BloxOne Presentation

The document outlines the evolution of the threat landscape and the inadequacies of traditional security models in addressing modern risks, particularly with the rise of cloud, IoT, and SD-WAN technologies. It emphasizes the importance of leveraging DNS intelligence and analytics for foundational security, as well as the need for adaptive security architectures to manage the increasing complexity and volume of cyber threats. Additionally, it discusses market trends in DNS privacy and best practices to mitigate risks associated with DNS over TLS and HTTPS.


Strengthen and Optimize Your Security Posture from the Foundation Up

Presenter:
Date:

1 | © Infoblox Inc. All rights reserved.


The Threat Landscape Evolution

Response, by era:
• 2000: host-based (anti-virus)
• 2005: network perimeter (IDS/IPS/firewall)
• 2010: NGFW and sandboxing
• Today: global reputation, threat intelligence and analytics

Threats, in order of appearance: worms; spyware and rootkits; APTs and cyberwarfare; mobility and cloud; an increased attack surface; DNS exploitation.


Traditional Security Model Inadequate in Today's World

• Cloud is the new network: the perimeter shifts; users access cloud applications directly from everywhere.
• SD-WAN drives network transformation: branch offices connect directly to the Internet, with no ability to replicate the full HQ security stack at each site.
• IoT leads to an explosion of devices: endpoint security agents cannot be deployed on lightweight IoT devices.

But new risk does not always mean a new tool is needed.
Malware Can Infiltrate from Any Point

More ways in, and more ways out: mobile devices, SaaS, Internet links, branch offices, campus networks, point-of-sale (PoS) systems, data centers, remote offices, IoT and cloud workloads are all entry and exit points.
Business Disruptions are Costly and Impact Brand

• $40M: Norsk Hydro's initial loss from a ransomware attack
• $119B: wiped off Facebook's market cap after the Cambridge Analytica breach
• 196 days: average time to identify a breach

Sources: Ponemon Institute, The Guardian


Operational Challenges Continue to Mount

• 92% of companies get more than 500 alerts per day; a single cyber analyst can handle only 10
• Only 4% of alerts are investigated
• 30+ security tools in operation, with staff and expertise to manage 12

And we can't throw more people at the problem: there are not enough humans to keep organizations safe.

Source: ISC2 Cybersecurity Workforce Study, 2018


Things to Consider in a Security Solution

• How can I do more with less?
• How do I simplify?
• Build adaptive security architectures
• Protect data and critical infrastructure
• Improve compliance


Common Attack Steps Review

1. User is directed to a malicious site (website request, resolved through DNS)
2. Website delivers the initial exploit (the initial dropper)
3. Exploit contacts the command and control (CnC) server (CnC request, again resolved through DNS)
4. Malicious payload is downloaded

Each of these outbound connections starts with a name lookup: DNS is used for all outbound traffic requests.


Leveraging DDI Intelligence for Foundational Security

Your DNS server will see malicious activity before a firewall does.

1. Curated threat intelligence for DNS is loaded onto the resolver
2. Connection to the malicious website is blocked at DNS (the website request never resolves)
3. If a system is already infected, it is blocked from connecting to CnC at DNS (the CnC request never resolves)

Secure DNS breaks the attack chain from the start.


Data Exfiltration over DNS

1. Malware on the device seeks sensitive data
2. Malware uses the DNS channel to send the data out (data extracted over DNS)
3. Traditional security does not inspect DNS traffic: the core security stack sees DNS and passes it as OK

Sensitive data is tunnelled over DNS to avoid detection.


Protecting Against Data Exfiltration over DNS

1. DNS with threat intelligence and analytics
2. Machine-learning analytics inspects DNS traffic and detects the data exfiltration
3. Data is prevented from exiting the enterprise by blocking the DNS request to the destination

Attempted data exfiltration over DNS is detected and blocked.


Market Trends in DNS Privacy
• Two evolving improvements to DNS privacy have recently made the news:
  – DNS over TLS (Transport Layer Security), or "DoT"
  – DNS over HTTPS, or "DoH"
• These mechanisms promote consumer privacy but allow users to circumvent established enterprise DNS controls.
  – Exposure to data exfiltration and malware proliferation


DoT/DoH: Bypass of Enterprise DNS is a Challenge

1. A device (DoT) or browser (DoH) is configured with an unauthorized DNS resolver
2. Encrypted DNS queries are sent to the external resolver (DoT is TLS on port 853; DoH rides inside ordinary HTTPS on port 443)
3. The internal DNS resolver is bypassed, and the DNS traffic is not inspected by the core security stack
4. Attackers can exploit DoT/DoH for their own purposes

DoT/DoH "hides" DNS traffic from your security tools.


DoT/DoH Best Practices

1. Circumventing internal DNS is a bad idea
2. Block access to unauthorized DNS servers
3. Use an internal DNS vendor that supports DoT, to retain control and security while still encrypting client queries
4. Block DoH using a threat-intel list of canary domains and unauthorized resolvers (Firefox, for example, resolves the canary name use-application-dns.net before enabling DoH on its own and stays on the system resolver when that name returns NXDOMAIN)

DoT/DoH best practices protect your users and devices.
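The detection side of best practices 2 and 4, as an added example that is not part of the deck or of any Infoblox product: it classifies flow records (assumed to carry source, destination, port, protocol and TLS SNI, as a NetFlow- or Zeek-style export would) into DoT, DoH and plaintext-to-external-resolver bypasses and reports them per internal client. The resolver addresses, internal ranges and sample flows are constructed; the DoH hostnames and IPs are real public endpoints standing in for the "DoH public IPs and hostnames" feed.

```python
"""Flag internal clients that bypass the enterprise resolver.

DoT is TLS on TCP/853 (RFC 7858), so the port alone identifies it. DoH is
ordinary HTTPS on 443 (RFC 8484) and can only be recognised by its
destination: the TLS SNI or the IP of a known public DoH endpoint, which is
what a "DoH public IPs and hostnames" feed supplies. Plain DNS to a resolver
the enterprise does not run is the third bypass.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumptions of this example (not from the deck): the enterprise resolvers and
# the internal address space.
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Stand-in for the DoH resolver feed. The hostnames are real public DoH
# endpoints; a production feed is far larger and is refreshed automatically.
KNOWN_DOH_HOSTS = {
    "dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com",
    "dns.quad9.net", "doh.opendns.com",
}
KNOWN_DOH_IPS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(flow: dict) -> Optional[str]:
    """Return 'dot', 'doh' or 'external_dns' for a bypassing flow, else None."""
    dst, port, proto = flow["dst"], flow["dport"], flow["proto"]
    sni = (flow.get("sni") or "").lower()
    if port == 853 and proto == "tcp":
        return "dot"            # nothing else legitimately uses 853
    if port == 53 and dst not in AUTHORIZED_RESOLVERS:
        return "external_dns"   # plaintext DNS to a resolver we do not run
    if port == 443 and (sni in KNOWN_DOH_HOSTS or dst in KNOWN_DOH_IPS):
        return "doh"            # HTTPS to a known public DoH endpoint
    return None


def find_bypassing_clients(flows) -> dict:
    """Map each internal client to the bypass kinds seen and their counts."""
    report = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        if not is_internal(flow["src"]):
            continue                      # only our own clients are in scope
        kind = classify_flow(flow)
        if kind is not None:
            report[flow["src"]][kind] += 1
    return {src: dict(kinds) for src, kinds in report.items()}


# Constructed flow records (src, dst, dport, proto, TLS SNI if any).
SAMPLE_FLOWS = [
    {"src": "10.0.5.20", "dst": "10.0.0.53", "dport": 53, "proto": "udp", "sni": None},      # normal
    {"src": "10.0.5.20", "dst": "1.1.1.1", "dport": 853, "proto": "tcp", "sni": "cloudflare-dns.com"},  # DoT
    {"src": "10.0.5.21", "dst": "198.51.100.10", "dport": 443, "proto": "tcp", "sni": "mozilla.cloudflare-dns.com"},  # DoH
    {"src": "10.0.5.21", "dst": "198.51.100.10", "dport": 443, "proto": "tcp", "sni": "mozilla.cloudflare-dns.com"},
    {"src": "10.0.5.22", "dst": "8.8.8.8", "dport": 53, "proto": "udp", "sni": None},        # external plaintext DNS
    {"src": "10.0.5.23", "dst": "198.51.100.20", "dport": 443, "proto": "tcp", "sni": "www.example.com"},  # ordinary web
    {"src": "203.0.113.7", "dst": "1.1.1.1", "dport": 853, "proto": "tcp", "sni": None},     # not an internal source
]

if __name__ == "__main__":
    for client, kinds in find_bypassing_clients(SAMPLE_FLOWS).items():
        print(client, kinds)
```

DoT is the easy case: port 853 has no other legitimate use, so a perimeter rule can drop it outright. DoH only shows up through its destination, which is why a maintained feed of DoH resolvers matters; a client that still talks to the internal resolver but also reaches a DoH endpoint has a bypass configured and should be treated as such, not as noise.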


Threat Intelligence (Purpose Built for DNS) + Analytics + Infoblox Cyber Intelligence Unit = Advanced Threat Detection

• Behavioral models: machine-learning based analytics using entropy, size, lexical analysis, frequency and n-gram features of DNS data
  – DNS data exfiltration
  – DGA, fast flux, whitelisting
  – Fileless malware, zero-day
• High-accuracy IOCs
  – Extensive IOC collection network
  – Reverse engineering, hunting
  – High-accuracy scoring algorithms
  – Protection against modern malware: ransomware, malware C&C, phishing, exploit kits, APTs


Infoblox Security

Next Level Networking, built on secure cloud-managed network services:
• Next Level Reliability: DNS, DHCP & IPAM (DDI)
• Next Level Automation: Network Insight
• Next Level Security: BloxOne™ Threat Defense
  – DNS firewalling / RPZ
  – Threat Insight
  – TIDE
  – Dossier
  – Ecosystem integrations
  – Contextual reporting & analytics
  – Advanced DNS Protection
  – DNS intelligence
  – Infrastructure load
  – Alerts


BloxOne™ Threat Defense Pushes Capabilities While Lowering Cost

• Precise visibility
• Enhanced automation
• Extreme scale
• Endless flexibility
• Proven ROI

Covers cloud, IoT and remote locations.


Architecture

• Scalable, foundational security for traditional networks and digital transformations, using DNS as the first line of defense
• SOC efficiency through data enrichment and integrations
• Visibility across on-premises and multi-cloud environments
• Hybrid architecture

Components shown in the diagram:
• Cloud: DNS Firewall, Threat Insight, Dossier, TIDE, threat feeds and threat research; serves roaming clients and remote offices
• On-premises: DNS Firewall, Threat Insight, Data Connector and Forwarder, feeding network and security events, context, DNS data and user info to the ecosystem
• Security ecosystem: email filter, IPS, traffic firewall, TIPs, SIEM, vulnerability scanner, NAC, endpoint security, APT detection


Optimizes Infrastructure with Expanded Enforcement

Preserving perimeter security: giving scalability back to network devices
• Offloading the blocking of known threats to the DDI layer (DHCP, IPAM, DNS)
• Reducing "junk" traffic to NGFWs, SWGs and IDS/IPS
• Preserving processing power of perimeter security (next-gen firewall, secure web gateway, IDS/IPS)

Protect all devices
• Foundation of DHCP, IPAM, DNS
• Widespread protection for all enterprise devices, all IoT devices and rogue devices

In the diagram, BloxOne™ Threat Defense on the corporate network drops malicious traffic at the DNS layer and lets only legitimate traffic reach the perimeter stack.


Improves Productivity and Enhances Automation: Investigation

Security alerts flow to analysts and to the integrated tools: next-gen endpoint security, vulnerability management, network access control (NAC), SIEM / SOAR and ITSM.


Improves Productivity and Enhances Automation: Context

BloxOne™ Threat Defense enriches each security alert with DDI context before it reaches analysts, the enriched SIEM / SOAR and the automated ITSM:
• DNS: malicious activity inside the security perimeter, including BYOD and IoT devices; profile device and user activity
• DHCP: device audit trail and fingerprinting; device info, MAC, lease history
• IPAM: application and business context; "metadata" via Extended Attributes (owner, app, security level, location, ticket number); context for accurate risk assessment and event prioritization

Integrated tools: next-gen endpoint security, vulnerability management, network access control (NAC).


Integrations, DDI Data and Threat Intel Context Powers SOAR Platforms and Automates Response

Integrations: vulnerability management, network access control, next-gen endpoint security, web gateway, SIEM, threat intelligence platform (TIP), ITSM, advanced threat detection, SOAR.

DDI context supplied to the SOAR:
• DNS: malicious activity inside the security perimeter, including BYOD and IoT devices; profile device and user activity
• DHCP: device audit trail and fingerprinting; device info, MAC, lease history
• IPAM: application and business context; "metadata" via Extended Attributes (owner, app, security level, location, ticket number); context for accurate risk assessment and event prioritization

Prioritize 100s of alerts | Automate incident response | Reduce cost of human touch/error


Hybrid Model: Works Wherever You are Deployed

• Detect more threats in the cloud
• Full integration with the on-premises ecosystem
• Resiliency and redundancy

Covers remote users, the data center, HQ and branch offices.

"The hybrid cloud will be used more regularly. Organizations looking to exercise the advantages of the cloud without giving up proximity to data and security will invoke the hybrid cloud." - Comport Technology Solutions


ROI: Reduces Cost of Existing Tech Stack

• 2/3 reduction in threat response time
• 3x more productivity from threat analysts
• Drastic reduction in malicious traffic sent to NGFWs

Based on real customer data


Customer story: A consumer appliance manufacturer detects infected HVAC

1. Appliance manufacturer added DNS security in log-only mode
2. A "how's it going" visit shortly after revealed several malware hits in reports
3. SECOPS team identified the top infected device as an HVAC controller
4. Findings further validated using syslog and IPAM data
5. Infoblox switched to block mode

Value to customer:
• Ability to quickly identify and prioritize which client IP is most concerning and act in real time to block the threats
• Leverage IPAM data and syslog for discovery/investigation
• Allow the security team to see the threat before it causes further damage


Customer story: A US Children's Hospital Protects Patient Data

1. Hospital highly concerned about data exfiltration
2. Infoblox implemented in pass-through mode
3. Within 24 hours, Infoblox detected a data exfiltration threat previously thought to have been corrected
4. A secondary tool in use by the SECOPS team also detected the issue and alerted (but no action was taken)
5. SECOPS pleased to discover Infoblox had already detected the threat 2 days earlier; Infoblox deployed in blocking mode

Value to customer:
• Ease of deployment: ability to seamlessly enhance existing DDI infrastructure with security
• Data protection: ability to detect and block data exfiltration in real time
• Brand protection: help protect the hospital's name and reputation


How We Can Help You Be Successful

• Highly skilled BloxCare associates: certified support & R&D; manage 70,000+ appliances
• 24x7x365 support: global coverage, 4 support centers (US, India, Malaysia, The Netherlands); phone and online support portal; 22 hardware replacement depots
• Support options that work for you: BloxCare Premium, BloxCare Elite, Technical Account Manager
• Expert community: community.infoblox.com; 5,000+ discussions; blogs, tech articles; hundreds of experts; learn, share, network


Why Infoblox

• Infoblox provides foundational security for gaining efficiencies: reduces tools, reduces complexity, expands capabilities of existing investments
• Automation and integrations: faster incident response than non-integrated security tools
• Security on internal DNS that protects against internal, external and inside-out threats, and in the cloud


Backup


Product Packaging for BloxOne™ Threat Defense

Feature                          | Essentials                                                           | Business - On-Premises | Business - Cloud                               | Advanced
---------------------------------|----------------------------------------------------------------------|------------------------|------------------------------------------------|-------------------------------------------------------------
DNS Firewall                     | Yes                                                                  | Yes                    | Yes                                            | Yes
Threat Feeds                     | Basic (8)                                                            | Intermediate (19)      | Intermediate (19)                              | Advanced (26)
Content categorization/filtering | No                                                                   | No                     | Yes; restricts access to objectionable content | Yes, in the cloud; restricts access to objectionable content
Ecosystem                        | No                                                                   | Grid-wide              | Data Connector only                            | Grid-wide
Threat Insight, on-premises      | Yes                                                                  | Yes                    | No                                             | Yes
Threat Insight in the cloud      | No                                                                   | Yes                    | Yes                                            | Yes
Dossier queries                  | Basic threat lookup via Cloud Services Portal for investigating hits | 32,000 queries/year    | 32,000 queries/year                            | 64,000 queries/year
TIDE                             | No                                                                   | No                     | No                                             | Yes
Threat Feeds

Essentials:
• Base Hostnames
• Anti-malware
• Ransomware
• Bogon
• DHS_AIS_IP
• DHS_AIS_Hostname
• DHS AIS NCCIC Watch list Hostnames and Domains
• DHS AIS NCCIC Watch list IPs
• DoH Public IPs and Hostnames

Business On-Premises and Business Cloud: all Essentials feeds, plus
• Malware IPs
• Bot IPs
• Exploit Kit IPs
• Malware DGA hostnames
• TOR Exit Node IPs
• SURBL Multi domains
• SURBL Multi Lite domains
• SURBL Fresh domains
• US OFAC Sanctions IPs
• EECN IPs
• Cryptocurrency hostnames and domains

Advanced: all Business feeds, plus
• Extended Base & anti-malware hostnames
• Extended malware IPs
• Extended TOR Exit Node IPs
• Extended Ransomware IPs
• Extended Exploit Kit IPs
• SpamBot IPs
• SpamBot IPs DNSBL
DNS Hijacking

• A domain's registration information is modified (most often at the domain registrar) to point to a rogue DNS server
• Users are redirected to a bogus site controlled by the attackers that looks like the real thing
• The attackers harvest user names, passwords and credit card information


October 21, 2016: Dyn DDoS Attack

• The botnet consisted of compromised IoT devices (IP CCTV cameras, digital video recorders)
• Previously used in the DDoS attack against krebsonsecurity.com
• Hurled traffic at Dyn's name servers
  – Said to peak at 1.2 Tbps
  – Unclear whether it was junk traffic (e.g., SYN, GRE) or legitimate DNS queries
  – Name servers rendered unresponsive

IMPACT: Several customers of Dyn, such as Twitter, Spotify and Reddit, experienced outages and slow response
  – 8% of Dyn's customer base stopped using its services

RECOMMENDATION: Customers should have a redundant architecture, using on-prem DNS with DDoS protection as a backup


Malware Exploiting DNS - Examples

Ransomware – CryptoLocker, WannaCry, Jaff
• Use different exploitation techniques, e.g. Microsoft SMB vulnerabilities, email phishing
• Upon infection, uses DNS for the callback to the C&C server and to obtain the encryption component
• Encrypts files on the local hard drive and mapped network drives
• If the ransom isn't paid, the encryption key is deleted and the data is irretrievable

Financial and banking malware/Trojans also use DNS
• GameOver Zeus (GOZ)
  – 500,000 – 1M infections globally and 100s of millions of dollars stolen
  – Takes control of private online transactions and diverts funds to criminal accounts
• Poseidon
  – Point-of-sale (POS) malware
  – Builds upon previous Trojans like Zeus and BlackPOS that affected retail stores like Target and Home Depot

Wiper malware
• Targets Windows-based servers by exploiting network file shares
• "Dropper" installs itself as a Windows service when executed
• Attempts to connect to the C&C network, which requires DNS callbacks
• Accesses the hard drive, exfiltrates data, and wipes all content


Ransomware
• Ransomware is a type of malicious software, or malware
– It is designed to deny access to a computer system or data until a ransom is
paid
• Ransomware can be devastating to an individual or an organization
– Anyone with important data stored on their computer or network is at risk
– Those especially at risk include government or law enforcement agencies
and healthcare systems or other critical infrastructure entities
• Cities are prime targets
– IT teams are often small with few cyber security members if any
– Cities have a history of paying the ransom
⚬ Riviera Beach in Florida paid a $600k ransom in June 2019
• Recovery can be a difficult and very costly process
– Recovery may require the services of a reputable data recovery specialist
– Some victims pay to recover their files
⚬ However, there is no guarantee that individuals will recover their files if they pay
the ransom



Ransomware Attack Methodology

• Phishing emails
  – Emails that include malicious attachments
• Drive-by web attacks
  – Occur when a person visits an infected website where malware is downloaded and installed without the person's knowledge
• Watering hole sites
  – Malicious files or links on "watering hole" sites that are known to be visited by the intended victims


Ransomware: Cities are Prime Targets, Recovery is Costly


Ransomware Prevention, Detection, and Mitigation with Infoblox Solutions

• Infoblox can help immediately by enabling a DNS Response Policy Zone (RPZ) to prevent resolution of all domains known to be associated with malware
  – Infoblox threat intelligence feeds include domains used in ransomware attacks and provide protection against malicious domains
• The Infoblox Activity Report and Dossier tool can be used to get more context on malware attacks taking place, and to identify the source of the campaigns
• The DNS, DHCP and IPAM data that Infoblox collects and reports provides detailed visibility into infections and can be used for prioritizing remediation
• Once a malicious threat is detected, Infoblox can share that event information and context with security tools like a SIEM, vulnerability scanners and NAC solutions
  – These tools can be triggered to either scan the device for vulnerabilities or prevent

DNS RPZ: How it Works

A DNS threat intelligence service supplies the DNS server with the IPs, domains, etc. of bad servers (malicious domains); security solutions (FireEye, Carbon Black, Cisco ISE) exchange data with it.

1. An infected device is brought into the office. Malware spreads to other devices on the network.
2. Malware makes a DNS query to find "home" (botnet / C&C). The DNS firewalling feature looks at the DNS response and takes the admin-defined action: it disallows communication to the malware site, or redirects the traffic to a landing page or "walled garden" site. The blocked communication attempt is recorded as an indicator of compromise.
3. Pinpoint. The SIEM or Reporting lists RPZ hits and the action taken, as well as:
   • User name
   • Device IP address
   • Device MAC address
   • Device type (DHCP fingerprint)
   • Device host name
   • Device lease history
4. A feed update occurs every 2 hours (or more often for a significant threat).
5. Threat intelligence from multiple sources can be used by DNS.
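How the RPZ actions on this slide and best practice 4 from the DoT/DoH slide (canary and DoH-resolver blocking) fit together in one policy zone, as an added example rather than Infoblox's own configuration: it emits a minimal RPZ zone file from constructed indicator sets and evaluates query names against it. The zone name, walled-garden host and the indicator lists are assumptions; use-application-dns.net is the real Firefox canary and the DoH hostnames are real public resolvers.

```python
"""Build a minimal Response Policy Zone (RPZ) from threat-intel indicators and
evaluate query names against it the way a DNS firewall does.

RPZ conventions (as implemented by BIND and other RPZ-capable resolvers): each
trigger is an owner name inside the policy zone; the target encodes the action:
  CNAME .               -> answer NXDOMAIN
  CNAME rpz-passthru.   -> allow (exempt from later rules)
  CNAME <some name>     -> redirect, e.g. to a walled-garden landing page
A '*.' trigger covers every subdomain of the name.
"""

POLICY_ZONE = "rpz.example.internal"              # assumption: the policy zone name
WALLED_GARDEN = "blockpage.example.internal."     # assumption: the landing page

# Constructed indicator sets standing in for the deck's feed categories.
ALLOW = {"safe-partner.example"}                  # local exemptions
MALWARE_CNC = {"evil-cnc.example", "update.bad-dropper.example"}
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}
# Firefox resolves this name before enabling DoH on its own; an NXDOMAIN answer
# tells it to keep using the system (enterprise) resolver.
CANARY = "use-application-dns.net"


def build_rpz_records():
    """Return (trigger, target) pairs in precedence order: exemptions first,
    then NXDOMAIN blocks, then walled-garden redirects."""
    records = []
    for name in sorted(ALLOW):
        records += [(name, "rpz-passthru."), ("*." + name, "rpz-passthru.")]
    for name in [CANARY] + sorted(DOH_RESOLVERS):
        records += [(name, "."), ("*." + name, ".")]
    for name in sorted(MALWARE_CNC):
        records += [(name, WALLED_GARDEN), ("*." + name, WALLED_GARDEN)]
    return records


def render_zone(records, serial=1):
    """Render the records as a zone file the resolver can load as an RPZ."""
    lines = [
        f"$ORIGIN {POLICY_ZONE}.",
        f"@ 3600 IN SOA ns.{POLICY_ZONE}. hostmaster.{POLICY_ZONE}. {serial} 3600 900 604800 300",
        f"@ 3600 IN NS ns.{POLICY_ZONE}.",
    ]
    lines += [f"{trigger} IN CNAME {target}" for trigger, target in records]
    return "\n".join(lines) + "\n"


def lookup_policy(qname, records):
    """Return ('passthru' | 'nxdomain' | 'redirect', target) for a query name.

    The first matching record in precedence order wins, so an exempted name is
    never caught by a broader block. (Real RPZ precedence also weighs trigger
    specificity; this simplified evaluator is enough to show the actions.)"""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    candidates = {name} | {"*." + ".".join(labels[i:]) for i in range(1, len(labels))}
    for trigger, target in records:
        if trigger in candidates:
            if target == "rpz-passthru.":
                return "passthru", None
            if target == ".":
                return "nxdomain", None
            return "redirect", target
    return "passthru", None                       # no policy: resolve normally


if __name__ == "__main__":
    recs = build_rpz_records()
    print(render_zone(recs))
    for q in ["use-application-dns.net", "beacon.evil-cnc.example", "www.safe-partner.example"]:
        print(q, "->", lookup_policy(q, recs))
```

The choice between NXDOMAIN and a redirect is the operational point of the slide: NXDOMAIN is right for the canary and for DoH resolvers (the client simply falls back), while a walled-garden CNAME for C&C names gives the user a block page and gives the SOC a connection attempt to the landing host that carries the client's identity, which is what step 3 pinpoints.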


Aligning with Industry Standards: NIST Cybersecurity Framework

Identifier | Category                       | Infoblox solutions
-----------|--------------------------------|------------------------------------------------------------------------------------------------------------------------
ID.AM      | Asset Management               | IPAM/DHCP/DNS – single source of truth for network assets; Network Insight – automated device discovery, vulnerability scanner integration
ID.RA      | Risk Assessment                | NetMRI – device audit, vulnerability scanner integration
PR.AC      | Access Control                 | DNS; NAC integration
DE.AE      | Anomalies and Events           | DNS analytics – data exfiltration & DNS tunneling
DE.CM      | Security Continuous Monitoring | DNS query/response data – Data Connector
DE.DP      | Detection Processes            | DNS firewalling & threat intelligence for malware detection; Advanced DNS Protection – DDoS detection
RS.MI      | Mitigation                     | DNS firewalling – STIX, REST APIs
RS.AN      | Analysis                       | Passive DNS


Block Known, Protocol Specific and Unknown Threats

• Reputation: detect & block malware communications to command & control sites; government-grade threat intelligence
• Signature: carrier-grade deep packet inspection; instant identification of popular DNS tunneling tools
• Behavior: patented streaming analytics technology ("machine learning"); detect & prevent zero-day data exfiltration, DGA, fast flux, fileless malware


Trusted Source of Threat Intelligence

• Timely: every data entry includes an appropriate expiration, so it doesn't get stale
• Reliable: over 10 years in the business; we publish hundreds of thousands of valuable indicators daily
• Accurate: verified data sets with less than 0.01% false positives
• Contextual: data includes why it's a threat, and what other indicators are related to it
• Easy to use: available in many forms and many channels


Threat Intel Data Sharing
Reduce cost of threat feeds while improving effectiveness across entire security portfolio

Inputs to TIDE* (define data policy, governance & translation):
• Infoblox threat intelligence
• Government sources
• Marketplace feeds
• Custom TI
• Falcon Intelligence
• Emerging Threats
• Threat Track

Outputs, distributed in various file formats:
• C&C IP list
• Phishing & malware URLs, to WWW
• Spambot IPs
• C&C & malware host/domain, to DNS
• Dossier: investigate threats
• SIEM

* Threat Intelligence Data Exchange

Automate investigation & triage | Orchestrate common security policy across multi-vendor infrastructure | Single source of TI management
Extends and Enriches NGFWs

NGFW
• Routing + access control + application control + IPS + URL filtering + antivirus inspection
• Gaps:
  o Lacks visibility on DNS traffic
  o Can't protect off-premises devices unless a VPN is used
  o Typically allows port 53 traffic through without inspection

DNS
• Complements the NGFW by providing a DNS-layer defense
• Covers DNS security gaps like data exfiltration and DGA
• Informs the NGFW to create additional policy on the fly
• Improves visibility with DHCP and IPAM information


Contextual Reporting and Granular Policy Management
Insights to monitor, analyze and secure the network, devices and applications

Threat categories covered: malware C&C, malware download, exploit kits, APT, DGA and fast flux, DNS tunneling, data exfiltration, DNS Messenger.

Network admin
• Time-based operational and usage reports
• Information on active devices

Security admin
• See response hits per security policy, top malicious domains, top clients with hits
• Double-click on threat categories and sub-categories
• Get IP metadata
• Apply different policies for different user segments
• Set policy precedence for various categories

Security researcher
• Drill down into details on the origin of malicious activity, device and logged-in user
• Schedule any report to be emailed at specified time periods


SaaS Benefits

IT
• Reduced IT overhead: no infrastructure to manage
• Lower upfront costs, with predictable costs thereafter
• Faster deployment, seamless upgrades
• Pay as you go, scale as you grow

Business
• Immediately improve security posture
• Easily extend Infoblox on-premises DNS
• Immediate access to new innovations and features
• Easily try new capabilities before deploying broadly


Security, Data Privacy, and SLAs

Security and data privacy
• Encrypted communications and data
• Penetration testing, static and dynamic code analysis
• Patched software
• Restricted access based on location, IP addresses and role
• Data privacy and unique API key for authentication

SLAs
• Designed for anytime, anywhere access with reliable service delivery (Infoblox will use commercially reasonable efforts to make DNS query services available at least 99.99% of the time during each calendar month of service*)
• Continuous monitoring by the Infoblox NOC
• Disaster recovery, and worldwide datacenters
• Daily backup for configurations, policy, and device data
• Superior support; alerts on planned outages or when license limits are about to be reached

* Doesn't include scheduled maintenance
DNS - a Back Door to Sensitive Data

• Malware uses DNS as a covert communication channel to bypass firewalls
• An attacker tunnels other protocols, like SSH or web, within DNS
• Enables attackers to easily insert malware, pass stolen data or tunnel IP traffic without detection
• A DNS tunnel can be used as a full remote-control channel for a compromised internal host
• Example tools
  – Iodine
  – OzymanDNS
  – SplitBrain
  – DNS2TCP

In the diagram, the infected endpoint sends queries through the enterprise DNS server to the attacker-controlled server, carrying the stolen fields in the query names:
  NameMarySmith.foo.thief.com
  MRN100045429886.foo.thief.com
  DOB10191952.foo.thief.com
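An added example, not from the deck, that serves both the exfiltration slides (10 and 11) and this one: it aggregates resolver query logs per client and registered domain and applies the checks a DNS-layer detector keys on. The log format, the client and domain names, and the "stolen file" chunks are all constructed; the three PII-style labels are the ones drawn on this slide, with thief.com replaced by a reserved .example name.

```python
"""Per-client, per-domain detection of DNS exfiltration and DNS tunnels from
resolver query logs.

Constructed log lines have the form "<timestamp> <client-ip> <qname> <qtype>".
For every (client, registered domain) pair the code keeps the features a
DNS-layer detector keys on: how many distinct names were queried under the
domain (exfil never repeats a name, ordinary lookups do), how long and how
'encoded' the leftmost label is (it is the data carrier), and the share of
TXT/NULL queries (the record types iodine and dns2tcp use to carry data back).
"""
import hashlib
import re
from collections import defaultdict

ENCODED = re.compile(r"^[a-z0-9]{16,}$")      # hex / base32 / base36 chunk


def registered_domain(qname: str) -> str:
    """Crude two-label suffix; a real tool uses the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def leftmost_label(qname: str) -> str:
    return qname.rstrip(".").lower().split(".")[0]


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def profile(lines) -> dict:
    """Aggregate features per (client, registered domain)."""
    agg = defaultdict(lambda: {"queries": 0, "names": set(), "label_bytes": 0,
                               "encoded": 0, "txt_null": 0})
    for line in lines:
        if not line.strip():
            continue
        q = parse_line(line)
        a = agg[(q["client"], registered_domain(q["qname"]))]
        a["queries"] += 1
        a["names"].add(q["qname"].lower())
        label = leftmost_label(q["qname"])
        a["label_bytes"] += len(label)
        if ENCODED.match(label) and sum(c.isdigit() for c in label) >= 2:
            a["encoded"] += 1
        if q["qtype"] in ("TXT", "NULL"):
            a["txt_null"] += 1
    return agg


def verdict(a: dict, min_names: int = 8):
    """'tunnel', 'exfil' or None for one aggregated (client, domain) profile."""
    n = a["queries"]
    if len(a["names"]) < min_names:
        return None                      # too little fan-out to judge
    if a["txt_null"] / n >= 0.5:
        return "tunnel"                  # bidirectional: data rides back in TXT/NULL answers
    if a["encoded"] / n >= 0.5 or a["label_bytes"] / n >= 20:
        return "exfil"                   # outbound only: data rides in the query names
    return None


def detect(lines) -> dict:
    results = {key: verdict(a) for key, a in profile(lines).items()}
    return {key: v for key, v in results.items() if v is not None}


def _chunk(i: int) -> str:
    """Constructed stand-in for a hex-encoded 16-byte chunk of a stolen file."""
    return hashlib.sha256(str(i).encode()).hexdigest()[:32]


# Constructed sample log: one normal client, one client leaking record fields
# (the slide's labels) and then file chunks, one client running a TXT tunnel.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 10.0.5.20 www.example.com A",
    "2024-05-01T10:00:01 10.0.5.20 mail.example.com A",
    "2024-05-01T10:00:02 10.0.5.20 www.example.com A",
    "2024-05-01T10:00:03 10.0.5.31 NameMarySmith.foo.thief.example A",
    "2024-05-01T10:00:04 10.0.5.31 MRN100045429886.foo.thief.example A",
    "2024-05-01T10:00:05 10.0.5.31 DOB10191952.foo.thief.example A",
] + [
    f"2024-05-01T10:00:{6 + i:02d} 10.0.5.31 {_chunk(i)}.foo.thief.example A" for i in range(9)
] + [
    f"2024-05-01T10:01:{i:02d} 10.0.5.32 {_chunk(100 + i)}.t.tunnel.example TXT" for i in range(10)
]

if __name__ == "__main__":
    for (client, domain), kind in detect(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {kind}")
```

A single long query name is not evidence: CDNs, anti-virus cloud lookups and some telemetry produce long, hash-like labels too. What separates exfiltration from those is the combination of many never-repeated names under one domain from one client, which is why the verdict is computed per (client, domain) pair and refuses to judge below a minimum fan-out.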


Creating Viable Lookalike Domains
"All the good domain names are gone!"

Domains are now long and complex, hard to read, and full of dots and dashes. That gives attackers room to work:
• Character substitution: 1 versus I; УАНОО versus YAHOO (Cyrillic look-alikes); 136,000 available Unicode characters
• With or without dashes and extra words
• 829+ million lookalike options for "Infoblox"

Examples:
  rnicrosoft[.]com
  facebooksecurelogin[.]com
  paypal-security-services[.]com
  APPLE-ID-COM[.]com
  account.paypal.co.uk[.]rlsg4
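An added example (not from the deck) of the detection side of these techniques: it folds a domain to what a human reads it as, then tests it against a protected brand for homoglyph substitution, one- or two-edit typos, the brand wrapped in extra words or dashes, and the brand planted in a subdomain of an unrelated registered domain. The confusable table and letter-pair list are small constructed slices of the real ones; the "last two labels are the registered domain" rule is a simplification.

```python
"""Score an observed domain against a protected brand using the lookalike
techniques on the slide: confusable-character substitution, typos, extra
words/dashes around the brand, and the brand planted in a subdomain.
"""
import unicodedata

# Constructed confusable map. Unicode publishes a full confusables table;
# this is a small slice of it plus the digit/letter swaps attackers favour.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u043d": "h",   # Cyrillic en, as in the slide's УАНОО
}
# Letter pairs that render like a single letter in many fonts.
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(label: str) -> str:
    """Fold a label to the ASCII string a human would read it as."""
    s = unicodedata.normalize("NFKC", label).lower()
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for pair, single in MULTI_CHAR:
        s = s.replace(pair, single)
    return s


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def split_domain(domain: str):
    """Return (second-level label, all labels). Uses the crude 'last two labels
    are the registered domain' rule; real tooling uses the Public Suffix List."""
    labels = domain.strip(".").lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return sld, labels


def assess(domain: str, brand: str) -> list:
    """Return the lookalike techniques detected (empty list if none)."""
    brand_n = normalize(brand)
    sld, labels = split_domain(domain)
    sld_n = normalize(sld)
    reasons = []
    if sld_n == brand_n:
        if sld != brand.lower():
            reasons.append("homoglyph")         # reads as the brand, is not the brand
    elif osa_distance(sld_n, brand_n) <= (1 if len(brand_n) <= 6 else 2):
        reasons.append("typo")
    if brand_n in sld_n and sld_n != brand_n:
        reasons.append("combosquat")            # brand plus extra words / dashes
    if sld_n != brand_n and any(brand_n in normalize(l) for l in labels[:-2]):
        reasons.append("subdomain")             # brand hidden left of the real domain
    return reasons


if __name__ == "__main__":
    for dom, brand in [("rnicrosoft.com", "microsoft"), ("paypal-security-services.com", "paypal"),
                       ("account.paypal.co.uk.rlsg4", "paypal"), ("\u0423\u0410\u041d\u041e\u041e.com", "yahoo")]:
        print(dom, brand, assess(dom, brand))
```

Normalising before comparing is what makes the slide's examples tractable: after folding, rnicrosoft and УАНОО are byte-identical to the brand, so no fuzzy matching is needed for them, and the edit-distance threshold can stay tight enough that ordinary short words do not trip it.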


The Threat Landscape: Lookalike Domain Misuse

[Figure: attack ROI using lookalike domains, plotted against global user awareness, brand popularity and domain complexity, and the resulting lookalike risk]


Lookalike Domain Use By Targeted Victims

• Customers targeted by impersonating your organization
  – Phishing emails, social media, mobile messaging, brandjacking, etc.
  – Deliver malware or host malicious sites that look legitimate
  – Impact: negative brand reputation; recovery takes time
• Employee-targeted attacks
  – Impersonate business partners, vendors or service providers
  – Impersonate employee benefit partners (gyms, vacation clubs, etc.)
  – Impersonate popular local gathering spots (new restaurant, sports bars, etc.)
  – Impact: direct compromise, or a foothold to move laterally across the network


Custom Lookalike Domain Monitoring
Protecting Customers, Employees and Brand Reputation

1. Customers submit domains, such as their organization's own domain, or domains frequently visited by or controlled by the organization
2. The Infoblox Cyber Intelligence Unit determines high-risk lookalike domains for initial assessment and monitoring
3. Customers are notified of suspicious activity related to these lookalike domains, for visibility and as an advance warning for proactive response


DGA and Dictionary DGA
• DGA is Domain Generation Algorithm
  – Technique used by attackers to establish stealth communication
  – Used by malware in C2 communications to evade blacklist-based blocking mechanisms like firewalls
• Examples
  – Normal DGA, lexical feature: random characters: nn4rzw6r4yv4ezapuu.ru, 1raqjrrzjj3x1127cx9d1vsxhof.net
  – Dictionary DGA, lexical feature: words from a dictionary: facegone.net, ballpull.net
• DGAs are used by C2 botnets to establish communications, a critical step of the malicious activity lifecycle
• Dictionary DGA has been used by malware families like Suppobox and Matsnu
• Suppobox is a very active family, representing about 10% of all DGA malware activity


Dynamically Generated Domains

1. The attacker uses an algorithm for dynamic domain creation and registers the domains it will produce, for example:
   TW9uZGF5LCAxc.com
   V2VkbmVzZGF5L.com
   RnJpZGF5LCA1d.com
   U3VuZGF5LCA3d.com
   (these sample names are base64 encodings of date strings such as "Monday, 1" and "Wednesday", i.e. the generator is seeded by the date)
2. Malware uses the same algorithm to "look" for the CnC server, querying candidates such as 9uZGF5LCA.com and V2VkbmVzZ.com until one resolves; unregistered candidates simply fail
3. The successful domain (TW9uZGF5LCAxc.com) allows the malware to connect to the malicious destination, straight past the core security stack

Static threat intelligence is ineffective against this attack method: the domains are new every day and never appear on a list in time.


How Infoblox Detects DGA, Dictionary DGA

• Dictionary DGA detection is based on graph analysis
• Ability to catch about 95% of the domains with a very low false positive rate *
• Delivered as part of cloud-based analytics
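An added example, not Infoblox's graph-based detector or any other code from the deck, showing the lexical features listed on slide 15 (entropy, size, lexical analysis, n-gram-style character runs) applied to the slide 53 samples, and why a dictionary DGA needs a different test plus an allow-list. The word list, thresholds and the brand allow-list are constructed for the example; the two-label rule for picking the registrable label is a simplification.

```python
"""Lexical scoring of domain names for the two DGA styles on the slides.

Random-character DGAs (nn4rzw6r4yv4ezapuu.ru) stand out on the features the
deck lists for its behavioural models: entropy, size, digit share and long
consonant runs. Dictionary DGAs (facegone.net) defeat those features on
purpose, so they are caught by a different test: the label tiles exactly into
two or more dictionary words yet is not itself a known word or brand. The
allow-list ("whitelist" on slide 15) is what keeps paypal or facebook from
being flagged by that second test.
"""
import math
import re

CONSONANT_OR_DIGIT = re.compile(r"[b-df-hj-np-tv-z0-9]+")
VOWELS = set("aeiou")

# Constructed mini word list; a real detector loads a full dictionary.
WORDS = {"face", "gone", "ball", "pull", "book", "pay", "pal", "info",
         "micro", "soft", "secure", "login", "bank", "mail", "news", "store"}


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def lexical_features(label: str) -> dict:
    label = label.lower()
    alpha = [c for c in label if c.isalpha()]
    runs = CONSONANT_OR_DIGIT.findall(label)
    return {
        "len": len(label),
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(c.isdigit() for c in label) / len(label),
        "vowel_ratio": sum(c in VOWELS for c in alpha) / max(len(alpha), 1),
        "longest_run": max((len(r) for r in runs), default=0),
    }


def is_random_dga(label: str) -> bool:
    """Two or more independent 'does not look like language' signals."""
    f = lexical_features(label)
    hits = sum([
        f["len"] >= 12 and f["entropy"] > 3.5,
        f["digit_ratio"] > 0.2,
        f["vowel_ratio"] < 0.25,
        f["longest_run"] >= 5,
    ])
    return hits >= 2


def segment_words(label: str, min_len: int = 3):
    """Tile `label` with dictionary words (longest-first, memoised); None if impossible."""
    memo = {}

    def solve(i):
        if i == len(label):
            return []
        if i in memo:
            return memo[i]
        for j in range(len(label), i + min_len - 1, -1):
            word = label[i:j]
            if word in WORDS:
                rest = solve(j)
                if rest is not None:
                    memo[i] = [word] + rest
                    return memo[i]
        memo[i] = None
        return None

    return solve(0)


def is_dictionary_dga(label: str, known_good=frozenset()) -> bool:
    label = label.lower()
    if label in known_good or label in WORDS:
        return False
    words = segment_words(label)
    return words is not None and len(words) >= 2


def classify_domain(fqdn: str, known_good=frozenset()) -> str:
    """Classify the registrable label of a domain name."""
    labels = fqdn.strip(".").lower().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    if is_random_dga(label):
        return "random_dga"
    if is_dictionary_dga(label, known_good):
        return "dictionary_dga"
    return "benign"


if __name__ == "__main__":
    brands = frozenset({"paypal", "facebook", "microsoft"})
    for d in ["nn4rzw6r4yv4ezapuu.ru", "facegone.net", "facebook.com", "TW9uZGF5LCAxc.com"]:
        print(d, classify_domain(d, brands))
```

Run without the allow-list, paypal.com itself segments into "pay" + "pal" and is flagged, which is exactly the false-positive problem the deck's behavioural models pair with whitelisting and why the vendor moved dictionary-DGA detection to graph analysis over query behaviour rather than the name alone.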


Infoblox Dossier – Threat Investigation
• Threat research tool that provides contextual information from multiple data sources in a single view simultaneously
• Data includes open source, proprietary and premium commercial sources
• Information includes historical registration, reputation, infrastructure relationships
• API available for large batch requests
• Allows the user to stay anonymous (we cloak the identity of the customer performing queries)


Cloud Managed Data Connector for SIEM Optimization

The Data Connector gathers DDI data, filters out legitimate activity and sends suspicious event info to the SIEM.

SOC teams can easily connect the dots when investigating incidents, while keeping costs low.


Comprehensive Security Reports
• High-level visibility
  – DNS activity
  – Device activity
  – Web activity
• Threat risk trends
  – Threats detected
  – Attacker statistics
  – Threat intelligence use
• Flexible reporting periods
• Helps guide security analysts
BloxOne® Threat Defense Advanced

Unified cloud services: reporting portal, APIs, Data Connector; ecosystem I/O to SIEM, vulnerability scanner, firewall, TIP, etc.
Detection and intelligence: Threat Insight (behavioral), reputational DNS firewall, threat intel, Dossier, threat research, TIDE (intel sharing)
Deployment: cloud / on-prem / hybrid, with globally available recursive DNS and web filtering
• On-prem: Infoblox Grid
• Cloud: public, private
• Endpoint: client
• Remote office: DNS Forwarding Proxy
