Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Transcription

1 Defeat Malware and Botnet Infections with a DNS Firewall

2 By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select a Security Threat Intelligence Service, Rob McMillan and Kelly M. Kavanagh, Gartner, 16 October 2013 Cyber-risk (which relates to cyberattacks [malicious] and cyberattacks [nonmalicious] ) is considered the third-biggest risk globally, just behind high taxation and loss of customers. Lloyd s Risk Index 2013, Lloyd s of London, 2013 The Challenge The growth in the number and diversity of new devices connecting to the network has exposed holes in typical enterprise security. Your network and devices are increasingly being targeted by sophisticated threats. Business transformations like bring your own device (BYOD), cloud and the Internet of Things (IoT) introduce new ways for devices to become infected. An infection can have serious consequences including service disruptions and sensitive data breaches both of which can put a company at risk. But you have protection for this, right? Well, yes and no. Traditional security solutions tend to focus on particular devices or protocols and cannot provide a solution that covers all devices and applications. To defend your network against the rising threats of malware, botnets, trojans and other exploits, you need to augment your traditional security solutions. BlueCat Threat Protection leverages the Domain Name System (DNS), a pervasive core network service, to provide an additional layer of security for your business. BlueCat Threat Protection creates a DNS firewall that filters malicious activities before they reach business-critical applications or data. DNS is a core network service that is essential for device-to-app, app-to-app and device-to-device communication. DNS is built into every connected device and spans all applications and all devices corporate-owned and bring your own, traditional and non-traditional. This makes DNS ideally positioned in the network to provide complete visibility and control across all devices regardless of their configuration. In this paper, we will look at how BlueCat Threat Protection provides a broad-based solution for addressing holes in enterprise security. The Network Has Changed Our networks no longer look the same as they did ten years ago. There are now more connected devices than ever before and many more of them are non-traditional. Alongside the traditional mobile devices like smartphones and tablets, we now have VoIP, Point of Sale (POS), RFID, barcode scanners, IP security cameras, door locks and other devices. Enterprises are finding it increasingly difficult to pinpoint and isolate threats and defend against malicious intent. With the emergence of the Internet of Things, you have or soon will have entirely new types of devices joining your network: everything from smart thermostats and LED light bulbs to vast numbers of sensors. The complexity of today s networks, the dynamic nature of device connections and new initiatives such as BYOD and IoT have created an environment ideally suited to internal infections and malware proliferation. Desktop Physical Virtual Remote Cloud Mobile POS IoT TRADITIONAL DEVICES ARE PROTECTED BY CLIENT AND NETWORK SECURITY REMOTE AND CLOUD CREATE COMPLEX CONNECTION SCENARIOS ALL CONNECTED DEVICES INTRODUCE UNPREDICTABLE BUSINESS RISK 2

3 Traditional Layers of Protection Organizations typically employ security mechanisms in three different locations: Typical Protection Mechanisms On the client Antivirus or anti-malware installed directly on the end device On the Network Protocol-specific filtering software such as web content filtering or anti-spam At the Exit Deep packet inspection on a firewall as traffic leaves the network On January 02, 2014, US-CERT issued an alert highlighting the risk of Malware Targeting Point of Sale Systems. US-CERT Alert (TA14-002A) These solutions have been in use for well over a decade often together as parts of a defense in depth security strategy. And they work well when you have traditional devices, like laptops and desktops, connecting in traditional ways like and Web. Unfortunately, they are not effective for non-traditional devices. This is precisely why attackers are increasingly targeting non-traditional devices to exploit their security vulnerabilities. Hackers that target traditional systems need to get past the many layers of defense in order to exploit the device. They need to make sure that their malware or Trojan is able to circumvent anti-virus, anti-malware, protocol filters and other security layers. Non-traditional devices simply have fewer layers of protection so hackers don t need to build sophisticated malware to get around anti-malware software because there isn t any on the device they are targeting. The chart below shows how a DNS firewall solution reinforces and extends the security capabilities offered by traditional solutions providing an additional layer of protection for all devices across all protocols. Antivirus Proxy All Devices All Protocols Agentless Firewall 1 _ 2 DNS Firewall 1. Firewalls only filter network traffic passing through the firewall. Other traffic, such as VPN, may not pass through the firewall. DNS filters everything regardless of destination. 2. Firewall rules require an administrator to setup and are only useful if the rule is configured for a specific protocol ahead of time. 3

4 Anatomy of a Typical Infection In order to understand what makes BlueCat Threat Protection a compelling solution for enhancing security, we need to first look at how infections typically make their way into an organization. In most cases, an infection occurs when you have a user that unknowingly connects to a malicious site from their device. It could be a website they visit in their web browser or a link in an that they click that leads them to the malicious site. Once there, the client downloads the malicious code and becomes infected usually without the user ever being aware that anything untoward has occurred. A Typical Infection 1 Client unknowingly connects to a bad site 2 badsite.malware.com 5 User clicks a bad link in an or web page 4 3 Client downloads malicious code badsite.malware.com Infection spreads to other clients on the network Client becomes infected Enhancing Security with a DNS Firewall Let s take a look at a typical infection in a little more detail. When a user Susan in Marketing, let s say clicks a bad link, the device or client she s using doesn t actually connect directly to the malicious site. Instead, her click first initiates a DNS lookup to see what the IP address of the requested site is. DNS is built into every device and spans all applications and all devices. Every connection to every application or site starts with a DNS lookup to find out where the IP address of the server is located. BlueCat Threat Protection takes advantage of the ubiquity and pervasiveness of DNS to provide an additional layer of defense for everything on the network. Securing applications and devices through DNS does not require an architectural shift. Because DNS is already in place, there is no need to touch your existing systems or network. BlueCat Threat Protection can be quickly and easily added to existing BlueCat DNS servers, avoiding disruption or conflict with strategic investments in existing security technology or DNS infrastructure. BlueCat Threat Protection offers an additional layer of security for all devices and applications to enhance an organization s existing defense in depth security capabilities. 4

5 Protection for All Devices Network Firewall Badsite Clients and Devices BlueCat Threat Protection (DNS Firewall) How Threat Protection Works Let s take a look at that typical infection one more time, and how it can be prevented with BlueCat Threat Protection. BlueCat Threat Protection leverages built-in technology called Response Policy Zones that allows DNS to respond on behalf of zones and records for which it is not authoritative. For example, using Response Policy Zones, an administrator could redirect all queries to filesharing.example.com to their internal content sharing site. This would prevent users from posting files to public file sharing sites from the corporate network while reminding users that a solution already exists for sharing files. This functionality can be enabled on any BlueCat Recursive or Caching DNS server to effectively stop malicious activities in DNS. So, getting back to Susan in Marketing, let s take a look at how the solution works: 1. The DNS server pulls threat data from BlueCat s hosted security feed, which provides data on known sources of malicious content including malware, botnets, viruses, exploits, viruses and spam, to create a local Response Policy Zone on the DNS server. 2. Susan makes a DNS request for known malicious content from their device or client her mobile phone, let s say. 3. The BlueCat DNS server resolves the request on the server, capturing both the host and the resolved IP address (either IPv4 or IPv6), and then compares the results to its local threat data. 4. If a match occurs, the DNS server responds based on the configured action for the response policy zone. Supported actions are Redirect, Blacklist, Do Not Respond (Black Hole) or Log (Whitelist) White Listed Black Listed Ignored Redirected BlueCat Threat Protection downloads list of known malicious sites User queries for known malicious content User s query is resolved through a response policy User s matched queries are redirected to a walled garden Matched queries are sent to a SIEM for analysis and remediation 5

6 For the purposes of this paper, we ll look at redirection, which is particularly interesting and valuable to enterprises as it allows them to let the user (Susan) know that they are infected. It also allows them to redirect the request to another server for further analysis by the security team as needed. When redirecting, the user is given the host name of another site to which to connect. This site is typically referred to as a Walled Garden, which can be used to notify the user that they have attempted to access malicious content. Let s pick up the flow of events that we looked at above to show how BlueCat Threat Protection defends against malicious activities by redirecting users: 5. Susan in Marketing still clicks that bad link as above, however the response given back to Susan by the DNS Server with Threat Protection installed redirects her to another safe walled garden site. 6. At the same time, the DNS server logs that a match to a malicious site occurred. The DNS server can optionally be configured to forward all matched queries to a Security Information and Event Management (SIEM) or syslog solution for further analysis. 7. Susan connects to the walled garden site and sees a notice indicating that she may be infected and to contact IT immediately. 8. If using optional SIEM or syslog integration, the system can be configured to alert IT staff based on a match. This proactively notifies IT so that immediate action can be taken to quarantine the device and contact the user. In addition to redirection, BlueCat Threat Protection can also be configured to enable Blacklist, Do Not Respond (Black Hole) or Log (Whitelist). 6

7 Leveraging a Hosted Security Feed to Filter DNS Traffic BlueCat Threat Protection for DNS/DHCP Server leverages the hosted BlueCat Security Feed to automatically update BlueCat Recursive and Caching DNS servers with the latest data on known sources of threats including malware, botnets, exploits, viruses and spam. This managed service includes six different security categories that can be optionally configured. BlueCat Security Feed Categories As online fraud and financially targeted attacks and other forms of attack continue to grow in number and seriousness, there is increasing demand for services designed to protect brand position, prevent fraud, and assist in the response to an incident. How to Select a Security Threat Intelligence Service, Rob McMillan and Kelly M. Kavanagh, Gartner, 16 October 2013 Category Content Blocked Description Malicious Malware Potential Malware Drop Spam Botnet C&C Spam, phishing, virus, malware Malware dropper, hosting, malicious redirection Malware dropper, hosting, malicious redirection Malware, trojans, botnet C&C Spam, phishing Botnet Command and Control Domains and hosts of known malicious sites Domains and hosts associated with malware Separate list of domains and hosts that contains candidates for malware list IP addresses and netblocks of known persistent malicious sites IP addresses and netblocks under control of spammers IP addresses and ranges of known Botnet Command and Control sources Threat data is aggregated in the cloud and then made available through four geo-located clusters located across the globe. Delivered through DNS as a Response Policy Zone, BlueCat DNS servers simply subscribe to the BlueCat Security Feed, which is then downloaded through zone transfer and hosted locally on the DNS server as a Slave DNS zone. This provides customers with a local copy for quick resolution, but also takes advantage of some of the built-in functions of DNS, such as zone transfer functionality to provide incremental updates of new data using the zone refresh time. This is set to five (5) minutes for host-based lists and two (2) minutes for IP-based lists by default so that customers are receiving updated feed data at least every five (5) minutes. To help illustrate the value of the BlueCat Security Feed, let s look at one category in more detail: Botnet Command and Control. In our example of a typical infection above, we assumed that the user clicked a bad link while at work, but what happens if Susan in Marketing clicks the bad link when she s at home using her own device on her own Wi-Fi network and unknowingly becomes infected with a botnet? The next morning, Susan comes in to work and connects to the enterprise network with her infected device, exposing the business to the risk of a widespread botnet infection. The BlueCat Security Feed s Botnet Command and Control category would allow the DNS server to automatically block the botnet from calling home for instructions from its Command and Control source, and would also identify and log the botnet activity so that any infection could be contained. 7

8 Organizations can augment the threat data delivered by the security feed with their own custom-configured policies to blacklist or whitelist according to their security requirements. For example, your organizations might maintain a local blacklist that blocks access to file sharing sites like Pirate Bay or BitTorrent. Whitelists can be created to override any false positive in order to allow access while you work to understand why the site was blocked. Administrators can also create local policies to block access to entire top-level domains such as.xxx. Summing Up A leading university in the US is using BlueCat Threat Protection to provide security for its student population of 12,000 students who are connecting to the network with a variety of personal devices at a cost of less than $0.62 per device. Today, mobile, cloud and non-traditional devices pose new security risks for your business. Infections can lead to downtime, data loss, unwanted negative publicity and a loss of customer confidence all of which can erode market share. In the near future, the Internet of Things will only make these security issues more extensive and extreme. Every connection starts with a DNS lookup, which signals the intent to connect and can expose unexpected or unwanted behaviors. BlueCat Threat Protection leverages DNS to control where a device will connect or whether it is allowed to connect at all. The key benefits of BlueCat Threat Protection include: Leverage an already deployed service DNS is an existing service deployed in all networks and used by all devices. Enabling Threat Protection on an existing BlueCat DNS/DHCP server is quick and simple. Protection for all devices and applications DNS resolution is built into every device. Using DNS to filter malicious traffic provides broad-based protection for every device across every application. No need for agents BlueCat Threat Protection leverages DNS to filter traffic without requiring any agent software to be installed on the client or on the devices themselves. Automatically download up-to-the-minute threat data The hosted BlueCat Security Feed automatically updates BlueCat DNS servers with the latest data on known sources of threats. Identify and contain infected systems quickly BlueCat logs all access to malicious sites allowing admins to easily identify infected systems and take action Restrict access to unwanted sites Admins are able to maintain lists of unwanted sites and notify users why sites are not accessible. Rapid time to value BlueCat Threat Protection is easy to set up and install on DNS Servers to rapidly provide an added layer of defense with minimal changes to existing infrastructure or processes. BlueCat Threat Protection gives you the ability to define and enforce policies directly at the DNS level. The result is a more secure and reliable network that is better equipped to repel emerging threats from malware, botnets and other exploits, and better prepared for the explosive growth of new devices that will come with the Internet of Things. 8

9 BlueCat IP Address Management, DNS and DHCP solutions provide the foundation to build elastic networks that scale to match the ever-changing and unique demands on your infrastructure. We enable the reliability of your core network services and securely connect the people, physical devices, virtual machines and applications that drive your business. Enterprises and government agencies worldwide trust BlueCat to solve real business and IT challenges from device on-boarding for BYOD to network consolidation and modernization to managing and automating virtualization, cloud and the Internet of Things BlueCat Networks. All rights reserved. The BlueCat logo and IPAM Intelligence are trademarks of BlueCat Networks, Inc. All other product and company names are trademarks or registered trademarks of their respective holders. BlueCat assumes no responsibility for any inaccuracies in this document. BlueCat reserves the right to change, modify, transfer or otherwise revise this publication without notice.