Improving network security with IP & DNS reputation services

Post on 12-Jul-2015


Sandeep

Discussed at WHP Local Meet

Reference: Improved network security with IP & DNS Reputation Services, A Business Whitepaper by HP Tipping Point Solutions

• Smart work is required by security professionals to stay ahead of malicious attacks

• Motivated hackers use botnets and other resources for attacks

• Low risk of being caught and prosecuted

info@whitehatpeople.com

Network traffic is divided into three parts:

Good Traffic: trusted traffic that should pass through the network unimpeded and uninspected

Bad Traffic: traffic that should be blocked proactively, before it can attempt to compromise the network

Ugly Traffic: untrusted traffic that requires deep packet inspection to determine whether it is “good” (legitimate) or “bad” (malicious)


• Bad devices can be identified by IP and DNS addresses, and the traffic they spew can be blocked. These devices are used as:

Botnet Command and Control (CnC) sites: 5,000 to 6,000 botnet command and control sites worldwide. Botnet CnC servers are constantly moving to evade detection and blocking efforts by security and network personnel.

Techniques used by botnet masters to avoid being discovered are as follows: use of IRC, P2P and HTTP traffic allows them to bypass traditional firewalls and some IPS security measures


Use of dynamic algorithms to select CnC servers, which makes them impossible to block using firewall ACLs

Uses both DNS & IP Addresses for identifying CnC Servers

Identifying botnet CnC servers requires detailed botnet analysis and frequent updating of CnC lists.

Malware depots:

2,500 to 50,000 devices acting as malware depots or hosting malicious content are discovered daily worldwide


Malware Depots: Two Types

1. Websites designed to lure victims and then infect their devices

2. Web sites of legitimate businesses that are compromised because they haven’t been properly secured.

Depots are used as malware drop sites and for hosting malware software updates

The lookup mechanism is always a DNS address


Malware Depot Identification Process:

1. Monitoring for malware downloads and tracking their origin

2. Evaluating data hosting sites worldwide.


Phishing Sites: 50,000 or more new phishing sites are introduced to the Internet monthly

Two types of phishing sites:

1. Purpose Built sites

2. Sites that appear to be part of a known credible business


Compromised Hosts: most commonly compromised by bot malware

They stay under the control of a remote botnet master through botnet CnC sites

A compromised host can be used by the botnet master to conduct a variety of malicious attacks:

Spreading Malware

Compromising additional hosts to create more botnet devices


Performing reconnaissance scans

Providing access to local networks for further compromise

Conducting Distributed Denial of Service (DDoS) attacks

Conducting email spam or phishing campaigns

Conducting online click-fraud scams


Determine if a device is “behaving badly”

Block Access to and from Devices that have a known bad reputation

This requires a reputation database with significant metadata on each of these badly behaving devices, identified by IPv4 or IPv6 address or by DNS name


A Security Research Team that can:

Collect large amounts of device data

Correlate these large data sets

Validate the results of the data sets

Provide Frequent Database updates

Assign a reputation score
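The good/bad/ugly traffic split described earlier and the collect, correlate, validate, score pipeline on this slide, worked through as an added example. This is illustration code written for this page, not the deck's or HP TippingPoint's own implementation: the event feed, category weights, block threshold, staleness window and all indicators (addresses from the documentation ranges 198.51.100.0/24, 203.0.113.0/24 and 2001:db8::/32, names under .example and .test) are constructed assumptions. It goes slightly beyond the slides by showing why indicator normalization matters: an IPv6 address written two ways, or a DNS name with different case or a trailing dot, must collapse to one database key or the lookup misses.

```python
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Evidence categories named in the deck; weights and threshold are assumptions.
CATEGORY_WEIGHT = {
    "botnet_cnc": 80,
    "malware_depot": 60,
    "phishing": 60,
    "compromised_host": 40,
    "scan": 20,
}
BLOCK_THRESHOLD = 70          # score >= this -> "bad": block proactively
MAX_AGE = timedelta(days=30)  # events older than this no longer count


@dataclass
class Event:
    indicator: str   # IPv4/IPv6 address or DNS name reported by a collector
    category: str    # one of CATEGORY_WEIGHT
    source: str      # sensor, crawler or analysis team that produced it
    seen: datetime


@dataclass
class Reputation:
    score: int = 0
    categories: set = field(default_factory=set)
    sources: set = field(default_factory=set)
    last_seen: datetime | None = None


def normalize(indicator: str) -> str:
    """Canonical database key: compressed IP text, or lowercase name without trailing dot."""
    try:
        return str(ipaddress.ip_address(indicator.strip()))
    except ValueError:
        return indicator.strip().lower().rstrip(".")


def build_database(events: list[Event], now: datetime) -> dict[str, Reputation]:
    """Collect -> correlate per device -> validate -> assign a 0..100 score."""
    by_device: dict[str, list[Event]] = defaultdict(list)
    for ev in events:
        if now - ev.seen <= MAX_AGE:          # collect: drop stale evidence
            by_device[normalize(ev.indicator)].append(ev)
    db: dict[str, Reputation] = {}
    for key, evs in by_device.items():        # correlate: merge all evidence per device
        rep = Reputation(
            categories={e.category for e in evs},
            sources={e.source for e in evs},
            last_seen=max(e.seen for e in evs),
        )
        raw = sum(CATEGORY_WEIGHT.get(c, 0) for c in rep.categories)
        if len(rep.sources) < 2:              # validate: one uncorroborated source never reaches "bad"
            raw = min(raw, BLOCK_THRESHOLD - 1)
        rep.score = min(raw, 100)             # assign score
        db[key] = rep
    return db


def classify(indicator: str, db: dict[str, Reputation], allowlist: set[str]) -> str:
    """Three-way split: good passes uninspected, bad is blocked, ugly goes to deep inspection."""
    key = normalize(indicator)
    if key in {normalize(a) for a in allowlist}:
        return "good"
    rep = db.get(key)
    if rep is not None and rep.score >= BLOCK_THRESHOLD:
        return "bad"
    return "ugly"


# Constructed sample feed (not real indicators).
NOW = datetime(2015, 7, 12, tzinfo=timezone.utc)
EVENTS = [
    Event("198.51.100.7", "botnet_cnc", "sensor-eu", NOW - timedelta(days=1)),
    Event("198.51.100.7", "botnet_cnc", "malware-lab", NOW - timedelta(days=2)),
    Event("Evil-Update.example.", "malware_depot", "web-crawler", NOW - timedelta(days=3)),
    Event("login.bank-example.test", "phishing", "web-crawler", NOW - timedelta(days=1)),
    Event("login.bank-example.test", "malware_depot", "malware-lab", NOW - timedelta(days=4)),
    Event("2001:0db8::0042", "scan", "sensor-eu", NOW - timedelta(days=40)),  # stale
]
ALLOWLIST = {"203.0.113.10", "updates.example"}
DB = build_database(EVENTS, NOW)

if __name__ == "__main__":
    for ind in ["198.51.100.7", "EVIL-UPDATE.example", "login.bank-example.test",
                "2001:db8::42", "203.0.113.10", "updates.example."]:
        rep = DB.get(normalize(ind))
        print(f"{ind:28} score={rep.score if rep else 0:3} -> {classify(ind, DB, ALLOWLIST)}")
```

The validation step is the part worth copying: a device seen by only one collector is capped below the block threshold, so a single noisy sensor cannot by itself push a legitimate site into the blocked set, which is exactly the false-positive risk a reputation feed carries when its collection network is small.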


The Research Team must:

Collect real-time attack events with very detailed attack data from a large worldwide community of sensors

Analyze Web traffic and crawl Web sites of interest to collect data on sites hosting malicious content or scams

Conduct careful malware analysis to identify botnet CnC sites, and botnet and malware drop sites

Analyze attacks and scams to identify the devices that are participating in or conducting the attacks


Note: The most important component in building a strong reputation service is the depth of the database. Database quality depends heavily on the size, scope, and distribution of the attack collection sites, and on the quality and depth of the collected attack data.

Recommendation: HP TippingPoint IP & DNS Reputation Services by HP

Reference: Improved network security with IP and DNS reputation, a business white paper by HP TippingPoint Solutions


About whitehat ‘People’

whitehat ‘People’ is an ‘open consortium’ of national intellects delved to security being the sole intent; trained and specialized in the conception of solutions in all areas of our technical consulting services. whitehat ‘People’ produces white papers for the industry, presents at symposiums, technology and business conferences nationwide, and provides "thought leadership" for next generation technologies which are currently being deployed in a rapidly changing and fluid market place. The members include security researchers and consultants who are up-to-date with developments in technology from hardware and software vendors to ensure they are leading, and not following, the market. whitehat ‘People’ adheres to the following ideals:

1. "Help government and industry maximize the value of information security in information technology."

2. "Deliver leading-edge information technology and services, support, training and education."

3. "Function as a strategic arm for the clients by leveraging new concepts to support strategic goals and conceptual plans."
