
ACTIONABLE (CORE)NETWORK INTELLIGENCE - Axians · 2016-11-18


Page 1

Paul de Haan

Systems Engineer at Infoblox

Marco Berkhout

Consultant Core Network Services at Axians

ACTIONABLE (CORE)NETWORK INTELLIGENCE

Page 2

[Diagram: Infoblox data fields: Hostname, IP Address, MAC Address, Username, Switch Name, Switch Port, VLAN/VRF, VHost, VSwitch, Cloud, Device Type]

ACTIONABLE NETWORK INTELLIGENCE

• What, When, Where, Who, How, Why

• A Single Source of Truth for network data

• Visibility across Public, Private & Cloud networks

• Rapid Security Incident Response

• Shared intelligence across Ecosystem

• Automated/API Access

Page 3

WHAT WE PROVIDE – COMPLETELY CONNECTED, DYNAMIC NETWORKS

Integrated Database, 360 Degree View of IP Data

Advanced Reporting

Network Task Automation

Infoblox DNS/DHCP

Microsoft DNS/DHCP

Virtual Discovery

Layer 2 and Layer 3 Discovery

Network: Switches/Routers, IP Endpoints

Page 4

INFOBLOX SECURITY STRATEGY

Security Integration & Active Ecosystem

• Our unique position in the network creates a rich data source to be shared with customer security systems and architectures

• Infoblox Grid data provides business context that security systems lack and badly need

DNS Security

• DNS is a unique threat vector that deserves a dedicated solution

• Infoblox is best positioned to plug this increasingly critical gap

Actionable (Core)Network Intelligence │ 17.11.2016 ● INN STYLE ● MAARSSEN

Page 5

INFOBLOX DATA AND ITS RELEVANCE TO SECURITY

DNS is the first step in almost every activity, good or bad.

DNS query data provides a “client-centric” record of activity

• Includes internal activity inside the security perimeter

• Includes BYOD and IoT devices

• This provides an excellent basis to profile device & user activity

A DHCP assignment signals the insertion of a device onto the network

• Includes context: Device info, MAC, lease history

• DHCP is an audit trail of devices on the network

Fixed IP addresses are typically assigned to important devices:

• Data center servers, network devices, etc.

• IPAM provides “metadata” (additional business context) via EAs: Owner, app, security level, location, ticket number

• And the business importance of the asset determines level of risk!

[Diagram: DNS, IPAM – Security Relevant Data and Context Using Network Infrastructure]

Page 6

OUR SECURITY ECOSYSTEM – WHERE INFOBLOX FITS

[Diagram: ecosystem components shown: IPS/Sandboxing, Firewall]

Page 7

DNS SECURITY CHALLENGES

Defending against DNS DDoS attacks

Stopping APTs/malware from using DNS

Preventing data exfiltration via DNS

Page 8

GOAL #1: ONLY VALID TRAFFIC IS FORWARDED OVER PORT 53

Traffic that passes all the analysis steps is forwarded

[Diagram: DNS Client → Good.com; analysis stages: Reputation, Signature, Behavior; a query flagged as Threat is not forwarded]


Page 9

TARGETING DNS

“Attack To”

Attacks primarily focused on disruption of services by exhausting resources, targeting protocol/platform weaknesses

“Attack Through”

Attacks that leverage ubiquitous access of DNS as a pipeline in & out of the network for data exfiltration, tunneling and malware propagation

Infoblox defends against BOTH categories!


Page 10

DATA EXFILTRATION OVER DNS QUERIES

Infected endpoint gets access to file containing sensitive data

Converts information into encoded format

Text broken into chunks and sent via well-formed DNS queries

Exfiltrated data reconstructed at the other end

[Diagram: Infected endpoint (ENTERPRISE) → DNS server → attacker-controlled server thief.com (C&C) on the INTERNET; arrow labels: Data, C&C commands. Queries shown: NameMarySmith.foo.thief.com, MRN100045429886.foo.thief.com, DOB10191952.foo.thief.com]

Data Exfiltration via host/subdomain. Simplified/unencrypted example:

MarySmith.foo.thief.com

SSN-543112197.foo.thief.com

DOB-04-10-1999.foo.thief.com

MRN100045429886.foo.thief.com

Page 11

DEMONSTRATIONS

Page 12

DNS AS SECURITY DETECTION / PREVENTION

Malware (botnets, crypto software) uses DNS to exchange data.

DNS open to the Internet.

Use of TXT records.

Blocking malware via DNS close to the source: the internal DNS server.

Logging malicious behaviour to SIEM solutions.

Insight into the origin of malicious DNS queries, including the user.
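A defender-side check for the exfiltration pattern described on Page 10 and the SIEM logging with user attribution called for on Page 12, as an added example that is not part of the original deck or of Infoblox's product: it groups resolver query logs per client and base domain, flags groups with many distinct subdomains or unusually long labels, and emits a key=value alert line. The log line format, the thresholds, the base-domain heuristic and the function names are assumptions.

```python
from collections import defaultdict

# Constructed query log ("client_ip user qname"); the thief.com names are the
# slide's own example. A real deployment would parse the resolver's query log.
SAMPLE_LOG = """\
10.1.2.3 msmith www.example.com
10.1.2.3 msmith NameMarySmith.foo.thief.com
10.1.2.3 msmith MRN100045429886.foo.thief.com
10.1.2.3 msmith DOB10191952.foo.thief.com
10.1.2.3 msmith SSN-543112197.foo.thief.com
10.1.2.7 jdoe mail.example.com
10.1.2.7 jdoe cdn.example.org
"""

def base_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption:
    no public-suffix list, so co.uk-style suffixes would need extra handling)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def score_queries(log_text, min_unique=3, min_label_len=12):
    """Group queries by (client, base domain) and flag groups with many distinct
    subdomains or unusually long labels, both traits of data chunks carried in
    query names. Returns a sorted list of alert dicts."""
    groups = defaultdict(lambda: {"subs": set(), "max_label": 0, "users": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the run
        client, user, qname = parts
        qname = qname.lower().rstrip(".")
        dom = base_domain(qname)
        if qname == dom:
            continue  # apex query carries no subdomain payload
        sub = qname[: -(len(dom) + 1)]
        g = groups[(client, dom)]
        g["subs"].add(sub)
        g["max_label"] = max(g["max_label"], max(len(x) for x in sub.split(".")))
        g["users"].add(user)
    alerts = []
    for (client, dom), g in sorted(groups.items()):
        if len(g["subs"]) >= min_unique or g["max_label"] >= min_label_len:
            alerts.append({"client": client, "users": sorted(g["users"]), "domain": dom,
                           "unique_subdomains": len(g["subs"]),
                           "max_label_len": g["max_label"]})
    return alerts

def format_alert(a):  # one key=value line for forwarding to a SIEM
    return (f"dns_exfil_suspect client={a['client']} user={','.join(a['users'])} "
            f"domain={a['domain']} unique_subdomains={a['unique_subdomains']} "
            f"max_label_len={a['max_label_len']}")
```

Tune the thresholds against a baseline of your own resolver logs: CDNs and telemetry domains legitimately produce many distinct subdomains, so the alert is a triage signal, not a verdict.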


Page 13

DNS AS A DATA LEAK

Using DNS to leak DATA

Via internal DNS and/or proxy

Not seen by the IPS, because the behaviour is external


Page 14

Page 15

THANK YOU FOR YOUR ATTENTION