Defend Your Network with DNS Defeat Malware and Botnet Infections with a DNS Firewall

Transcription

1 Defeat Malware and Botnet Infections with a DNS Firewall

2 By 2020, 30% of Global 2000 companies will have been directly compromised by an independent group of cyberactivists or cybercriminals. How to Select a Security Threat Intelligence Service, Rob McMillan and Kelly M. Kavanagh, Gartner, 16 October 2013 Cyber-risk (which relates to cyberattacks [malicious] and cyberattacks [nonmalicious] ) is considered the third-biggest risk globally, just behind high taxation and loss of customers. Lloyd s Risk Index 2013, Lloyd s of London, 2013 The Challenge Gone are the days when viruses were the most prevalent vector of attack. Today, attackers employ a diverse bag of tricks to infiltrate, disrupt, and hijack networks including persistent sophisticated methods that exploit every part of a company s information technology, including using their own infrastructure against them. As a result, conventional firewalls and end point anti-virus software are not enough to detect and mitigate the everchanging threat landscape. Security teams must deploy a defence-in-depth strategy, using a combination of tools, each suited to tackle a specific area of concern. Traditional security solutions tend to focus on particular devices or protocols and cannot provide a solution that protects all types of devices and applications. Additionally, the rapid growth in the number and diversity of new devices connecting to the network has created new holes in typical enterprise security. Business transformations like bring your own device (BYOD), Cloud, and the Internet of Things (IoT) introduce new ways for devices to become infected. DNS is a powerful tool which can provide unique insight into network behaviour and can stand directly in the line of fire to block unauthorized communication. Modern attacks can manifest as legitimate traffic evading typical detection methods, but still rely on DNS to locate their command and control servers, presenting a perfect opportunity to detect and mitigate them. To defend your network against the rising threats of malware, botnets, Trojans, and other exploits, you need to augment your traditional security solutions. BlueCat Threat Protection leverages the capabilities of DNS to provide an additional layer of security for your business. By leveraging BlueCat s up-todate and accurate domain and IP reputation security feed, BlueCat Threat Protection creates a DNS firewall that contains malware, preventing the spread of infection and the exfiltration of sensitive data. In this paper, we will look at how BlueCat Threat Protection provides a broadbased solution for addressing holes in enterprise security. The Network Has Changed Our networks have changed dramatically in the last ten years. There are now more connected devices than ever before and many more of them are non-traditional. Alongside the traditional mobile devices like smartphones and tablets, we now have VoIP, Point of Sale (POS), RFID, barcode scanners, IP security cameras, door locks, and other devices. Enterprises are finding it increasingly difficult to pinpoint and isolate threats and defend against Desktop Physical Virtual Remote Cloud Mobile POS IoT TRADITIONAL DEVICES ARE PROTECTED BY CLIENT AND NETWORK SECURITY REMOTE AND CLOUD CREATE COMPLEX CONNECTION SCENARIOS ALL CONNECTED DEVICES INTRODUCE UNPREDICTABLE BUSINESS RISK 2

3 malicious intent. With the emergence of the Internet of Things, you have entirely new types of devices joining your network: everything from smart thermostats and LED light bulbs to vast numbers of sensors. The complexity of today s networks, the dynamic nature of device connections, and new initiatives such as BYOD and IoT have created an environment well-suited for the proliferation of malware. Traditional Layers of Protection Organizations typically employ security mechanisms in three different locations: Typical Protection Mechanisms On the client Antivirus or anti-malware installed directly on the end device On the Network Protocol-specific filtering software such as web content filtering or anti-spam At the Exit Deep packet inspection on a firewall as traffic leaves the network On January 02, 2014, US-CERT issued an alert highlighting the risk of Malware Targeting Point of Sale Systems. US-CERT Alert (TA14-002A) These solutions have been in use for well over a decade and they work well when you have traditional devices, like laptops and desktops, connecting in traditional ways like and Web. Unfortunately, they are not effective for non-traditional devices. This is precisely why attackers are increasingly targeting non-traditional devices to exploit their security vulnerabilities. Hackers that target traditional systems like desktops and servers need to get past the many layers of defense in order to exploit the device. They need to make sure that their malware or Trojan is able to circumvent anti-virus, anti-malware, protocol filters, and other security layers. Non-traditional devices simply have fewer layers of protection so hackers don t need to build sophisticated malware to get around antimalware software because there isn t any on the device they are targeting. The chart below shows how a DNS firewall solution reinforces and extends the security capabilities offered by traditional solutions providing an additional layer of protection for all devices across all protocols. Antivirus Proxy All Devices All Protocols Agentless Firewall 1 _ 2 DNS Firewall 1. Firewalls only filter network traffic passing through the firewall. Other traffic, such as VPN, may not pass through the firewall. DNS filters everything regardless of destination. 2. Firewall rules require an administrator to setup and are only useful if the rule is configured for a specific protocol ahead of time. 3

4 Anatomy of a Typical Infection In order to understand what makes BlueCat Threat Protection a compelling solution for enhancing security, we need to first look at how infections typically make their way into an organization. In most cases, an infection occurs when a user unknowingly connects to a malicious site from their device. It could be a website they visit in their web browser or a link in an that they click that leads them to the malicious site. Once there, the client downloads the malicious code and becomes infected usually without the user ever being aware that anything untoward has occurred. A Typical Infection 1 Client unknowingly connects to a bad site badsite.malware.com 2 5 User clicks a bad link in an or web page 4 3 Client downloads malicious code badsite.malware.com Infection spreads to other clients on the network Client becomes infected Enhancing Security with a DNS Firewall Let s take a look at a typical infection in a little more detail. When a user Susan in Marketing, let s say clicks a bad link, the device or client she s using doesn t actually connect directly to the malicious site. Instead, her click first initiates a DNS lookup to see what the IP address of the requested site is. DNS is built into every device and spans all applications and all devices. Every connection to every application, device, or website using a hostname starts with a DNS lookup to find out where the IP address of the resource is located. BlueCat Threat Protection takes advantage of the ubiquity and pervasiveness of DNS to provide an additional layer of defense for everything on the network. Securing applications and devices through DNS does not require an architectural shift. Because DNS is already in place, there is no need to touch your existing systems or network. BlueCat Threat Protection can be quickly and easily added to existing BlueCat DNS servers, avoiding disruption or conflict with strategic investments in existing security technology or DNS infrastructure. 4

5 Protection for All Devices Network Firewall Badsite Clients and Devices BlueCat Threat Protection (DNS Firewall) How Threat Protection Works Let s take a look at that typical infection one more time, and how it can be prevented with BlueCat Threat Protection. BlueCat Threat Protection leverages built-in technology called Response Policy Zones that allows DNS to respond on behalf of zones and records for which it is not authoritative. For example, using Response Policy Zones, an administrator could redirect all queries to filesharing.example.com to their internal content sharing site. This would prevent users from posting files to public file sharing sites from the corporate network while reminding users that a solution already exists for sharing files. This functionality can be enabled on any BlueCat Recursive or Caching DNS server. So, getting back to Susan in Marketing, let s take a look at how the solution works: 1. The DNS server pulls threat data from BlueCat s Security Feed, which contains known sources of malicious content including malware, botnets, viruses, exploits, viruses, and spam, to create categorized Response Policy Zones on the DNS server. 2. Susan makes a DNS request for known malicious content from their device or client her mobile phone, let s say. 3. The BlueCat DNS server resolves the request on the server, capturing both the host and the resolved IP address (either IPv4 or IPv6), and then compares the results to its Response Policy Zones. 4. If a match occurs, the DNS server responds based on the configured action for the Response Policy Zone. Supported actions are Redirect, Blacklist, Do Not Respond (Black Hole) or Log only (Whitelist) White Listed Black Listed Ignored Redirected BlueCat Threat Protection downloads list of known malicious sites User queries for known malicious content User s query is resolved through a response policy User s matched queries are redirected to a walled garden Matched queries are sent to a SIEM for analysis and remediation 5

6 For the purposes of this paper, we ll look at redirection, which is particularly interesting and valuable to enterprises as it allows them to let the user (Susan) know that they are infected. It also allows them to redirect the request to another server for further analysis by the security team as needed. When redirecting, the user is given the host name of another site to which to connect. This site is typically referred to as a Walled Garden, which can be used to notify the user that they have attempted to access malicious content. Let s pick up the flow of events that we looked at above to show how BlueCat Threat Protection defends against malicious activities by redirecting users: 5. Susan in Marketing still clicks that bad link as above, however the response given back to Susan by the DNS Server with Threat Protection installed redirects her to another safe walled garden site. 6. At the same time, the DNS server logs that a match to a malicious site occurred. BlueCat Administrators can run RPZ activity reports which show all of the DNS queries which triggered a match. These reports are useful for quickly identifying infected devices as well as determining intended destinations for exfiltrated data. The DNS server can optionally be configured to forward all matched queries to a Security Information and Event Management (SIEM) or syslog solution for further analysis. 7. Susan s browser connects to the walled garden site and sees a notice indicating that she may be infected and to contact IT immediately. 8. If using optional SIEM or syslog integration, the system can be configured to alert IT staff based on a match. This proactively notifies IT so that immediate action can be taken to quarantine the device and contact the user. 6

7 Leveraging the BlueCat Security Feed BlueCat Threat Protection for DNS/DHCP Server uses the BlueCat Security Feed to automatically update BlueCat Recursive and Caching DNS servers with the latest data on known sources of threats including malware, botnets, exploits, viruses and spam. This managed service includes six different security categories that can be optionally configured. BlueCat Security Feed Categories As online fraud and financially targeted attacks and other forms of attack continue to grow in number and seriousness, there is increasing demand for services designed to protect brand position, prevent fraud, and assist in the response to an incident. How to Select a Security Threat Intelligence Service, Rob McMillan and Kelly M. Kavanagh, Gartner, 16 October 2013 Category Content Blocked Description Malicious Malware Potential Malware Drop Spam Botnet C&C Spam, phishing, virus, malware Malware dropper, hosting, malicious redirection Malware dropper, hosting, malicious redirection Malware, trojans, botnet C&C Spam, phishing Botnet Command and Control Domains and hosts of known malicious sites Domains and hosts associated with malware Separate list of domains and hosts that contains candidates for malware list IP addresses and netblocks of known persistent malicious sites IP addresses and netblocks under control of spammers IP addresses and ranges of known Botnet Command and Control sources Threat data is aggregated in the cloud and then made available through four geo-located clusters located across the globe. Delivered through DNS as a Response Policy Zone, BlueCat DNS servers simply subscribe to the BlueCat Security Feed, which is then downloaded through zone transfer and hosted locally on the DNS server as a Slave DNS zone. This provides customers with a local copy for quick resolution, but also takes advantage of some of the builtin functions of DNS, such as zone transfer functionality to provide incremental updates of new data using the zone refresh time. This is set to five (5) minutes for host-based lists and two (2) minutes for IP-based lists by default so that customers are receiving updated feed data at least every five (5) minutes. To help illustrate the value of the BlueCat Security Feed, let s look at one category in more detail: Botnet Command and Control. In our example of a typical infection above, we assumed that the user clicked a bad link while at work, but what happens if Susan in Marketing clicks the bad link when she s at home using her own device on her own Wi-Fi network and unknowingly becomes infected with a botnet? The next morning, Susan comes in to work and connects to the enterprise network with her infected device, exposing the business to the risk of a widespread botnet infection. The BlueCat Security Feed s Botnet Command and Control category would allow the DNS server to automatically block the botnet from calling home to its Command and Control source for instructions, and would also identify and log the botnet activity so that any infection could be contained. 7

8 Organizations can augment the threat data delivered by the security feed with their own custom-configured policies to blacklist or whitelist according to their security or web content filtering requirements. For example, your organization might maintain a local blacklist that blocks access to file sharing sites like Pirate Bay or BitTorrent. Whitelists can be created to override any false positive in order to allow access while you work to understand why the site was blocked. Administrators can also create local policies to block access to entire top-level domains such as.xxx. Summing Up A leading university in the US is using BlueCat Threat Protection to provide security for its student population of 12,000 students who are connecting to the network with a variety of personal devices at a cost of less than $0.62 per device. Today, mobile, cloud and non-traditional devices pose new security risks for your business. Infections can lead to downtime, data loss, unwanted negative publicity and a loss of customer confidence all of which can erode market share. In the near future, the Internet of Things will only make these security issues more extensive and extreme. Every connection that starts with a DNS lookup signals the intent to connect and can expose unexpected or unwanted behaviors. BlueCat Threat Protection leverages DNS to control where a device will connect or whether it is allowed to connect at all. The key benefits of BlueCat Threat Protection include: Leverage an already deployed service DNS is an existing service deployed in all networks and used by all devices. Enabling Threat Protection on an existing BlueCat DNS/DHCP server is quick and simple. Protection for all devices and applications DNS resolution is built into every device. Using DNS to filter malicious traffic provides broad-based protection for every device across every application. No need for agents BlueCat Threat Protection leverages DNS to filter traffic without requiring any agent software to be installed on the client or on the devices themselves. Automatically download up-to-the-minute threat data The hosted BlueCat Security Feed automatically updates BlueCat DNS servers with the latest data on known sources of threats. Identify and contain infected systems quickly BlueCat logs all access to malicious sites allowing admins to easily identify infected systems and take action. Restrict access to unwanted sites Admins are able to maintain lists of unwanted sites and notify users why sites are not accessible. Rapid time to value BlueCat Threat Protection is easy to set up and install on DNS Servers to rapidly provide an added layer of defense with minimal changes to existing infrastructure or processes. BlueCat Threat Protection gives you the ability to define and enforce policies directly at the DNS level. The result is a more secure and reliable network that is better equipped to repel emerging threats from malware, botnets and other exploits, and better prepared for the explosive growth of new devices that will come with the Internet of Things. 8

9 BlueCat IP Address Management, DNS and DHCP solutions provide the foundation to build elastic networks that scale to match the ever-changing and unique demands on your infrastructure. We enable the reliability of your core network services and securely connect the people, physical devices, virtual machines and applications that drive your business. Enterprises and government agencies worldwide trust BlueCat to solve real business and IT challenges from device on-boarding for BYOD to network consolidation and modernization to managing and automating virtualization, cloud and the Internet of Things BlueCat Networks. All rights reserved. The BlueCat logo and IPAM Intelligence are trademarks of BlueCat Networks, Inc. All other product and company names are trademarks or registered trademarks of their respective holders. BlueCat assumes no responsibility for any inaccuracies in this document. BlueCat reserves the right to change, modify, transfer or otherwise revise this publication without notice.