

  1. CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING
     Tuesday 9th April, 2019
     Stanislav Špaček, Martin Laštovička, Martin Horák and Tomáš Plesník

  2. Introduction
     Malicious Domains
     - Attackers may register their own domains
     - These may host phishing websites or distribute malware
     - Using the DNS provides attackers with:
       - Trustworthy-looking links
       - A way to avoid IP-based firewalls
     DNS Firewall
     - A "clever" resolver
     - Checks its domain blacklist before forwarding the DNS query

  3. Basic DNS FW Model (diagram)

  4. Technology
     DNS Response Policy Zones (RPZ)
     - The only open standard for a DNS Firewall to date
     - Integrated into BIND and Windows Server 2016
     - Provides only the resolver-side support
     Proprietary Technologies
     - Commercial applications of the DNS Firewall, often offered as a service
     - Many providers: Infoblox, Farsight Security, Spamhaus
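To make the resolver-side model of slides 2 and 4 concrete, here is an added example written for this page; it is not the authors' implementation and not BIND's code. It is a small Python model of RPZ QNAME policy evaluation: a policy zone is parsed, queries are matched against exact and wildcard triggers, and the RPZ action encoded in the CNAME target (NXDOMAIN, NODATA, PASSTHRU, or local data such as a redirect to a landing page) is returned. The zone names (local.rpz, shared.rpz), the domains, and the landing page landing.csirt.example are constructed. The local zone listed first shows how an institution can keep a harmless domain resolving even when a shared blacklist wrongly contains it.

```python
"""Minimal model of an RPZ-style DNS firewall (resolver-side policy).

Added example, not code from the presentation or from BIND. Zone names,
domains and the landing page landing.csirt.example are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# RPZ encodes the action in the CNAME target: "." -> NXDOMAIN, "*." -> NODATA,
# "rpz-passthru." -> PASSTHRU (resolve normally), anything else -> Local Data.
NXDOMAIN, NODATA, PASSTHRU, LOCAL_DATA, FORWARD = (
    "NXDOMAIN", "NODATA", "PASSTHRU", "LOCAL_DATA", "FORWARD")

@dataclass(frozen=True)
class Rule:
    trigger: str          # QNAME trigger relative to the policy zone, e.g. "*.c2.example"
    action: str
    rdata: Optional[str]  # set only for Local Data, e.g. "CNAME landing.csirt.example."

def norm(name: str) -> str:
    return name.rstrip(".").lower()

def parse_rpz_zone(text: str, zone: str) -> list[Rule]:
    """Parse single-line records 'owner [IN] TYPE RDATA' into QNAME rules.
    Apex records ('@'), $-directives and comments are skipped; a real zone
    parser also handles TTLs, multi-line RDATA and the other trigger types."""
    suffix = "." + norm(zone)
    rules = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith(("$", "@")):
            continue
        fields = line.split()
        owner, rtype, rdata = norm(fields[0]), fields[-2].upper(), fields[-1]
        if not owner.endswith(suffix):
            continue                  # owner outside the policy zone; BIND rejects these
        trigger = owner[: -len(suffix)]
        if rtype == "CNAME" and rdata == ".":
            action, data = NXDOMAIN, None
        elif rtype == "CNAME" and rdata == "*.":
            action, data = NODATA, None
        elif rtype == "CNAME" and norm(rdata) == "rpz-passthru":
            action, data = PASSTHRU, None
        else:
            action, data = LOCAL_DATA, f"{rtype} {rdata}"
        rules.append(Rule(trigger, action, data))
    return rules

def match_rule(qname: str, rules: list[Rule]) -> Optional[Rule]:
    """An exact trigger beats a wildcard; among wildcards the closest ancestor wins."""
    q = norm(qname)
    best, best_depth = None, -1
    for r in rules:
        if r.trigger == q:
            return r
        if r.trigger.startswith("*.") and q.endswith("." + r.trigger[2:]):
            depth = r.trigger.count(".")
            if depth > best_depth:
                best, best_depth = r, depth
    return best

class DnsFirewall:
    """Policy zones are consulted in order; the first zone with a match decides."""

    def __init__(self, zones: list[tuple[str, str]]):
        self.zones = [(name, parse_rpz_zone(text, name)) for name, text in zones]

    def decide(self, qname: str) -> tuple[str, Optional[str]]:
        for _, rules in self.zones:
            hit = match_rule(qname, rules)
            if hit is not None:
                return hit.action, hit.rdata
        return FORWARD, None          # nothing matched: forward the query as usual

# Constructed local exception zone, listed first so that a harmless domain
# wrongly present in a shared blacklist keeps resolving.
LOCAL_ZONE = """
portal.university.example.local.rpz.    IN CNAME rpz-passthru.
*.portal.university.example.local.rpz.  IN CNAME rpz-passthru.
"""

# Constructed blacklist zone, the shape a shared RPZ feed takes.
BLACKLIST_ZONE = """
@ IN SOA ns.rpz.example. hostmaster.rpz.example. 1 3600 600 86400 60
; phishing site: hand the user to the CSIRT landing page
phish.example.shared.rpz.       IN CNAME landing.csirt.example.
*.phish.example.shared.rpz.     IN CNAME landing.csirt.example.
; malware C2: NXDOMAIN for the name and everything below it
c2.example.shared.rpz.          IN CNAME .
*.c2.example.shared.rpz.        IN CNAME .
; tracker: NODATA, except one host that legitimate services depend on
*.tracker.example.shared.rpz.   IN CNAME *.
cdn.tracker.example.shared.rpz. IN CNAME rpz-passthru.
; false positive in the shared feed, overridden by LOCAL_ZONE
portal.university.example.shared.rpz. IN CNAME .
"""

FIREWALL = DnsFirewall([("local.rpz", LOCAL_ZONE), ("shared.rpz", BLACKLIST_ZONE)])
```

Calling `FIREWALL.decide("www.phish.example")` yields the local-data redirect to the landing page, `decide("a.b.c2.example")` yields NXDOMAIN through the wildcard, and `decide("cdn.tracker.example")` yields PASSTHRU because the exact trigger outranks `*.tracker.example`. In a real deployment the resolver (BIND's `response-policy` statement) does this matching; the example only makes the precedence rules visible. Note that the landing-page redirect works for plain HTTP only: for an HTTPS site the browser rejects the landing page's certificate, which is the problem slide 13 raises.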

  5. CSIRT Requirements
     1. Functions Integration
     2. Logging
     3. Blacklist Sharing
     4. User Education

  6. CSIRT Requirements – Integration
     1. Functions Integration
     - Manage the DNS FW operation through a GUI
     - Integrate the GUI alongside the other cybersecurity tools

  7. CSIRT Requirements – Logging
     2. Logging
     User Data
     - Generated as DNS queries hit the DNS FW blacklist
     - Analysis may point incident handlers to an infected device
     Management Data
     - Generated as incident handlers manage the DNS FW
     - Allows keeping track of the blacklist history
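As an added example (not the authors' logging module), the following Python turns the "user data" described on this slide into something an incident handler can act on: it parses the resolver's RPZ hit log, ignores PASSTHRU hits (they were allowed, so they are not incidents) and unrelated lines, and ranks devices by repeated hits and distinct blocked domains. The log lines are constructed and shaped like BIND's rpz log category, which is an assumption about the resolver in use; the threshold in `triage` is the example's own.

```python
"""Turn DNS firewall hit logs into per-device indicators for incident handlers.

Added example, not code from the presentation. The log lines are constructed
and follow the shape of BIND's 'rpz' log category (an assumption about the
deployment); adapt LOG_RE to the resolver actually in use.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) rpz: info: client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\w+) (?P<action>[A-Za-z-]+) rewrite (?P<rname>\S+) via (?P<rule>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

# Constructed sample: one device hitting a C2 name repeatedly, one device with a
# single phishing click, one explicitly allowed (PASSTHRU) hit, and one ordinary
# query-log line that must be ignored.
SAMPLE_LOG = """\
09-Apr-2019 10:15:32.117 rpz: info: client @0x7f1c2c0a8b70 10.20.30.40#51234 (c2.example): rpz QNAME NXDOMAIN rewrite c2.example via c2.example.shared.rpz
09-Apr-2019 10:15:33.402 rpz: info: client @0x7f1c2c0a8b70 10.20.30.40#51235 (c2.example): rpz QNAME NXDOMAIN rewrite c2.example via c2.example.shared.rpz
09-Apr-2019 10:16:01.009 rpz: info: client @0x7f1c2c0a9c10 10.20.30.41#40211 (www.phish.example): rpz QNAME Local-Data rewrite www.phish.example via *.phish.example.shared.rpz
09-Apr-2019 10:16:05.550 rpz: info: client @0x7f1c2c0a8b70 10.20.30.40#51240 (update.c2.example): rpz QNAME NXDOMAIN rewrite update.c2.example via *.c2.example.shared.rpz
09-Apr-2019 10:17:44.201 rpz: info: client @0x7f1c2c0aa330 10.20.30.42#60001 (cdn.tracker.example): rpz QNAME PASSTHRU rewrite cdn.tracker.example via cdn.tracker.example.shared.rpz
09-Apr-2019 10:18:12.333 queries: info: client 10.20.30.43#55555 (www.example): query: www.example IN A + (10.20.30.1)
09-Apr-2019 10:20:00.000 rpz: info: client @0x7f1c2c0a8b70 10.20.30.40#51250 (www.phish.example): rpz QNAME Local-Data rewrite www.phish.example via *.phish.example.shared.rpz
"""

def parse_hits(log_text):
    """Yield parsed RPZ hits, skipping non-RPZ lines and PASSTHRU (allowed) hits."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["action"].upper() == "PASSTHRU":
            continue                      # explicitly whitelisted, not an incident
        yield {
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "ip": m["ip"],
            "qname": m["qname"].lower(),
            "action": m["action"],
            "rule": m["rule"],
        }

def summarize_by_device(log_text):
    """Per client IP: hit count, distinct blocked domains, first and last hit."""
    devices = defaultdict(lambda: {"hits": 0, "domains": set(), "first": None, "last": None})
    for h in parse_hits(log_text):
        d = devices[h["ip"]]
        d["hits"] += 1
        d["domains"].add(h["qname"])
        if d["first"] is None or h["ts"] < d["first"]:
            d["first"] = h["ts"]
        if d["last"] is None or h["ts"] > d["last"]:
            d["last"] = h["ts"]
    return dict(devices)

def triage(log_text, min_hits=2):
    """Devices a handler should look at first: repeated hits or several domains.
    One hit may be a user clicking a single phishing link; repeated hits on a
    C2 name over minutes look like an infected device beaconing."""
    ranked = sorted(summarize_by_device(log_text).items(),
                    key=lambda kv: (kv[1]["hits"], len(kv[1]["domains"])), reverse=True)
    return [(ip, d["hits"], sorted(d["domains"]))
            for ip, d in ranked if d["hits"] >= min_hits or len(d["domains"]) > 1]

if __name__ == "__main__":
    for ip, hits, domains in triage(SAMPLE_LOG):
        print(f"{ip}: {hits} hits, blocked domains: {', '.join(domains)}")
```

On the constructed sample only 10.20.30.40 is reported (four hits across a C2 name, a subdomain of it and a phishing site); the single phishing hit from 10.20.30.41 stays in the per-device summary but below the triage threshold, and the PASSTHRU hit from 10.20.30.42 is not counted at all. Storing the parsed records in the database backend mentioned on slide 11 is what makes the "first"/"last" timestamps useful over months rather than minutes.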

  8. CSIRT Requirements – Sharing
     3. Blacklist Sharing
     - Blocking a domain after or during an attack may be too late
     - Sharing blacklists between CSIRTs and other institutions allows for proactive domain blocking

  9. CSIRT Requirements – Education
     4. User Education
     - The DNS FW may redirect connections instead of blocking them
     - The user is redirected to a safe landing page with details about the incident
     - It is a direct and immediate way to tell the user what just happened

  10. Advanced DNS FW Model (diagram)

  11. Implementation
     - Based on the DNS Response Policy Zones standard
     - Contains further modules to meet the CSIRT requirements:
       - Integration: GUI in the currently used incident handling software
       - Logging: database backend with a visualization plugin
       - Sharing: supported by DNS RPZ itself (policy zones are ordinary DNS zones, distributed by zone transfer)
       - Education: landing page with a report form
     - Several open issues prevent implementing the "ideal" model

  12. Open Issues
     - Transition to HTTPS
     - Blacklist Sharing
     - Few Open Implementations
     - Easy to Bypass

  13. Open Issues
     Transition to HTTPS
     - The browser's certificate check makes redirection impossible: the landing page cannot present a valid certificate for the blocked hostname
     - Breaks the direct way to inform the user about the incident
     - Users can still be contacted outside of the DNS Firewall

  14. Open Issues
     Blacklist Sharing
     - Issue with the trustworthiness of shared blacklists
     - Blacklisting a harmless domain may cause severe disruption of the institution's services
     - A serious issue if feedback from users is not possible

  15. Open Issues
     Few Open Implementations
     - DNS Response Policy Zones is the only open standard
     - Every institution has to develop its own service backend

  16. Open Issues
     Easy to Bypass
     - The DNS resolver is easy to change in an open network
     - A more significant issue if the firewall is used to enforce a policy
     - In some cases may be mitigated by exerting more control over the network
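An added example, not part of the presentation, of what "exerting more control over the network" can start with: checking flow records for devices that send DNS to anything other than the firewalled resolvers, which is exactly what a user who reconfigures the resolver produces. The resolver addresses (10.20.0.53, 10.20.0.54) and the flow records are constructed; port 853 (DNS over TLS) is included as a small generalization of the slide's point, since it is the other port a changed resolver setting commonly uses.

```python
"""Spot devices that bypass the DNS firewall by talking to another resolver.

Added example, not code from the presentation. Flow records are constructed
(NetFlow/IPFIX-style tuples) and the resolver addresses are assumptions.
Reported: port 53 (classic DNS) and port 853 (DNS over TLS) to any address
other than the firewalled resolvers.
"""
from collections import defaultdict

# Assumed addresses of the resolvers that apply the RPZ policy.
FIREWALLED_RESOLVERS = {"10.20.0.53", "10.20.0.54"}

# (src_ip, dst_ip, proto, dst_port, packets); constructed sample traffic.
SAMPLE_FLOWS = [
    ("10.20.30.40", "10.20.0.53", "udp", 53, 120),     # normal: campus resolver
    ("10.20.30.41", "198.51.100.1", "udp", 53, 35),    # bypass: external resolver
    ("10.20.30.41", "198.51.100.1", "tcp", 53, 2),     # same resolver, TCP fallback
    ("10.20.30.42", "198.51.100.2", "tcp", 853, 18),   # bypass: DNS over TLS
    ("10.20.30.43", "203.0.113.20", "tcp", 443, 500),  # ordinary HTTPS, ignored
    ("10.20.30.44", "10.20.0.54", "tcp", 53, 1),       # normal: TCP to campus resolver
]

def classify(flow):
    """Return a bypass label for a flow, or None if it is not a DNS bypass."""
    _, dst, proto, port, _ = flow
    if dst in FIREWALLED_RESOLVERS:
        return None                       # policy-enforcing resolver, fine on any port
    if port == 53:
        return "do53-external"
    if port == 853 and proto == "tcp":
        return "dot-external"
    return None

def bypassing_devices(flows):
    """Map src IP -> {label: (packet total, sorted list of resolver IPs)}."""
    report = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for flow in flows:
        label = classify(flow)
        if label is None:
            continue
        src, dst, _, _, packets = flow
        entry = report[src][label]
        entry[0] += packets
        entry[1].add(dst)
    return {src: {lbl: (pk, sorted(ips)) for lbl, (pk, ips) in labels.items()}
            for src, labels in report.items()}

if __name__ == "__main__":
    for src, labels in sorted(bypassing_devices(SAMPLE_FLOWS).items()):
        for label, (packets, resolvers) in labels.items():
            print(f"{src}: {label} -> {', '.join(resolvers)} ({packets} packets)")
```

The same allow-list is what an egress filter would enforce (permit 53 and 853 only towards the firewalled resolvers), turning detection into the control the slide calls for. Encrypted DNS over HTTPS on port 443 is not distinguishable by port alone and is out of scope for this check.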

  17. Current Results
     - The DNS Firewall is active on a campus network with around 43 000 devices
     - The blacklist contains 135 manually added domains known to be malicious
     - Since November 2018, 10 230 incidents were detected, originating from 507 unique devices

  18. Summary
     - Our testing shows that the DNS firewall is a concept that covers another possible hole in the security of a private network
     - There exists at least one openly specified technology for DNS FW implementation: DNS RPZ
     - The technology allows implementing the DNS FW itself, but cannot yet satisfy all the CSIRT requirements:
       - Integration
       - Logging
       - Sharing
       - Education

  19. THANK YOU FOR YOUR ATTENTION
     Stanislav Špaček
     csirt.muni.cz
     @csirtmu
     spaceks@ics.muni.cz
