
1 CONFIDENTIAL

James Brown

[email protected]

October 2015

What’s Missing In Your Security Stack?

2 CONFIDENTIAL

Agenda

Our Blind Spots

Your Quickest “WIN”

A Somewhat Real Example

3 CONFIDENTIAL

Last 20 years of security:

Got a problem? Buy a box. (FIREWALL)

4 CONFIDENTIAL

Another problem? Another box! Keep stacking…

Firewall, VPN, email gateway, web proxy, DLP, sandbox, faster router; then a new office, a replacement box, a failover box.

5 CONFIDENTIAL

Firewall, VPN, email security, web security, DLP, persistent-threat appliance, faster router, new office, replacement box, failover…

BUT, your users have left the building…

6 CONFIDENTIAL

AND,

your apps are in the Cloud…

7 CONFIDENTIAL

Attackers are Targeting the Weakest Links

Diagram (example: the DarkHotel attack): off-network users and suppliers, branch office / store / clinic, and HQ. The weakest links are the users and sites outside the well-defended HQ perimeter.

8 CONFIDENTIAL

What are the Most Common Blind Spots?

• INTELLIGENCE on where attacks are staged
• VISIBILITY of requests before connections (the lookup of xyz.com that happens before the connection to 1.2.3.4)
• COVERAGE for off-network Internet traffic

9 CONFIDENTIAL

VISIBILITY: Blind to Requests Before Connections

IP-only intelligence for non-Web connections is prone to error:

• Fast flux: one domain (xyz.com) rotates across many IPs (1.1.1.1, 2.2.2.2, 3.3.3.3, …), so a block on any single IP is stale almost as soon as it is written.
• 3 sites on 1 host: xxx.com, yyy.com and zzz.com all sit on 1.2.3.4, so a block on the IP takes the innocent sites down with the malicious one.

Domain plus IP intelligence for connections over any port & protocol has the best accuracy: the name requested before the connection is the stable indicator, the IP is not.
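The two failure modes above, worked through on a small resolver log. This is an added example, not code from the deck or from OpenDNS; the answer records (timestamp, name, answer IP, TTL) are constructed to reproduce the slide's two cases, and the flux thresholds are assumptions chosen for illustration.

```python
"""Domain-vs-IP view of DNS answers: why IP-only intelligence misfires.

Added example, not from the original deck. The resolver log below is
constructed: (epoch seconds, qname, answer IP, TTL) as a recursive
resolver would record each answer. Thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample: one fast-flux domain, one shared host, one normal site.
ANSWERS = [
    (0,    "xyz.com", "1.1.1.1", 60),
    (60,   "xyz.com", "2.2.2.2", 60),
    (120,  "xyz.com", "3.3.3.3", 60),
    (180,  "xyz.com", "4.4.4.4", 60),
    (240,  "xyz.com", "5.5.5.5", 60),
    (0,    "xxx.com", "1.2.3.4", 3600),
    (0,    "yyy.com", "1.2.3.4", 3600),
    (0,    "zzz.com", "1.2.3.4", 3600),
    (0,    "corp.example", "203.0.113.10", 3600),
    (3600, "corp.example", "203.0.113.10", 3600),
]

FLUX_MIN_IPS = 4      # assumption: distinct IPs seen inside one window
FLUX_MAX_TTL = 300    # assumption: flux networks keep TTLs short
WINDOW = 3600         # assumption: one-hour sliding window


def group_by_domain(answers):
    by_dom = defaultdict(list)
    for ts, name, ip, ttl in answers:
        by_dom[name].append((ts, ip, ttl))
    return by_dom


def fast_flux_domains(answers, window=WINDOW):
    """Domains that cycle through many IPs with short TTLs inside one window."""
    flagged = set()
    for name, recs in group_by_domain(answers).items():
        recs.sort()
        for i, (t0, _, _) in enumerate(recs):
            in_win = [r for r in recs[i:] if r[0] - t0 <= window]
            ips = {ip for _, ip, _ in in_win}
            max_ttl = max(ttl for _, _, ttl in in_win)
            if len(ips) >= FLUX_MIN_IPS and max_ttl <= FLUX_MAX_TTL:
                flagged.add(name)
                break
    return flagged


def collateral_for_ip_block(answers, blocked_ip):
    """Every domain an IP block takes down, not only the one you meant."""
    return sorted({name for _, name, ip, _ in answers if ip == blocked_ip})


def ip_block_coverage(answers, domain, blocked_ips):
    """Fraction of a domain's answers that an IP blocklist would actually stop."""
    ips = [ip for _, name, ip, _ in answers if name == domain]
    hit = sum(1 for ip in ips if ip in blocked_ips)
    return hit / len(ips) if ips else 0.0


if __name__ == "__main__":
    print("fast flux:", fast_flux_domains(ANSWERS))
    print("blocking 1.2.3.4 also blocks:", collateral_for_ip_block(ANSWERS, "1.2.3.4"))
    print("IP block of 1.1.1.1 stops", ip_block_coverage(ANSWERS, "xyz.com", {"1.1.1.1"}), "of xyz.com")
```

Blocking 1.1.1.1 stops one answer in five for xyz.com; blocking 1.2.3.4 removes three sites. Keying the decision on the requested name avoids both problems.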

10 CONFIDENTIAL

COVERAGE: Blind to Off-Network Internet Traffic

On network, each class of Internet traffic has a control in front of it:

• Web traffic: SWG proxy (and in-line?) blocks by URL or content
• All other traffic: NGFW in-line (and proxy?) blocks by IP or app
• Email traffic: email security blocks by sender or content

Off network, email traffic still passes through email security, but web traffic and all other traffic go straight to the Internet with nothing in front of them.

11 CONFIDENTIAL

INTELLIGENCE: Blind to Where Attacks Are Staged

• RECON: Attacker discovers trusted email & website addresses; also probes networks & systems for weaknesses
• STAGE: Attacker builds or acquires payload as well as builds or shares Internet infrastructure
(milestone: TARGET)
• LAUNCH: Attacker sends or spoofs emails, or injects malicious ads or scripts into websites
• EXPLOIT: Vulnerable software executes code or user is tricked to execute code
• INSTALL: Code infects system, modifies privileges, scans environment then connects to malware drop host
(milestone: COMPROMISE)
• CALLBACK: Attacker gains command and control to receive new instructions, or if target data is acquired, steal it
• PERSIST: Attacker maintains persistence until actions on their objectives are fully achieved
(milestones: BREACH, PIVOT)

The NGFW and SWG labels in the diagram sit at the later stages; neither control sees the recon and staging that happen before the first connection.

12 CONFIDENTIAL

Your Quickest “WIN”

13 CONFIDENTIAL

14 CONFIDENTIAL

First, A Quick Refresher on DNS…

AUTHORITATIVE DNS: owns and publishes the “phone books” (the zones that map each name to its numbers)

DOMAIN REGISTRAR: records who owns each name and which authoritative servers publish its “phone book”

RECURSIVE DNS: looks up & remembers (caches) the numbers for each name on behalf of its clients

15 CONFIDENTIAL

Who Resolves Your DNS Requests?

Today: Enterprise Location A runs an internal Infoblox appliance, Location B an internal Windows DNS server, Location C an internal BIND server; each is authoritative DNS for intranet domains and recursive DNS for Internet domains. Home users, roaming laptops, mobile devices and remote sites resolve through whatever ISP (ISP 1, ISP 2, ISP 3, ISP ?) or mobile carrier they happen to be on.

CHALLENGES

• Multiple Internet Service Providers
• Direct-to-Internet Branch Offices
• Users Forget to Always Turn VPN On
• Different DNS Log Formats
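The “different DNS log formats” challenge in practice: before any of the detections later in this deck can run across Location B and Location C, their query logs have to land in one schema. This is an added example, not code from the deck or from OpenDNS. The two sample lines are constructed in the style of a BIND 9 query log and a Windows DNS Server debug log; other field layouts (and the Infoblox appliance) are not handled here.

```python
"""Normalize DNS query logs from different resolvers into one record shape.

Added example, not from the original deck. The sample lines are
constructed in the style of a BIND 9 query log and a Windows DNS Server
debug log; only these two layouts are recognised.
"""
import re
from datetime import datetime

# BIND 9: "02-Oct-2015 09:15:01.123 client 10.1.2.3#53412 (host): query: host IN A +E(0)K (10.1.0.53)"
BIND_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[\d.:a-fA-F]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)
# Windows DNS debug log: "10/2/2015 9:15:02 AM 0B58 PACKET  <ptr> UDP Rcv 10.2.9.7  4a3c  Q [...] A  (3)www(7)example(3)com(0)"
WIN_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) \S+ PACKET\s+\S+ "
    r"(?:UDP|TCP) Rcv (?P<client>\S+)\s+\S+\s+Q \[[^\]]*\] (?P<qtype>\S+)\s+(?P<wname>\S+)$"
)


def decode_windows_name(wname):
    """'(3)www(7)example(3)com(0)' -> 'www.example.com' (length-prefixed labels)."""
    labels = re.findall(r"\((\d+)\)([^(]*)", wname)
    return ".".join(label for length, label in labels if int(length) > 0)


def parse_line(line):
    """Return a common record {ts, client, qname, qtype, source}, or None if unrecognised."""
    m = BIND_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        return {"ts": ts.isoformat(), "client": m["client"],
                "qname": m["qname"].rstrip(".").lower(),
                "qtype": m["qtype"], "source": "bind"}
    m = WIN_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        return {"ts": ts.isoformat(), "client": m["client"],
                "qname": decode_windows_name(m["wname"]).lower(),
                "qtype": m["qtype"], "source": "windows"}
    return None


# Constructed sample lines (not real captures).
SAMPLE = [
    "02-Oct-2015 09:15:01.123 client 10.1.2.3#53412 (www.michiiganstate.com): query: www.michiiganstate.com IN A +E(0)K (10.1.0.53)",
    "10/2/2015 9:15:02 AM 0B58 PACKET  0000000002B4A2E0 UDP Rcv 10.2.9.7        4a3c   Q [0001   D   NOERROR] A      (3)www(14)michiiganstate(3)com(0)",
    "not a dns log line",
]


def normalize(lines):
    """Parse every recognised line; silently skip the rest."""
    return [r for r in (parse_line(line) for line in lines) if r]


if __name__ == "__main__":
    for rec in normalize(SAMPLE):
        print(rec)
```

Both servers saw the same lookup of www.michiiganstate.com from different clients; only after normalisation can that be joined into one view.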

16 CONFIDENTIAL

Leveraging a Single Global Recursive DNS Service

The internal Infoblox, Windows DNS and BIND servers at Locations A, B and C stay authoritative for intranet domains; recursive resolution of Internet domains, for those servers and for home users, roaming laptops, mobile devices and remote sites on any ISP or mobile carrier, goes to one global recursive DNS service.

BENEFITS

• Global Internet Activity Visibility
• Network Security w/o Adding Latency
• Consistent Policy Enforcement
• Internet-Wide Cloud App Visibility

17 CONFIDENTIAL

DNS is Used by Every Device on Your Network

18 CONFIDENTIAL

DNS Precedes Your Existing Security without Added Latency

Same on-network and off-network picture as slide 10 (SWG proxy blocking by URL or content for web traffic, NGFW blocking by IP or app for all other traffic, email security blocking by sender or content for email traffic on network; only email security off network), with one control added in front of every flow: OpenDNS blocks by domain, as well as by IP or URL, for web traffic, all other traffic and email traffic alike, on and off network, because the DNS request is answered before the connection the other controls inspect.

19 CONFIDENTIAL

DNS Data Produces Rich Threat Intelligence

Recursive DNS: request patterns from any device, used to detect:

• Compromised systems • Command & control callbacks • Malware & phishing attempts • Algorithm-generated domains • Domain co-occurrences • Newly registered domains

Authoritative DNS (root → com. → domain.com.): authoritative logs, used to detect:

• Newly staged infrastructures • Malicious domains, IPs, ASNs • DNS hijacking • Fast flux domains • Related domains
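Two of the request-pattern detections above, algorithm-generated domains and domain co-occurrence, as they might be run over a recursive resolver's query log. This is an added example and not OpenDNS's models (which the deck does not describe); the character-statistics heuristic and the co-occurrence window are simple stand-ins, the query log is constructed, and the thresholds are assumptions.

```python
"""Request-pattern detections over recursive DNS logs: DGA heuristic and
domain co-occurrence. Added example, not OpenDNS code. The query log is
constructed: (epoch seconds, client, qname). Thresholds are assumptions.
"""
import math
from collections import defaultdict

QUERIES = [
    (100, "10.0.0.5", "www.google.com"),
    (101, "10.0.0.5", "cdn.example.net"),
    (300, "10.0.0.7", "mail.example.com"),
    (600, "10.0.0.5", "kq3x9vz0ylp7d2a.com"),   # looks machine-generated
    (601, "10.0.0.5", "benandjerrrrrys.com"),    # known bad (the deck's CnC domain)
    (602, "10.0.0.5", "stat.tracker-cdn.org"),
    (603, "10.0.0.5", "api.updates-host.net"),
    (900, "10.0.0.9", "benandjerrrrrys.com"),
    (901, "10.0.0.9", "stat.tracker-cdn.org"),
    (1500, "10.0.0.9", "news.example.org"),
]
KNOWN_BAD = {"benandjerrrrrys.com"}


def shannon_entropy(s):
    counts = defaultdict(int)
    for c in s:
        counts[c] += 1
    n = len(s)
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def dga_score(qname):
    """Crude DGA heuristic on the second-level label: entropy, digit ratio, vowel ratio.

    Weights (0.6 / 0.3 / 0.1) are assumptions; a real model would be trained."""
    labels = qname.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if len(sld) < 8:                      # short labels carry too little signal
        return 0.0
    ent = shannon_entropy(sld) / math.log2(len(sld))   # normalised to 0..1
    digits = sum(c.isdigit() for c in sld) / len(sld)
    vowels = sum(c in "aeiou" for c in sld) / len(sld)
    return round(0.6 * ent + 0.3 * digits + 0.1 * (1 - vowels), 3)


def likely_dga(queries, threshold=0.72):
    return sorted({q for _, _, q in queries if dga_score(q) >= threshold})


def co_occurring(queries, seeds, window=5, min_clients=2):
    """Domains that >= min_clients requested within `window` seconds of a seed domain.

    A domain pulled in alongside a known-bad one by several different clients
    is likely part of the same infrastructure (the deck's 'domain co-occurrence')."""
    by_client = defaultdict(list)
    for ts, client, q in queries:
        by_client[client].append((ts, q))
    clients_for = defaultdict(set)
    for client, recs in by_client.items():
        seed_times = [ts for ts, q in recs if q in seeds]
        for ts, q in recs:
            if q in seeds:
                continue
            if any(abs(ts - st) <= window for st in seed_times):
                clients_for[q].add(client)
    return sorted(q for q, cs in clients_for.items() if len(cs) >= min_clients)


if __name__ == "__main__":
    print("likely DGA:", likely_dga(QUERIES))
    print("co-occurs with known bad:", co_occurring(QUERIES, KNOWN_BAD))
```

Note that the co-occurrence rule requires more than one client: a single host's browsing burst around a bad domain is noise, the same pairing repeated across clients is structure.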

20 CONFIDENTIAL

Our Perspective: a Diverse Set of Data

• 70B DNS requests per day
• 500 BGP peering partners
• 65M daily active users
• 10K enterprise customers

21 CONFIDENTIAL

How Our Security Classification Works

1 Ingest millions of data points per second (domains such as a.ru, b.cn, e.net; IPs such as 7.7.1.3, 5.9.0.1; URLs such as p.com/jpg)

2 Apply statistical models and human intelligence

3 Identify probable malicious sites

22 CONFIDENTIAL

Works with Your Existing Security Investments

Indicators of Compromise flow in from threat analysis & intel feeds, threat intel platforms, threat detection systems, and others or custom sources (+); OpenDNS logs or blocks domains sent from partner or custom systems.

23 CONFIDENTIAL

Keep DNS Logs Forever with Amazon S3

Logs are tapped and pushed every 10 min over HTTPS into Amazon S3.

BENEFITS

• Triple Redundant & Encrypted Storage
• Pre-Built SIEM/Log Analytic Integrations
• Elastic: Pay Only For The Storage Used
• Trusted by Nasdaq, Netflix, Pinterest, …

24 CONFIDENTIAL

DNS is the easy way to achieve Security Everywhere

25 CONFIDENTIAL

26 CONFIDENTIAL

The Attacker

27 CONFIDENTIAL

Past successful “targets”

Things I learned

1 Ice Cream companies do NOT spend a lot of money on security

2 Pretty easy to gain access to accounting systems to siphon $$ out

28 CONFIDENTIAL

29 CONFIDENTIAL

New Target

30 CONFIDENTIAL

Target Research

Thanks LinkedIn!

Appreciate it, Google!

31 CONFIDENTIAL

Target Research

Ohhh, Facebook. You never let me down.

Congrats on the marriage, Jane!

Jane cares about: (profile snippet) “Bowman ... currently lives in Ferrisburgh, Vermont with her son CJ.”

Search: Jane, Vermont, Ben & Jerry’s

32 CONFIDENTIAL

33 CONFIDENTIAL

Setup my Infrastructure

1 Purchase Malware: RAT (Remote Access Trojan) payload

2 Find a domain

3 Use an email address ([email protected]) to register it

34 CONFIDENTIAL

Sweet. I am already partially setup.

4 Use my existing web servers

5 Create Webpage

6 Load Malware for download

7 Write Alumni Email

35 CONFIDENTIAL

Send it.

36 CONFIDENTIAL

WAIT

37 CONFIDENTIAL

The Security Guy

38 CONFIDENTIAL

I’m Edward. I am the Security Guy for Ben & Jerry’s. Which might be the awesomest job ever.

39 CONFIDENTIAL

PRODUCTS & TECHNOLOGIES

Umbrella (Enforcement): connect with confidence on any device, anywhere, anytime

Investigate (Intelligence): discover and predict attacks before they happen

Edward <3 OpenDNS

40 CONFIDENTIAL

Edward was hanging out, watching the Dashboard...

41 CONFIDENTIAL

42 CONFIDENTIAL

Sweet. Edward is going to get a cup of coffee.

43 CONFIDENTIAL

OpenDNS Methods

44 CONFIDENTIAL

You witnessed NLP Rank

Edit Distance: we measure how many single-character edits separate a suspect domain from a legitimate one; a small distance to a brand name is the typosquat signal

ASN Telemetry: different ASNs for closely related domain names

HTML Script: different code used on each website

Real site: www.michiganstate.edu (MichiganState ASN = 46551)

Fake site: www.michiiganstate.com (CloudFlare ASN = 133877)
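The edit-distance and ASN-telemetry signals from this slide, combined into one verdict. This is an added example, not OpenDNS's NLP Rank implementation (which the deck does not describe). The brand list is a two-entry stand-in, the IP-to-ASN table is constructed with RFC 5737 documentation addresses and carries the two AS numbers exactly as the slide prints them, and the maximum edit distance is an assumption chosen so that both of the deck's squats (one inserted letter, three extra letters) are caught.

```python
"""Typosquat scoring: Levenshtein distance to a brand list plus an ASN comparison.

Added example, not OpenDNS code. The brand list and the IP->ASN table are
constructed; IPs are RFC 5737 documentation addresses, AS numbers are the
two values printed on the slide.
"""

BRANDS = {"michiganstate": "michiganstate.edu", "benandjerrys": "benandjerrys.com"}

# Constructed IP -> ASN table (assumed IPs; AS numbers as shown on the slide).
IP_TO_ASN = {
    "192.0.2.10": 46551,     # assumed address of www.michiganstate.edu
    "198.51.100.20": 133877,  # assumed address of www.michiiganstate.com
    "198.51.100.21": 133877,
}


def levenshtein(a, b):
    """Single-character insert/delete/substitute edit distance (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def second_level_label(hostname):
    """'www.michiiganstate.com' -> 'michiiganstate' (assumption: no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def nearest_brand(hostname, max_distance=3):
    """(brand_label, distance) if the SLD is a near miss of a brand; None if exact or far."""
    sld = second_level_label(hostname)
    best = None
    for brand in BRANDS:
        if sld == brand:
            return None          # the brand's own label, not a squat on it
        d = levenshtein(sld, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


def classify(hostname, resolved_ip, brand_ip):
    """Combine edit distance with ASN telemetry: a near miss hosted in a
    different AS than the brand is the slide's 'fake site' pattern."""
    near = nearest_brand(hostname)
    if near is None:
        return {"verdict": "not-a-near-miss"}
    brand, dist = near
    asn_host = IP_TO_ASN.get(resolved_ip)
    asn_brand = IP_TO_ASN.get(brand_ip)
    mismatch = asn_host is not None and asn_brand is not None and asn_host != asn_brand
    return {"verdict": "likely-typosquat" if mismatch else "near-miss-same-asn",
            "brand": BRANDS[brand], "distance": dist,
            "asn_host": asn_host, "asn_brand": asn_brand}


if __name__ == "__main__":
    print(classify("www.michiiganstate.com", "198.51.100.20", "192.0.2.10"))
    print(classify("www.michiganstate.edu", "192.0.2.10", "192.0.2.10"))
```

The same SLD comparison also flags www.benandjerrrrrys.com against benandjerrys (distance 3); a brand hosted behind a CDN would share an ASN with many squats, which is why the slide adds the HTML-script comparison as a third signal.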

45 CONFIDENTIAL

If that didn’t catch it... Remember the attacker used the same web servers from past attacks?

The web server IPs were previously blocked, and were likely added into a static threat-intelligence feed. We incorporate data from 30+ threat intelligence feeds. Our IP-reputation algorithm would have seen the new michiiganstate.com mapped to a known bad IP address, and blocked it.

46 CONFIDENTIAL

If THAT didn’t catch it... Remember the attacker bought a Malware Remote-Access-Trojan (RAT)?

NLP Rank can catch the Command and Control (CnC) domain if it is spoofing a brand name. Diagram: the RAT on Jane’s laptop exchanges commands with the attacker’s command node at www.benandjerrrrrys.com, a legit-looking domain chosen so the traffic doesn’t look suspicious.

47 CONFIDENTIAL

And IF THAT didn’t catch it... Remember he used an email address to register a domain?

See what other bad domains this email has registered: www.haagendazzzzs.us, www.bjerries.com
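The two pivots from slides 45 and 47, re-used web server IPs and a re-used registrant e-mail, as one graph walk over passive-DNS and WHOIS records. This is an added example, not OpenDNS Investigate; the records are constructed (domain names taken from the deck, IPs from RFC 5737 ranges, and a made-up registrant address standing in for the one the deck redacts), and the "strip a leading www." rule is a simplification in place of a public-suffix list.

```python
"""Pivoting on re-used infrastructure: shared hosting IPs and registrant e-mail.

Added example, not OpenDNS code. Passive-DNS and WHOIS records below are
constructed: deck domain names, RFC 5737 addresses, a made-up registrant.
"""
from collections import defaultdict, deque

REGISTRANT = "registrant-1@example.net"   # stand-in for the deck's redacted address

# Constructed passive-DNS observations: (hostname, answer IP)
PDNS = [
    ("www.haagendazzzzs.us", "198.51.100.7"),
    ("www.bjerries.com", "198.51.100.7"),
    ("www.michiiganstate.com", "198.51.100.7"),   # new domain, old web server
    ("www.benandjerrrrrys.com", "198.51.100.9"),  # CnC on a different host
    ("www.example.org", "203.0.113.50"),
]
# Constructed WHOIS registrant records: registered domain -> e-mail
WHOIS = {
    "haagendazzzzs.us": REGISTRANT,
    "bjerries.com": REGISTRANT,
    "michiiganstate.com": REGISTRANT,
    "benandjerrrrrys.com": REGISTRANT,
    "example.org": "hostmaster@example.org",
}


def registered_domain(host):
    """Strip a leading 'www.' (assumption: no public-suffix handling here)."""
    return host[4:] if host.startswith("www.") else host


def build_graph(pdns=PDNS, whois=WHOIS):
    """Undirected graph over ('domain', d), ('ip', a) and ('email', e) nodes."""
    g = defaultdict(set)
    for host, ip in pdns:
        d = registered_domain(host)
        g[("domain", d)].add(("ip", ip))
        g[("ip", ip)].add(("domain", d))
    for d, email in whois.items():
        g[("domain", d)].add(("email", email))
        g[("email", email)].add(("domain", d))
    return g


def pivot(seeds, max_hops=4, graph=None):
    """BFS from seed indicators; return {domain: path_of_nodes} for every domain reached."""
    g = graph if graph is not None else build_graph()
    start = list(seeds)
    seen = {n: [n] for n in start}
    queue = deque(start)
    while queue:
        node = queue.popleft()
        if len(seen[node]) - 1 >= max_hops:
            continue
        for nxt in g.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + [nxt]
                queue.append(nxt)
    return {n[1]: path for n, path in seen.items()
            if n[0] == "domain" and n not in start}


def blocked_by_ip_reputation(host, bad_ips, pdns=PDNS):
    """Slide 45: a never-seen domain that resolves to a previously blocked IP."""
    d = registered_domain(host)
    return any(registered_domain(h) == d and ip in bad_ips for h, ip in pdns)


if __name__ == "__main__":
    bad_ips = {"198.51.100.7"}   # blocked after the ice-cream company attacks
    print("michiiganstate.com blocked on IP reputation:",
          blocked_by_ip_reputation("www.michiiganstate.com", bad_ips))
    for domain, path in sorted(pivot([("ip", ip) for ip in bad_ips]).items()):
        print(domain, "<-", " <- ".join(f"{k}:{v}" for k, v in reversed(path)))
```

Starting from one blocked IP, the walk reaches the three domains hosted on it in one hop, the registrant e-mail in two, and the CnC domain www.benandjerrrrrys.com in three, even though that domain lives on a host the IP feed has never seen. That chain is the "fingerprints" the next slide refers to.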

48 CONFIDENTIAL

The Moral of the Story

Attackers re-use infrastructure.

They leave behind fingerprints.

We use these fingerprints to help us map out the good & bad in the internet.

Make DNS a part of your security stack.

49 CONFIDENTIAL

Get Started in 30 seconds signup.opendns.com