
Is DNS a Part of Your Cyber Strategy?

20 December
12:00-13:00 GMT

Dr. Adrian Davis, Managing Director, (ISC)2 EMEA
Gary Cox, System Engineering Manager, Infoblox
(ISC)2: Who we are

Vision
Inspiring a Safe and Secure Cyber World

Mission
Support and provide members and
constituents with credentials, resources, and
leadership to address cyber, information,
software and infrastructure security to deliver
value to society

Visit www.isc2.org and follow us on…
Strength in Membership
Certifying the World’s Information Security Professionals

A membership community made up of certified cyber, information, software and infrastructure security professionals making a difference and helping to advance the industry

125,000+ members worldwide
23,000+ members EMEA
Bringing the Professional Community Together
Tackling issues and challenges in cybersecurity

• Member-Driven Initiatives and Award programmes
• (ISC)² Secure Summits
• Chapters
• Events and Member Receptions
• Tools and Resources

Register Online
#ISC2SUMMITS

Visit www.isc2.org/memberbenefits
(ISC)2 EMEA Secure Webinars

Security Briefings

eSummits

ThinkTank Roundtables

CISO Says

Watch this space! (www.isc2.org/News-and-Events/Webinars/EMEA-Webinars) …and your emails for updates!

Join the discussion on Twitter #ISC2EMEA
Today’s Webinar

Housekeeping

• Please type your questions as we go along

• We will answer as many as we can after the presentation


• Please rate your experience!
• CPEs will be submitted on (ISC)2 members’ behalf within 5 business days
(minimum viewing time 45 minutes)
• For any questions on CPEs, email membersupportemea@isc2.org

More CPE Events with Infoblox
Earn automatic (ISC)2 CPEs by attending any of Infoblox’s Exchange Security & Data Center
EMEA Road Tour events

http://www.infobloxemea.com/roadtour/

Is DNS Part of Your Cyber Strategy?
Gary Cox, CISSP – Technical Director, UK and Ireland
December 20th 2017
© 2017 Infoblox Inc. All Rights Reserved. COMPANY CONFIDENTIAL
About Infoblox…..

Building on almost twenty years of industry experience with Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and IP address management (IPAM) services (DDI), Infoblox has developed the Actionable Network Intelligence Platform.

This platform goes beyond DDI to enable organizations to harness insights derived from the rivers of core services data moving through their networks to enhance all aspects of management, security, agility, and cost control.
What is DNS?

Often called the phone book of the Internet, DNS converts IP addresses to human readable names.

You may not think you know much about the Domain Name System (DNS) but whenever you use the Internet, you use DNS. Every time you send electronic mail or surf the World Wide Web, you rely on the Domain Name System.
[Chart: SANS 2017 Data Protection Survey. Question: “What do you consider to be the top threats to the security of your sensitive data? Please indicate whether these have occurred in your organization one or more times in the past 12 months.” Bars (0% to 50% scale) split into “Once” and “Multiple Times” for: Ransomware; Insider threat; Denial of service (e.g., lack of availability); Spoofing of identity or access credentials; Elevation of privilege into sensitive systems; Questionable transactions; Data tampering, such as unauthorized modification or destruction; Identity theft (including payment card fraud or medical identity theft); Breaches in cloud-based, multitenant architectures; Corporate or foreign government espionage; Compromise of DNS infrastructure enabling stealing and exfiltrating data; Information disclosure, such as to Wikileaks; Other.]

Ransomware, DDoS and Data Loss Remain Top

Results of the SANS 2017 Sensitive Data At Risk, Data Protection Survey, in last 12 months:

• 78% have seen two or more different types of threats in last 12 months
• 68% have experienced same threat multiple times

How could DNS be used/exploited?

The slide overlays DNS abuse onto the seven stages of the kill chain:

1. Reconnaissance: harvesting email addresses, conference information, etc.
2. Weaponization: coupling exploit with backdoor into deliverable payload
3. Delivery: delivering weaponized bundle to the victim via email, web, USB, etc.
4. Exploitation: exploiting a vulnerability to execute code on victim’s system
5. Installation: installing malware on the asset
6. Command & Control (C2): command channel for remote manipulation of victim
7. Actions on Objectives: with “Hands on Keyboard” access, intruders accomplish their original goal

DNS techniques placed along the chain on the slide: DNS Reconnaissance, DNS Infiltration, DNS Protocol Anomalies, DNS Exploits, DNS Hijacking, DNS Callback, DNS Tunneling, DNS kill switch, DNS Exfiltration and DNS DDoS (DDoS appears at both ends of the chain).
Assessing the risk

Reviewing the gaps from outside to inside:

• Check good DNS practice is in place
• Control DNS communication
• Understand/Review how DNS is exploited
• Registrar security
• Risk mitigation for DDoS
• Process to deal with a “kill switch”
• Blocking malware C&C communication
• Exfiltration of data
• Leverage DNS based Indicators of Compromise
• Test data exfiltration via DNS (don’t assume)
Recommendation

You will do some of this based on risk assessment.

[Diagram: recommended DNS architecture, from the Internet down to internal clients]
• Internet-facing DNS with three blocking layers (each marked X): Signature (“packet inspection”), Reputation (“List of IoCs”) and Behaviour (“Machine Learning”)
• Proxies & DMZ: the DMZ DNS cache is the choke point; firewall rule “DO NOT allow Any -> Port 53”
• Gateways enforce “Rules & Policy”
• Only known internal DNS servers can use the DMZ DNS cache
• Internal DNS gives VISIBILITY of query source
• Internal Clients sit at the bottom of the diagram, behind the internal DNS servers
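The choke-point rule on the slide (“DO NOT allow Any -> Port 53”, only known internal DNS servers may use the DMZ cache) is easy to state and easy to let drift. The script below is an added example, not part of the deck or of any Infoblox product: it audits constructed firewall connection records against that policy and reports every host that talks to port 53 outside the sanctioned path. All addresses, the log format and the topology are assumptions made for the example.

```python
"""Added example (not from the deck): audit firewall connection records
against the choke-point policy on the slide. Only the known internal DNS
servers may reach the DMZ DNS cache, the DMZ cache alone may recurse to
the Internet, and no other host may talk to port 53 outside. The log
format and every address below are constructed for this example."""
import ipaddress
import re

# Assumed topology (constructed addresses).
INTERNAL_DNS_SERVERS = {"10.0.0.53", "10.0.1.53"}
DMZ_DNS_CACHE = {"172.16.0.53"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed, syslog-style firewall records.
SAMPLE_LOG = """\
2017-12-20T12:01:02Z fw01 proto=udp src=10.0.0.53 dst=172.16.0.53 dport=53 action=allow
2017-12-20T12:01:05Z fw01 proto=udp src=10.0.7.21 dst=8.8.8.8 dport=53 action=allow
2017-12-20T12:01:09Z fw01 proto=tcp src=10.0.7.21 dst=203.0.113.10 dport=443 action=allow
2017-12-20T12:01:11Z fw01 proto=udp src=10.0.7.44 dst=172.16.0.53 dport=53 action=allow
2017-12-20T12:01:15Z fw01 proto=tcp src=172.16.0.53 dst=198.51.100.5 dport=53 action=allow
2017-12-20T12:01:20Z fw01 proto=udp src=10.0.9.9 dst=10.0.0.53 dport=53 action=allow
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def is_private(addr):
    """True for RFC 1918 space, i.e. anything on the enterprise side of the edge."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def classify_flow(src, dst, dport):
    """Return 'ok' or a short reason why a flow breaks the choke-point policy."""
    if dport != 53:
        return "ok"                             # not DNS, out of scope here
    if src in INTERNAL_DNS_SERVERS and dst in DMZ_DNS_CACHE:
        return "ok"                             # internal resolver -> DMZ cache
    if src in DMZ_DNS_CACHE and not is_private(dst):
        return "ok"                             # DMZ cache recursing to the Internet
    if is_private(src) and dst in INTERNAL_DNS_SERVERS:
        return "ok"                             # client -> internal resolver
    if not is_private(dst):
        return "direct-internet-dns"            # the "Any -> Port 53" the slide forbids
    if dst in DMZ_DNS_CACHE:
        return "unauthorised-dmz-cache-use"     # client bypassing the internal resolvers
    return "unexpected-internal-dns"            # some other internal host serving DNS


def audit(log_text):
    """Return (src, dst, reason) for every record that violates the policy."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        verdict = classify_flow(m["src"], m["dst"], int(m["dport"]))
        if verdict != "ok":
            findings.append((m["src"], m["dst"], verdict))
    return findings


if __name__ == "__main__":
    for src, dst, reason in audit(SAMPLE_LOG):
        print(f"{src} -> {dst}: {reason}")
```

Run against the sample records it reports two hosts: one resolving directly against an Internet resolver (the bypass the slide's rule exists to stop, and a common sign of malware carrying its own resolver settings) and one querying the DMZ cache without going through the internal servers, which also costs you the “visibility of query source” the diagram relies on.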
So where does DNS fit in the Cyber Strategy?

More places than you might think…

•To detect and block suspicious and malicious traffic
•As highly focused indicators of compromise
•As part of your DLP Strategy
•Pro-active security with Newly Observed Domains
•To enhance the capabilities of other security controls
•As part of your DDoS defences
•DNSSEC / DMARC, DKIM, SPF


FQDN based Indicators of Compromise

So let’s talk about false positives…

Dnsduck10[.]duckdns[.]org – Specific C2 indicator hit within the parent domain

192[.]169[.]69[.]25 – 415 possible domain hits!

Do you want to sift through >400 other results?


DNS based Data Exfiltration

DNS can be used as a covert back channel, to exfiltrate data, download malware or issue remote commands.

There are many off the shelf packages available: DNS2TCP, TCP-over-DNS, OzymanDNS, Iodine, SplitBrain, DNScat-P/DNScat2, DNScapy, TUNS, PSUDP, YourFreedom etc.

Not DLP! But this is exfiltration over DNS

Sophisticated (zero-day) flow, as drawn on the slide:
• Infected endpoint gets access to file containing sensitive data
• It encrypts and converts info into encoded format
• Text broken into chunks and sent via DNS using hostname.subdomain or TXT records
• Exfiltrated data reconstructed at the other end, on the attacker controlled (C&C) server thief.com, which also returns C&C commands
• Can use spoofed addresses to avoid detection

[Diagram: ENTERPRISE (infected endpoint, internal DNS server) → INTERNET → attacker controlled server thief.com (C&C)]

Data Exfiltration via host/subdomain, simplified/unencrypted example:
NameMarySmith.foo.thief.com
MarySmith.foo.thief.com
MRN100045429886.foo.thief.com
DOB10191952.foo.thief.com
SSN-543112197.foo.thief.com
DOB-04-10-1999.foo.thief.com
DNS based Data Exfiltration (cont.)

So how can you monitor and prevent DNS tunnelling?

Signature based detection and blocking
Reputation based detection and blocking
Behavioural based detection and blocking
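The three layers listed above, and the FQDN-versus-IP precision point from the false-positives slide, are shown together in the following added example (written for this page, not code from the deck or from Infoblox). It runs a signature check, an FQDN reputation match and a per-domain behavioural profile over constructed DNS query log lines; the *.foo.thief.com names are the deck's own exfiltration sample and dnsduck10.duckdns.org is the deck's indicator, while the log format, thresholds, the hex-label signature and the benign names are assumptions.

```python
"""Added example (not from the deck): the three detection layers on the
slide - signature, reputation and behaviour - run over DNS query log lines.
The log format, thresholds and the benign names are constructed; the
*.foo.thief.com names are the deck's exfiltration example and
dnsduck10.duckdns.org is the FQDN indicator from the false-positives slide."""
import math
import re
from collections import defaultdict

# Constructed query log: "<time> <client> <qname> <qtype>"
SAMPLE_QUERIES = """\
12:00:01 10.0.7.21 www.example.com A
12:00:02 10.0.7.21 mail.example.org MX
12:00:03 10.0.7.44 NameMarySmith.foo.thief.com A
12:00:03 10.0.7.44 MRN100045429886.foo.thief.com A
12:00:04 10.0.7.44 DOB10191952.foo.thief.com A
12:00:04 10.0.7.44 SSN-543112197.foo.thief.com A
12:00:05 10.0.7.44 DOB-04-10-1999.foo.thief.com A
12:00:06 10.0.7.21 login.duckdns.org A
12:00:07 10.0.7.90 dnsduck10.duckdns.org A
12:00:08 10.0.7.21 4f3a9c2b1e7d8a6f5b4c3d2e1f0a9b8c7d6e5f4a.tun.example.net TXT
"""

# Reputation layer: exact FQDN indicators (the parent domain alone is not an indicator).
FQDN_IOCS = {"dnsduck10.duckdns.org"}
# Signature layer (assumed pattern): a leading label that is a long run of hex.
HEX_LABEL = re.compile(r"^[0-9a-f]{32,}$")


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        rows.append((ts, client, qname.lower().rstrip("."), qtype))
    return rows


def parent_domain(qname, labels=2):
    """Registrable-domain approximation: last two labels (a real tool would use the PSL)."""
    return ".".join(qname.split(".")[-labels:])


def signature_match(qname, qtype):
    first = qname.split(".")[0]
    return bool(HEX_LABEL.match(first)) or (qtype == "TXT" and len(first) >= 32)


def reputation_match(qname):
    """Hit on the indicator itself or a name below it; siblings under duckdns.org stay clean."""
    return any(qname == ioc or qname.endswith("." + ioc) for ioc in FQDN_IOCS)


def entropy(s):
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def behaviour_profile(rows, min_unique=5, min_avg_len=10):
    """Many distinct, long leading labels under one parent domain is the
    chunked-data pattern of tunnelling and exfiltration."""
    by_domain = defaultdict(set)
    for _, _, qname, _ in rows:
        by_domain[parent_domain(qname)].add(qname.split(".")[0])
    flagged = {}
    for dom, labels in by_domain.items():
        avg_len = sum(len(l) for l in labels) / len(labels)
        if len(labels) >= min_unique and avg_len >= min_avg_len:
            flagged[dom] = {
                "unique_labels": len(labels),
                "avg_len": round(avg_len, 1),
                "avg_entropy": round(sum(entropy(l) for l in labels) / len(labels), 2),
            }
    return flagged


def detect(log_text):
    """Return (layer, subject, detail) tuples from all three layers."""
    rows = parse(log_text)
    hits = []
    for _, client, qname, qtype in rows:
        if signature_match(qname, qtype):
            hits.append(("signature", client, qname))
        if reputation_match(qname):
            hits.append(("reputation", client, qname))
    for dom, stats in behaviour_profile(rows).items():
        hits.append(("behaviour", dom, stats))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_QUERIES):
        print(hit)
```

Note how each layer catches something the others miss: the reputation layer fires only on the exact indicator and leaves login.duckdns.org alone (the precision the false-positives slide argues for), the signature layer catches the encoded TXT query, and only the behavioural profile sees the thief.com pattern, where no single query looks suspicious but five distinct long labels under one parent domain do.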
Newly Observed Domains (NODs)

Adding NODs into your strategy is a game changer…..

Block that Phishing domain before its campaign even starts
Prevent communication to C2 domains before they become widely known
Leverage NODs for enhanced Spam Filtering

Newly Observed Domains (Cont.)

Here is an example….
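The slide's own example is an image that did not survive extraction. As an added example (not from the deck and not an Infoblox or Farsight implementation), the following code shows the mechanism behind an NOD policy: a feed of first-seen timestamps, an age threshold below which a domain is treated as newly observed and blocked, and an allowlist for corporate domains. The feed contents, timestamps, threshold and domain names are all constructed for the example.

```python
"""Added example (not from the deck): a minimal Newly Observed Domains (NOD)
policy. A domain is "newly observed" when its first sighting in the feed is
younger than max_age; queries to such domains are blocked, and a domain the
feed has never seen is recorded as first seen now and treated the same way.
The feed contents, timestamps and allowlist are constructed."""
from datetime import datetime, timedelta, timezone


def registrable_domain(qname):
    """Last two labels; a production NOD feed keys on the public-suffix list."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


class NewlyObservedDomains:
    def __init__(self, first_seen, max_age=timedelta(hours=24), allowlist=()):
        self.first_seen = dict(first_seen)      # domain -> first sighting (aware datetime)
        self.max_age = max_age
        self.allowlist = set(allowlist)         # corporate / partner domains never blocked

    def decision(self, qname, now):
        dom = registrable_domain(qname)
        if dom in self.allowlist:
            return "allow"
        seen = self.first_seen.get(dom)
        if seen is None:
            self.first_seen[dom] = now          # first sighting ever: new by definition
            return "block-new"
        if now - seen < self.max_age:
            return "block-new"                  # younger than the age threshold
        return "allow"                          # established domain


def demo():
    """Walk a few constructed queries through the policy and return the decisions."""
    now = datetime(2017, 12, 20, 12, 0, tzinfo=timezone.utc)
    feed = {
        "example.com": now - timedelta(days=365),            # long established
        "fresh-campaign.example": now - timedelta(hours=2),  # first seen two hours ago
    }
    nod = NewlyObservedDomains(feed, allowlist={"corp.example"})
    return {
        "www.example.com": nod.decision("www.example.com", now),
        "login.fresh-campaign.example": nod.decision("login.fresh-campaign.example", now),
        "cdn.never-seen.example": nod.decision("cdn.never-seen.example", now),
        "cdn.never-seen.example+25h": nod.decision("cdn.never-seen.example",
                                                   now + timedelta(hours=25)),
        "intranet.corp.example": nod.decision("intranet.corp.example", now),
    }


if __name__ == "__main__":
    for qname, verdict in demo().items():
        print(f"{qname}: {verdict}")
```

The value of the control comes from the feed, not the code: a passive-DNS source such as the Farsight service linked under “Further reading” sees a domain's first query across many networks long before a reputation list carries it, which is what lets the phishing or C2 domain be blocked before its campaign is widely known. The age threshold is the tuning knob; too short and a fresh campaign slips through, too long and legitimately new sites are blocked.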
Infoblox Cyber Security Ecosystem

[Diagram: ActiveTrust® Threat Intelligence Providers feed Infoblox On-Premise in JSON, REST, STIX, RPZ and Custom formats; the Data Connector exports to ActiveTrust® Security Operations Partners in CSV, CEF, STIX and REST formats; Ecosystem Partners on both sides]


As part of your DDoS Defences

Correct architecture is critical…..

Service Separation – don’t have all your eggs in one basket.
Leverage Anycast.
Use hardened DNS Servers which can detect and drop attack traffic.
Other ways to leverage DNS

DNSSEC – Chain of trust for your DNS Entries
DMARC Policy – Part of your anti-spam defenses
DKIM and SPF – Key based authentication for mail servers and Sender Policy Framework, both needed for DMARC policies to function correctly.
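DMARC is a DNS-published policy that the receiving mail server applies to the SPF and DKIM results of each message. The following added example (written for this page, not the deck's or any vendor's code) parses a DMARC TXT record and applies it the way RFC 7489 specifies: the message passes if SPF or DKIM passes with a domain aligned to the From header, otherwise the p= disposition applies. The record, domains and results are constructed; organizational-domain matching is simplified to the last two labels rather than the public-suffix list.

```python
"""Added example (not from the deck): parse a DMARC TXT record and apply it
to the SPF and DKIM outcome of one message. Per RFC 7489 a message passes
DMARC when SPF passes with an aligned domain or DKIM passes with an aligned
signing domain; otherwise the record's p= policy applies. The records and
domains are constructed."""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s; ...' into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Last two labels as the organizational domain (a real check uses the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return 'pass' or the disposition from p= ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")


# Constructed record: strict DKIM alignment, relaxed SPF alignment, reject policy.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def demo():
    """Four constructed messages against the record above."""
    return {
        # envelope domain bounce.example.com aligns (relaxed) with example.com
        "spf_relaxed_pass": evaluate_dmarc(DMARC_RECORD, "example.com",
                                           "pass", "bounce.example.com", "fail", ""),
        # DKIM passes but d=mail.example.com fails strict alignment; SPF failed: p=reject applies
        "dkim_strict_mismatch": evaluate_dmarc(DMARC_RECORD, "example.com",
                                               "fail", "", "pass", "mail.example.com"),
        # spoofed From with neither mechanism passing
        "spoofed": evaluate_dmarc(DMARC_RECORD, "example.com",
                                  "fail", "attacker.example", "fail", ""),
        # monitoring-only policy: the failure is reported, not acted on
        "no_policy": evaluate_dmarc("v=DMARC1; p=none", "example.com",
                                    "fail", "", "fail", ""),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Because either aligned mechanism is enough to pass, publishing both SPF and DKIM is what makes a reject policy safe to deploy: forwarded mail routinely breaks SPF alignment while the DKIM signature survives, so a domain with only one of the two will either lose legitimate mail at p=reject or has to stay at p=none.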
Summary

•To detect and block suspicious and malicious traffic


•As highly focused indicators of compromise

•As part of your DLP Strategy

•Pro-active security with Newly Observed Domains

•To enhance the capabilities of other security controls

•As part of your DDoS defences

•DNSSEC / DMARC, DKIM, SPF


Q&A

Further reading

•https://community.infoblox.com/t5/Security-Blog/SURBL-amp-Threat-Intelligence/ba-p/8972
•https://www.farsightsecurity.com/solutions/threat-intelligence-team/newly-observed-domains/
•https://www.infoblox.com/solutions/cybersecurity-ecosystem/
•https://www.infoblox.com/glossary/domain-name-system-security-extensions-dnssec/
•https://dmarcguide.globalcyberalliance.org/#/
[Diagram: MARCHITECTURE: WHERE IT FITS | SOLUTION DIAGRAM, showing Cloud-based Recursive/Caching (ActiveTrust® Cloud)]
Q&A

1 CPE for this session will be uploaded to (ISC)2 members’ accounts within 5 business days

If you have CPE related questions, email (ISC)2 Member Support EMEA: membersupportemea@isc2.org

Adrian Davis, MBA, FBCS CITP, CISSP
adavis@isc2.org
@adrian_adavis
http://uk.linkedin.com/in/adriandaviscitp

https://www.isc2.org/
If you would like to deliver a webinar, get your company involved or have
any content related questions, email Patricia

Patricia Reiner van Heerden

preiner@isc2.org

https://www.isc2.org/

Thank you for listening

And Wishing You All Happy Holidays from the

(ISC)2 EMEA Team!

www.isc2.org
