Fernando Zamai – fzamai@cisco.com
Security Consulting
Aug, 2016
It can be your attack vector.
Is your DNS protected?
Anatomy of an attack (slide diagram): the attacker outside the perimeter (inbound) reaches into the enterprise network, and data leaves across the perimeter (outbound).
1. Research targets
2. Spear phishing (you@acme.com)
3. Victim clicks the link unwittingly: https://welcome.to.jangle.com/exploit.php
4. Bot installed, back door established, and the bot receives commands from the C2 server
5. Scan the LAN for vulnerable hosts to exploit and find privileged users
6. Privileged account found (Admin Node)
7. Data exfiltrated
8. System compromised and data breached
Hacked Mail Server – acme.com
Hacked Web Server – jangle.com
Main vectors: vulnerabilities, exploits, malware
Evolution of Command & Control Callbacks (slide diagram)
- Hard-coded IP: the bot calls back directly to @23.4.24.1
- "Fast flux": bad.com? resolves in turn to @23.4.24.1, @34.4.2.110, @23.4.34.55, @44.6.11.8, @129.3.6.3
- Domain generation algorithm: the bot tries generated names (bad.com?, baa.ru?, bid.cn) that resolve to @34.4.2.110, @8.2.130.3, @12.3.2.1, @67.44.21.1
DNS Tunnel (slide diagram)
The client encodes its data as a bit stream (10011001 11100010 11010100 10010010 01001000) inside the query name and sends it to the DNS server for bad.net:
  DNS Query:  alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net
  DNS Answer: alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net = 2.100.4.30
The answer is decoded back into the bit stream (10011001 11100010 11010100 10010010 01001000) on the receiving side.
Reference: http://blog.talosintel.com/2016/06/detecting-dns-data-exfiltration.html
Authoritative DNS hierarchy: root → com. → cisco.com.
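The two slides above (the C2 callback evolution and the DNS tunnel) are diagrams without any detection logic. The Python script below is an added example, not Cisco/OpenDNS code and not taken from the Talos post, showing how a defender can score resolver or passive-DNS records for the three DNS-visible callback styles: fast flux (one name rotating through many IPs with short TTLs), DGA (a long, high-entropy registered label) and tunnel-style queries (a long, high-entropy subdomain such as the alknf…bad.net name on the slide). The records, thresholds, TTLs and the DGA-style sample name are constructed; the fast-flux IPs and the tunnel query name are the values on the slides; the registered-domain split is a naive last-two-labels assumption rather than a public-suffix list. A hard-coded C2 IP (the first stage on the slide) never produces a DNS query, so DNS-layer heuristics cannot see it.

```python
"""Heuristic DNS-log scoring for the C2 callback styles on the slides.

Added example, not Cisco/OpenDNS code. The records, thresholds and the
DGA-style sample name are constructed for illustration; the fast-flux
IPs and the tunnel query name are the values shown on the slides.
"""
import math
from collections import defaultdict

# Constructed passive-DNS style records: (query name, answer IP, TTL in seconds)
SAMPLE_RECORDS = [
    ("www.acme.com", "203.0.113.10", 3600),
    ("www.acme.com", "203.0.113.10", 3600),
    # fast flux: one name rotating through many IPs with a short TTL (IPs from the slide)
    ("bad.com", "34.4.2.110", 60),
    ("bad.com", "23.4.34.55", 60),
    ("bad.com", "44.6.11.8", 60),
    ("bad.com", "129.3.6.3", 60),
    # DGA style: long, random-looking registered label (constructed name)
    ("xkq7v2mzp9wfh3tq.ru", "8.2.130.3", 300),
    # tunnel style: data encoded in a long subdomain (query name from the slide)
    ("alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net", "2.100.4.30", 1),
]


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered domain) using a naive last-two-labels
    rule. Assumption: a real deployment would use a public-suffix list so
    that names like example.co.uk are split correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def looks_like_dga(qname, min_len=10, min_entropy=3.0):
    """DGA heuristic: the registered label is long and high-entropy.
    Thresholds are constructed starting points, not tuned values."""
    _, registered = split_name(qname)
    label = registered.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def looks_like_tunnel(qname, min_sub_len=30, min_entropy=3.5):
    """Tunnel heuristic: a lot of high-entropy data packed into the
    subdomain, as in the alknf...bad.net query on the slide."""
    subdomain, _ = split_name(qname)
    payload = subdomain.replace(".", "")
    return len(payload) >= min_sub_len and shannon_entropy(payload) >= min_entropy


def fast_flux_candidates(records, min_ips=4, max_ttl=300):
    """Fast-flux heuristic: a registered domain seen with many distinct
    answer IPs, all with short TTLs. CDNs behave similarly, so treat hits
    as leads to enrich (ASN, geolocation, WHOIS), not as verdicts."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for qname, ip, ttl in records:
        _, registered = split_name(qname)
        ips[registered].add(ip)
        ttls[registered].append(ttl)
    return sorted(d for d in ips if len(ips[d]) >= min_ips and max(ttls[d]) <= max_ttl)


def classify(records):
    """Map each suspicious name to the sorted list of heuristics it triggered."""
    findings = defaultdict(set)
    for qname, _ip, _ttl in records:
        if looks_like_dga(qname):
            findings[qname].add("dga")
        if looks_like_tunnel(qname):
            findings[qname].add("tunnel")
    for domain in fast_flux_candidates(records):
        findings[domain].add("fast-flux")
    return {name: sorted(tags) for name, tags in findings.items()}


if __name__ == "__main__":
    for name, tags in classify(SAMPLE_RECORDS).items():
        print(f"{name}: {', '.join(tags)}")
```

Run stand-alone, the script reports bad.com as fast-flux, the constructed .ru name as DGA-like and the slide's long bad.net query as tunnel-like, while www.acme.com passes. Entropy and length alone are noisy in production (CDN hostnames, legitimate long labels such as anti-spam or certificate-validation lookups), which is why the slide pairs anomaly detection with WHOIS, ASN, geolocation and passive-DNS context before a verdict.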
Where Do You Enforce Security? (slide diagram)
- Threats arriving from the Internet: malware, C2/botnets, phishing
- Perimeter enforcement (first and mid layers): router/UTM, sandbox, proxy, NGFW, NetFlow
- Endpoint enforcement (last layer): AV on each endpoint
Challenges
- Too many alerts via appliances & AV
- Wait until payloads reach the target
- Too much time to deploy everywhere
Benefits
- Alerts reduced 2-10x; improves your SIEM
- Traffic & payloads never reach the target
- Provision globally in UNDER 30 MINUTES
What We Observe on the Internet
- Requests per day: 80B
- Countries: 160+
- Daily active users: 65M
- Enterprise customers: 10K
Our Perspective: a diverse set of data
Our View of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, Whois, DNS)
We See Where Attacks Are Staged: using modern data analysis to surface threat activity in unique ways
How Our Security Classification Works (slide diagram)
- Ingest millions of data points per second
- Apply statistical models and human intelligence
- Identify probable malicious sites (example nodes in the diagram: a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)
Products & Technologies
- UMBRELLA (Enforcement): network security service that protects any device, anywhere
- INVESTIGATE (Intelligence): threat intelligence about domains & IPs across the Internet
A New Layer of Breach Protection (UMBRELLA Enforcement)
- Threat prevention: not just threat detection
- Protects on & off network: not limited to devices forwarding traffic through on-prem appliances
- Turn-key & custom API-based integrations: does not require professional services to set up
- Block by domains, IPs & URLs for all ports: not just ports 80/443 or only IPs
- Always up to date: no need for the device to VPN back to an on-prem server for updates
A Single, Correlated Source of Information (INVESTIGATE)
- WHOIS record data
- ASN attribution
- IP geolocation
- IP reputation scores
- Domain reputation scores
- Domain co-occurrences
- Anomaly detection (DGAs, FFNs)
- DNS request patterns / geographic distribution
- Passive DNS database
Investigate (example lookup, slide screenshots)
- ouvidoria@acirpsjriopreto.com.br – ACIRP - Associação Comercial e Empresarial de São José do Rio Preto – http://www.acirpsjriopreto.com.br/
- culturaembrasilia.com – php-code Imprimir.php
- Suspect Behaviour
OpenDNS Works With Everything You Use: future-proof extensibility
- Any network: routers, Wi-Fi, SDN
- Any endpoint: VPN, IoE
- Any technology: firewalls, gateways
Secure APIs, open to everyone:
- Security providers: FireEye, Cisco, Check Point
- Network providers: Meraki, Aruba, Aerohive
- Customers: in-house security systems
How OpenDNS Complements the On-Network Security Stack (slide diagram)
- Endpoint security: block by file, behavior
- Network firewall: block by IP, packet
- Web proxy: block by URL, content
- OpenDNS Umbrella: block by domain/IP, URL
Security Everywhere – Cisco's Strategy: branch, campus, edge, operational technology, cloud, data center, endpoint
Get Started in 30 Seconds…Really
1. Cloud service with a full self-provisioned trial: point DNS traffic from one office, without hardware or software and without network topology or device configuration changes
2. Add off-net coverage & per-device visibility: protect your weakest links and identify which specific devices (or users) are targeted by attacks; self-updating software is required
3. Extend protection & enrich data via APIs: help SOC teams get more value out of existing investments like FireEye, and help incident response teams investigate threats faster