The Importance of DNS in Preventing Global Cyber Attacks
Ricardo Rodrigues
Effective Internet Security Has Never Been More Important
The cost of security incidents has increased, driven by ransomware.
[Figure: three statistic panels: average ransomware cost to a consumer, average ransomware cost to a business, and "attack queries grew 270 percent from Fall 2016 to Spring 2017"; values shown: $8,699, $20,752, and a chart with 1.6M and 6M for 2013 and 2016; sources: Nominum, Symantec, SBIR]
Mobile & IoT Devices Are At Risk As IoT Attacks Are on the Rise
• End-user devices remain unprotected
[Figure: worldwide Mirai infections (Mirai botnet); source: 360 and Nominum]
The Dream of the Connected Life
IoT: Internet of Things? or… Internet of Threats?
Cyber Attack Ladder
STAGE | Steps
ATTACK | Action, C&C
INTRUSION | Installation, Exploitation, Delivery
PREPARATION | Reconnaissance, Weaponization
Cyber Attacks
• BYOD, IoT and botnets bring new challenges
  – What to do if the attack comes from inside your network?
• Block thousands of infected subscribers?
  – How to mitigate the attack without harming the subscriber?
• It is imperative to block the malicious traffic and allow the good
• Is it possible to be proactive?
  – How to identify infected subscribers?
  – Is it possible to prevent infected subscribers from generating attacks?
• Is it necessary to change the network architecture?
  – Or can we make better use of the existing elements?
DNS and the Security Architecture
DNS Can Help at Every Stage of an Attack
STAGE (Steps) | How DNS Helps
ATTACK (Action, C&C):
  – Block purpose-built DNS Amp domains
  – Rate-limit dual-use DNS Amp domains
  – Block malicious subdomains (PRSD)
  – Block DNS tunneling domains
  – Block command and control domains
INTRUSION (Installation, Exploitation, Delivery):
  – Block phishing domains
  – Block domains hosting exploit kits
  – Block malware download domains
  – Redirect & block HTTP paths for compromised websites
  – Block malware drop sites
  – Block domains used to download files for encryption
  – Monitor or block domains associated with criminal infrastructure
PREPARATION (Reconnaissance, Weaponization):
  – Monitor or block traffic to illegal download sites
  – Block categories of domains frequently serving malware
  – Identify anomalous DNS requests for further investigation
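The slide lists resolver-side actions per attack stage (block listed domains, rate-limit dual-use amplification domains). The following is an added example, not code from the deck or from Nominum, of how such a policy can be applied at query time: any subdomain of a listed zone is blocked, dual-use domains are passed through a per-domain token bucket, and everything else is allowed. The block list entries, the dual-use domain and the sample queries are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample policy data for this example: placeholder names, not any real feed.
BLOCKLIST = {
    "c2.example": "command-and-control",
    "phish.example": "phishing",
    "exploitkit.example": "exploit-kit",
    "dropsite.example": "malware-download",
    "tunnel.example": "dns-tunneling",
    "amp-only.example": "dns-amplification",  # purpose-built amplification domain
}

# Dual-use domains: legitimate services whose large answers are abused for
# amplification, so they are rate-limited instead of blocked outright.
DUAL_USE_AMP = {"big-txt.example"}


def parent_domains(qname):
    """Yield the query name and each ancestor: a.b.c -> a.b.c, b.c, c.

    Matching ancestors means listing c2.example also covers bot1.c2.example,
    which is how a resolver policy catches arbitrary subdomains of a listed zone.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


class TokenBucket:
    """Token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ResolverPolicy:
    """Decide per query: BLOCK (listed zone), RATE_LIMIT (dual-use amplification
    domain over budget) or ALLOW. `now` is a timestamp in seconds."""

    def __init__(self, blocklist=BLOCKLIST, dual_use=DUAL_USE_AMP, rate=5.0, burst=5):
        self.blocklist = {k.lower(): v for k, v in blocklist.items()}
        self.dual_use = {d.lower() for d in dual_use}
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def decide(self, qname, now):
        for name in parent_domains(qname):
            if name in self.blocklist:
                return "BLOCK", self.blocklist[name]
            if name in self.dual_use:
                if self.buckets[name].take(now):
                    return "ALLOW", "dual-use"
                return "RATE_LIMIT", "dns-amplification"
        return "ALLOW", None


def apply_policy(policy, queries):
    """Run a list of (timestamp, qname) through the policy; return action counts."""
    counts = defaultdict(int)
    for ts, qname in queries:
        action, _ = policy.decide(qname, ts)
        counts[action] += 1
    return dict(counts)


# Constructed query sample: a phishing lookup, a bot reaching a listed C2 zone,
# a normal lookup, and a burst of 8 lookups of the dual-use domain within 0.4 s.
SAMPLE_QUERIES = [
    (0.0, "login.phish.example."),
    (0.1, "bot7.c2.example"),
    (0.2, "www.normal.example"),
] + [(0.3 + i * 0.05, "big-txt.example") for i in range(8)]

if __name__ == "__main__":
    print(apply_policy(ResolverPolicy(), SAMPLE_QUERIES))
```

With a burst of 5 and a refill of 5 tokens per second, the sample burst gets 6 answers and 2 rate-limited queries; a real deployment would tune both numbers per domain and per client, and log RATE_LIMIT decisions as an amplification indicator.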
01 Threat Landscape
New DNS Domains – every 24 hours
Threat Tracker 2016
• 3X growth in queries and domains
• 94,000 domains added daily to block list
• 82 million malicious queries daily (by end of Aug)
Threat Tracker 2017
Phishing – Time to Block
02 Main Threats Identified
Top Threats by Function
ATTACK STAGE | Ransomware Attacks Up 270%, Fall 2016 – Spring 2017
ATTACK STAGE | Mirai Across the Globe
ATTACK STAGE | Mirai Source Code
A right shift by 3 bits of an 8-bit value leaves a number in the range 0–31, which indexes exactly into the 32-character string shown above in the source code excerpt.
03 Location of the Threats
C&C – World
C&C – USA
1. California
2. Virginia
3. Arizona
4. Texas
5. Florida
Hosting of Malware – World and USA
04 Deep Dive in DNS-Based DDoS
12 Minutes of a PRSD Attack
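The Mirai slide explains why the bot's generated labels look random (each character is picked by indexing a fixed 32-character alphabet), and this slide looks at a pseudo-random subdomain (PRSD) attack as seen by a resolver. As an added example that is not part of the deck, here is detection logic a resolver operator could run over query logs: it groups queries by registered domain and time window, keeps only subdomain labels with high character entropy (random draws from a fixed alphabet score high, names like www or mail score low), and flags a domain once enough distinct random labels appear. The log lines are constructed; treating "the last two labels" as the registered domain is a simplifying assumption (a real detector would use the public suffix list).

```python
import math
from collections import defaultdict

# Constructed resolver log lines for this example: "epoch_seconds client qname rcode".
SAMPLE_LOG = """\
1020 10.1.1.5 xk3qz9mcpwa1.victim.example NXDOMAIN
1021 10.1.1.5 b7rt2ynfh4vd.victim.example NXDOMAIN
1022 10.1.1.9 m0lsq8gjx5ce.victim.example NXDOMAIN
1023 10.1.1.9 w9pa6tkv1zmb.victim.example NXDOMAIN
1024 10.1.1.5 d4nxe7cqra2h.victim.example NXDOMAIN
1025 10.1.1.9 s1hy5bkpz8jm.victim.example NXDOMAIN
1026 10.1.2.7 www.legit.example NOERROR
1027 10.1.2.8 mail.legit.example NOERROR
1028 10.1.2.7 cdn.legit.example NOERROR
1029 10.1.2.8 q2vk8nxt5pam.legit.example NXDOMAIN
1030 10.1.2.9 legit.example NOERROR
"""


def registered_domain(qname):
    """Split a query name into (registered domain, subdomain labels).

    Assumption for this example: the registered domain is the last two labels.
    A production detector would consult the public suffix list (co.uk, etc.).
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]


def label_entropy(label):
    """Shannon entropy of a label in bits per character. Labels drawn uniformly
    from a fixed alphabet (as the Mirai routine on the previous slide does with
    its 32-character string) score high; human-chosen labels score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_prsd(lines, window=60, min_distinct=5, min_entropy=3.0):
    """Flag registered domains receiving >= min_distinct distinct high-entropy
    subdomain labels within one window of `window` seconds."""
    buckets = defaultdict(lambda: {"labels": set(), "clients": set(), "total": 0, "nx": 0})
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        domain, sub = registered_domain(qname)
        if not sub:
            continue  # query for the apex itself: no subdomain label to judge
        label = sub[0]  # the leftmost label is the one an attacker randomises
        if label_entropy(label) < min_entropy:
            continue
        b = buckets[(domain, int(ts) // window * window)]
        b["labels"].add(label)
        b["clients"].add(client)
        b["total"] += 1
        b["nx"] += rcode == "NXDOMAIN"
    findings = []
    for (domain, start), b in sorted(buckets.items(), key=lambda kv: kv[0]):
        if len(b["labels"]) >= min_distinct:
            findings.append({
                "domain": domain,
                "window_start": start,
                "distinct_random_labels": len(b["labels"]),
                "clients": len(b["clients"]),
                "nxdomain_ratio": b["nx"] / b["total"],
            })
    return findings


if __name__ == "__main__":
    for finding in detect_prsd(SAMPLE_LOG.splitlines()):
        print(finding)
```

A single random-looking label under legit.example is not enough to trigger a finding, while the six labels under victim.example are; the NXDOMAIN ratio and the client count are carried along because a PRSD flood typically shows near-100% NXDOMAIN from many source addresses, which is the signal the operator uses when deciding to block the subdomains rather than the whole zone.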
DNS Amplification
04 WannaCry: Views from the DNS Frontline
http://www.nominum.com/tech-blog/wannacry-views-dns-frontline
WannaCry Timeline
Kill-switch domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
WannaCry: Newly Affected Clients per Minute
WannaCry: Top 3 Groups of Infected Subscribers
Top 3 groups identified:
– Gamers
– Teamviewer users
– Previously infected subscribers
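The WannaCry slides use the kill-switch domain as a DNS indicator: a client that queries it has just run the malware, and counting each client's first such query per minute gives the "newly affected clients per minute" series. As an added example, not the deck's or Nominum's own tooling, the code below reconstructs that series from resolver query logs. The kill-switch name is the one written (defanged) on the timeline slide; the log lines are constructed, and the code deliberately normalises case and the trailing dot because resolvers log names both ways.

```python
from collections import defaultdict

# Kill-switch domain as written (defanged) on the slide; un-defanged for matching.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com".replace("[.]", ".")

# Constructed resolver log lines for this example: "epoch_seconds client qname".
SAMPLE_LOG = """\
1400 10.0.0.1 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
1402 10.0.0.7 www.normal.example
1410 10.0.0.2 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
1430 10.0.0.1 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
1470 10.0.0.3 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
1475 10.0.0.4 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
1480 10.0.0.7 mail.normal.example
"""


def normalise(qname):
    """Lower-case and strip the trailing dot so logged names compare equal."""
    return qname.rstrip(".").lower()


def first_seen(lines, indicator=KILL_SWITCH):
    """Map client -> timestamp of its first query for the indicator domain.
    A repeat query from the same client is the same infection, not a new one."""
    seen = {}
    target = normalise(indicator)
    for line in lines:
        if not line.strip():
            continue
        ts, client, qname = line.split()
        if normalise(qname) == target and client not in seen:
            seen[client] = int(ts)
    return seen


def newly_affected_per_minute(lines, indicator=KILL_SWITCH):
    """Count clients by the minute (epoch seconds floored to 60) of their first
    kill-switch query: the 'newly affected clients per minute' series."""
    per_minute = defaultdict(int)
    for ts in first_seen(lines, indicator).values():
        per_minute[ts // 60 * 60] += 1
    return dict(sorted(per_minute.items()))


if __name__ == "__main__":
    print("infected clients:", len(first_seen(SAMPLE_LOG.splitlines())))
    print(newly_affected_per_minute(SAMPLE_LOG.splitlines()))
```

The same first-seen map is what lets an operator notify exactly the affected subscribers (the slide's "block the malicious traffic and allow the good" point) instead of acting on every client that resolved the name.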
Conclusions
• High growth of DDoS, botnet and ransomware attacks
• BYOD and IoT bring new challenges
• DNS is key for Prevention and Mitigation
Final Thoughts
• Download Nominum Data Science Security Reports:
  – Spring 2017: http://nominum.com/resource/security-report-nn
  – Fall 2016: http://nominum.com/resource/security-report-home
• For Thought:
  – Does your DNS server always give the correct answer?
  – Does the correct answer protect the subscriber?