, User, Domain, SSID...) from ISE; 21 values (Lease, IP, MAC, Hostname...) from Infoblox
...open APIs as technology glue
Infoblox as central data broker
Example workflow with Cisco ISE:
1. Infected device sends a DNS query to C&C
2. Internal DNS Security (ActiveTrust + Threat Insight) identifies the malicious domain
3. Notify ISE of Indicator of Compromise with IP / MAC data
4. ISE quarantines device
5. Infoblox IPAM updated with quarantine status
6. ISE requests device scan and remediation
7. Rapid7 scans device and remediates threat
8.–9. Reports remediation, updates status to not quarantined
Infoblox and McAfee for Unified Security: Broader Protection, Faster Remediation
https://www.infoblox.com/company/news-events/press-releases/infoblox-partners-with-mcafee-for-unified-security/
https://www.infoblox.com/wp-content/uploads/infoblox-solution-brief-infoblox-and-mcafee-for-unified-security.pdf
• WebGW: Infoblox ActiveTrust Cloud with McAfee Web Gateway Cloud Service – unifies DNS and web security for detection and blocking of malicious traffic and data exfiltration from infected devices.
• ePO: Infoblox DDI and ActiveTrust with McAfee Data Exchange Layer and McAfee® ePolicy Orchestrator® – enables ecosystem solutions that subscribe to DXL topics to take action on network and security events detected by Infoblox and contain threats faster.
• ESM/SIEM: Infoblox DDI and ActiveTrust with McAfee® Enterprise Security Manager (SIEM) – allows for comprehensive threat data correlation and detection. Infoblox also shares valuable network context and actionable intelligence to help assess risk and prioritize alerts in order to enable more efficient incident response.
IoC: Indicator of Compromise
Our Commitment to Ecosystem Solutions
Diagram of integration interfaces: REST/Perl API, STIX/TAXII, Cisco pxGrid, Syslog, SNMP, etc., OpenStack, grouped into Infoblox-specific, open standards / 3rd party, and third-party proprietary; feeding third-party technology solutions
Highly scalable PROTECTION for on-premise, roaming and remote / branch office employees
ActiveTrust® Cloud – scope of functions
TIDE / DOSSIER
Modern Networks: Agile & Secure
Diagram: data center(s), SOC with SIEM and threat intel, office locations, external endpoints and IPs on the network; threats shown at the edges: DDoS, DNS DDoS, C&C, data exfiltration
Leverage Threat Intel Across Entire Security Infrastructure
TI sources: Infoblox, SURBL, Marketplace, Custom TI
Feed content: C&C IP list, spambot IPs, C&C & malware host/domain, phishing & malware URLs
TIDE: define data policy, governance & translation
Dossier: threat investigation tool
Output formats: CSV file, JSON, STIX, RBL zone file, RPZ
Consumers: WWW, DNS, SIEM, next generation firewall, next generation IPS, proxy, content security
RESULT: single source of TI management, faster triage, threat prioritization
... what you should think about
• Protecting the DNS service
• Datacenter hygiene: preventing uncontrolled communication over DNS
• Protecting data from loss
• One database with all infrastructure information
• Effective protection of IoT and thin-/zero-client environments
• Connecting security vendors for cross-vendor workflows
• Visibility of “who communicates with whom”
• Assessment of what is, what was, and what will be
• Meeting compliance requirements
Infoblox “Security Assessment”
We check your network!
What do we need?
PCAP file (approx. 50 min) from tcpdump, Wireshark, or similar
Interested? Contact us!
Live Demo
Data Exfiltration: http://dex.infoblox.com
... try it yourself!
Q&A
APPENDIX
Infoblox TIDE improves your organization’s security posture
Video (3:03) – Intro: https://www.infoblox.com/resources/videos/infoblox-activetrust-tide/
Video (8:05) – GUI Demo: https://www.youtube.com/watch?v=1s8LAzK-K4k
Resources – Cybersecurity Ecosystem
• Web site: https://www.infoblox.com/products/secure-dns/cybersecurity-ecosystem
• Joint Solution Briefs:
Infoblox + FireEye
Infoblox + Carbon Black
Infoblox + Cisco
Infoblox + LogRhythm
Infoblox + Qualys
DOCS – Infoblox Online Documentation Portal: https://docs.infoblox.com
RESOURCES – detailed Infoblox knowledge
https://www.infoblox.com/resources/
Demo Center – easy way to try
1. We do need to add your company domain first to the approved domain list – please send us an email
2. Once added, you can register for a free account on the demo platform
https://demos.infoblox.com
Recommended