Improving Network Security with IP &DNS Reputation Services
This is a presentation discussed in the whitehat 'People' local meet. This presentation details the importance of IP & DNS Reputation and Product Provisioning for IP & DNS Reputation in improving an organization's network security
  1. Importance of Product Provisioning in improving Network Security
     Sandeep
     Discussed at WHP Local Meet
     Reference: Improved network security with IP & DNS Reputation Services, a business white paper by HP TippingPoint Solutions

  2. Current Network Security Threats
     • Smart work is required by security professionals to stay ahead of malicious attacks
     • Motivated hackers use botnets and other resources for attacks
     • Low risk of being caught and prosecuted
     info@whitehatpeople.com

  3. Categories of Cyber Threats
     Network traffic is divided into three parts:
     • Good traffic: trusted traffic that should pass through the network, unimpeded and uninspected
     • Bad traffic: traffic that should be blocked proactively before it can attempt to compromise the network
     • Ugly traffic: untrusted traffic that requires deep packet inspection to determine if it is "good" (legitimate) or "bad" (malicious)

  4. "Bad" Devices
     Bad devices can be identified by their IP and DNS addresses, and the traffic they spew can be blocked. These devices are used as:
     Botnet Command and Control (CnC) sites:
     • 5,000 to 6,000 botnet command and control sites worldwide
     • Botnet CnC servers are constantly moving to evade detection and blocking efforts by security and network personnel
     • Techniques used by botnet masters to avoid being discovered are as follows:
       - Use of IRC, P2P and HTTP traffic allows them to bypass traditional firewalls and some IPS security measures
       - Use of dynamic algorithms to select CnC servers, which cannot be blocked using firewall ACLs
       - Use of both DNS and IP addresses for identifying CnC servers
     • Identifying botnet CnC servers requires detailed botnet analysis and frequent updating of CnC lists
     Malware depots:
     • 2,500 to 50,000 devices acting as malware depots or hosting malicious content are discovered daily worldwide

  5. "Bad" Devices (contd.)
     Malware depots: two types
     • Websites designed to lure victims and then infect their devices
     • Websites of legitimate businesses that are compromised because they haven't been properly secured
     Depots are used as malware drop sites and for hosting malware software updates; the lookup mechanism is always a DNS address.
     Malware depot identification process:
     • Monitoring for malware downloads and tracking their origin
     • Evaluating data hosting sites worldwide

  6. "Bad" Devices (contd.)
     Phishing sites:
     • 50,000 or more new phishing sites are introduced to the Internet monthly
     Two types of phishing sites:
     • Purpose-built sites
     • Sites that appear to be part of a known credible business

  7. "Bad" Devices (contd.)
     Compromised hosts: most commonly compromised by bot malware
     • Stay under the control of a remote botnet master through botnet CnC sites
     • A compromised host can be used by the botnet master to conduct a variety of malicious attacks:
       - Spreading malware
       - Compromising additional hosts to create more botnet devices
       - Performing reconnaissance scans
       - Providing access to local networks for further compromise
       - Conducting Distributed Denial of Service (DDoS) attacks
       - Conducting email spam or phishing campaigns
       - Conducting online click-fraud scams

  8. Device Reputation: A Critical First Step
     • Determine if a device is "behaving badly"
     • Block access to and from devices that have a known bad reputation
     • A reputation database is needed with significant metadata on each of these badly behaving devices, identified through IPv4 or IPv6 addresses or DNS names
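As an added example (not code from the deck or from HP TippingPoint), the good/bad/ugly triage of the Categories of Cyber Threats slide applied with the reputation database the Device Reputation slide calls for: entries keyed by canonical IPv4/IPv6 address or DNS name carry a score, a category and a last-confirmed time, and a flow is blocked if either endpoint is bad. The database contents, allowlist, block threshold and maximum entry age are constructed assumptions; entries older than the maximum age fall back to inspection rather than blocking, since the deck notes that CnC servers move constantly.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed "current" time so the example is deterministic.
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)

# Constructed reputation database: identifier -> score (0-100, higher is worse),
# category of bad behaviour, and when the research team last confirmed the entry.
REPUTATION_DB = {
    "198.51.100.7":         {"score": 95, "category": "botnet CnC",       "updated": NOW - timedelta(hours=2)},
    "2001:db8::bad":        {"score": 90, "category": "malware depot",    "updated": NOW - timedelta(days=1)},
    "login-update.example": {"score": 85, "category": "phishing site",    "updated": NOW - timedelta(hours=6)},
    "203.0.113.9":          {"score": 40, "category": "compromised host", "updated": NOW - timedelta(days=20)},
}
TRUSTED = {"192.0.2.10", "mail.example"}   # constructed allowlist: "good" traffic
BLOCK_THRESHOLD = 80                        # assumed score at which traffic is blocked
MAX_AGE = timedelta(days=7)                 # assumed age after which an entry is unconfirmed


def normalize(identifier):
    """Canonicalise IPv4/IPv6 addresses and DNS names so lookups match the DB keys."""
    try:
        return str(ipaddress.ip_address(identifier))   # e.g. 2001:0db8::BAD -> 2001:db8::bad
    except ValueError:
        return identifier.rstrip(".").lower()          # DNS name: drop trailing dot, lower-case


def classify(identifier, now=NOW):
    """Return ('good' | 'bad' | 'ugly', reason) for one endpoint of a flow."""
    key = normalize(identifier)
    if key in TRUSTED:
        return "good", "trusted: pass uninspected"
    entry = REPUTATION_DB.get(key)
    if entry is None:
        return "ugly", "unknown device: send to deep packet inspection"
    if now - entry["updated"] > MAX_AGE:
        # Stale intelligence: the device may have moved or been cleaned, so inspect instead of block.
        return "ugly", f"stale {entry['category']} entry: inspect, do not block"
    if entry["score"] >= BLOCK_THRESHOLD:
        return "bad", f"{entry['category']} (score {entry['score']}): block"
    return "ugly", f"{entry['category']} (score {entry['score']}): inspect"


def triage_flow(src, dst, now=NOW):
    """Worst verdict of both endpoints: blocks traffic both to and from bad devices."""
    verdicts = [classify(src, now), classify(dst, now)]
    for rank in ("bad", "ugly", "good"):
        for verdict, reason in verdicts:
            if verdict == rank:
                return verdict, reason
```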
  9. Device Reputation: A Critical First Step (contd.)
     A security research team that can:
     • Collect large amounts of device data
     • Correlate these large data sets
     • Validate the results of the data sets
     • Provide frequent database updates
     • Assign a reputation score

  10. Device Reputation: A Critical First Step (contd.)
     The research team must:
     • Collect real-time attack events with very detailed attack data from a large worldwide community of sensors
     • Analyze web traffic and crawl websites of interest to collect data on sites hosting malicious content or scams
     • Conduct careful malware analysis to identify botnet CnC sites, and botnet and malware drop sites
     • Analyze attacks and scams to identify the devices that are participating in or conducting the attacks

  11. Conclusion
     Note: The most important component in building a strong reputation service is the depth of the database. Database quality depends heavily on the size, scope and distribution of the attack collection sites, and on the quality and depth of the collected attack data.
     Recommendation: HP TippingPoint IP & DNS Reputation Services by HP
     Reference: Improved network security with IP and DNS reputation, business white paper by HP TippingPoint Solutions

  12. About whitehat 'People'
     whitehat 'People' is an 'open consortium' of national intellects dedicated to security as the sole intent; trained and specialized in the conception of solutions in all areas of our technical consulting services. whitehat 'People' produces white papers for the industry, presents at symposiums, technology and business conferences nationwide, and provides "thought leadership" for next generation technologies which are currently being deployed in a rapidly changing and fluid market place. The members include security researchers and consultants who are up-to-date with developments in technology from hardware and software vendors to ensure they are leading, and not following, the market.
     whitehat 'People' adheres to the following ideals:
     1. "Help government and industry maximize the value of information security in information technology."
     2. "Deliver leading-edge information technology and services, support, training and education."
     3. "Function as a strategic arm for the clients by leveraging new concepts to support strategic goals and conceptual plans."
     info@whitehatpeople.com