Protecting DNS Infrastructure




INFONETICS RESEARCH WHITE PAPER
Protecting DNS Infrastructure
An Internet Utility that Demands New Security Solutions
November 2014

695 Campbell Technology Parkway, Suite 200, Campbell, California 95008
t 408.583.0011 f 408.583.0031 www.infonetics.com
Silicon Valley, CA; Boston, MA; London, UK

Table of Contents
DNS IS A MASSIVE PUBLIC UTILITY
EXPLORATION OF ATTACK TYPES
WHAT SECURITY SOLUTIONS ARE AVAILABLE TODAY?
VISIBILITY AND CORRELATION ARE A GOOD STARTING POINT
THE NEED FOR DEDICATED DNS SECURITY SOLUTIONS
WHITE PAPER AUTHOR
ABOUT INFONETICS RESEARCH
REPORT REPRINTS AND CUSTOM RESEARCH

List of Exhibits
Exhibit 1 DNS Infrastructure Supports the Entire Internet
Exhibit 2 DNS Threat Landscape
Exhibit 3 Discovery Timeline for Cyber-Espionage

DNS IS A MASSIVE PUBLIC UTILITY

The DNS (Domain Name System) is the largest distributed database in the world, and every single device and application connected to the Internet is a DNS client. The original DNS was developed in the early 1970s to support e-mail communication on the ARPANET; Internet pioneers figured out very quickly that alphabetic host names were much more useful (and much easier to remember) than long numeric addresses. In March 1974, it was declared that the Stanford Research Institute Network Information Center would be the official source of the master host file, and this worked well (more or less) for about a decade. By the early 80s, it became clear that the centralized system couldn't meet the dynamic scale requirements of the emerging Internet, and the true father of our modern distributed DNS was hatched in 1983.

DNS infrastructure has grown and evolved significantly in the last 20 years, and as the chart below shows, today there are nearly 1 billion hostnames managed by the DNS, and nearly a quarter of a billion active websites. On the client side, the emergence of smartphones, tablets, and the ecosystem of the Internet of Things adds hundreds of millions (eventually billions) of new DNS clients hungrily looking 24/7 to connect to hosts. The scale of DNS infrastructure is almost unimaginable, but as users of the Internet, we have one basic expectation: DNS simply must work. The Internet is the application, data store, and service, and DNS is our only navigation system, so DNS problems have massive ramifications.

Exhibit 1 DNS Infrastructure Supports the Entire Internet (chart; source: Netcraft)

In parallel to the development of the Internet and DNS infrastructure, we've seen the development of a wide range of threats aimed at every device with an Internet connection. Buried in news about viruses and worms, massive data breaches, and a never-ending flood of DDoS attacks, there has been a quiet but consistent flow of attacks aimed at DNS infrastructure. It's not at all surprising that DNS would be a target: it's pervasive, it's key to the basic function of the Internet, and it was developed over 20 years ago with very little thought about security and then constantly retrofitted, so it's highly vulnerable to attack.

EXPLORATION OF ATTACK TYPES

There are different ways to look at the variety of attacks we see aimed at DNS, but for our purposes we'll group them based on where they fit in the collective consciousness of IT.

Exhibit 2 DNS Threat Landscape
Traditional Threats: cache poisoning; TCP/UDP/ICMP floods; protocol anomalies
Top-of-Mind: DDoS (reflection and amplification); hijacking
What's Next?: tunneling; exfiltration

Traditional threats are well-known; they've been used in the past, and will be used in the future, either as standalone attacks or as vectors in blended threats, but on the whole the industry has a good handle on what to do about these attacks. Cache poisoning, for example, is the primary focus of the DNSSEC effort, launched after the 2008 discovery of the Kaminsky bug that opened the industry's eyes to the possibilities of DNS cache poisoning. Also in 2008, the B variant of the Conficker worm exploited DNS vulnerabilities as a self-defense mechanism.

The second attack group is top-of-mind; these attacks have received major coverage in the last year or so. The most obvious examples of top-of-mind attacks are the record-breaking 300G DNS amplification DDoS attack that hit Spamhaus in 2013, the Syrian Electronic Army's hijacking of Twitter and the New York Times, and the ongoing hijacking attacks in Brazil, rewriting DNS settings on home routers and stealing banking credentials.

The final group of attacks is the "what's next?" category. They're not pervasive today, but they are happening, and they represent a shift in focus from exploiting vulnerabilities in protocols and infrastructure to actually tampering with the content of DNS traffic. In all areas of Internet security, hackers eventually move up the stack into content, and content-based attacks are typically the most difficult to identify and stop. Tunneling involves a client or app converting TCP/IP payloads into DNS traffic, which is then sent over mobile networks. DNS traffic is rarely blocked or billed, so attackers can use tunneling to gain Internet access without paying in WiFi and mobile environments. Exfiltration is the next logical step after tunneling; if TCP/IP content can be converted to DNS and then freely tunneled (never blocked, never inspected), DNS becomes a path for sneaking data out of a compromised environment.

Looking at these attacks together, we see incredible variety: some attacks take advantage of weaknesses in infrastructure, others attack features of the protocol itself, and the newest threats focus on the actual content of DNS traffic. Hackers can pick and choose what they want to exploit, and use DNS both to launch large-scale, infrastructure-crippling attacks and to commit targeted data theft.

WHAT SECURITY SOLUTIONS ARE AVAILABLE TODAY?

There are security solutions for DNS available today, and the protection they provide is very much linked to the pedigree of the solution provider:

- Traditional network security platforms like firewalls, IPS, and DDoS mitigation
- DNS resolver/authoritative server infrastructure
- SIEM platforms and offline analysis tools

Traditional network security platforms handle much of the heavy security lifting for a wide range of protocols, services, and applications, including DNS. In many cases, though, they don't have the depth of protection required to cover all types of DNS threats, and they often lack the performance required to stop the largest DNS attacks (like the 300G Spamhaus DDoS attack). On the good side, they operate in-line, so they're in a position to block DNS attacks when correctly identified. However, dealing with a massive DNS event could affect their performance in providing security against other attacks. These devices also lack context for domain behavior, usually with no access to historical information on domains and limited ability to do sophisticated layer-7 analysis for DNS. Most enterprises have firewalls, and may have IPS and DDoS mitigation solutions in place, and should investigate exactly what capability their existing devices have when it comes to DNS security.

Many vendors building and selling DNS resolver/authoritative server infrastructure have built security tools into their resolver/authoritative platforms, or are building specialized security tools to go alongside their resolver/authoritative solutions. These vendors have deep experience in DNS but often no experience dealing with threats. Their platforms are designed to handle DNS requests very quickly, and will need to be re-architected to meet the additional performance demands of processing security data from Layer 3 up. To provide real-time protection from threats at all layers, DNS vendors will need to build in-house security expertise (or acquire it), which is costly. In the meantime they typically consume third-party threat feeds to inform their security functionality, because they're not doing their own threat research. These vendors can add DNS security functionality into existing DNS platforms that customers have already invested in, and they can achieve very tight integration between the DNS resolver/authoritative infrastructure and the security solution. That very integration can lead to trouble, though, as it may require a forklift upgrade to a new DNS infrastructure solution just to add security controls, and adding security could degrade overall DNS performance (particularly during attacks).

SIEM and other offline analysis and correlation tools can provide many of the visibility and analysis capabilities required to provide a layer of DNS security, but they were never designed to be in-line, so they can't prevent or mitigate threats as they occur; rather, they require trained analysts and lots of manual labor (or custom development) to build any kind of automated (or even just faster) response to DNS threat events. As with the network security platform vendors, DNS is just one of many protocols that SIEM and offline analysis solutions deal with, so the depth of information they can deliver for DNS security is directly related to the amount of effort the customer puts into tuning the SIEM for DNS security. Many large customers have a SIEM in place, though, and as with their network security solutions, they should investigate their SIEM to see what specific protection for DNS it can provide.

In all three cases, the solutions only cover a portion of the problem, and to be most effective they would need to be tied together by some sort of management or orchestration solution to ensure the fastest response to attacks as they happen.

VISIBILITY AND CORRELATION ARE A GOOD STARTING POINT

Clearly, a utility protocol that provides basic functionality on the Internet requires a different level of protection than many other protocols. For most enterprises and service providers, having protection spread across disparate solutions handling different aspects of the problem yields mediocre results. A great starting point for improving DNS security posture is to first have visibility into DNS infrastructure, and to continuously monitor DNS. If sophisticated content-based attacks like tunneling and exfiltration are the future, it's likely that they'll be used for a wide range of data theft attacks. Cyber-espionage is always an exciting topic; often the most sophisticated attacks are used to spy on entities and steal critical private information. In the 2014 Verizon Data Breach Investigations Report, when looking at how to counter cyber-espionage attacks, Verizon found that in a typical cyber-espionage event it was months before the threat was discovered.

Exhibit 3 Discovery Timeline for Cyber-Espionage
Time to discovery   Share of incidents
Seconds             0%
Minutes             0%
Hours               9%
Days                8%
Weeks               16%
Months              62%
Years               5%
Source: 2014 Verizon Data Breach Incident Report

Regarding protecting yourself from these attacks, Verizon had this to say:

"Monitor and filter outbound traffic for suspicious connections and potential exfiltration of data to remote hosts. In order to recognize abnormal, you'll need to establish a good baseline of what normal looks like. Monitor your DNS connection, among the single best sources of data within your organization. Compare these to your threat intelligence, and mine this data often."

So visibility and monitoring come first, but the second statement is almost as important: compare DNS data to threat intelligence, and mine this new data. For many organizations, this is a manual process because there's no automated link between the tools that provide visibility into DNS traffic and events and the security monitoring, enforcement, and threat research infrastructure.

It's not just espionage attacks that have a long time to discovery and recovery; it's all types of attacks. The value of data leaked over months using DNS tunneling and exfiltration would be different for every event. DDoS attacks can take hours to mitigate even with solutions in place, and can cost hundreds of thousands of dollars per hour, and service outages due to failures in the DNS infrastructure can affect huge groups of users, causing massive frustration and lost productivity.
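The monitoring approach Verizon recommends above (a baseline of normal DNS behaviour, compared against threat intelligence) can be turned into a small automated check, and the same check covers the tunneling and exfiltration pattern described earlier, where encoded payloads travel as long, high-entropy subdomains, often in record types such as TXT. The script below is an added example written for this page; it is not code from the Infonetics paper or from Cloudmark. The log line format, the sample log lines, the domain names, the blocklist, the z-score thresholds and the two-label parent-domain heuristic are all constructed assumptions:

```python
"""Baseline-and-deviation review of DNS query logs (added example, not the paper's code).

Log format, thresholds, the two-label parent-domain heuristic and the threat-intel
list are assumptions made for this illustration."""
import math
import statistics
from collections import Counter, defaultdict

# Constructed baseline window: queries captured while traffic was known-good.
BASELINE_LOG = """\
2014-11-02T09:00:01 10.0.0.12 A www.example.com
2014-11-02T09:00:02 10.0.0.12 AAAA mail.example.com
2014-11-02T09:00:03 10.0.0.15 A cdn.example.net
2014-11-02T09:00:04 10.0.0.15 A login.example.org
2014-11-02T09:00:05 10.0.0.18 A static.example.net
2014-11-02T09:00:06 10.0.0.12 A api.example.org
"""

# Constructed observation window to review against that baseline.
OBSERVED_LOG = """\
2014-11-03T09:00:01 10.0.0.12 A www.example.com
2014-11-03T09:00:03 10.0.0.20 TXT 4a6f686e20446f652031.x.tunnel-test.example
2014-11-03T09:00:03 10.0.0.20 TXT 73656372657420706c616e.x.tunnel-test.example
2014-11-03T09:00:04 10.0.0.20 TXT 636f6e666964656e7469616c.x.tunnel-test.example
2014-11-03T09:00:04 10.0.0.20 TXT 7265706f72742e706466.x.tunnel-test.example
2014-11-03T09:00:06 10.0.0.18 A update.known-bad.example
2014-11-03T09:00:07 10.0.0.12 A api.example.org
"""

# Constructed stand-in for an external threat-intelligence feed.
BLOCKLIST = {"known-bad.example"}


def parse(log_text):
    """Split 'timestamp client qtype qname' lines into dicts."""
    rows = []
    for ts, client, qtype, qname in (line.split() for line in log_text.splitlines() if line.strip()):
        rows.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                     "qname": qname.lower().rstrip(".")})
    return rows


def shannon_entropy(text):
    """Bits per character; encoded payloads score far above ordinary labels."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Last two labels (assumption; a real deployment would use the public suffix list)."""
    return ".".join(qname.split(".")[-2:])


def subdomain_part(qname):
    """Everything below the parent domain, which is where a tunnel carries its data."""
    return ".".join(qname.split(".")[:-2])


def build_baseline(rows):
    """Mean and spread of query-name length and subdomain entropy in normal traffic."""
    lengths = [len(r["qname"]) for r in rows]
    entropies = [shannon_entropy(subdomain_part(r["qname"])) for r in rows]
    return {"len_mean": statistics.mean(lengths), "len_sd": statistics.pstdev(lengths) or 1.0,
            "ent_mean": statistics.mean(entropies), "ent_sd": statistics.pstdev(entropies) or 1.0}


def review(rows, baseline, blocklist, z_threshold=2.0, min_queries=3):
    """Group queries by (client, parent domain); report baseline deviations and feed hits."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["client"], parent_domain(r["qname"]))].append(r)
    findings = []
    for (client, domain), qs in groups.items():
        reasons = ["threat-intel match"] if domain in blocklist else []
        unique_subs = {subdomain_part(q["qname"]) for q in qs}
        mean_len = statistics.mean(len(q["qname"]) for q in qs)
        mean_ent = statistics.mean(shannon_entropy(subdomain_part(q["qname"])) for q in qs)
        z_len = (mean_len - baseline["len_mean"]) / baseline["len_sd"]
        z_ent = (mean_ent - baseline["ent_mean"]) / baseline["ent_sd"]
        # Share of record types that carry arbitrary payloads (classic tunnel carriers).
        bulk_share = sum(q["qtype"] in {"TXT", "NULL"} for q in qs) / len(qs)
        if len(unique_subs) >= min_queries and max(z_len, z_ent) > z_threshold:
            reasons.append(f"{len(unique_subs)} unique subdomains, "
                           f"length z={z_len:.1f}, entropy z={z_ent:.1f}")
        if len(qs) >= min_queries and bulk_share >= 0.5:
            reasons.append(f"{bulk_share:.0%} of queries are TXT/NULL")
        if reasons:
            findings.append({"client": client, "domain": domain,
                             "queries": len(qs), "reasons": reasons})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for f in review(parse(OBSERVED_LOG), base, BLOCKLIST):
        print(f"{f['client']} -> {f['domain']} ({f['queries']} queries): {'; '.join(f['reasons'])}")
```

Run directly, it prints two findings for the constructed observation window: the client sending hex-encoded TXT queries under one parent domain (long, high-entropy, many unique subdomains) and the client that resolved a blocklisted domain. The baseline is rebuilt from known-good traffic rather than hard-coded so the thresholds follow each environment's own notion of normal; in production the parent-domain split should use the public suffix list and the blocklist would be refreshed from the threat feed.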

THE NEED FOR DEDICATED DNS SECURITY SOLUTIONS

Given the critical nature of DNS infrastructure, its ubiquity and scale, and the laundry list of DNS vulnerabilities, it seems clear that visibility and protection for DNS should be consolidated into a dedicated platform. Managing multiple systems, some of which were never designed for security, others never designed to be in-line, and the rest handling DNS and a variety of other protocols, leaves too much room for procedural error, which increases the time it takes to identify an attack and restore service. If we've learned anything from watching attacks on most protocols and services running on the Internet, we know that DNS attacks will become more complex, will be used in conjunction with other attacks, and hackers will be ever more persistent. If visibility and protection aren't unified, connected to real-time threat intelligence, and put in-line so that some attacks can be blocked, it will be very difficult to stay ahead of the hackers.

We believe companies looking at the next generation of DNS security platforms should look for platforms that:

- Focus specifically on DNS security, and do not mix DNS security with other security functions or other DNS performance/management functions, because of the potential for performance impact during threat events
- Have access to dedicated threat research; the company that builds your DNS security platform should have in-house threat research capability as well as the ability to integrate external feeds
- Are massively scalable so they can handle huge increases in the number of hosts, clients, and threat events
- Can provide protection from the full range of DNS threats, from localized hijacking and tunneling/exfiltration events to massive DDoS attacks

WHITE PAPER AUTHOR

Jeff Wilson
Principal Analyst, Security
Infonetics Research
+1 408.583.3337
jeff@infonetics.com
Twitter: @securityjeff

Commissioned by Cloudmark to educate the industry about new DNS threats and the need for DNS security solutions, this paper was written autonomously by analyst Jeff Wilson based on Infonetics' independent research.

ABOUT INFONETICS RESEARCH

Infonetics Research is an international market research and consulting analyst firm serving the communications industry since 1990. A leader in defining and tracking emerging and established technologies in all world regions, Infonetics helps clients plan, strategize, and compete more effectively.

REPORT REPRINTS AND CUSTOM RESEARCH

To learn about distributing excerpts from Infonetics reports or custom research, please contact:

North America (West) and Asia Pacific: Larry Howard, Vice President, larry@infonetics.com, +1 408.583.3335
North America (East, Midwest, Texas), Latin America, and EMEA: Scott Coyne, Senior Account Director, scott@infonetics.com, +1 408.583.3395
Greater China, Southeast Asia, and India: Jeffrey Song, Market Analyst and Account Manager, jeffrey@infonetics.com, +86 21.3919.8505