Page 74 - CSI - Cisco Security Introduction - BT

Why leverage DNS to Detect and Block Threats


Most attacker C2 is initiated via DNS lookups, with some non-Web callbacks.

[Diagram: non-Web C2 shown as a direct IP connection; Web C2 shown as a DNS lookup followed by an IP connection]

Left side of the diagram (Lancope Research, now part of Cisco; see NOTE1):
   • 15% of C2 bypasses Web ports 80 & 443
   • data set: millions of unique malware samples from small office LANs over 2 years

Right side of the diagram (Cisco AMP Threat Grid Research; see NOTE2):
   • 91% of C2 can be blocked at the DNS layer
   • data set: millions of unique malware samples submitted to sandbox over 6 months

NON-WEB C2 EXAMPLES: Storm, Regin, Bifrose, Starsypound (APT1), Pushdo/Cutwail, DarkComet, Gameover Zeus, Gh0st, Lethic, Hesperbot, Longrun (APT1), Kelihos, Seasalt (APT1), njRAT, Tinba, Citadel, Biscuit (APT1), PoisonIvy, Zbot, Glooxmail (APT1), ZeroAccess, Bouncer (APT1)

NOTE1: 2013 Visual Investigations of Botnet Command and Control Behavior
   • malware reached out to 150,000 C2 servers over 100,000 TCP/UDP ports
   • malware often used 866 (TCP) & 1018 (UDP) "well known" ports,
     whereas legitimate traffic used 166 (TCP) & 19 (UDP) ports

NOTE2: 2016 Cisco Annual Security Report
   • 9% had IP connections only and/or legitimate DNS requests
   • 91% had IP connections, which were preceded by malicious DNS lookups
   • very few had no IP connections
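The slide's split between C2 that is preceded by a DNS lookup (and so can be stopped at the DNS layer) and C2 that goes straight to an IP is something a defender can measure in their own telemetry. The following is an added example, not code from the slide deck or from Cisco: it correlates constructed DNS answer log lines with constructed outbound connection log lines, tags each connection as "block-at-dns" (preceding lookup for a blocklisted name), "dns-preceded" (preceding lookup for any name), or "direct-ip" (no preceding lookup from that host), and reports the DNS-preceded share. The log format, the five-minute correlation window, the blocklist entry and all addresses are assumptions made for the example.

```python
"""Correlate outbound connections with the DNS answers that preceded them.

Added example; all log lines, names and addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS resolver log: who asked for what, and which IP came back.
DNS_LOG = """\
2024-01-10T10:00:01Z dns client=10.0.0.5 qname=update.example-bad.test answer=203.0.113.10
2024-01-10T10:00:03Z dns client=10.0.0.5 qname=www.example.org answer=198.51.100.7
2024-01-10T10:05:00Z dns client=10.0.0.9 qname=cdn.example.net answer=198.51.100.20
"""

# Constructed outbound connection log from a firewall or flow collector.
CONN_LOG = """\
2024-01-10T10:00:02Z conn src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
2024-01-10T10:00:04Z conn src=10.0.0.5 dst=198.51.100.7 dport=80 proto=tcp
2024-01-10T10:01:30Z conn src=10.0.0.7 dst=203.0.113.55 dport=8080 proto=tcp
2024-01-10T10:05:01Z conn src=10.0.0.9 dst=198.51.100.20 dport=443 proto=tcp
"""

DOMAIN_BLOCKLIST = {"update.example-bad.test"}  # constructed blocklist entry
WINDOW = timedelta(minutes=5)  # assumed: a lookup counts if it happened within 5 min before the connection


def parse_line(line):
    """Parse 'TIMESTAMP KIND key=value ...' into a dict with a datetime 'ts'."""
    ts, kind, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def classify(dns_log=DNS_LOG, conn_log=CONN_LOG, blocklist=DOMAIN_BLOCKLIST, window=WINDOW):
    """Tag each connection by whether a DNS answer from the same host preceded it."""
    # Index answers by (client, answered IP) so a connection can be matched by (src, dst).
    answers = defaultdict(list)
    for line in dns_log.splitlines():
        r = parse_line(line)
        answers[(r["client"], r["answer"])].append((r["ts"], r["qname"]))

    results = []
    for line in conn_log.splitlines():
        c = parse_line(line)
        # Candidate lookups: same host, same IP, answered at or before the connection, within the window.
        cands = [
            (ts, qname)
            for ts, qname in answers.get((c["src"], c["dst"]), [])
            if 0 <= (c["ts"] - ts).total_seconds() <= window.total_seconds()
        ]
        if cands:
            _, qname = max(cands)  # most recent matching lookup
            verdict = "block-at-dns" if qname in blocklist else "dns-preceded"
        else:
            qname, verdict = None, "direct-ip"
        results.append({"src": c["src"], "dst": c["dst"], "dport": int(c["dport"]),
                        "qname": qname, "verdict": verdict})
    return results


def summarize(results):
    """Share of connections that a DNS-layer control could have seen first."""
    total = len(results)
    preceded = sum(1 for r in results if r["verdict"] != "direct-ip")
    return {
        "total": total,
        "dns_preceded": preceded,
        "direct_ip": total - preceded,
        "dns_preceded_pct": round(100 * preceded / total, 1) if total else 0.0,
    }


if __name__ == "__main__":
    res = classify()
    for r in res:
        print(f"{r['src']} -> {r['dst']}:{r['dport']}  {r['verdict']}  ({r['qname']})")
    print(summarize(res))
```

The "direct-ip" bucket is the part of the slide's picture that a DNS-layer control cannot see at all; those connections are the ones that need the IP/port-layer visibility described in NOTE1, so tracking that share over time tells you how much of your outbound traffic the DNS layer is actually positioned to catch.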

