The DNS Tunneling Blindspot
Stopping the bad guys and what you can do about it
Brian A. McHenry
Sr. Security Solutions Architect
bam@f5.com
@bamchenry
Enterprise Blindspots in the Age of Malware & Insider Threats
Brian A. McHenry, Sr. Security Solutions Architect (bam@f5.com, @bamchenry)
Who is this guy?
• Brian A. McHenry, Sr. Security Solutions Architect, F5
Networks
• 9 years at F5, focused on application security solutions
• Regular contributor on DevCentral.f5.com &
InformationSecurityBuzz.com
• Follow me on Twitter @bamchenry
Greatest threats to data loss?
External
• Injection attacks
  • SQL, command, etc.
• Open TCP ports
  • SSH, Telnet, FTP, etc.
• Phishing
Internal
• Undetected malware
  • Servers, desktops, laptops, etc.
• Employees, contractors
  • Disgruntled or careless
• Unverified backup systems
Detecting Malware
Mitigate Malicious Communication - RPZ
Open-service DNS query filtering by reputation
• Prevent malware and sites hosting malicious content from ever communicating with a client.
• Inhibit the threat at the earliest opportunity: Internet activity starts with a DNS request.
• Domain reputation: mitigate DNS threats by refusing to resolve known-malicious domains (and, with IP triggers, the addresses they resolve to), reducing malware and virus infections.
[Diagram: client -> BIG-IP DNS server/proxy ("Select your service") -> Response Policy Zone (RPZ) live feed, with live updates]
Protecting the Client
The internet isn't an altogether safe place.
MALICIOUS THREATS
• BotNets: inadvertently downloaded and used to mount distributed attacks.
• Viruses: once installed, cause malicious activity on the end-user device, sometimes for ransom.
• OS vulnerabilities: unprotected, unpatched devices are extremely vulnerable.
DUPING THE USER
• Phishing scams and man-in-the-middle: websites which impersonate real websites, often linked from email or another website; scammers aim to capture credentials.
• Site redirection: DNS traffic is captured and sent to a malicious DNS server serving bad DNS results.
UNDESIRABLE CONTENT
• Offensive: content that may violate HR or local rules, violate decency standards, or be age-inappropriate.
• Irrelevant: distracting content incompatible with job function or policy.
• Illegal content: file sharing or sites identified as hosting banned material.
DNS IP and Name Reputation Choices
RESPONSE POLICY ZONES
  Screens a DNS request against domains with a bad reputation.
  Inhibits threats by FQDN.
URL FILTERING
  Intercepts a DNS request in iRules, categorizes it and makes a decision.
  Inhibits threats by FQDN; policy control by FQDN.
IP REPUTATION
  Intercepts a DNS response in iRules, categorizes the resolved address and makes a decision.
  Inhibits threats by IP.
Technical Use Cases
http://www.badsite.com (virus, malware, etc.; a DNS lookup is required)
  RPZ: applies. IP reputation: limited to IP address reputation. URL filtering: applies.
http://194.71.107.15 (virus, malware, etc.; no DNS lookup is issued)
  RPZ: no DNS lookup to filter. IP reputation: applies. URL filtering: no URL or FQDN to examine.
http://www.facebook.com (social networking; against corporate policy)
  RPZ: covers malicious content only. IP reputation: limited to IP address reputation. URL filtering: applies.
Prevent malware and sites hosting malicious content from ever communicating with a client. Internet activity starts with a DNS request; inhibit the threat at the earliest opportunity.
[Diagram: DNS server or proxy built from an IPv4/v6 listener, protocol validation, cache, resolver, scripting, special handling and a reputation database receiving live updates from the RPZ live feed]
Use Case – User Protection
Prevent subscribers from reaching known bad domains (RPZ live feed).
Use Case – ISP Layered Client Protection
[Diagram: a query for WWW.DOMAIN.COM enters on the ingress DNS path and passes through the DNS policy stage (subscriber policy via iControl, RPZ, IP Reputation and URL Filtering, each driven by its own feed: RPZ feed, IP reputation feed, URL feed), then the cache and resolver on the egress DNS path]
• Response Policy Zones (RPZ) filter out known bad domains and answer with NXDOMAIN or a redirect.
• URL Filtering further provides granular policy controls using categories.
• IP Intelligence blocks based on the resolved IP.
• IP Intelligence can also be used in the data path for other protocols.
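The three mechanisms compared on the "DNS IP and Name Reputation Choices" and "Technical Use Cases" slides, and the layered order of the ISP slide above, can be worked through in code. What follows is an added example, not F5 code and not an iRule: a small Python policy engine that uses the trigger and action encoding of Response Policy Zones (QNAME triggers for blocking by FQDN, rpz-ip triggers for blocking by resolved address; a CNAME to "." for NXDOMAIN, "*." for NODATA, "rpz-passthru." for an exemption, any other target as local data such as a walled-garden redirect) together with a category map standing in for URL filtering. The policy zone, the category list, the stub resolver table, the names and all addresses (TEST-NET ranges) are constructed for the example.

```python
"""Toy DNS policy engine using the Response Policy Zone (RPZ) trigger/action
encoding.  Added example, not F5 code and not an iRule; every zone record,
category, upstream answer and address below is constructed (TEST-NET ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Policy zone: owner name relative to the zone apex -> CNAME target.  The target
# encodes the action: "." = NXDOMAIN, "*." = NODATA, "rpz-passthru." = exempt from
# the rest of this zone, anything else = local data.  IP triggers are spelled
# <prefixlen>.<reversed octets>.rpz-ip (IPv4 only here).
RPZ_RECORDS = {
    "www.badsite.com": ".",                    # QNAME trigger -> NXDOMAIN
    "*.badsite.com": "walledgarden.example.",  # wildcard QNAME -> redirect
    "safe.badsite.com": "rpz-passthru.",       # exact name beats the wildcard
    "32.8.113.0.203.rpz-ip": ".",              # 203.0.113.8/32 -> NXDOMAIN
    "24.0.113.0.203.rpz-ip": "*.",             # 203.0.113.0/24 -> NODATA
}
CATEGORY_OF = {"www.facebook.com": "social-networking"}  # stand-in for URL filtering
BLOCKED_CATEGORIES = {"social-networking"}
UPSTREAM = {                                             # constructed stub resolver answers
    "www.badsite.com": "203.0.113.8",
    "cdn.badsite.com": "203.0.113.9",
    "safe.badsite.com": "203.0.113.77",
    "www.facebook.com": "198.51.100.20",
    "www.example.net": "192.0.2.10",
    "mirror.example.net": "203.0.113.200",  # clean name hosted inside the bad /24
    "alias.example.org": "203.0.113.8",     # clean name on the same host as badsite
}


@dataclass(frozen=True)
class Verdict:
    qname: str
    stage: str                    # rpz-qname, url-filter, rpz-ip or resolver
    action: str                   # NXDOMAIN, NODATA, LOCAL-DATA, BLOCKED or ALLOW
    detail: Optional[str] = None  # redirect target, category or resolved address


def _parse_ip_trigger(owner: str) -> ipaddress.IPv4Network:
    """'24.0.113.0.203.rpz-ip' -> IPv4Network('203.0.113.0/24')."""
    labels = owner.split(".")
    return ipaddress.ip_network(".".join(reversed(labels[1:5])) + "/" + labels[0], strict=False)


IP_TRIGGERS = [(_parse_ip_trigger(o), o) for o in RPZ_RECORDS if o.endswith(".rpz-ip")]


def action_for(owner: str) -> Tuple[str, Optional[str]]:
    """Decode the action from the trigger's CNAME target."""
    target = RPZ_RECORDS[owner]
    if target == ".":
        return "NXDOMAIN", None
    if target == "*.":
        return "NODATA", None
    if target == "rpz-passthru.":
        return "PASSTHRU", None
    return "LOCAL-DATA", target.rstrip(".")


def qname_trigger(name: str) -> Optional[str]:
    """Matching QNAME trigger or None: an exact owner beats a wildcard, and the
    closest enclosing wildcard wins.  '*.badsite.com' does not match badsite.com."""
    if name in RPZ_RECORDS and not name.endswith(".rpz-ip"):
        return name
    labels = name.split(".")
    for i in range(1, len(labels)):
        if "*." + ".".join(labels[i:]) in RPZ_RECORDS:
            return "*." + ".".join(labels[i:])
    return None


def ip_trigger(address: str) -> Optional[str]:
    """Longest-prefix rpz-ip trigger covering `address`, or None.  Also usable on
    the data path, where a raw-IP URL never produced a DNS query to inspect."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, owner in IP_TRIGGERS:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else None


def resolve_with_policy(qname: str) -> Verdict:
    """Layered lookup in the order of the ISP slide: RPZ QNAME trigger, URL
    filtering by category, upstream resolution, RPZ IP trigger on the answer."""
    name = qname.lower().rstrip(".")
    exempt = False
    owner = qname_trigger(name)
    if owner is not None:
        action, detail = action_for(owner)
        if action != "PASSTHRU":
            return Verdict(name, "rpz-qname", action, detail)
        exempt = True  # PASSTHRU lifts the name out of the whole zone, IP triggers included
    category = CATEGORY_OF.get(name)
    if category in BLOCKED_CATEGORIES:
        return Verdict(name, "url-filter", "BLOCKED", category)
    address = UPSTREAM.get(name)
    if address is None:
        return Verdict(name, "resolver", "NXDOMAIN")
    if not exempt and (owner := ip_trigger(address)) is not None:
        action, detail = action_for(owner)
        return Verdict(name, "rpz-ip", action, detail)
    return Verdict(name, "resolver", "ALLOW", address)


if __name__ == "__main__":
    print(resolve_with_policy("CDN.badsite.com."), ip_trigger("203.0.113.8"))
```

Two points from the use-case slide show up directly: a name carried in the policy zone never reaches the resolver, while a URL with a raw IP literal never generates a query at all, so only a data-path check that calls ip_trigger() on the destination address can catch it. The PASSTHRU entry shows why exemptions need care: it lifts the name out of the whole RPZ policy, including the IP trigger that would otherwise have caught its hosting network, which is exactly the kind of gap a feed-driven deployment should review.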
Thank you!
http://www.informationsecuritybuzz.com/articles/mutating-malware-and-data-center-blind-spots-in-2016/
http://www.slideshare.net/bamchenry
https://www.linkedin.com/in/bamchenry
https://twitter.com/bamchenry
