The Importance of DNS in Preventing Global Cyber Attacks - Ricardo Rodrigues - PowerPoint PPT Presentation



SLIDE 1

The Importance of DNS in Preventing Global Cyber Attacks

Ricardo Rodrigues

SLIDE 2

Effective Internet Security Has Never Been More Important

The cost of security incidents has increased, driven by Ransomware (Source: Symantec)

Attack queries grew 270 percent from Fall 2016 to Spring 2017

Chart: 1.6M (2013) to 6M (2016)

Average ransomware cost to a consumer: $8,699

Average ransomware cost to a business: $20,752

Sources: Nominum; SBIR

SLIDE 3

Mobile & IoT Devices Are At Risk

End-user Devices Remain Unprotected As IoT Attacks Are on the Rise

Map: Worldwide Mirai Infections (Mirai botnet). Source: 360 and Nominum

SLIDE 4

The Dream of the Connected Life

SLIDE 5

IoT: Internet of Things? or… Internet of Threats?

SLIDE 6

Cyber Attack Ladder

Stages and their steps:

  • PREPARATION: Reconnaissance, Weaponization
  • INTRUSION: Delivery, Exploitation, Installation
  • ATTACK: C&C, Action

SLIDE 7

Cyber Attacks

  • BYOD, IoT and botnets bring new challenges
    – What to do if the attack comes from inside your network?
  • Block thousands of infected subscribers?
    – How to mitigate the attack without harming the subscriber?
  • It is imperative to block the malicious traffic and allow the good
  • Is it possible to be proactive?
    – How to identify infected subscribers?
    – Is it possible to prevent infected subscribers from generating attacks?
  • Is it necessary to change the network architecture?
    – Or can we make better use of the existing elements?

SLIDE 8

DNS and the Security Architecture

SLIDE 9

DNS Can Help at Every Stage of an Attack

Cyber Attack Ladder (stages and their steps):

  • PREPARATION: Reconnaissance, Weaponization
  • INTRUSION: Delivery, Exploitation, Installation
  • ATTACK: C&C, Action

How DNS Helps:

  • Block purpose-built DNS Amp domains
  • Rate-limit dual-use DNS Amp domains
  • Block malicious subdomains (PRSD)
  • Block DNS tunneling domains
  • Block command and control domains
  • Block phishing domains
  • Block domains hosting exploit kits
  • Block malware download domains
  • Redirect & block HTTP paths for compromised websites
  • Block malware drop sites
  • Block domains used to download files for encryption
  • Monitor or block domains associated with criminal infrastructure
  • Monitor or block traffic to illegal download sites
  • Block categories of domains frequently serving malware
  • Identify anomalous DNS requests for further investigation

SLIDE 10

Threat Landscape

01

SLIDE 11

New DNS Domains – every 24 hours

SLIDE 12

Threat Tracker 2016

  • 3X growth in queries and domains
  • 82 million malicious queries daily (by end of Aug)
  • 94,000 domains added daily to block list

SLIDE 13

Threat Tracker 2017

SLIDE 14

Phishing - Time to Block

SLIDE 15

Main Threats Identified

02

SLIDE 16

Top Threats by Function

SLIDE 17

ATTACK STAGE | Ransomware Attacks

Up 270% Fall 2016-Spring 2017

SLIDE 18

ATTACK STAGE | Mirai Across the Globe

SLIDE 19

ATTACK STAGE | Mirai Source Code

A right shift by 3 bits applied to an 8-bit value leaves 5 bits, so the result always falls in the range 0-31, which indexes exactly the 32-character string above.
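As an added example (not from the deck and not Mirai's own source), the C code below checks the range claim exhaustively and then turns it into a resolver-side filter: because a byte shifted right by 3 can only produce 32 values, every label built this way draws from one fixed 32-character alphabet, so a label containing any other character cannot have come from that generator. The `ALPHABET` string is a constructed placeholder, since the slide's own string is not on this page, and the function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Constructed placeholder: the slide's own 32-character string is not on the
 * page, so any 32 distinct characters stand in for it here. */
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz012345";

/* The selector the slide describes: drop the low 3 bits of a byte. Five bits
 * remain, so the result is always in 0..31 and can never index past a
 * 32-character string. */
static int select_index(uint8_t b)
{
    return b >> 3;
}

/* Check the range claim exhaustively for all 256 byte values and return how
 * many distinct indices appear (exactly 32), or -1 if any index overruns. */
static int count_distinct_indices(void)
{
    int seen[32] = {0};
    int distinct = 0;
    for (int b = 0; b < 256; b++) {
        int idx = select_index((uint8_t)b);
        if (idx < 0 || idx >= 32)
            return -1;
        if (!seen[idx]) {
            seen[idx] = 1;
            distinct++;
        }
    }
    return distinct;
}

/* Map raw bytes to a label with the shift-and-index scheme; used here only to
 * build sample input for the filter below. out needs n + 1 bytes. */
static void bytes_to_label(const uint8_t *bytes, size_t n, char *out)
{
    for (size_t i = 0; i < n; i++)
        out[i] = ALPHABET[select_index(bytes[i])];
    out[n] = '\0';
}

/* Defender-side filter: a label is consistent with this generator only if
 * every character is in the 32-character alphabet. Any character outside it
 * rules this generator out, which cheaply separates such PRSD labels from
 * ordinary hostnames that use hyphens, other digits or mixed case. */
static int label_fits_alphabet(const char *label)
{
    return label[0] != '\0' && strspn(label, ALPHABET) == strlen(label);
}
```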

SLIDE 20

Localization of the Threats

03

SLIDE 21

C&C – World

SLIDE 22

C&C – USA

1. California
2. Virginia
3. Arizona
4. Texas
5. Florida

SLIDE 23

Hosting of Malware

Maps: World; USA

SLIDE 24

Deep Dive in DNS-Based DDoS

04

SLIDE 25

12 Minutes of a PRSD Attack

SLIDE 26

DNS Amplification

SLIDE 27

WannaCry: views from the DNS frontline

04

http://www.nominum.com/tech-blog/wannacry-views-dns-frontline

SLIDE 28

WannaCry Timeline

Kill-switch domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

SLIDE 29

WannaCry: Newly Affected Clients per Minute

SLIDE 30

WannaCry: Top 3 Groups of Infected Subscribers

Top 3 groups identified:

  • Gamers
  • Teamviewer users
  • Previously infected subscribers

SLIDE 31

Conclusions

  • High growth of DDoS, botnet and ransomware attacks
  • BYOD and IoT bring new challenges
  • DNS is key for Prevention and Mitigation

SLIDE 32

Final Thoughts

  • Download Nominum Data Science Security Reports:

    – Spring 2017: http://nominum.com/resource/security-report-nn
    – Fall 2016: http://nominum.com/resource/security-report-home

  • For Thought:
    – Does your DNS server always give the correct answer?
    – Does the correct answer protect the subscriber?