

SLIDE 1

CURRENT ISSUES OF MALICIOUS DOMAINS BLOCKING

Tuesday 9th April, 2019

Stanislav Špaček

Martin Laštovička, Martin Horák and Tomáš Plesník

SLIDE 2

Introduction

Malicious Domains

  • Attackers may register their own domains
  • May host phishing websites or distribute malware
  • Using the DNS provides attackers with:
      • Trustworthy links
      • A way to avoid IP firewalls

DNS Firewall

  • A "clever" resolver
  • Checks its domain blacklist before forwarding the DNS query

Current Issues of Malicious Domains Blocking Page 2 / 19

SLIDE 3

Basic DNS FW Model


SLIDE 4

Technology

DNS Response Policy Zones (DNS RPZ)

  • The only open, up-to-date standard for a DNS firewall
  • Integrated into BIND and Windows Server 2016
  • Provides only the resolver-side support

Proprietary Technologies

  • Commercial applications of the DNS firewall, often offered as a service
  • Many providers – Infoblox, Farsight Security, Spamhaus
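The "clever resolver" of slides 2 to 4 boils down to one decision per query: look the name up in the policy zone and either rewrite the answer or forward the query as usual. The example below is added here and is not the authors' implementation; it parses a constructed RPZ policy zone (the zone name rpz.example and every domain in it are hypothetical) and shows how the CNAME target of each rule encodes the action RPZ defines (NXDOMAIN, NODATA, redirect to local data, passthru, drop). Only QNAME triggers are modelled.

```python
"""RPZ-style policy lookup for a DNS firewall (added example, not the
authors' implementation). The zone text, the zone name "rpz.example" and
every domain in it are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy zone in BIND master-file syntax. Owner names are relative
# to the zone origin; the CNAME target encodes the action as RPZ defines it.
RPZ_ZONE = """\
$TTL 300
@                    SOA   ns.rpz.example. hostmaster.rpz.example. 2019040901 3600 600 86400 300
@                    NS    ns.rpz.example.
; NXDOMAIN for a known malware C2 domain and everything beneath it
malware-c2.test      CNAME .
*.malware-c2.test    CNAME .
; NODATA (name exists, no records) for a tracking domain
tracker.test         CNAME *.
; redirect a phishing domain to the CSIRT landing page (user education)
phish-bank.test      CNAME landing.csirt.example.
; never rewrite the institution's own portal, whatever a shared feed says
portal.csirt.example CNAME rpz-passthru.
; silently drop queries for an amplification domain
amp.test             CNAME rpz-drop.
"""


def parse_rpz(zone_text: str) -> Dict[str, str]:
    """Return {trigger: cname_target} for the QNAME rules of a policy zone.

    Directives, the SOA/NS apex records and comments are skipped. RPZ also
    defines IP, NSDNAME, NSIP and CLIENT-IP triggers; they are not modelled.
    """
    rules: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if "CNAME" not in fields:
            continue
        idx = fields.index("CNAME")
        if idx + 1 >= len(fields):
            continue
        rules[fields[0].lower().rstrip(".")] = fields[idx + 1]
    return rules


def decode_action(target: str) -> Tuple[str, Optional[str]]:
    """Map an RPZ CNAME target onto the action it encodes."""
    t = target.lower()
    special = {".": "NXDOMAIN", "*.": "NODATA", "rpz-passthru.": "PASSTHRU",
               "rpz-drop.": "DROP", "rpz-tcp-only.": "TCP-ONLY"}
    if t in special:
        return special[t], None
    return "CNAME", t.rstrip(".")      # local data: rewrite the answer to this name


@dataclass
class Verdict:
    action: str                  # FORWARD means no rule matched; query goes upstream
    rule: Optional[str]          # matching trigger, to be logged for incident handlers
    data: Optional[str] = None   # redirect target for CNAME actions


def lookup(rules: Dict[str, str], qname: str) -> Verdict:
    """Decide what the resolver does with qname before forwarding it.

    An exact trigger wins; otherwise the most specific matching wildcard
    ("*.parent" matches any name strictly below "parent"). This is a
    simplification of RPZ precedence that is enough for a single zone.
    """
    name = qname.lower().rstrip(".")
    if name in rules:
        action, data = decode_action(rules[name])
        return Verdict(action, name, data)
    labels = name.split(".")
    for i in range(1, len(labels)):             # longest suffix first
        candidate = "*." + ".".join(labels[i:])
        if candidate in rules:
            action, data = decode_action(rules[candidate])
            return Verdict(action, candidate, data)
    return Verdict("FORWARD", None)


if __name__ == "__main__":
    policy = parse_rpz(RPZ_ZONE)
    for q in ("cdn.malware-c2.test", "phish-bank.test", "www.phish-bank.test",
              "portal.csirt.example", "www.example.org"):
        print(f"{q:24} -> {lookup(policy, q)}")
```

Two details matter operationally: a plain trigger does not cover subdomains, so a malware domain needs both the `name` and `*.name` rules, and a `rpz-passthru.` rule for the institution's own names is the cheapest insurance against a shared feed that blacklists a harmless domain.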


SLIDE 5

CSIRT Requirements

  • 1. Functions Integration
  • 2. Logging
  • 3. Blacklist Sharing
  • 4. User Education


SLIDE 6

CSIRT Requirements – Integration

  • 1. Functions Integration

  • Manage the DNS FW operation through a GUI
  • Integrate the GUI alongside the other cybersecurity tools in use


SLIDE 7

CSIRT Requirements – Logging

  • 2. Logging

User Data

  • Generated as DNS queries hit the DNS FW blacklist
  • Analysis may point incident handlers to an infected device

Management Data

  • Generated as incident handlers manage the DNS FW
  • Allows keeping track of the blacklist history
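What "analysis may point incident handlers to an infected device" looks like in practice, as an added example that is not the authors' code: parse the resolver's rewrite log (user data), count hits per device and per rule, and pick out devices that repeatedly query the same blocked name, which looks like malware beaconing rather than a single click on a phishing link. The log lines are constructed in the style of BIND's `rpz` log category; the addresses, domains and the triage threshold are hypothetical. The last function covers the management data: a change log between two versions of the blacklist.

```python
"""Turning DNS firewall logs into incident data (added example, not the
authors' code). Log lines are constructed in the style of BIND's "rpz" log
category; addresses, domains and thresholds are hypothetical."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed user data: one line per query that hit the blacklist, plus one
# ordinary query line that must be ignored.
RPZ_LOG = """\
09-Apr-2019 08:02:11.120 rpz: info: client @0x7f3a1c0c2e80 10.20.30.40#51732 (cdn.malware-c2.test): rpz QNAME NXDOMAIN rewrite cdn.malware-c2.test via *.malware-c2.test.rpz.example
09-Apr-2019 08:02:41.507 rpz: info: client @0x7f3a1c0c2e80 10.20.30.40#51733 (cdn.malware-c2.test): rpz QNAME NXDOMAIN rewrite cdn.malware-c2.test via *.malware-c2.test.rpz.example
09-Apr-2019 08:03:12.009 rpz: info: client @0x7f3a1c0c2e80 10.20.30.40#51734 (api.malware-c2.test): rpz QNAME NXDOMAIN rewrite api.malware-c2.test via *.malware-c2.test.rpz.example
09-Apr-2019 08:15:55.311 rpz: info: client @0x7f3a1c0d1a00 10.20.31.7#60012 (phish-bank.test): rpz QNAME CNAME rewrite phish-bank.test via phish-bank.test.rpz.example
09-Apr-2019 08:16:03.870 queries: info: client @0x7f3a1c0d1a00 10.20.31.7#60013 (www.example.org): query: www.example.org IN A + (10.20.0.53)
09-Apr-2019 09:40:27.002 rpz: info: client @0x7f3a1c0e3b10 10.20.32.99#44100 (tracker.test): rpz QNAME NODATA rewrite tracker.test via tracker.test.rpz.example
"""

# "client <addr>#<port> (<qname>): rpz <trigger> <action> rewrite <name> via <rule>"
HIT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rpz: \w+: client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"rpz (?P<trigger>\S+) (?P<action>\S+) rewrite \S+ via (?P<rule>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    client: str
    qname: str
    action: str
    rule: str


def parse_hits(log_text: str) -> List[Hit]:
    """Keep only the lines that record a blacklist hit."""
    hits = []
    for line in log_text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(Hit(m["ts"], m["client"], m["qname"], m["action"], m["rule"]))
    return hits


@dataclass
class Report:
    incidents: int
    unique_devices: int
    hits_per_device: Dict[str, int]
    devices_per_rule: Dict[str, List[str]]


def report(hits: List[Hit]) -> Report:
    """The figures a CSIRT reports: incidents, devices involved, and which
    rule caught which devices."""
    per_device = Counter(h.client for h in hits)
    per_rule = defaultdict(set)
    for h in hits:
        per_rule[h.rule].add(h.client)
    return Report(len(hits), len(per_device), dict(per_device),
                  {r: sorted(c) for r, c in per_rule.items()})


def triage(hits: List[Hit], min_hits: int = 3) -> List[Tuple[str, str, int]]:
    """Candidate infected devices: repeated hits by one client on one rule look
    like beaconing; a single hit is usually a user who clicked a link (and, for
    redirect rules, already saw the landing page). The threshold is a
    hypothetical starting point, not a value from the authors."""
    pairs = Counter((h.client, h.rule) for h in hits)
    return sorted((c, r, n) for (c, r), n in pairs.items() if n >= min_hits)


def blacklist_changelog(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Management data: what an update to the policy zone added, removed or
    changed, so the blacklist history can be reconstructed later."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


if __name__ == "__main__":
    hits = parse_hits(RPZ_LOG)
    print(report(hits))
    print("triage:", triage(hits))
```

In a real deployment the client address still has to be joined with DHCP or NAC records before it names a device, and the change log should carry who made the change and when, which is exactly why the authors want the GUI inside the incident handling software rather than a hand-edited zone file.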


SLIDE 8

CSIRT Requirements – Sharing

  • 3. Blacklist Sharing

  • Blocking a domain after or during an attack may be too late
  • Sharing blacklists between CSIRTs and other institutions allows for proactive domain blocking


SLIDE 9

CSIRT Requirements – Education

  • 4. User Education

The DNS FW may redirect connections instead of blocking them

  • The user is redirected to a safe landing page with the details about the incident
  • It is a direct and immediate way to tell the user what just happened


SLIDE 10

Advanced DNS FW Model


SLIDE 11

Implementation

  • Based on the DNS Response Policy Zones standard
  • Contains other modules to meet the CSIRT requirements:
      • Integration – GUI in the currently used incident handling software
      • Logging – database backend with a visualization plugin
      • Sharing – supported by DNS RPZ itself (a policy zone is an ordinary DNS zone and can be transferred between institutions like any other zone)
      • Education – landing page with a report form
  • Several open issues prevent implementing the "ideal" model


SLIDE 12

Open Issues

  • Transition to HTTPS
  • Blacklist Sharing
  • Few Open Implementations
  • Easy to Bypass


SLIDE 13

Open Issues

Transition to HTTPS

  • The browser's certificate check makes redirection impossible: the DNS FW can point the blocked name at the landing page, but the landing server cannot present a certificate valid for that name, so the browser shows a certificate error instead of the page
  • Breaks the direct way to inform the user about the incident
  • Users can still be contacted outside of the DNS Firewall


SLIDE 14

Open Issues

Blacklist Sharing

  • Issue with the trustworthiness of a shared blacklist
  • Blacklisting a harmless domain may cause severe disruption of the institution's services
  • A serious issue if feedback from users is not possible


SLIDE 15

Open Issues

Few Open Implementations

  • DNS Response Policy Zones is the only open standard
  • Every institution has to develop its own service backend


SLIDE 16

Open Issues

Easy to Bypass

  • The DNS resolver is easy to change in an open network
  • A more significant issue if the firewall is used to enforce a policy
  • In some cases may be mitigated by exerting more control over the network
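The bypass is trivial for a user: point the system resolver at an external address and the policy zone is never consulted. The first step of "exerting more control over the network" is seeing who does that. The example below is added here and is not the authors' code; it runs over constructed flow records (the campus resolver addresses 10.20.0.53/54 and every other address are hypothetical) and reports clients whose DNS traffic, plain or DNS-over-TLS, goes anywhere but the resolvers that run the DNS firewall.

```python
"""Spotting clients that bypass the DNS firewall (added example, not the
authors' code). The flow records and the resolver addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Set

# Hypothetical campus resolvers that run the DNS firewall.
CAMPUS_RESOLVERS = {"10.20.0.53", "10.20.0.54"}
# Plain DNS and DNS-over-TLS. DNS-over-HTTPS rides on 443 and is not
# distinguishable from web traffic by port, which is a limit of this check.
DNS_PORTS = {53, 853}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# Constructed flow records, as a NetFlow/IPFIX export at the campus edge would show them.
FLOWS = [
    Flow("10.20.30.40", "10.20.0.53", "udp", 53),    # normal: campus resolver
    Flow("10.20.31.7", "10.20.0.54", "udp", 53),
    Flow("10.20.31.7", "203.0.113.53", "udp", 53),   # bypass: external resolver
    Flow("10.20.32.99", "198.51.100.9", "tcp", 853), # bypass: DNS-over-TLS to an external resolver
    Flow("10.20.32.99", "198.51.100.9", "tcp", 443), # looks like HTTPS; could be DoH, invisible here
    Flow("10.20.33.12", "10.20.0.53", "tcp", 53),    # large answer over TCP, still the campus resolver
]


def bypass_report(flows: Iterable[Flow],
                  resolvers: Set[str] = CAMPUS_RESOLVERS,
                  ports: Set[int] = DNS_PORTS) -> Dict[str, Set[str]]:
    """Return {client: external DNS endpoints} for clients whose DNS traffic
    does not go to the campus resolvers. Those hosts never see the blacklist,
    so a policy enforced only inside the resolver does not apply to them."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dport in ports and f.dst not in resolvers:
            out[f.src].add(f"{f.dst}:{f.dport}/{f.proto}")
    return dict(out)


if __name__ == "__main__":
    for client, endpoints in sorted(bypass_report(FLOWS).items()):
        print(client, "->", ", ".join(sorted(endpoints)))
```

Where the firewall enforces policy rather than merely protecting users, the detection is best paired with an egress filter that drops or redirects port 53 and 853 traffic not destined for the campus resolvers; DoH clients remain a blind spot for both the report and the filter.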


SLIDE 17

Current Results

  • The DNS Firewall is active on a campus network with around 43 000 devices
  • The blacklist contains 135 manually added domains known to be malicious
  • Since November 2018, 10 230 incidents were detected, originating from 507 unique devices


SLIDE 18

Summary

  • Our testing shows that the DNS firewall is a concept that covers another possible hole in the security of a private network
  • There exists at least one open-source technology for DNS FW implementation – DNS RPZ
  • The technology allows implementing the DNS FW itself, but cannot yet satisfy all the CSIRT requirements:
      • Integration
      • Logging
      • Sharing
      • Education


SLIDE 19

THANK YOU FOR YOUR ATTENTION

csirt.muni.cz

Stanislav Špaček

@csirtmu

spaceks@ics.muni.cz