Craig Sprosts is the General Manager of Fixed Broadband Solutions at Nominum, a company committed to making the Internet safer and more useful for the 500 million end users who rely on Nominum's DNS and DHCP-based solutions.
Craig joined Nominum in June 2008 and regularly consults with customers around the world about ways to better use technology to secure their network. Craig has spent the last 10 years creating and promoting innovative technologies to secure ISP and enterprise networks and make it easier for people to stay safe online.
Prior to joining Nominum, Craig worked at IronPort Systems, a leading email and web security company. At IronPort, Craig managed their anti-spam and anti-malware products, led their security research team and launched widely used public tools such as senderbase.org that help network operators identify and prevent spam and abusive communications originating from their networks.
Craig holds five security-related patents and received a Bachelor of Science from the State University of New York at Albany and an MBA from MIT's Sloan School of Management.
Leveraging the DNS to improve situational awareness and mitigate attacks
While it is often acknowledged that DNS can play a role in detecting and mitigating the spread of malware, the DNS arguably remains an underutilized tool in the fight against cybercrime. TDL4, Conficker, Aurora and Duqu are just several examples of botnets whose activity can be detected and significantly disrupted using the DNS. Likewise, DNS can play a critical role in preventing end-users from downloading malware or falling victim to phishing attacks. However, relatively few operators are fully utilizing the DNS to protect their networks and users from these attacks.
Security vendors have done a remarkable job of identifying and tracking even the most agile attacks, but the value of their efforts is substantially diminished if people are unwilling, or unable, to keep their client software current. Likewise, IP-Flow monitoring techniques may detect large-scale attacks that use the DNS but often fail to adequately identify botnet activity because of down-sampling. Even when IP-Flow monitoring does detect malicious activity, these tools may be unable to protect users because they do not sit inline in the data or control plane.
Agile attacks require agile defenses. Since virtually every threat today originates in the network, moving not only threat detection but also mitigation into the DNS can improve a network's security posture. Aggregation is a natural benefit of moving security protections into the DNS: a few systems, strategically situated, can provide effective protection for potentially millions of hosts. Fewer systems means updating threat information is simpler and far more reliable, which greatly improves agility and responsiveness to a rapidly changing threat landscape, and the burden on hosts can be reduced, especially as network-based protections become pervasive.
Taking advantage of one of the latest methods for protecting networks against botnets and other malware can be a straightforward proposition: it involves adding intelligence to caching DNS servers so they can identify malicious Internet destinations. This can be done by dynamically updating caching servers with the latest threat information from "reputation lists", so that they are aware of threats as they emerge. When an Intelligent DNS server sees a request for a web destination that matches a cached malicious destination, it can provide a safer, more "intelligent" answer based on policies set by the network operator. For instance, depending on the type of threat, the server could:
- Log the request if the threat is not serious or not well understood (to capture data for further analysis), or
- Provide the IP address of a "safe" website when a user requests a malicious destination; this website could offer specific guidance on the threat and link to other resources, or
- Provide the IP address of a sinkhole where traffic can be analyzed, or a blackhole where it is dropped.
Other policies are possible, based on a network operator's needs.
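As an added illustration of the policy logic described above (example code written for this page, not Nominum's product code), the following Python sketch checks each queried name against a constructed reputation list and applies the log, redirect, sinkhole or blackhole action the operator configured for that threat category; the list entries, categories and 192.0.2.x addresses are assumed placeholders.

```python
from typing import Optional, Tuple

# Constructed sample reputation list: listed domain -> threat category.
# A listed domain also covers all of its subdomains.
REPUTATION = {
    "botnet-c2.example": "botnet",
    "phish.example": "phishing",
    "flood.example": "ddos",
    "suspicious.example": "unknown",
}

# Operator policy per category (assumed values; addresses are from the
# RFC 5737 documentation range, not real infrastructure):
#   log       -> answer normally but record the query for analysis
#   redirect  -> answer with the walled-garden address instead
#   sinkhole  -> answer with the sinkhole collector's address
#   blackhole -> return no address at all, so the traffic is dropped
POLICY = {
    "unknown": ("log", None),
    "phishing": ("redirect", "192.0.2.10"),
    "botnet": ("sinkhole", "192.0.2.20"),
    "ddos": ("blackhole", None),
}

AUDIT_LOG = []  # (qname, category, action) records kept for analysts

def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing dot of an FQDN."""
    return name.rstrip(".").lower()

def match_reputation(qname: str) -> Optional[str]:
    """Category of qname or of its closest listed parent, else None.
    Matching is per label: 'login.phish.example' matches 'phish.example',
    'notphish.example' does not."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        category = REPUTATION.get(".".join(labels[i:]))
        if category is not None:
            return category
    return None

def resolve_policy(qname: str, upstream_answer: str) -> Tuple[str, Optional[str]]:
    """Return (action, address) the caching server should use for qname;
    upstream_answer is what an ordinary recursive lookup returned."""
    category = match_reputation(qname)
    if category is None:
        return ("pass", upstream_answer)
    action, address = POLICY[category]
    AUDIT_LOG.append((normalize(qname), category, action))
    return (action, upstream_answer if action == "log" else address)
```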
This presentation will explore how network operators might better utilize DNS data to detect and mitigate attacks against their network and users. It will cover:
Copyright © 2012 The University of Queensland, authorised by AusCERT Program Committee, maintained by: email@example.com