Presentation is loading. Please wait.

Presentation is loading. Please wait.

Domain Name System (DNS) Network Security Asset or Achilles Heel? Seema Kathuria, Sr. Product Marketing Manager, Infoblox February 19, 2015.

Similar presentations

Presentation on theme: "Domain Name System (DNS) Network Security Asset or Achilles Heel? Seema Kathuria, Sr. Product Marketing Manager, Infoblox February 19, 2015."— Presentation transcript:

1 Domain Name System (DNS) Network Security Asset or Achilles Heel? Seema Kathuria, Sr. Product Marketing Manager, Infoblox February 19, 2015

2 Session Overview/Speaker Info © 2015 Infoblox Inc. All Rights Reserved.2 Domain Name System (DNS) – Network Security Asset or Achilles Heel? Speaker: Seema Kathuria Session Abstract: The DNS is a key building block of the Internet which is fast becoming one of the top-rated vectors for external (“outside-in”) attacks on the infrastructure and internal (“inside out”) attacks from malware. Most IT professionals know very little about the DNS and, subsequently, have done little to protect this critical asset. This session will discuss common vulnerabilities and attack surfaces, different types of DNS threat vectors, and security strategies/techniques to mitigate for this oft ignored security threat to network architecture. If built into a project plan from inception, the right network architecture can be designed to protect against the multitude of DNS attack vectors. Speaker Bio: Seema has 10 years of experience in technology product marketing at various technology and network security companies, including Check Point Software and Imperva. Currently, she is responsible for product messaging and positioning, competitive intelligence, and bringing to market Infoblox’s Secure DNS solutions that protect critical network infrastructure. Seema is responsible for creating market awareness on DNS security through thought leadership assets, presentations at security trade shows, and customer events. Immediately prior to Infoblox, Seema led product marketing and sales enablement activities at Juniper Networks for its high-end firewall and threat intelligence security solutions.

3 Agenda © 2015 Infoblox Inc. All Rights Reserved.3 How to Protect Yourself? -Anatomy of an attack: DNS Hijacking -Anatomy of an attack: Reflection Attack -Anatomy of an attack: Data Exfiltration via DNS Tunneling Common Attack Vectors What is DNS and How Does It Work? Q&A Threat Landscape Trends

4 What is the Domain Name System (DNS)? © 2015 Infoblox Inc. All Rights Reserved.4 Address book for The Internet Translates “” to Invented in 1983 by Paul Mokapetris (UC Irvine) DNS Outage = Business Downtime Without DNS, The Internet & Network Communications Would Stop

5 How Does DNS Work? © 2015 Infoblox Inc. All Rights Reserved.5 ISP DNS SERVER ROOT DNS SERVER “I need directions to “That domain is not in my server, I will ask another DNS Server” “That’s in my cache, it maps to: “That’s in my cache, it maps to: “Great, I’ll put that in my cache in case I get another request” “Great, now I know how to get to

6 For Bad Guys, DNS Is a Great Target © 2015 Infoblox Inc. All Rights Reserved.6 DNS is the cornerstone of the Internet used by every business and government DNS as a protocol is easy to exploit DNS Outage = Business Downtime Traditional protection is ineffective against evolving threats

7 Defense-in-Depth and DNS Security Gap © 2015 Infoblox Inc. All Rights Reserved.7 Firewalls and IDS/IPS devices don’t effectively address DNS security threats Proliferation of BYOD devices, mobile users means threats may be inside the firewall DNS technology is ideal for defending against threats and disrupting APT/malware communications from infected devices Traditional security products generally don’t focus on DNS DNS security layer needed to fill gap

8 The DNS Security Challenges © 2015 Infoblox Inc. All Rights Reserved.8 Defending against DNS attacks including data exfiltration via DNS tunneling 2 Preventing malware from using DNS to communicate to malicious domains 3 Securing the DNS platform 1

9 DNS Attack Vectors © 2015 Infoblox Inc. All Rights Reserved.9

10 Anatomy of an Attack © 2015 Infoblox Inc. All Rights Reserved.10 Syrian Electronic Army

11 Anatomy of an Attack © 2015 Infoblox Inc. All Rights Reserved.11 Distributed Reflection DoS Attack (DrDoS) How the attack works Attacker Internet Spoofed Queries Open Recursive Servers Amplified Reflected Packets Target Victim Combines reflection and amplification Uses third-party open resolvers in the Internet (unwitting accomplice) Attacker sends spoofed queries to the open recursive servers Uses queries specially crafted to result in a very large response Causes DDoS on the victim’s server

12 Anatomy of an Attack © 2015 Infoblox Inc. All Rights Reserved.12 Data Exfiltration via DNS Tunneling 1.File containing sensitive info converted to text, broken into chunks and exfiltrated via DNS 2.Exfiltrated data put back together and decrypted to get the valuable information 3.Used spoofed addresses

13 The Rising Tide of DNS Threats © 2015 Infoblox Inc. All Rights Reserved.13 Are You Prepared? DNS Top attacks DNS amplification: Use amplification in DNS reply to flood victim TCP/UDP/ICMP floods: Flood victim’s network with large amounts of traffic Protocol anomalies: Malformed DNS packets causing server to crash DNS cache poisoning: Corruption of a DNS cache database with a rogue address DNS hijacking: Subverting resolution of DNS queries to point to rogue DNS server DNS tunneling: Tunneling of another protocol through DNS for data ex-filtration Reconnaissance: Probe to get information on network environment before launching attack DNS based exploits: Exploit vulnerabilities in DNS software Fragmentation: Traffic with lots of small out of order fragments DNS reflection/DrDos: Use third party DNS servers to propagate DDoS attack NXDOMAIN: Flood DNS server with requests for non-existent domains Phantom Domain: Force DNS server to resolve multiple non-existent domains and wait for responses

14 APT/Malware Examples © 2015 Infoblox Inc. All Rights Reserved.14 CryptoLocker “Ransomware” and GameOver Zeus CryptoLocker: Targets Windows-based computers Appears as attachment within seemingly legitimate Upon infection, encrypts files: local hard drive and mapped network drives Ransom: 72 hours to pay $300USD If not paid, encryption key deleted and data irretrievable Only way to stop (after executable has started) is by blocking outbound connection to encryption server GameOver Zeus: 500,000 to 1M infections worldwide Hundreds of millions of dollars stolen Highly sophisticated and hard to track Uses P2P communication to control infected devices or botnet Upon infection, it monitors machine for finance-related information Takes control of private online transactions and diverts funds to criminal accounts Responsible for distribution of CryptoLocker, and infected systems can be used for DDoS attacks

15 Security Breaches using APTs/Malware © 2015 Infoblox Inc. All Rights Reserved.15 Q4 Q Q2 Q1

16 Protection Best Practices © 2015 Infoblox Inc. All Rights Reserved.16

17 Help Is On The Way! © 2015 Infoblox Inc. All Rights Reserved.17 Collaboration Dedicated Appliances Monitoring DNSSEC RPZ Advanced DNS Protection

18 Get the Teams Talking – Questions to Ask: © 2015 Infoblox Inc. All Rights Reserved.18 Who in your organization is responsible for DNS Security? What methods, procedures, tools do you have in place to detect and mitigate DNS attacks? Would you know if an attack was happening? Would you know how to stop it? Network Team Security Team IT Apps Team IT OPS Team

19 Hardened DNS Appliances © 2015 Infoblox Inc. All Rights Reserved.19  Dedicated hardware with no unnecessary logical or physical ports  No OS-level user accounts—only admin accts  Immediate updates to new security threats  Secure HTTPS-based access to device management  No SSH or root-shell access  Encrypted device-to-device communication –Many open ports are subject to attack –Users have OS-level account privileges on server –Requires time-consuming manual updates Conventional Server ApproachHardened Appliance Approach Multiple Open Ports Limited Port Access Update Service Secure Access

20 Advanced DNS Protection © 2015 Infoblox Inc. All Rights Reserved.20 Reporting Server Automatic updates Updated Threat- Intelligence Server Advanced DNS Protection (External DNS) Reports on attack types, severity Amplification Cache Poisoning Legitimate Traffic Reconnaissance DNS Exploits Advanced DNS Protection (Internal DNS) Rules distribution Data for Reports

21 © 2015 Infoblox Inc. All Rights Reserved.21 An infected device brought into the office. Malware spreads to other devices on network. 123 Malware makes a DNS query to find “home” (botnet / C&C). DNS Server looks at the DNS response and blocks the connection to the malicious domain. Malicious domains DNS Server with RPZ capability Blocked communication attempt sent to Syslog Malware / APT 12 Malware / APT spreads within network; Calls home 4 Query to malicious domain logged; security teams can now identify requesting endpoint and attempt remediation RPZ regularly updated with malicious domain data using available reputational feeds 4 Reputational Feed: IPs, Domains, etc. of Bad Servers Internet Intranet 32 Response Policy Zones - RPZ Blocking Responses from Malicious Domains

22 Take the DNS Security Risk Assessment © 2015 Infoblox Inc. All Rights Reserved.22 1.Analyzes your organization’s DNS setup to assess level of risk of exposure to DNS threats 2.Provides DNS Security Risk Score and analysis based on answers given Higher score = higher DNS security risk!!

23 © 2015 Infoblox Inc. All Rights Reserved.23 Try DNS Firewall Virtual Evaluation Use DNS to Find Malware/APT Lurking in Your Network Two options: Port Span and Standalone No hardware (100% virtual) Non-disruptive to production network 60-day trial See Malware/APT activity with reports

24 Call to Action © 2015 Infoblox Inc. All Rights Reserved.24 DNS security vulnerabilities pose a significant threat Raise the awareness of DNS and DNS security vulnerabilities in your organization There are many resources available to help Seek help if needed to protect DNS Talk to Infoblox

25 Infoblox Overview © 2015 Infoblox Inc. All Rights Reserved.25 Founded in 1999 Headquartered in Santa Clara, CA with global operations in 25 countries Market leadership DDI market leader (Gartner) 50% DDI market share (IDC) 7,000+ customers 74,000+ systems shipped to 100 countries 45 patents, 27 pending IPO April 2012: NYSE BLOX Leader in technology for network control 32% CAGR $MM Total Revenue (Fiscal Year Ending July 31)

26 IT Analyst Validation © 2015 Infoblox Inc. All Rights Reserved.26 Gartner: “usage of a commercial DDI solution can reduce (network) OPEX by 50% or more.” IDC: Infoblox is the only major DDI vendor to gain market share over the past three years. Gartner: “Infoblox is the DDI market leader in terms of mainstream brand awareness.” Worldwide DDI Market Share – 2013

27 © 2015 Infoblox Inc. All Rights Reserved.27

Download ppt "Domain Name System (DNS) Network Security Asset or Achilles Heel? Seema Kathuria, Sr. Product Marketing Manager, Infoblox February 19, 2015."

Similar presentations

Ads by Google