From New York City, it's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technology.

They were testing it.

Okay, welcome back everyone. We are here live in New York City for CyberConnect 2017. theCUBE's coverage is presented by Centrify, an industry event bringing all the leaders of industry and government together around all the great opportunities to solve the crisis of our generation, cybersecurity. We are here with Cricket Liu, Chief DNS Architect and Senior Fellow at Infoblox. Cricket, great to see you again. Welcome to theCUBE.

Thank you, nice to be back, John.

So we're live here, and really this is the first inaugural event of CyberConnect, bringing government and industry together. We saw the retired general on stage talking about some of the history but also the fluid nature. We saw Jim from Aetna talking about unconventional tactics, and talking about domains and how he was handling email. That's a DNS problem.

Yeah, yeah, yeah.

You're the DNS guru. DNS has come to play a big role in this. What's going on here around DNS? Why is it important to CyberConnect?

Well, you know, I'll be talking tomorrow about the first anniversary, a little bit later than the first anniversary, of the big DDoS attack on Dyn, the DNS hosting provider up in Manchester, New Hampshire. And trying to determine if we've actually learned anything: have we improved our DNS infrastructure in any way in the ensuing year plus? Are we doing anything from a standards standpoint on protecting DNS infrastructure, those sorts of things?

And certainly one of the highlight examples was that mobile users are masked by the DNS on, say, email, for instance; Jim was pointing that out. I've got to ask you, because, you know, we heard things like sinkholing addresses, hackers create domain names in the first 48 hours, launch attacks, so there are all kinds of tactical things that are involved with, say, domain names, for instance.
That's part of the critical infrastructure. So the question is, how, and DDoS attacks, DNS service attacks, are coming in in the tens of thousands per day?

Yeah, well, that issue that you talked about, in particular, the idea that the bad guys register brand new domain names, domain names that, initially, of course, have no negative reputation associated with them. My friend Paul Vixie and his new company, Farsight Security, have been working on that. They have what's called a passive DNS database.

What was this company again?

Farsight. Farsight, yeah. And so they have what's called a passive DNS database, which is a database basically of DNS telemetry that is accumulated from big recursive DNS servers around the internet. So they know when a brand new domain name pops up somewhere on the internet, because somebody has to resolve it, and they pump all of these brand new domain names into what's called a response policy zone feed. And you can get, for example, different thresholds: I want to see the brand new domain names created over the last 30 minutes, or seen over the last 30 minutes. And if you block resolution of those brand new domain names, it turns out you block a tremendous amount of really malicious activity. And then after, say, 30 minutes, if it's a legitimate domain name, it falls off the list, and then you can resolve it.

So they're essentially doing DNS signaling as a service for new name registrations, because the demand is for software APIs that say, hey, I want to create some policy around some techniques to sinkhole domain address access. Is that what it is, something like that?

Yeah, basically this goes hand in hand with this new system, response policy zones, which allows you to implement DNS policy, something that we've really never before done with DNS servers. Actually, that's not quite true. There have been proprietary solutions for it, but response policy zones are an open solution.
They give you the ability to say, hey, I do want to allow resolution of this domain name, but not this other domain name. And then you can say, all right, all of these brand new domain names, for the first 30 minutes of their existence, I don't want to allow people to-

It's like a background check for domain names.

Yeah, yeah, yeah, or like a wait list, right? Okay, you don't get resolved for the first 30 minutes. That gives the sort of traditional reputational analyzers, so Spamhaus and SURBL and people like that, a chance to look you over and say, yeah, it's malicious, or it's not malicious.

So that serves to be run by Paul Vixie, who is the contributor to the DNS protocol.

That's right. Right, an enormous contributor, yeah.

So we should keep an eye on that. Check it out, Paul Vixie. All right, so DNS is critical infrastructure. We've been talking about that. You and I love to riff about DNS and the role, what's it enabled? I'll say it's ASCII, but I've got to ask you, all this Unicode stuff about the emoji and the open source really highlights the Unicode phenomenon.

Yeah, yeah.

What is a hacker's potential haven, the DNS and Unicode distinction?

It's really interesting from a DNS standpoint, because we went to a lot of effort within the IETF, the Internet Engineering Task Force, some years ago, back when I was more involved in the IETF. Some people spent a tremendous amount of effort coming up with a way to allow people to use Unicode within domain names, so that you could type something into your browser that was in traditional or simplified Chinese, or that was in Arabic, or was in Hebrew, or any number of other scripts, and you could type that in and it would be translated into something that we call Punycode in the DNS community, which is an ASCII equivalent to that. The issue with that, though, becomes that there are, we would say glyphs, most people I guess would say characters, but there are characters in Unicode that look just like, say, Latin alphabet characters.
So there's a lowercase a, for example, in Cyrillic. It's not a lowercase a in the Latin alphabet. It's a Cyrillic a, but it looks just like an a. And so it's possible for people to register names, domain names, that in their Unicode representation look like, for example, PayPal, which of course has two a's in it, and those two a's could be Cyrillic a's.

Not truly the ASCII representation of PayPal, which would resolve through the DNS.

Exactly. So imagine how subtle an attack that would be if you were able to send out a bunch of email including links that said www.paypal.com.

Yeah, someone's hacked your PayPal account. Click here.

Yeah, exactly. And if you eyeballed it, you'd think, well, sure, that's www.paypal.com, but little do you know that it's actually not.

So Jim Routh talked about applying unconventional methods, because the bad guys don't subscribe to the conventional methods, they don't buy into it. He said that they change up their standards, is what I wrote down, but maybe it's their sort of security footprint, 1.5 times a day. How does that apply to sort of your DNS world? Is that even, how do you even do that?

Well, we're beginning to do more and more with analytics on DNS. The passive DNS database that I talked about: more and more big security players, including Infoblox, are collecting passive DNS data, and you can run interesting analytics on that passive DNS data, and you can, in some cases, automatically detect suspicious or malicious behavior. For example, you can say, hey, look, this name-to-IP-address mapping is changing really, really rapidly, and that might be an indication of, say, fast flux. Or you can say, these domain names have really high entropy; you know, we did an n-gram analysis of the labels of these, and as a consequence of that, we believe that the resolution of these domain names is actually being used to tunnel data out of an organization or into an organization.
So there are some things that you can do with these analytical algorithms in order to suss out suspicious and malicious activity.

And you're doing that in as close to real time as possible, presumably, right?

That's right.

Okay, and so now everybody's talking about edge, edge computing, edge analytics. How will the edge affect your ability to keep up?

Well, you know, the challenge, I think, with doing analytics on passive DNS is that you have to be able to collect that data from a lot of places. The more places that you have, the more sensors that you have collecting passive DNS data, the better. You need to be able to get it out from the edge, from those local recursive DNS servers that are actually responding to the queries that come from, say, your smartphone or your laptop or what have you. If you don't have that kind of data, if you've only got, say, big ISPs, then you may not detect the compromise of somebody's corporate network, for example.

I was looking at some stats when I asked the IoT question, because you're kind of teasing out the edge of the network, and this, with mobile and wearables, as the general was pointing out, is going to create more surface area. But I also just saw a story, I don't know if it was from Google or wherever, but 80% plus, roughly, of websites are going to have SSL, HTTPS, and resolving through. And there are reports out here that a lot of the antivirus provisions have been failing because of compromised certificates. And to quote, this is from Research Park, and we'll get your reaction to this. Our results show, this is from the University of Maryland, College Park: "Our results show that compromised certificates pose a bigger threat than we previously believed and is not restricted to advanced threats, and digitally signed malware was common in the wild well before Stuxnet." And so breaches have been caused by compromising certificates of actual authority.
So this brings up the whole, okay, SSL was supposed to be solving this; that's just one problem. They get the certificates well before Stuxnet. So Stuxnet really was kind of going on before Stuxnet. Now you get the edge of the network. Who has the DNS control for these devices? Well, so is it kind of like failing? Is it crumbling? How do we get that trust back?

Well, that's a good question. You know, one of the issues that we've had is that at various points, CAs, certificate authorities, have been conned into issuing certificates for websites that they shouldn't have. For example, hey, generate a cert for me.

The Chinese do it all the time.

Exactly, I run www.bankofamerica.com.

They give it to the wrong guy, he installs it.

We have, I think, something like 1500 top-level certification authorities. Something crazy like that. Dan Kaminsky had a number in one of his blog posts, and it was absolutely ridiculous, the number of different CAs that we trust that are built in to most common browsers like Chrome and Firefox and things like that. We're actually trying to address some of those issues with DNS, so there are two new resource records being introduced to DNS. One is called TLSA.

TLSA?

TLSA. Yeah, and the other one is called CAA, I think, which always makes me think of the California Automotive Association, but TLSA is basically a way of publishing data in your own zone that says, my cert looks like this. You can say, this is my cert. You can just completely go around the CA, and you can say, this is my cert, and then you DNSSEC-sign your zone and you're done. Or you can do something short of that, and you can say, my cert should look like this and it should have this CA, right? This is my CA. Don't trust any other one.

So it's metadata about the cert, or the cert itself.

Exactly, so that way, if somebody manages to go get a cert for your website, but they get that cert from some untrustworthy CA, I don't know who that would be.

Or a compromise.
Right, or a compromised CA, nobody will trust it. Nobody who actually looks up the TLSA record, because they'll go, oh, okay, I can see that Infoblox asserts that their CA is Symantec, and this is not a Symantec-signed cert, so I'm not going to believe it. And at the same time, this CAA record is designed to be consumed by the CAs themselves, and it's a way of saying, say, Infoblox can say, hey, we are a customer of Symantec or whomever, Comodo. And then when somebody goes to the CA and says, hey, I want to generate a certificate for www.infoblox.com, they'll look it up and they'll say, ooh, they're a Symantec customer, I'm not going to do that for you.

Yeah, yeah. So it creates trust. Now, how does this impact the edge of the network? Because the question really is, on everyone's mind, does the internet of things create more trust, or does it create more vulnerabilities, or how does that balance? I mean, everyone knows it's a surface area, but still, there are technical solutions like what you're talking about. How does this play out in your mind? How does Infoblox see it? How do you see it? What's Paul Vixie working on? Does that tie into it? Is this going to be, because out in the hinterlands and the edge of the network and the wild, is it like a DNS server on the device? It could be a sensor; how are they resolving? So what is the protocol for these?

Yeah, well, I mean, at least this gives you a greater assurance, if you're using TLS to encrypt communication between a client and a web server or some other resource out there on the internet, at least it gives you a better assurance that you really aren't being spoofed, that you're going to the right place, that your communications are secure. So that's all really good. IoT, I think of as slightly orthogonal to that. IoT is still a real challenge. I mean, there are so many IoT devices out there.
I look at IoT, though, and I'll talk about this tomorrow, and actually, I've got a live event on Thursday where I'll talk about it some more with my friend Matt Larson. But-

Is that going to be here in New York?

Actually, we're broadcasting out of Washington, D.C.

Are you streaming that?

It is streamed. In fact, it's only streamed, I think-

Put a plug in for the URL, Matt Larson.

If you go to www.infoblox.com, I think it's one of the first things that will slide into your view.

All right, so you can put it on your company site, infoblox.com, you and Matt Larson. Okay, cool, so Thursday event, check it out.

Yeah, it's somewhat embarrassingly called Cricket Liu Live.

You're a celebrity, you certainly-

It's also Matt Larson live, but it's called Cricket Liu Live.

Well, you guys know what you're talking about, it's great. So there's a discussion among certain boards of directors that says, look, we're losing the battles, we're losing the war, we've got to shift more on response and at least cover our butts and get sort of our response mechanism in place. What do you advise those boards? What's the right balance between sort of defense, perimeter, core infrastructure and response?

Well, I mean, I would certainly advocate, as a DNS guy, that people instrument their DNS infrastructure to the extent that they can to be able to detect evidence of compromise. And that's a relatively straightforward thing to do, and most organizations haven't gone to the trouble to actually plumb their DNS infrastructure into, for example, their SIEM infrastructure so they can get query log information; they can use RPZs to flag when a client looks up the domain name of a known command and control server, which is a clear indication of compromise, those sorts of things. I think that's really important, it's a pretty easy win. I do think at this point, we have to kind of resign ourselves to the idea that we have devices on our network that are infected.

That game is lost, right?
There's no more crunchy-outer-shell security, it just doesn't really work. So you have to have, you have to have defense in depth, as they say, right? You have to have.

And how CERS has been around for such a long time. I mean, it's been one of those threats that just keeps coming, it's like waves and waves. So it looks like there are some things happening. That's cool. So I've got to ask you, CyberConnect is the first real inaugural event that brings industry and some, obviously government and tech geeks together. It's not Black Hat or IETF, or it's not those geeky forums. It's really a business community coming together. What's your take on this event? What are your observations? What are you seeing here?

Well, I'm really excited to actually get the opportunity to talk to people who are chiefly security people. I think that's kind of a novelty for me, because most of the time I think I speak to people who are chiefly networking people, and in particular that little niche of networking people who are interested in DNS. Although, truth be told, maybe they're not even really interested in DNS. Maybe they just put up with me.

Well, the community's been really strong. The DNS community has always been organically grown and reliable.

But I love the idea of talking about DNS security to a security audience. And hopefully some of the folks that we get to talk to here will come away from it thinking, oh wow, I didn't even realize that my DNS infrastructure could actually be a security tool for me. It could actually be helpful in any way in detecting compromise.

And just a final question, because I'm going to get a time check here, but the operational impact of some of these DNS changes that are coming down from Paul Vixie, you and Matt Larson doing some things together: what's the impact to the customer? And they say, okay, DNS will play a role in how I roll out my architecture. Obviously I can get new solutions for cyber. IoT's right around the corner.
What's the impact to them in your mind, operationally?

Well, there certainly is some operational impact. For example, if you want to subscribe to RPZ feeds, you've got to become a customer of somebody who provides a commercial RPZ feed, or somebody who provides a free RPZ feed. You have to plumb that into your DNS infrastructure. You have to make sure that it continues transferring. You have to plumb that into your SIEM so that when you get a hit against an RPZ, you're notified about it, your security folks. I think all of that stuff is sort of routine day-to-day stuff.

Nothing out of the ordinary. No radical plumbing changes, if you will.

Right, but I think one of the big challenges is that in so many of the organizations that I go to visit, the security organization and the networking organization are in different silos, and they don't necessarily communicate a lot. So maybe the more difficult operational challenge is just making sure that you have that communication, and that the security guys know the DNS guys, the networking guys, and vice versa, and they cooperate to work on problems.

This seems to be the big collaboration theme that's happening here, that it's more of a community model kind of coming together around security. Cricket Liu here, Chief DNS Architect and Senior Fellow of Infoblox. Obviously a legend in the DNS community, among Paul Vixie, amongst the peers. Really that community holding down the floor. Obviously a lot of exploits out there to watch out for. Thanks for your commentary here at the CyberConnect 2017 inaugural event. That's theCUBE. We'll be right back with more after this short break.