A First Line of Defense Between your Organization and the Internet OpenDNS Cloud-Security & Threat Intelligence

Upload: trannhan

Post on 31-Mar-2018


Page 1: OpenDNS Cloud-Security & Threat Intelligence - Cisco (SporB_OpenDNS_Advanced)

A First Line of Defense Between your Organization and the Internet

OpenDNS Cloud-Security & Threat Intelligence

Page 2

First, A Quick Refresher on DNS

AUTHORITATIVE DNS: Owns and publishes the “phone books”

DOMAIN REGISTRAR: Maps and records names to #s in “phone books”

RECURSIVE DNS: Looks up & remembers the #s for each name

Page 3

Big Data: ~3% of Global DNS

Requests Per Day: 90B

Countries: 160+

Daily Active Users: 65M

Enterprise Customers: 10K

Page 4

Gather Intelligence & Enforce Security at the DNS Layer

Diagram: OpenDNS User → Recursive DNS → Authoritative DNS (root → com. → domain.com.)

Request Patterns (observed at the recursive resolver), used to detect:

•  Compromised systems
•  Command & control callbacks
•  Malware & phishing attempts
•  Algorithm-generated domains
•  Domain co-occurrences
•  Newly registered domains

Authoritative Logs, used to find:

•  Newly staged infrastructures
•  Malicious domains, IPs, ASNs
•  DNS hijacking
•  Fast flux domains
•  Related domains

Page 5

DNS-Layer Network Security Should Block Threats Others Miss

WEB vs. NON-WEB: 15% of C2 bypasses web ports 80 & 443 (callbacks go over DNS or direct to IP)

91% of C2 can be blocked at the DNS layer

Page 6

Where Do You Enforce Security?

Diagram: threats from the INTERNET (MALWARE, C2/BOTNETS, PHISHING) pass the Perimeter (ROUTER/UTM, NGFW, NETFLOW, SANDBOX, PROXY), the MID LAYER, before reaching the Endpoint (AV), the LAST LAYER. DNS-layer enforcement is shown in front of both as the FIRST LAYER.

CHALLENGES

Too Many Alerts via Appliances & AV

Wait Until Payload Reaches Target

Too Much Time to Deploy Everywhere

BENEFITS

Alerts Reduced 2-10x; Improves Your SIEM

Traffic & Payloads Never Reach Target

Provision Globally in UNDER 30 MINUTES

Page 7

WHY? Top Use Cases to Add OpenDNS to Customer’s Security Stack

OFF-NETWORK SECURITY: 50% of PCs are already mobile (1)

SECURE DIRECT-TO-NET OFFICES: 70% of offices go direct to Internet (2)

NEW LAYER OF PREDICTIVE SECURITY: 91% of malware uses DNS (3)

SPEED UP INCIDENT RESPONSE: Only 4% of alerts are investigated per week

AUTOMATE ENFORCEMENT & VISIBILITY: mean time-to-contain threats 26-39 hours (4)

Sources: (1) Gartner, (2) Forrester, (3) Cisco Security Report, and (4) Ponemon

Page 8

OpenDNS Product Portfolio: Umbrella (Enforcement) & Investigate (Threat Intelligence)

Page 9

OpenDNS Products

SECURITY LABS

Umbrella (Enforcement), reached by pointing DNS at 208.67.222.222:

Categories enforced: MALWARE, C2 CALLBACK, PHISHING, CUSTOM (API)

Identities reported: INTERNAL IP, HOSTNAME, AD USER

Investigate (Intelligence), queried via API by DOMAIN, IP, ASN, EMAIL, HASH:

Returns: STATUS & SCORES, CO-OCCURRENCES, RELATIONSHIPS, ATTRIBUTIONS, PATTERNS & GEOs

Page 10

UMBRELLA: The Fastest & Easiest Way To Prevent Threats Before They Reach You

BENEFITS

Simple to point DNS (208.67.222.222) w/o technical or pro services

No hardware to install, no software to maintain

Provision globally in under 30 minutes

Infinitely scalable enforcement platform

Categories enforced: MALWARE, C2 CALLBACKS, PHISHING, CUSTOM (API)

Identities reported: INTERNAL IP, HOSTNAME, AD USER

Page 11

The Power of Integrating Umbrella + AMP Threat Grid: Automate Enforcement & Visibility

AMP THREAT GRID (Unified Analysis & Intelligence), receiving files from the CUSTOMER and from the CUSTOMER & PARTNER COMMUNITY:

Dynamic & static malware analysis identifies key behavioral indicators

Threat content enriched with global & historical context for accuracy

UMBRELLA (Enforcement & Visibility), receiving the domains Threat Grid extracts:

Automatically pulls newly discovered malicious domains in minutes

Logs & blocks all Internet activity destined to these domains

Page 12

INVESTIGATE: The Most Powerful Way To Uncover Threats Before They Happen

KEY POINTS

Intelligence about domains and IPs across the Internet

Live graph of DNS requests and other contextual data

Correlated against statistical models

Discover & predict malicious domains & IPs

Enrich security data with global intelligence

Inputs (via CONSOLE, SIEM, etc., or API): DOMAIN, IP, ASN, EMAIL, HASH

Outputs: STATUS & SCORES, CO-OCCURRENCES, RELATIONSHIPS, ATTRIBUTIONS, PATTERNS & GEOs

Page 13

Our Security Intelligence is Different Than Others: single, correlated source of information

INVESTIGATE provides:

WHOIS record data

ASN attribution

IP geolocation

IP reputation scores

Domain reputation scores

Domain co-occurrences

Anomaly detection (DGAs, FFNs)

DNS request patterns/geo. distribution

Passive DNS database

Comparison: Competing Vendors vs. OpenDNS Only (three of the capabilities above are marked OpenDNS Only)

Page 14

Investigate Demo with Sergio Silva, OpenDNS Consulting Systems Engineer

Page 15

Pivot Through the Attack Infrastructure with Just One Piece of Information (1/2)

Alerts and Risk Scores: Summarize the suspicious activity identified for the domain

Domain Tagging: Shows the history of when the domain was associated with malware or botnet activity

Global Request Patterns: Shows an abnormal spike in traffic, which highlights when the attack launched

IP Geography Analysis: Reveals the domain is hosted by IP addresses on different networks in more than 20 countries, which, for instance, is unusual for legitimate country code top-level domains

Analysis of IP Requester Location: Shows the vast majority of requests for this domain are coming from people located in a certain country, which could signify a more targeted attack

WHOIS Record Data: Shows the domain was recently created and registered by someone who used the same email address to register other malicious domains

Page 16

Pivot Through the Attack Infrastructure with Just One Piece of Information (2/2)

IP Prefix and ASN Mappings: Highlight where the domain is hosted and confirm it’s hosted in a “bad neighborhood” with many other malicious domains. You can pivot on the IP or ASN for more details.

Passive DNS Data: Provides insight into the history of the mapping between domains and IPs. For example, this domain was associated with different IPs when first detected.

Named Threat Attribution: Confirms that the domain was associated with a particular malware family or botnet C&C.

Related Domains and Co-Occurrences: Identify other domains that were queried with a high statistical frequency right before or after this one and are likely related to the same attack.

Anomaly Detection: Includes identifying that this is a fast flux domain, a technique used to hide malware sites behind IPs that are constantly changing.

Starting from a single piece of data, you’re able to quickly investigate the domain leveraging a single, correlated source and speed up incident response.

Page 17

Your local intelligence: You know one IOC

Our global context: We know all its relationships

Page 18

Prioritize Incident Investigation + Response

Inputs:

List of IPs from threat intel feeds

SIEM events about endpoint activity

Network patterns from IDS/firewall

Indicators shown on the slide: 1.227.187.67, excite[.]su, ns4[.]rhzq[.]at, 162.209.116.14, outofspain[.]com, kickoffkit[.]com, 109.86.11.184, muzalabels[.]com

Verdicts shown on the slide: “Known malware”, “No malicious activity”

Query Investigate API & prioritize based on global context
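The procedure on this slide (collect indicators from feeds, SIEM and IDS, look each one up, rank by global context rather than arrival order) as an added Python example. This is not code from the deck or from Cisco/OpenDNS. Network access is confined to fetch_live(), which assumes the Investigate API's base URL, Bearer-token header, endpoint paths and field names (/domains/categorization, /security/name, /ips/{ip}/latest_domains; status, security_categories, securerank2, asn_score, fastflux, attack) as given in its public documentation; verify against the current reference before use. run_sample() runs offline against constructed responses for the slide's indicators; the verdicts and numbers in SAMPLE are invented and say nothing about the real hosts, and the point weights are an arbitrary triage heuristic chosen for the example.

```python
"""Triage mixed indicators (IPs and domains) using Investigate-style context.

Added example, not OpenDNS/Cisco code. fetch_live() talks to the API (assumed
endpoints, see lead-in); run_sample() uses CONSTRUCTED responses and is offline.
"""
import ipaddress
import json
import urllib.request
from typing import Callable

API = "https://investigate.api.umbrella.com"  # assumed base URL


def refang(ioc: str) -> str:
    """Turn the slide's defanged form (excite[.]su) back into a queryable name."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


def kind_of(ioc: str) -> str:
    """Classify an indicator as 'ip' or 'domain' so it hits the right endpoint."""
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def fetch_live(token: str) -> Callable[[str, str], dict]:
    """Build a fetcher for the real API (assumed paths/fields). Unused offline."""
    def _get(path: str) -> dict:
        req = urllib.request.Request(API + path, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    def fetch(kind: str, ioc: str) -> dict:
        if kind == "ip":
            return {"latest_domains": _get(f"/ips/{ioc}/latest_domains")}
        cat = _get(f"/domains/categorization/{ioc}?showLabels")[ioc]
        sec = _get(f"/security/name/{ioc}")
        return {**cat, **sec}
    return fetch


def score(kind: str, r: dict):
    """Turn one lookup result into (priority points, reasons). Weights are arbitrary."""
    pts, why = 0, []
    if kind == "ip":
        n = len(r.get("latest_domains", []))
        if n:
            pts += 40 + min(n, 5) * 5
            why.append(f"{n} malicious domain(s) recently hosted here")
        return pts, why
    status = r.get("status", 0)          # -1 malicious, 0 uncategorized, 1 benign
    if status == -1:
        pts += 50
        why.append("flagged: " + ", ".join(r.get("security_categories") or ["malicious"]))
    elif status == 0:
        pts += 10
        why.append("uncategorized")
    if r.get("attack") or r.get("threat_type"):
        pts += 30
        why.append(f"attributed: {r.get('attack') or r.get('threat_type')}")
    if r.get("securerank2", 0) < -10:     # negative: keeps company with bad domains
        pts += 15
        why.append(f"securerank2={r['securerank2']}")
    if r.get("asn_score", 0) < -5:        # hosted in a "bad neighborhood"
        pts += 10
        why.append(f"asn_score={r['asn_score']}")
    if r.get("fastflux"):
        pts += 10
        why.append("fast flux")
    return pts, why


def triage(iocs, fetch: Callable[[str, str], dict]):
    """Dedupe, refang, look up and sort indicators, highest priority first."""
    out = []
    for ioc in sorted({refang(i) for i in iocs}):
        kind = kind_of(ioc)
        pts, why = score(kind, fetch(kind, ioc))
        out.append((pts, ioc, why or ["no malicious activity"]))
    return sorted(out, key=lambda t: (-t[0], t[1]))


# CONSTRUCTED responses for the slide's indicators. Verdicts, scores and the
# "example-family" attribution are invented; this is not real Investigate output.
SAMPLE = {
    "excite.su":      {"status": -1, "security_categories": ["Malware"], "securerank2": -61.0, "asn_score": -9.3, "fastflux": True, "attack": ""},
    "ns4.rhzq.at":    {"status": 0, "security_categories": [], "securerank2": -22.5, "asn_score": -1.0, "fastflux": False, "attack": ""},
    "outofspain.com": {"status": -1, "security_categories": ["Command and Control"], "securerank2": -40.0, "asn_score": -2.0, "fastflux": False, "attack": "example-family"},
    "kickoffkit.com": {"status": 1, "security_categories": [], "securerank2": 35.0, "asn_score": 3.0, "fastflux": False, "attack": ""},
    "muzalabels.com": {"status": 0, "security_categories": [], "securerank2": 2.0, "asn_score": 0.0, "fastflux": False, "attack": ""},
    "1.227.187.67":   {"latest_domains": [{"name": "excite.su", "id": 1}]},
    "162.209.116.14": {"latest_domains": [{"name": "outofspain.com", "id": 2}, {"name": "a.example", "id": 3}]},
    "109.86.11.184":  {"latest_domains": []},
}


def run_sample():
    """Triage the slide's indicator list against the constructed responses."""
    feeds = ["1.227.187.67", "excite[.]su", "ns4[.]rhzq[.]at", "162.209.116.14",
             "outofspain[.]com", "kickoffkit[.]com", "109.86.11.184", "muzalabels[.]com"]
    return triage(feeds, lambda kind, ioc: SAMPLE[ioc])


if __name__ == "__main__":
    for pts, ioc, why in run_sample():
        print(f"{pts:3d}  {ioc:18s} {'; '.join(why)}")
```

Swap the lambda in run_sample() for fetch_live(token) to run against the live API; the ranking logic is unchanged. Batching (the categorization endpoint accepts a POST with a list of domains) and rate limiting are left out for brevity.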

Page 19

Speed Up Investigations

Discover attack details: IP and ASN reputation. Domain and IP are located in a “bad neighborhood”; this domain has a suspicious ASN score.

Determine if malicious with attribution and tagging. This domain is attributed to the following attack: CryptoWall Ransomware.

See spikes in global requests to a domain. Chart: DNS Queries/Hour (0 to 4K) from 4/16 to 5/2.

Domain associated with many IPs with very short TTL.
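Pages 15, 16 and 19 describe the anomaly signals behind a fast flux call: many IPs, very short TTLs, and hosting spread across many networks and countries. The following Python computes those signals from a passive DNS history and applies a threshold rule. It is an added example, not code from the deck or from OpenDNS; the record layout, the IP-to-ASN/country table and the three sample histories are constructed for the example (assumption: in practice they come from a passive DNS source and a geo/ASN database). It also shows the caveat a practitioner needs here: a CDN-fronted site has low TTLs and many IPs too, so the rule requires ASN and country diversity before it flags anything.

```python
"""Score a domain's passive DNS history for fast-flux behavior.

Added example, not OpenDNS/Cisco code. IP_META and SAMPLE_PDNS are CONSTRUCTED.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ARecord:
    """One passive DNS observation: the domain resolved to ip with this TTL at time t."""
    t: int       # epoch seconds of the observation
    ip: str
    ttl: int


# Constructed IP -> (ASN, country) table standing in for a geo/ASN database.
IP_META = {
    "198.51.100.7": (64501, "UA"), "203.0.113.9": (64502, "BR"),
    "192.0.2.44": (64503, "IN"), "198.51.100.90": (64504, "TR"),
    "203.0.113.120": (64505, "VN"), "192.0.2.201": (64506, "RO"),
    "198.51.100.33": (64501, "UA"), "203.0.113.77": (64507, "ID"),
    # CDN-like provider: many addresses, one ASN, two countries
    "192.0.2.10": (64600, "US"), "192.0.2.11": (64600, "US"),
    "192.0.2.12": (64600, "DE"), "192.0.2.13": (64600, "DE"),
    "192.0.2.14": (64600, "US"), "192.0.2.15": (64600, "US"),
    # ordinary static site
    "198.51.100.200": (64700, "US"),
}


def flux_features(records):
    """Compute the signals the slides list: IP churn, TTL, network and country spread."""
    if not records:
        raise ValueError("no passive DNS records")
    ips = {r.ip for r in records}
    asns = {IP_META[r.ip][0] for r in records}
    countries = {IP_META[r.ip][1] for r in records}
    span_days = max((max(r.t for r in records) - min(r.t for r in records)) / 86400, 1.0)
    asn_counts = Counter(IP_META[r.ip][0] for r in records)
    return {
        "distinct_ips": len(ips),
        "distinct_asns": len(asns),
        "distinct_countries": len(countries),
        "min_ttl": min(r.ttl for r in records),
        "ips_per_day": round(len(ips) / span_days, 2),
        # share of observations on the single most common ASN; ~1.0 means one provider (CDN-like)
        "top_asn_share": round(max(asn_counts.values()) / len(records), 2),
    }


def is_fast_flux(f, max_ttl=300, min_ips=5, min_asns=3, min_countries=3) -> bool:
    """Short TTL alone is not enough (CDNs do that too); require spread across networks."""
    return (f["min_ttl"] <= max_ttl
            and f["distinct_ips"] >= min_ips
            and f["distinct_asns"] >= min_asns
            and f["distinct_countries"] >= min_countries)


DAY = 86400
# Constructed histories: a flux rotation, a CDN-fronted site, and a static site.
SAMPLE_PDNS = {
    "flux.example": [
        ARecord(0, "198.51.100.7", 300), ARecord(3600, "203.0.113.9", 180),
        ARecord(DAY, "192.0.2.44", 120), ARecord(DAY + 7200, "198.51.100.90", 300),
        ARecord(2 * DAY, "203.0.113.120", 240), ARecord(2 * DAY + 1800, "192.0.2.201", 180),
        ARecord(3 * DAY, "198.51.100.33", 300), ARecord(3 * DAY + 600, "203.0.113.77", 120),
    ],
    "cdn.example": [ARecord(i * 3600, f"192.0.2.{10 + i}", 60) for i in range(6)],
    "static.example": [ARecord(0, "198.51.100.200", 86400), ARecord(30 * DAY, "198.51.100.200", 86400)],
}


def classify_all():
    """Apply the rule to every sample history; only the rotation should be flagged."""
    return {name: is_fast_flux(flux_features(recs)) for name, recs in SAMPLE_PDNS.items()}


if __name__ == "__main__":
    for name, recs in SAMPLE_PDNS.items():
        print(name, flux_features(recs), "FAST FLUX" if is_fast_flux(flux_features(recs)) else "ok")
```

Tune the thresholds to the data you have; the slides' own example spanned more than 20 countries, far above the minimums used here, and the share-of-top-ASN figure is what separates a CDN (one provider) from a botnet of compromised hosts on many residential networks.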

Page 20

Stay Ahead of Attacks

Find related infrastructure: pivot on Domain, IP Address and ASN to build out a view of the attacker’s infrastructure

UMBRELLA: Enforce protection

Page 21

Speed up investigations with WHOIS

Query suspicious domain found in proxy logs

Find site was registered by a privacy protection service

Historical data shows previous registrants; looks like someone was trying to cover their tracks…

Pivot to find other malicious domains: was registered with email used with other malicious domains

See name server history; uncover other contact information

Single, correlated source

Page 22

Stay ahead of attacks with WHOIS

Start with known registrar of past APT1 domains

Find 31 domains currently registered

Pivot on suspicious-looking domain

Pivot on the IP; uncover malicious domains to proactively block

3 clicks to uncover attackers’ infrastructure

Page 23

Enrich Other Systems With Real-time Data

Automatically enrich incident tickets

•  Helpdesk tickets automatically updated with Investigate results
•  Ex: end user logs a ticket saying a site is blocked; Investigate gives context about why

Vet new firewall rules before implementing

•  When adding a new FW rule, use Investigate to automatically annotate notes with scoring details

Check new domains

•  Query Investigate with net new domains requested by users to see if they’re suspicious
•  Vet domains added to public-facing community pages

Page 24