SESSION ID: GPS1-R09
#RSAC
Extending Your Security beyond Traditional Safe Borders with OpenDNS
Demetris Booth
Head, Product & Solutions Marketing – APJC
Cisco Systems
July 2016

Today's Objective
• Security challenges against sophisticated attacks
• Introduce a different method of extending security
• Deeper view into more holistic DNS-layer security

The Security Problem

Are we completely secure?

Typical Attack
1. Attacker researches targets (SNS)
2. Spear phishing (you@gmail.com)
3. Victim clicks the link unwittingly (http://welcome.to.jangle.com/exploit.php); perimeter (inbound)
4. Bot installed; back door established and receives commands from the C2 server
5. Lateral movement inside the enterprise network: scan the LAN for vulnerable hosts to exploit, retain an alternative back door, and find privileged users (scanning, pivoting, privilege escalation, brute force, etc.)
6. Privileged account found; directory service occupied. Access to the database backup, then copy it to a staging server (admin node)
7. Zip the data, slice it into multiple files, and send those out to an external site over HTTPS; perimeter (outbound)
8. System compromised and data breached. Retain the backdoor to collect more targeted data, otherwise erase all traces or wipe the whole disk (e.g. Shamoon malware)

Major Challenge: Where Do You Enforce Security?
[Figure: Internet threats (malware, C2/botnets, phishing) reaching the perimeter (NGFW, NetFlow, proxy, sandbox, AV, router/UTM) and endpoints (AV)]

Challenges
• Too many alerts via appliances & AV
• Wait until payloads reach the target
• Too much time to deploy everywhere

DNS: Major Security Blind Spot
• 91.3% of malware uses DNS
• 68% of organizations don't monitor it

OpenDNS Security

DNS Is the Fastest Way to Establish Security Everywhere
[Figure: IOCs; VPN on/off; DNS]
DNS is the Internet's control plane.

Where Do You Enforce Security?
[Figure: first layer: DNS; mid layer: perimeter (NGFW, NetFlow, proxy, sandbox, AV, router/UTM); last layer: endpoint AV]
You gain:
• Reduced alerts to improve your SIEM
• Traffic & payloads never reach the target
• Quick provisioning

You Know One IOC; OpenDNS Knows All Its Relationships
• Your local intelligence + global context

Leverage a Single Global Recursive DNS Service
Who resolves your DNS requests?
Challenges / Benefits
• Multiple Internet service providers / Global Internet activity visibility
• Home users, mobile devices (mobile carriers), direct-to-Internet branch offices / Network security w/o adding latency
• Users forget to always turn VPN on / Consistent policy enforcement
• Different DNS log formats / Internet-wide cloud app visibility
[Figure: roaming laptops, enterprise locations A/B/C (internal Infoblox appliance, internal Windows DNS server, internal BIND server) and remote sites, each resolving through a different ISP; authoritative DNS for intranet domains stays internal, recursive DNS for Internet domains goes to the global service]

Security Built into the Internet Fabric

See where attacks are staged

Deeper View

How Stuff Works: Intelligent Proxy
• Internet locations: connections are only made to safe Internet locations by modifying the original destination
• Security controls: DNS provides Internet-wide enforcement, then the proxy provides deep inspection at URL level
• Powered by the Security Graph, distributed in the global network
• Network traffic: on- and off-network devices send requests to our resolvers, then connections are implicitly enforced
• Step 1: DNS request. Three (3) possible IP responses per domain query: ✓ the original destination, ✕ the block page, or ? a modified destination (the proxy, which inspects the content)
• Step 2: TCP/IP connection. Three (3) possible routes per connection: direct to the original destination, to the block page, or through the proxy

Security Classification
• Ingest: millions of data points per second
• Apply: statistical models and human intelligence
• Identify: probable malicious sites (domains, IPs, URLs)

The Power Behind This: Security Graph
• Live & historical DNS
• Live Internet routes (BGP)
• Partner feeds
• Predictive intelligence

How Security Labs Develops Models: Method 1 (Data Driven)
1. Analyze DNS logs and apply data mining techniques
2. Identify patterns and abnormalities
3. Write logic and create a model
4. Tune by feeding more data and analyzing output

Example: C-Rank Model (Domain Co-Occurrences)
Other domains looked up in rapid succession of a given domain uncover related domains that could be associated with an attack.
1. Analyzed raw DNS log files
2. Applied visualization/data mining techniques; identified patterns
3. Wrote logic and created a model
4. Trained and tuned the model

How Security Labs Develops Models: Method 2 (Attack/Incident Driven)
1. Start with a list of domains related to a specific attack
2. Check our data and extract relevant information
3. Write logic and create a model
4. Tune by feeding more data and analyzing output

NLPRank Model (Natural Language Processing)
Identifies malicious domain squatting and targeted C2 or phishing domains.
1. Read APT reports
2. Patterns in domains used in attacks
3. Checked data & confirmed intuition
4. Built model and continue to tune
Observations:
• Domain spoofing used to obfuscate
• Often saw brand names and terms like "update" (examples: update-java[.]net, adobe-update[.]net)
• Dictionary words & company names merged
• Changed a small number of characters to obfuscate
• Domains hosted on ASNs unassociated with the company
• Different webpage fingerprints
Detects fraudulent brand domains: 1inkedin.net vs. linkedin.com

Anomaly Detection: Live DGA Detection
"N-gram" analysis:
• Do letter pairings match normal language patterns?
• Does the probability distribution of letters appear random?
Examples: yfrscsddkkdl.com, qgmcgoqeasgommee.org, iyyxtyxdeypk.com, diiqngijkpop.ru

Reputation Analysis
SecureRank score
• Infected hosts often connect to known bad sites
• Domains requested primarily by infected hosts are most likely malicious
IP/subnet/ASN reputation
• Malicious hosts are often found in the same areas
• Flags "sketchy" neighborhoods based on the number of malicious sites hosted there

Determining a Malicious Domain
Based on aggregation of output from multiple models:
• Traffic patterns
• Check hosting infrastructure: determine it's a fast-flux domain (hosted by hundreds of different IPs across 28+ countries, low TTL)
• Compromised domain model: determine it's an exploit kit domain (users are redirected to this domain from another compromised site)
• Co-occurrences
• DGA detection

OpenDNS Statistical Models
Co-Occurrences
• Identifies other domains looked up in rapid succession of a given domain
• Correlations uncover other domains related to an attack
NLPRank Model (Natural Language Processing)
• Detects domain names that spoof brand and tech terms in real time
Spike Rank (Sprank)
• Detects domains with sudden spikes in traffic
• Finds domains involved in active attacks
Predictive IP Space Monitoring
• Analyzes how servers are hosted to detect future malicious domains
• Identifies steps that precede malicious activity
And many other models…
Early & accurate predictions & classifications
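A small illustration of the co-occurrence idea behind the C-Rank model above, added here and not OpenDNS code: given resolver log lines and a seed domain already known to be bad, find the domains the same clients looked up within a short window afterwards and rank them by how many distinct clients show the pairing. The log format, the 60-second window and the sample lines are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta
# Constructed resolver log: "<ISO timestamp> <client IP> <queried domain>".
SAMPLE_LOG = """\
2016-07-01T10:00:00 10.0.0.5 news.example.com
2016-07-01T10:00:01 10.0.0.5 cdn.example.net
2016-07-01T10:00:02 10.0.0.5 bad-seed.example.org
2016-07-01T10:00:03 10.0.0.5 payload-host.example.org
2016-07-01T10:00:04 10.0.0.5 c2-check.example.org
2016-07-01T11:00:00 10.0.0.9 bad-seed.example.org
2016-07-01T11:00:01 10.0.0.9 payload-host.example.org
2016-07-01T11:00:02 10.0.0.9 weather.example.com
2016-07-01T11:30:00 10.0.0.9 cdn.example.net
2016-07-01T12:00:00 10.0.0.7 bad-seed.example.org
2016-07-01T12:00:02 10.0.0.7 payload-host.example.org
2016-07-01T12:00:03 10.0.0.7 c2-check.example.org
"""

def parse_log(text):
    """Parse log lines into (timestamp, client, domain) tuples."""
    rows = []
    for line in text.splitlines():
        ts, client, domain = line.split()
        rows.append((datetime.fromisoformat(ts), client, domain))
    return rows

def co_occurrences(rows, seed, window=timedelta(seconds=60)):
    """Rank domains looked up within `window` after `seed` by the number of
    distinct clients showing the pairing, so one noisy client cannot dominate."""
    by_client = {}
    for ts, client, domain in rows:
        by_client.setdefault(client, []).append((ts, domain))
    clients_per_domain = {}
    for client, events in by_client.items():
        events.sort()
        for i, (ts, domain) in enumerate(events):
            if domain != seed:
                continue
            for later_ts, other in events[i + 1:]:
                if later_ts - ts > window:
                    break  # events are time-ordered, nothing later can qualify
                if other != seed:
                    clients_per_domain.setdefault(other, set()).add(client)
    ranked = Counter({d: len(c) for d, c in clients_per_domain.items()})
    return ranked.most_common()

if __name__ == "__main__":
    for domain, n in co_occurrences(parse_log(SAMPLE_LOG), "bad-seed.example.org"):
        print(f"{domain}: seen after the seed on {n} client(s)")
```

The lookup 30 minutes later on 10.0.0.9 falls outside the window, so a popular CDN is not dragged in merely because the same client visited it that day.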
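An added example (not the NLPRank model itself) of the lexical checks the NLPRank observations above suggest: a brand token merged with a lure term such as "update", a digit-for-letter substitution like 1inkedin, or a label one edit away from a brand. The brand list, lure-term list, substitution table and allowlist are assumptions.

```python
import re

# Assumed watch lists; a real deployment would use the organisation's own.
BRANDS = ("adobe", "java", "linkedin", "paypal")
LURE_TERMS = {"update", "login", "secure", "support"}
ALLOWLIST = {"adobe.com", "java.com", "linkedin.com", "paypal.com"}
# Digits commonly substituted for look-alike letters (assumed table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})

def defang_to_domain(value):
    """Turn a defanged indicator such as adobe-update[.]net into a plain domain."""
    return value.lower().replace("[.]", ".").strip(".")

def edit_distance(a, b):
    """Levenshtein distance, to catch labels that change only one character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(value):
    """Return the reasons a domain looks like a brand spoof ([] if none).
    Only the label left of the TLD is examined; public-suffix handling
    (e.g. .co.uk) is deliberately omitted in this illustration."""
    domain = defang_to_domain(value)
    if domain in ALLOWLIST:
        return []
    labels = domain.split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]
    reasons = []
    tokens = re.split(r"[-_]", label)
    if any(t in BRANDS for t in tokens) and any(t in LURE_TERMS for t in tokens):
        reasons.append("brand merged with lure term")
    if label in BRANDS:
        reasons.append(f"{label} registered outside known domains")
    normalized = label.translate(HOMOGLYPHS)
    for brand in BRANDS:
        if normalized == brand and label != brand:
            reasons.append(f"homoglyph spoof of {brand}")
        elif label != brand and edit_distance(label, brand) == 1:
            reasons.append(f"one edit away from {brand}")
    return reasons
```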
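An added example, not OpenDNS's DGA detector, of the n-gram question on the DGA slide: learn letter-pair frequencies from an assumed list of benign labels, then score a label by the mean log-probability of its pairs and flag it below an assumed threshold; the letter-entropy helper covers the slide's second question.

```python
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
# Assumed benign labels to learn "normal" letter pairings from; a real
# deployment trains on a far larger corpus of known-good domains.
BENIGN_LABELS = """google facebook microsoft amazon wikipedia youtube twitter
linkedin apple netflix instagram reddit github stackoverflow yahoo dropbox
adobe oracle mozilla cloudflare salesforce paypal spotify wordpress update
login secure support mail news weather shop store bank cloud office online
account service download""".split()

def train_bigrams(labels):
    """Count letter pairs and, per first letter, how many pairs start with it."""
    pairs, firsts = Counter(), Counter()
    for label in labels:
        for a, b in zip(label, label[1:]):
            pairs[a + b] += 1
            firsts[a] += 1
    return pairs, firsts

PAIRS, FIRSTS = train_bigrams(BENIGN_LABELS)

def bigram_score(label):
    """Mean log2 probability of the label's letter pairs under the benign
    model, with add-one smoothing so unseen pairs are penalised, not zeroed."""
    label = "".join(c for c in label.lower() if c in ALPHABET)
    if len(label) < 2:
        return 0.0
    logps = [math.log2((PAIRS[a + b] + 1) / (FIRSTS[a] + len(ALPHABET)))
             for a, b in zip(label, label[1:])]
    return sum(logps) / len(logps)

def letter_entropy(label):
    """Shannon entropy (bits) of the letter distribution: the slide's second
    question, whether the letters look randomly distributed."""
    counts = Counter(label.lower())
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def looks_generated(domain, threshold=-4.5):
    """Flag the label left of the TLD when its pairings are unusually
    improbable for natural language. The threshold is an assumed tuning."""
    labels = domain.split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]
    return bigram_score(label) < threshold
```

With a training list this small, an uncommon but legitimate word can land near the threshold, which is why a production model trains on far more known-good data and is combined with the other models on the slide rather than used alone.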
Wrap-Up

Key to OpenDNS Protection
• Global network using recursive DNS: just point DNS from your network devices, our virtual appliance, or our roaming client to our global network (xyz.com → DNS → 1.2.3.4)
• Predictive intelligence using statistical models: observes relationships in global DNS requests & BGP routes to discover where attacks are staged
• Off-network security using a lightweight agent: does not scan the system or run in kernel space, so it will not crash, hog memory, or pester the end user

Top Use Cases to Add DNS Security to Your Security Stack
• Off-network security: 50% of PCs are already mobile (1)
• Secure direct-to-net offices: 70% of offices already go direct (2)
• New layer of predictive security: 70-90% of malware is unique to each org (3)
• Speed up incident response: only 4% of alerts are investigated per week; mean time to contain threats is 26-39 hours (4)
• Automate enforcement & visibility
Sources: (1) Gartner, (2) Forrester, (3) Verizon, (4) Ponemon

What We've Covered
• Need for extending security beyond current perimeters: ransomware/malware impact; need to go beyond
• Deeper view on OpenDNS: how it works, OpenDNS architecture, use cases

Thank You – Questions?