1. Fernando Zamai – fzamai@cisco.com
Security Consulting
Aug, 2016
It could be your attack vector.
Is your DNS protected?
2. (Diagram: attacker outside the enterprise network, crossing the perimeter inbound and then outbound.)
Main vectors: vulnerabilities, exploits, malware. Infrastructure abused: hacked mail server (acme.com), hacked web server (jangle.com).
Step 1: Research targets.
Step 2: Spear phishing (you@acme.com).
Step 3: Victim clicks link unwittingly (https://welcome.to.jangle.com/exploit.php).
Step 4: Bot installed, back door established and receives commands from C2 server.
Step 5: Scan LAN for vulnerable hosts to exploit and find privileged users.
Step 6: Privileged account found (admin node).
Step 7: Data exfiltrated.
Step 8: System compromised and data breached.
Main Vectors
4. DNS Tunnel
(Diagram: the client's data, drawn as the bit strings 10011001 11100010 11010100 10010010 01001000, travels inside a DNS query to the bad.net DNS server; the same bit strings appear beside the answer.)
DNS Query: alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net
DNS Answer: alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net = 2.100.4.30
Reference: http://blog.talosintel.com/2016/06/detecting-dns-data-exfiltration.html
Authoritative DNS hierarchy: root, com., cisco.com.
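The slide shows the carrier for a DNS tunnel: payload bytes encoded into a long, random-looking leftmost label under a domain the attacker controls, with the answer record carrying data back. The Talos post linked above detects this from the resolver's point of view, which is also where Umbrella sits. The following is an added example, not Cisco, OpenDNS or Talos code: it scores each query name on label length and Shannon entropy, then only reports a registered domain once it has received several distinct payload-like labels, so a lone CDN hash does not trip it. The log format, thresholds and every sample domain except the slide's bad.net query are constructed for illustration.

```python
"""Heuristics for spotting DNS-tunnel exfiltration in query logs.

Added example for this deck; it is not Cisco/OpenDNS code. The log format,
thresholds and all sample domains other than the slide's bad.net query are
constructed for illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: one "<client_ip> <qname> <qtype>" record per line.
SAMPLE_LOG = [
    "10.0.0.5 www.cisco.com A",
    "10.0.0.5 alknfijuqwelrkmmvclkmzxcladlfmaelrkjalm.bad.net A",      # query name from the slide
    "10.0.0.5 mail.acme.com MX",
    "10.0.0.7 zxqpo4mv2kd9yqwerulk3n1pmsdfgh6ttu0ravqe.bad.net TXT",
    "10.0.0.7 update.example.org A",
    "10.0.0.9 p0oiuytrewqlkjhgfdsamnbvcxz123456789abcd.bad.net A",
    "10.0.0.9 d41d8cd98f00b204e9800998ecf8427e.cdn-example.org A",     # long hex label, single hit
    "10.0.0.9 cdn.example.org A",
]

# Tuning knobs (assumed values, not from the deck).
MAX_LABEL_LEN = 30         # human-chosen hostnames are usually far shorter
MIN_ENTROPY = 3.5          # bits/char; encoded payloads approach log2(alphabet size)
MIN_SUSPICIOUS_LABELS = 2  # a tunnel needs many distinct carrier labels per domain


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; 0 for empty or single-character strings."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def labels_of(qname: str) -> list[str]:
    """Split a query name into lowercase labels, ignoring a trailing dot."""
    return qname.rstrip(".").lower().split(".")


def registered_domain(qname: str) -> str:
    """Approximate the zone the attacker controls as the last two labels.

    A real deployment would consult the public suffix list (co.uk etc.).
    """
    return ".".join(labels_of(qname)[-2:])


def score_query(qname: str) -> list[str]:
    """Reasons the leftmost label of `qname` looks like an encoded payload."""
    label = labels_of(qname)[0]
    reasons = []
    if len(label) > MAX_LABEL_LEN:
        reasons.append(f"label length {len(label)} > {MAX_LABEL_LEN}")
    entropy = shannon_entropy(label)
    if entropy >= MIN_ENTROPY:
        reasons.append(f"label entropy {entropy:.2f} >= {MIN_ENTROPY}")
    return reasons


def detect_tunneling(log_lines: list[str]) -> dict[str, dict]:
    """Aggregate suspicious queries per registered domain.

    Returns {domain: {"unique_labels": int, "clients": [...], "reasons": [...]}}
    for domains that received at least MIN_SUSPICIOUS_LABELS distinct
    payload-like labels; a single odd hostname (a CDN hash, for example)
    is not enough on its own.
    """
    seen_labels = defaultdict(set)
    clients = defaultdict(set)
    reasons = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # skip malformed records
        client, qname = fields[0], fields[1]
        hits = score_query(qname)
        if not hits:
            continue
        domain = registered_domain(qname)
        seen_labels[domain].add(labels_of(qname)[0])
        clients[domain].add(client)
        reasons[domain].update(hits)
    return {
        domain: {
            "unique_labels": len(labels),
            "clients": sorted(clients[domain]),
            "reasons": sorted(reasons[domain]),
        }
        for domain, labels in seen_labels.items()
        if len(labels) >= MIN_SUSPICIOUS_LABELS
    }


if __name__ == "__main__":
    for domain, info in detect_tunneling(SAMPLE_LOG).items():
        print(f"{domain}: {info['unique_labels']} payload-like labels from {info['clients']}")
        for reason in info["reasons"]:
            print("   -", reason)
```

On the sample, only bad.net is reported: three different high-entropy 39- to 40-character labels from three clients. The hex label under cdn-example.org exceeds the length threshold but stays below the entropy threshold and is the only such name for that domain, so it is not reported; in production the per-domain count would be kept over a sliding time window, and total bytes of label data per domain per client is another useful aggregate from the same records.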
5. Where Do You Enforce Security?
(Diagram: threats from the INTERNET, namely MALWARE, C2/BOTNETS and PHISHING, pass through three layers.)
FIRST LAYER
MID LAYER (Perimeter): ROUTER/UTM, SANDBOX, PROXY, NGFW, NETFLOW
LAST LAYER (Endpoint): AV
CHALLENGES
Too Many Alerts via Appliances & AV
Wait Until Payloads Reach Target
Too Much Time to Deploy Everywhere
BENEFITS
Alerts Reduced 2-10x; Improves Your SIEM
Traffic & Payloads Never Reach Target
Provision Globally in UNDER 30 MINUTES
8. Our View of the Internet
providing visibility into global Internet activity (e.g. BGP, AS, Whois, DNS)
9. We See Where Attacks Are Staged
using modern data analysis to surface threat activity in unique ways
10. How Our Security Classification Works
Ingest millions of data points per second
Apply statistical models and human intelligence
Identify probable malicious sites
(Diagram of related nodes: a.ru, b.cn, 7.7.1.3, e.net, 5.9.0.1, p.com/jpg)
12. A New Layer of Breach Protection (UMBRELLA Enforcement)
Threat Prevention: not just threat detection
Protects On & Off Network: not limited to devices forwarding traffic through on-prem appliances
Turn-Key & Custom API-Based Integrations: does not require professional services to set up
Block by Domains, IPs & URLs for All Ports: not just ports 80/443 or only IPs
Always Up to Date: no need for the device to VPN back to an on-prem server for updates
13. A Single, Correlated Source of Information (INVESTIGATE)
WHOIS record data
ASN attribution
IP geolocation
IP reputation scores
Domain reputation scores
Domain co-occurrences
Anomaly detection (DGAs, FFNs)
DNS request patterns/geo. distribution
Passive DNS database
25. OpenDNS Works With Everything You Use
FUTURE-PROOF EXTENSIBILITY: any network (routers, Wi-Fi, SDN); any endpoint (VPN, IoE); any technology (firewalls, gateways)
SECURE APIs OPEN TO EVERYONE: security providers (FireEye, Cisco, Check Point); network providers (Meraki, Aruba, Aerohive); customers (in-house security systems)
26. How OpenDNS Complements On-Network Security Stack
ENDPOINT SECURITY (block by file, behavior)
NETWORK FIREWALL (block by IP, packet)
WEB PROXY (block by URL, content)
OpenDNS UMBRELLA (block by domain/IP, URL)
28. Get Started in 30 Seconds…Really
Step 1: CLOUD SERVICE W/FULL SELF-PROVISIONED TRIAL. Point DNS traffic from one office without hardware or software and without network topology changes or device configuration changes.
Step 2: ADD OFF-NET COVERAGE & PER-DEVICE VISIBILITY. Protect your weakest links and identify which specific devices (or users) are targeted by attacks; self-updating software is required.
Step 3: EXTEND PROTECTION & ENRICH DATA VIA APIs. Help SOC teams get more value out of existing investments like FireEye, and help incident response teams investigate threats faster.