CIO Summit

Kumar Rajaram - EfficientIP

Three Main Reasons Why DNS is On the Top of a Hacker's List

1. Mission Critical
2. Easy to Exploit
3. Not Effectively Protected

Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017

Page 2

Why Is DNS Mission Critical?

DNS Services Enable Business Operations by Ensuring Access to Critical Applications & Services

(Diagram: DNS - DHCP - IPAM; Network; Customers - Employees - Suppliers - Citizens - Students)


Page 3

Why Is DNS Easy to Exploit?

- Open Service by Design
- Connectionless (UDP)
- Attack Target & Threat Vector
- Great Attack Variety and Sophistication
- Not Analyzed by 68% of Companies (1)


Page 4

Diversity & Reality of DNS Threats

Stats don't lie: various types of attacks are on the rise and only getting worse…

DNS Attacks Experienced - Past 12 Months (chart values):

- NX Domain Attacks: 6.50%
- DNS Water Torture: 5.8%
- DNS-Based Malware: 16.20%
- DNS Tunnelling: 10.70%
- Zero-Day Vulnerabilities: 13.10%
- DNS Amplification: 15.70%
- DoS/DDoS Attacks: 21.80%
- Cache Poisoning: 18.90%

Page 5

Traditional Security Systems Inefficiency Has Various Costly Impacts!

Impacts experienced (chart values):

- Application downtime: 40.40%
- Loss of business: 20.50%
- Compromised web site: 27.70%
- Intellectual property stolen: 14.50%
- Brand damages: 15.70%
- Sensitive information stolen: 9.50%

The Average Cost of an Attack is $1 million

Page 6

Case Study: Hacker's Abuse of DNS

It starts with Phishing (Infected PDF)
… continuing by taking control of the infected device
… and then propagating itself
… to exfiltrate data over DNS requests!
… while following with a Zero Day attack to hide the data exfiltration
… finishing with a volumetric attack

No FIREWALL or PROXY secured the network to detect and stop data exfiltration using the DNS Protocol! 18750 credit card numbers stolen per minute!

- 50 Bytes of credit card number dataset encapsulated in each DNS Query
- 100 DNS Queries/Second to stay below the radar = 5Kb/s

DNS Attack Summary

Scenario:
- DNS Malware: infiltration, C&C
- DNS Tunnel: data exfiltration
- DNS DoS: 0-Day, Volumetric

Easy to perform: many tools available for free on Google

Without a dedicated solution:
- Loss of sensitive information
- Broken DNS service
- Business downtime
- Brand Damage
- …

Page 15

Why Existing Security Solutions Don't Protect Against DNS-Based Data Exfiltration

Detection:
- No complete & real-time DNS transaction analysis
- Only based on DNS packet frequency, request entropy, payload or data-encoding signature; not purpose-built
- Statistics are counters only

Mitigation:
- High risk of blocking legitimate traffic
- Countermeasures limited to block or allow

Complex & expensive to deploy & maintain:
- Threats are dynamic by essence: the relevance and consistency of filtering rules decay over time, and by the time a rule is modified it is usually too late
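The following Python script is an added example, not code from the slides or from EfficientIP. It applies the three heuristics the slide says existing detection relies on (query frequency, request entropy, and the ratio of unique subdomains) to a constructed DNS query log that contains three ordinary clients, a tunnel running at the case study's rate (100 queries per second, 50 bytes per query, which works out to the slide's 18750 card numbers per minute at 16 digits each) and a low-and-slow tunnel at one query per second. The log format, IP addresses and domain names are assumptions made for the example.

```python
"""Added example: scoring a DNS query log with the frequency, entropy and
unique-subdomain heuristics described on the slide. The log lines are
constructed in this file (assumed format: "<epoch_seconds> <client_ip> <qname>");
the IP addresses and domain names are placeholders, not data from the deck."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain labels, registered domain).
    Assumption: the registered domain is the last two labels; production code
    would consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def analyze(lines, rate_threshold=10.0, entropy_threshold=3.5, unique_threshold=0.9):
    """Group queries by (client, registered domain) and score each group.
    A group is flagged when at least two independent signals fire, so a busy
    but ordinary client (rate only) is not blocked on frequency alone."""
    groups = defaultdict(list)
    for line in lines:
        ts, client, qname = line.split()
        groups[(client, split_qname(qname)[1])].append((float(ts), qname))
    findings = {}
    for key, entries in groups.items():
        times = [t for t, _ in entries]
        # whole-second buckets, so 300 queries between t=0.00 and t=2.99 count as 3 s
        span = math.floor(max(times)) - math.floor(min(times)) + 1
        subs = ["".join(split_qname(q)[0]) for _, q in entries]
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        unique_ratio = len(set(subs)) / len(subs)
        # hex encoding carries one byte per two characters; used as a payload estimate
        payload_bytes = sum(len(s) // 2 for s in subs)
        qps = len(entries) / span
        reasons = []
        if qps >= rate_threshold:
            reasons.append("rate")
        if mean_entropy >= entropy_threshold:
            reasons.append("entropy")
        if len(subs) >= 20 and unique_ratio >= unique_threshold:
            reasons.append("unique_subdomains")
        findings[key] = {
            "queries": len(entries), "qps": qps, "mean_entropy": mean_entropy,
            "unique_ratio": unique_ratio, "payload_bps": payload_bytes / span,
            "reasons": reasons, "flagged": len(reasons) >= 2,
        }
    return findings


def cards_per_minute(payload_bps: float, digits_per_card: int = 16) -> float:
    """Convert a sustained payload rate into the slide's 'card numbers per minute' figure."""
    return payload_bps * 60 / digits_per_card


def _hex_payload(seed: int, nbytes: int = 50) -> str:
    """Deterministic stand-in for encoded exfiltrated data: nbytes as hex,
    split into two labels so each stays under the 63-character label limit."""
    h = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    hexed = (h + hashlib.sha256(h).digest())[:nbytes].hex()
    return ".".join(hexed[i:i + 50] for i in range(0, len(hexed), 50))


def build_sample_log():
    """Constructed traffic: three ordinary clients, a tunnel at the slide's
    rate (100 queries/s, 50 bytes each, for 3 s) and a low-and-slow tunnel."""
    base = 1_500_000_000.0
    names = ["www.example.com", "mail.example.com", "cdn.example.com", "example.com"]
    lines = []
    for i in range(60):
        for n, client in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
            lines.append(f"{base + i:.2f} {client} {names[(i + n) % len(names)]}")
    for i in range(300):
        lines.append(f"{base + i / 100:.2f} 10.0.0.66 {_hex_payload(i)}.exfil.example")
    for i in range(60):
        lines.append(f"{base + i:.2f} 10.0.0.77 {_hex_payload(1000 + i)}.exfil.example")
    return lines


if __name__ == "__main__":
    for (client, domain), f in analyze(build_sample_log()).items():
        print(f"{client:<10} {domain:<15} qps={f['qps']:6.1f} entropy={f['mean_entropy']:.2f} "
              f"unique={f['unique_ratio']:.2f} bytes/s={f['payload_bps']:7.1f} "
              f"cards/min={cards_per_minute(f['payload_bps']):8.0f} "
              f"{'FLAG ' + ','.join(f['reasons']) if f['flagged'] else 'ok'}")
```

Run it and the 100 queries/s client reports 5000 bytes/s and 18750 card numbers per minute, matching the slide's arithmetic, while the one-query-per-second client never trips the rate threshold and is caught only by entropy and subdomain uniqueness; this is the "below the radar" problem the case study describes. The same two heuristics also fire on legitimate domains that generate many random-looking subdomains (CDN, telemetry or certificate-transparency style names), which is the false-positive risk the slide attributes to signature-and-counter detection.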

DNS Service Functions

Why Is the EfficientIP Solution Unique?

Page 17

EfficientIP DNS Data Exfiltration Protection

DNS analytics for behavioural threat detection:
- Complete DNS transaction analysis
- Real-time domain reputation data feed

Adaptive countermeasures for smart protection:
- Block source IPs of the attacks
- Quarantine suspected source IPs of attacks: cache function access only (Patented)
- Rescue Mode (Patented): ensure service continuity even if the attack source is unidentifiable; cache function access only for all IPs

Effective risk management: stress-free DNS security
- No need to continuously change filtering rules
- No risk of excluding legitimate customers (false positives)

SIEM integration

EfficientIP 360 DNS Security

Holistic Solution to Protect Your Public and Private DNS From External and Internal Threats

Strengthen Security Foundation:
- Absorb Extreme DoS Attacks on Cache Servers
- Mitigate Zero-Day Attacks
- Enforce Best Practices
- Cache Security & Performance
- Secure Internet DNS Visibility

Ensure DNS Availability & Protect Your Data:
- Resiliency & Scalability
- Behavioural Threat Detection
- Adaptive Countermeasures

Protect Users & Block DNS-Based Malware Activity:
- Real-Time Threat Intelligence

Page 20