Page 55 - CSI - Cisco Security Introduction

Why leverage DNS to Detect and Block Threats




Most attacker C2 is initiated via DNS lookups, with some non-Web callbacks

[Figure: two headline statistics flanking a list of non-Web C2 examples; the diagram beneath is labelled "IP / DNS / IP" and "NON-WEB / WEB"]

15% of C2 bypasses Web ports 80 & 443
  Source: Lancope Research (now part of Cisco), note 1: millions of unique malware samples from small office LANs over 2 years

NON-WEB C2 EXAMPLES: Storm, Regin, Bifrose, Starsypound (APT1), Pushdo/Cutwail, DarkComet, Gameover Zeus, Gh0st, Lethic, Hesperbot, Longrun (APT1), Kelihos, Seasalt (APT1), njRAT, Tinba, Citadel, Biscuit (APT1), Zbot, PoisonIvy, Glooxmail (APT1), ZeroAccess, Bouncer (APT1)

91% of C2 can be blocked at the DNS layer
  Source: Cisco AMP Threat Grid Research, note 2: millions of unique malware samples submitted to sandbox over 6 months

NOTE1: 2013 Visual Investigations of Botnet Command and Control Behavior (link)
  • malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports
  • malware often used 866 (TCP) & 1018 (UDP) “well known” ports, whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports

NOTE2: 2018 Cisco Annual Security Report
  • 9% had IP connections only and/or legitimate DNS requests
  • 91% had IP connections, which were preceded by malicious DNS lookups
  • very few had no IP connections
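The slide's point is that most C2 connections are preceded by a DNS lookup, so a DNS-layer control sees them first, while a minority of direct-to-IP callbacks never touch DNS at all. The following is an added illustration (not from the slide deck or from Cisco) of how a defender can measure that split on their own telemetry: it correlates each outbound connection with the DNS answers the same client received shortly before, then labels the connection as blockable at the DNS layer (resolved from a denylisted name), benign (resolved from an allowed name), or no-DNS (the direct-IP case DNS filtering cannot catch). The log formats, the denylisted name and the five-minute window are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs for the example (not real telemetry).
# DNS log format assumed here: "<iso-ts> <client> query <qname> <rtype> <answer-ip>"
DNS_LOG = [
    "2024-01-01T10:00:00 10.0.0.5 query www.example.com A 93.184.216.34",
    "2024-01-01T10:00:02 10.0.0.5 query update.bad-domain.invalid A 198.51.100.7",
    "2024-01-01T10:00:05 10.0.0.9 query cdn.example.net A 203.0.113.20",
]
# Connection log format assumed here: "<iso-ts> <client> -> <dst-ip>:<dst-port>"
CONN_LOG = [
    "2024-01-01T10:00:01 10.0.0.5 -> 93.184.216.34:443",
    "2024-01-01T10:00:03 10.0.0.5 -> 198.51.100.7:8080",
    "2024-01-01T10:00:06 10.0.0.9 -> 203.0.113.20:80",
    "2024-01-01T10:00:07 10.0.0.9 -> 192.0.2.55:1018",
]
# Hypothetical denylist: names a DNS-layer control would refuse to resolve.
DENYLIST = {"update.bad-domain.invalid"}
# How far back to look for the DNS answer that explains a connection.
WINDOW = timedelta(minutes=5)


@dataclass
class Resolution:
    ts: datetime
    client: str
    qname: str
    ip: str


def parse_dns(lines):
    """Parse the assumed DNS log format into Resolution records."""
    out = []
    for line in lines:
        ts, client, _, qname, _, ip = line.split()
        out.append(Resolution(datetime.fromisoformat(ts), client, qname, ip))
    return out


def parse_conn(lines):
    """Parse the assumed connection log format into (ts, client, ip, port)."""
    out = []
    for line in lines:
        ts, client, _, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        out.append((datetime.fromisoformat(ts), client, ip, int(port)))
    return out


def classify(dns_lines, conn_lines, denylist, window=WINDOW):
    """Label each connection by whether DNS saw it first.

    dns_blockable: destination was resolved from a denylisted name, so a
                   DNS-layer block would have prevented the connection.
    benign:        destination was resolved from a name not on the denylist.
    no_dns:        no matching lookup by that client in the window; this is the
                   direct-to-IP traffic DNS filtering cannot see.
    """
    resolutions = parse_dns(dns_lines)
    verdicts = {"dns_blockable": [], "no_dns": [], "benign": []}
    for ts, client, ip, port in parse_conn(conn_lines):
        prior = [
            r for r in resolutions
            if r.client == client and r.ip == ip and ts - window <= r.ts <= ts
        ]
        label = f"{client}->{ip}:{port}"
        if not prior:
            verdicts["no_dns"].append(label)
        elif any(r.qname in denylist for r in prior):
            verdicts["dns_blockable"].append(label)
        else:
            verdicts["benign"].append(label)
    return verdicts


def dns_visibility_share(verdicts):
    """Fraction of connections that had a preceding DNS answer (0.0 to 1.0)."""
    total = sum(len(v) for v in verdicts.values())
    seen = len(verdicts["dns_blockable"]) + len(verdicts["benign"])
    return seen / total if total else 0.0


if __name__ == "__main__":
    result = classify(DNS_LOG, CONN_LOG, DENYLIST)
    for verdict, conns in result.items():
        print(verdict, conns)
    print("share with preceding DNS:", dns_visibility_share(result))
```

In practice the `no_dns` bucket is the one to watch alongside the DNS filter: it is where the non-Web, direct-IP families on the slide would land, so it should feed a NetFlow or firewall rule rather than being treated as covered by DNS-layer blocking.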

© 2018 Engage ESM All Rights Reserved