DNS infrastructure provides ubiquitous visibility into networks and is a critical point for security enforcement. It can be leveraged for malware detection, threat hunting, and distributing security policies. DNS data combined with DHCP data provides important network context for tasks like event correlation, incident response, and investigating threat actors. DNS is also a frequent target for attacks like DDoS and data exfiltration, making DNS security important for service availability. The document argues that DNS should be viewed as a strategic security asset rather than just a network liability.
From security liability to asset: how DNS can strengthen your security posture
1. From security liability to asset: the role DNS should be playing in your security architecture and operations
2. DNS Infrastructure – Ubiquitous Observation and Control Point of the Infrastructure
• Ubiquitous visibility for malware detection and threat hunting
• Internet-scale enforcement point with a simple inbuilt threat distribution mechanism
• Provides rich network data and device inventory information
• Provides business context for prioritization
• Critical in its own right as an essential network service
3. DNS: The Ubiquitous Visibility and Enforcement Point
(Architecture diagram.) At the centre is the Infoblox Grid: grid members running DNS/DHCP with ActiveTrust and Network Insight, with device discovery against the network infrastructure (switches, routers, firewalls etc.) and coverage of public and private cloud IaaS. DNS-related threat intelligence comes from Infoblox ActiveTrust TIDE and from external threat feeds. The Grid provides threat data feeds for use in the ecosystem, and network and security events with context, including user information. Ecosystem components shown: perimeter security (F/W, IDS/IPS etc.), network automation and visibility, threat intel platforms, firewall, SIEM, vulnerability scanner, NAC, endpoint security, APT/malware detection. Also shown: internal clients and Advanced DNS Protection.
4. APT/malware uses DNS at every stage
Motion of Malware through Networks: “PIE” (diagram: each stage passes through the DNS server)
• Penetration – query malicious domains and report to C&C
• Infection – download malware to the infected host
• Exfiltration – transport the data offsite
5. ActiveTrust with Infoblox DNS Firewall
(Diagram: Infoblox with DNS Firewall sits between the intranet and the internet; malware/APT on the intranet, malicious domains on the internet, ActiveTrust policy data, and a third-party ecosystem connected through APIs.)
• Scalable threat distribution using a standards-based mechanism (Response Policy Zones)
• Leverages existing infrastructure
• Access to contextual data for visibility and remediation (IP, host, username mapping)
• Extensive APIs for integration into existing security infrastructure
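The Response Policy Zone mechanism the slide refers to is an ordinary DNS zone whose records encode policy. The following added example (not Infoblox code) builds a BIND-style RPZ zone from a constructed threat feed; the zone name rpz.corp.example, the nameserver ns1.corp.example and the walled-garden address are assumptions.

```python
"""Build a BIND-style Response Policy Zone (RPZ) from a threat feed.
Added example; the zone/nameserver names and feed format are assumptions."""
import re

# RPZ QNAME-trigger actions are expressed as the CNAME target of the record.
ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata":   "CNAME *.",             # answer NODATA (empty answer)
    "drop":     "CNAME rpz-drop.",      # drop the query, send no response
    "passthru": "CNAME rpz-passthru.",  # allowlist: exempt from the policy
}
# One or more labels of [a-z0-9-], no leading/trailing hyphen, at least two labels.
_VALID = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")


def rpz_records(entries, walled_garden="10.10.10.10"):
    """Return RPZ resource records; malformed feed names are skipped, not blocked."""
    records = []
    for domain, action in entries:
        name = domain.strip().rstrip(".").lower()
        if not _VALID.match(name):
            continue  # a bad feed line must not stop the whole zone from loading
        if action == "redirect":        # local data: answer with a walled-garden IP
            rdata = f"A {walled_garden}"
        else:
            rdata = ACTIONS[action]
        records.append(f"{name} {rdata}")
        if action != "passthru":        # block subdomains too; passthru stays exact,
            records.append(f"*.{name} {rdata}")  # and an exact name beats a wildcard
    return records


def build_rpz_zone(entries, serial, zone="rpz.corp.example", ns="ns1.corp.example"):
    """Assemble a loadable zone file. The serial must increase on every feed
    update, otherwise secondaries (grid members) never pull the new policy."""
    header = [
        "$TTL 60",
        f"@ SOA {ns}. hostmaster.{zone}. {serial} 3600 600 604800 60",
        f"@ NS {ns}.",
    ]
    return "\n".join(header + rpz_records(entries)) + "\n"


if __name__ == "__main__":
    feed = [("evil.test", "nxdomain"), ("c2.evil.test", "drop"),
            ("partner.test", "passthru"), ("bad host.test", "nxdomain")]
    print(build_rpz_zone(feed, serial=2016110101))
```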
6.
• Uses DNS as a covert communication channel to bypass firewalls
• Attacker tunnels other protocols like SSH or web within DNS
• Enables attackers to easily insert malware, pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
Examples: Exfiltrating Data via DNS Tunneling (diagram: a client-side tunnel program inside the enterprise encodes IP traffic/data into DNS queries, which the DNS server forwards to the internet)
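Because a tunnel must carry its payload in the query names, it leaves a statistical footprint in resolver logs. The added example below (not from the deck) scores each registered domain on the number, length and character entropy of its subdomains; the log format, the sample lines and the thresholds are constructed for illustration, and the registered domain is approximated as the last two labels (a real deployment would use the Public Suffix List).

```python
"""Flag domains whose query pattern looks like DNS tunneling (added example)."""
import math
from collections import defaultdict

# Constructed sample log: ordinary corporate traffic plus a tunnel-like burst.
SAMPLE_LOG = """\
2016-11-01T09:00:01 10.0.0.5 www.corp.example A
2016-11-01T09:00:02 10.0.0.5 mail.corp.example A
2016-11-01T09:00:03 10.0.0.5 intranet.corp.example A
2016-11-01T09:00:04 10.0.0.7 nbswy3dpfqqgk3dlmfwwk3tfeb2gqzj.t.exfil.test TXT
2016-11-01T09:00:04 10.0.0.7 mfrgg2lomvrxeidtmfwgk4dmmfzxi3q.t.exfil.test TXT
2016-11-01T09:00:05 10.0.0.7 ovzxezlscmzxi2lomq4gk3dmn5xc4ltd.t.exfil.test TXT
2016-11-01T09:00:05 10.0.0.7 q2lcmvrgs5lmmfzw63tqhfxa2ltonv2w.t.exfil.test TXT
2016-11-01T09:00:06 10.0.0.7 kbswy3dpfqqhi2djnzxw4zjnn5rxsmbq.t.exfil.test TXT
"""


def registered_domain(qname):
    """Naive split into (registered domain, subdomain part); assumes two-label TLD+SLD."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text):
    """Bits per character; encoded payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_domains(log_text):
    subs, bulky, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        _, _, qname, qtype = line.split()
        domain, sub = registered_domain(qname)
        total[domain] += 1
        if sub:
            subs[domain].add(sub)
        if qtype in ("TXT", "NULL"):   # record types tunnels favour for bulk data
            bulky[domain] += 1
    return {d: {"unique_subdomains": len(s),
                "avg_subdomain_len": sum(map(len, s)) / len(s),
                "entropy": round(shannon_entropy("".join(s)), 2),
                "txt_ratio": round(bulky[d] / total[d], 2)} for d, s in subs.items()}


def flag_tunnels(metrics, min_unique=3, min_len=20.0, min_entropy=3.5):
    """All three conditions must hold, so short CDN-style names are not flagged."""
    return sorted(d for d, m in metrics.items() if m["unique_subdomains"] >= min_unique
                  and m["avg_subdomain_len"] >= min_len and m["entropy"] >= min_entropy)
```

Thresholds are a starting point only; tune them per environment and treat a hit as a lead for the DNS/DHCP correlation on the next slide, not as a verdict.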
7. DNS, DHCP for Threat Investigation and Hunting
Event Correlation (DHCP)
– How can you correlate events for a single device if the IP address changes?
– DHCP is critical for identifying which events in your SIEM relate to a given device under investigation
Incident Response/Scope of Breach (DNS)
– How do you evaluate the scope of a breach if you don’t know what the compromised host has accessed?
– DNS provides an audit trail of all the internal and external resources that the host has tried to discover
Threat Actor Investigation
– How do you know what your adversary is doing?
– DNS domain registration data allows you to map out their infrastructure
– Commercially sourced passive DNS data identifies which of the infrastructure is currently active
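The first two points on this slide come down to one join: the DHCP lease that held a client IP at the moment each DNS query was logged. The added example below (not from the deck) performs that join over a constructed lease history and resolver log, so that queries from a reused address are attributed to the right device and queries with no covering lease are reported as unattributed; the record formats are assumptions.

```python
"""Attribute DNS queries to devices via DHCP lease history (added example)."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed lease history (start, end, ip, mac, hostname): 10.0.0.5 is reused.
LEASES = [
    ("2016-11-01T08:00:00", "2016-11-01T10:00:00", "10.0.0.5", "aa:bb:cc:00:00:01", "laptop-alice"),
    ("2016-11-01T10:30:00", "2016-11-01T12:30:00", "10.0.0.5", "aa:bb:cc:00:00:02", "laptop-bob"),
    ("2016-11-01T08:00:00", "2016-11-01T20:00:00", "10.0.0.9", "aa:bb:cc:00:00:03", "printer-3"),
]
# Constructed resolver log: "timestamp client qname qtype".
DNS_LOG = """\
2016-11-01T09:15:00 10.0.0.5 update.corp.example A
2016-11-01T10:10:00 10.0.0.5 orphan.test A
2016-11-01T11:05:00 10.0.0.5 bad-domain.test A
2016-11-01T09:20:00 10.0.0.9 cups.corp.example A
"""


def build_lease_index(leases):
    """Per IP, a list of (start, end, mac, hostname) sorted by start time."""
    index = defaultdict(list)
    for start, end, ip, mac, host in leases:
        index[ip].append((datetime.fromisoformat(start), datetime.fromisoformat(end), mac, host))
    return {ip: sorted(v) for ip, v in index.items()}


def device_at(index, ip, when):
    """(mac, hostname) holding `ip` at `when` (ISO string or datetime), else None."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    leases = index.get(ip, [])
    i = bisect_right([l[0] for l in leases], when) - 1   # last lease starting <= when
    if i >= 0 and when < leases[i][1]:                   # still within its end time
        return leases[i][2], leases[i][3]
    return None   # gap between leases, or an IP DHCP never handed out


def attribute_queries(log_text, index):
    rows = []
    for line in log_text.splitlines():
        ts, client, qname, qtype = line.split()
        dev = device_at(index, client, ts)
        rows.append({"time": ts, "ip": client, "qname": qname, "qtype": qtype,
                     "mac": dev[0] if dev else None, "host": dev[1] if dev else None})
    return rows


def queries_for_device(rows, mac):
    """The DNS audit trail for one device, regardless of which IPs it held."""
    return [r["qname"] for r in rows if r["mac"] == mac]
```

Unattributed rows (a query logged while no lease covered the address) usually mean a static address, a clock skew between the DHCP and DNS servers, or a lease log gap, and are worth investigating in their own right.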
9. DNS: The DDoS Sweet Spot
DNS attacks: Amplification/Reflection | Floods | Exploits | Protocol Anomalies | Reconnaissance | Hijacking | NXDOMAIN
78%    of reflection/amplification attacks use DNS (1)
84%    DNS: the most common application-layer attack (1)
>$500  per-minute cost of downtime due to a DDoS attack (2)
$1.5M  average cost per year to deal with DNS attacks (2)
1. Arbor WISR 2016 Report  2. Ponemon Institute Study – The Cost of Denial-of-Service Attacks, March 2016
Your network is down!! DDoS attacks can significantly affect service and application availability. Recovery is often complex and labor intensive.
10. Collateral Damage: Lessons learned from the Dyn Attack
An architectural approach to DNS-based DDoS mitigation (diagram labels: DNS hosting provider; two malware sources)
              ns1.provider   ns2.provider   ns1.corp   ns2.corp
Normal RTT    17 ms          12 ms          53 ms      61 ms
Duress RTT    999 ms         911 ms         53 ms      61 ms
11. Summary
• DNS infrastructure is a ubiquitous visibility and enforcement point
  – You have to have it anyway!
  – You’re probably not using it
• DHCP and DNS data are essential contextual data for
  – Event correlation
  – Incident response
  – Adversary assessment
• DNS is the critical common denominator for service availability
  – No DNS, no network
12. Get in touch…
Craig Sanderson, Vice President, Product Management
csanderson@infoblox.com
Except where otherwise noted, this work is licensed under CC-BY.