>> Announcer: Live from New York City It's TheCube. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technology. >> It got out of control, they were testing it. Okay, welcome back everyone. We are here live in New York City for CyberConnect 2017. This is Cube's coverage is presented by Centrify. It's an industry event, bringing all the leaders of industry and government together around all the great opportunities to solve the crisis of our generation. That's cyber security. We have Cricket Liu. Chief DNS architect and senior fellow at Infoblox. Cricket, great to see you again. Welcome to theCUBE. >> Thank you, nice to be back John. >> So we're live here and really this is the first inaugural event of CyberConnect. Bringing government and industry together. We saw the retired general on stage talking about some of the history, but also the fluid nature. We saw Jim from Aetna, talking about how unconventional tactics and talking about domains and how he was handling email. That's a DNS problem. >> Yeah, yeah. >> You're the DNS guru. DNS has become a role in this. What's going on here around DNS? Why is it important to CyberConnect? >> Well, I'll be talking tomorrow about the first anniversary, well, a little bit later than the first anniversary of the big DDoS attack on Dyn. The DNS hosting provider up in Manchester, New Hampshire. And trying to determine if we've actually learned anything, have we improved our DNS infrastructure in any way in the ensuing year plus? Are we doing anything from the standards, standpoint on protecting DNS infrastructure. Those sorts of things. >> And certainly one of the highlight examples was mobile users are masked by the DNS on, say, email for example. Jim was pointing that out. I got to ask you, because we heard things like sink-holing addresses, hackers create domain names in the first 48 hours to launch attacks. So there's all kinds of tactical things that are being involved with, lets say, domain names for instance. >> Cricket: Yeah, yeah. >> That's part of the critical infrastructure. So, the question is how, in DDoS attacks, denial-of-service attacks, are coming in in the tens of thousands per day? >> Yeah, well that issue that you talked about, in particular the idea that the bad guys register brand new domain names, domain names that initially have no negative reputation associated with them, my friend Paul Vixie and his new company Farsight Security have been working on that. They have what is called a -- >> John: What's the name of the company again? >> Farsight Security. >> Farsight? >> And they have what's called a Passive DNS Database. Which is a database basically of DNS telemetry that is accumulated from big recursive DNS servers around the internet. So they know when a brand new domain name pops up, somewhere on the internet because someone has to resolve it. And they pump all of these brand new domain names into what's called a response policy zone feed. And you can get for example different thresh holds. I want to see the brand new domain names created over the last 30 minutes or seen over the last 30 minutes. And if you block resolution of those brand new domain names, it turns out you block a tremendous amount of really malicious activity. And then after say, 30 minutes if it's a legitimate domain name it falls off the list and you can resolve it. >> So this says your doing DNS signaling as a service for new name registrations because the demand is for software APIs to say "Hey, I want to create some policy around some techniques to sink-hole domain address hacks. Something like that? >> Yeah, basically this goes hand in hand with this new system response policy zone which allows you to implement DNS policy. Something that we've really never before done with DNS servers, which that's actually not quite true. There have been proprietary solutions for it. But response policy zones are an open solution that give you the ability to say "Hey I do want to allow resolution of this domain name, but not this other domain name". And then you can say "Alright, all these brand new domain names, for the first 30 minutes of their existence I don't want-- >> It's like a background check for domain names. >> Yeah, or like a wait list. Okay, you don't get resolved for the first 30 minutes, that gives the sort of traditional, reputational, analyzers, Spamhaus and Serval and people like that a chance to look you over and say "yeah, it's malicious or it's not malicious". >> So serves to be run my Paul Vixie who is the contributor to the DNS protocol-- >> Right, enormous contributor. >> So we should keep an eye on that. Check it out, Paul Vixie. Alright, so DNS's critical infrastructure that we've been talking about, that you and I, love to riff about DNS and the role What's it enabled? Obviously it's ASCII, but I got to ask you, all these Unicode stuff about the emoji and the open source, really it highlight's the Unicode phenomenon. So this is a hacker potential haven. DNS and Unicode distinction. >> It's really interesting from a DNS standpoint, because we went to a lot of effort within the IETF, the Internet Engineering Task Force, some years ago, back when I was more involved in the IETF, some people spent a tremendous amount of effort coming up with a way to use allow people to use Unicode within domain name. So that you could type something into your browser that was in traditional or simplified Chinese or that was in Arabic or was in Hebrew or any number of other scripts. And you could type that in and it would be translated into something that we call puny code, in the DNS community, which is an ASCII equivalent to that. The issue with that though, becomes that there are, we would say glifs, most people I guess would say characters, but there are characters in Unicode that look just like, say Latin alphabet characters. So there's a lowercase 'a' for example, in cyrillic, it's not a lowercase 'a' in the Latin alphabet, it's a cyrillic 'a', but it looks just like an 'a'. So it's possible for people to register names, domain names, that in there Unicode representation, look like for example, PayPal, which of course has two a's in it, and those two a's could be cyrillic a's. >> Not truly the ASCII representation of PayPal which we resolve through the DNS. >> Exactly, so imagine how subtle an attack that would be if you were able to send out a bunch of email, including the links that said www.-- >> Someone's hacked your PayPal account, click here. >> Yeah, exactly. And if you eyeballed it you'd think Well, sure that's www.PayPal.com, but little do you know it's actually not the -- >> So Jim Ruth talked about applying some unconventional methods, because the bad guys don't subscribe to the conventional methods . They don't buy into it. He said that they change up their standards, is what I wrote down, but that was maybe their sort of security footprint. 1.5 times a day, how does that apply to your DNS world, how do you even do that? >> Well, we're beginning to do more and more with analytics DNS. The passive DNS database that I talked about. More and more big security players, including Infoblox are collecting passive DNS data. And you can run interesting analytics on that passive DNS data. And you can, in some cases, automatically detect suspicious or malicious behavior. For example you can say "Hey, look this named IP address mapping is changing really, really rapidly" and that might be an indication of let's say, fast flux. Or you can say "These domain names have really high entropy. We did an engram analysis of the labels of these". The consequence of that we believe that this resolution of these domain names, is actually being used to tunnel data out of an organization or into an organization. So there's some things you can do with these analytical algorithms in order to suss out suspicious and malicious. >> And you're doing that in as close to real time as possible, presumably right? >> Cricket: That's right. >> And so, now everybody's talking about Edge, Edge computing, Edge analytics. How will the Edge effect your ability to keep up? >> Well, the challenge I think with doing analytics on passive DNS is that you have to be able to collect that data from a lot of places. The more places that you have, the more sensors that you have collecting passive DNS data the better. You need to be able to get it out from the Edge. From those local recursive DNS servers that are actually responding to the query's that come from say your smart phone or your laptop or what have you. If you don't have that kind of data, you've only got, say, big ISPs, then you may not detect the compromise of somebody's corporate network, for example. >> I was looking at some stats when I asked the IOT questions, 'cause you're kind of teasing out kind of the edge of the network and with mobile and wearables as the general was pointing out, is that it's going to create more service area, but I just also saw a story, I don't know if it's from Google or wherever, but 80% plus roughly, websites are going to have SSL HTBS that they're resolving through. And there's reports out here that a lot of the anti virus provisions have been failing because of compromised certificates. And to quote someone from Research Park, and we want to get your reaction to this "Our results show", this is from University of Maryland College Park. "Our results show that compromised certificates pose a bigger threat than we previously believed, and is not restricted to advanced threats and digitally signed malware was common in the wild." Well before Stuxnet. >> Yeah, yeah. >> And so breaches have been caused by compromising certificates of actual authority. So this brings up the whole SSL was supposed to be solving this, that's just one problem. Now you've got the certificates, well before Stuxnet. So Stuxnet really was kind of going on before Stuxnet. Now you've got the edge of the network. Who has the DNS control for these devices? Is it kind of like failing? Is it crumbling? How do we get that trust back? >> That's a good question. One of the issues that we've had is that at various points, CAs, Certificate Authorities, have been conned into issuing certificates for websites that they shouldn't have. For example, "Hey, generate a cert for me". >> John: The Chinese do it all the time. >> Exactly. I run www. Bank of America .com. They give it to the wrong guy. He installs it. We have I think, something like 1,500 top level certification authorities. Something crazy like that. Dan Komenski had a number in one of his blog posts and it was absolutely ridiculous. The number of different CA's that we trust that are built into the most common browsers, like Chrome and Firefox and things like that. We're actually trying to address some of those issues with DNS, so there are two new resource records being introduced to DNS. One is TLSA. >> John: TLSA? >> Yeah, TLSA. And the other one is called CAA I think, which always makes me think of a California Automotive Association. (laughter) But TLSA is basically a way of publishing data in your own zone that says My cert looks like this. You can say "This is my cert." You can just completely go around the CA. And you can say "This is my cert" and then your DNS sec sign your zone and you're done. Or you can do something short of that and you can say "My cert should look like this "and it should have this CA. "This is my CA. "Don't trust any other one" >> So it's metadata about the cert or the cert itself. >> Exactly, so that way if somebody manages to go get a cert for your website, but they get that cert from some untrustworthy CA. I don't know who that would be. >> John: Or a comprimised-- >> Right, or a compromised CA. No body would trust it. No body who actually looks up the TSLA record because they'll go "Oh, Okay. I can see that Infoblox's cert that their CA is Symantech. And this is not a Symantech signed cert. So I'm not going to believe it". And at the same time this CAA record is designed to be consumed by the CA's themselves, and it's a way of saying, say Infoblox can say "We are a customer of Symantech or whoever" And when somebody goes to the cert and says "Hey, I want to generate a certificate for www.Infoblox.com, they'll look it up and say "Oh, they're a Symantech customer, I'm not going to do that for you". >> So it creates trust. So how does this impact the edge of the network, because the question really is, the question that's on everyone's mind is, does the internet of things create more trust or does it create more vulnerabilities? Everyone knows it's a surface area, but still there are technical solutions when you're talking about, how does this play out in your mind? How does Infoblox see it? How do you see it? What's Paul Vixie working on, does that tie into it? Because out in the hinterlands and the edge of the network and the wild, is it like a DNS server on the device. It could be a sensor? How are they resolving things? What is the protocol for these? >> At least this gives you a greater assurance if you're using TLS to encrypt communication between a client and a web server or some other resource out there on the internet. It at least gives you a better assurance that you really aren't being spoofed. That you're going to the right place. That your communications are secure. So that's all really good. IOT, I think of as slightly orthogonal to that. IOT is still a real challenge. I mean there is so many IOT devices out there. I look at IOT though, and I'll talk about this tomorrow, and actually I've got a live event on Thursday, where I'll talk about it some more with my friend Matt Larson. >> John: Is that going to be here in New York? >> Actually we're going to be broadcasting out of Washington, D.C. >> John: Were you streaming that? >> It is streamed. In fact it's only streamed. >> John: Put a plug in for the URL. >> If you go to www.Infoblox.com I think it's one of the first things that will slide into your view. >> So you're putting it onto your company site. Infoblox.com. You and Matt Larson. Okay, cool. Thursday event, check it out. >> It is somewhat embarrassingly called Cricket Liu Live. >> You're a celebrity. >> It's also Matt Larson Live. >> Both of you guys know what you're talking about. It's great. >> So there's a discussion among certain boards of directors that says, "Look, we're losing the battle, "we're losing the war. "We got to shift more on response "and at least cover our butts. "And get some of our response mechanisms in place." What do you advise those boards? What's the right balance between sort of defense perimeter, core infrastructure, and response. >> Well, I would certainly advocate as a DNS guy, that people instrument their DNS infrastructure to the extent that they can to be able to detect evidence of compromise. And that's a relatively straight forward thing to do. And most organizations haven't gone through the trouble to plumb their DNS infrastructure into their, for example, their sim infrastructure, so they can get query log information, they can use RPZs to flag when a client looks up the domain name of a known command and control server, which is a clear indication of compromise. Those sorts of things. I think that's really important. It's a pretty easy win. I do think at this point that we have to resign ourselves to the idea that we have devices on our network that are infected. That game is lost. There's no more crunchy outer shell security. It just doesn't really work. So you have to have defensive depth as they say. >> Now servs has been around for such a long time. It's been one of those threats that just keeps coming. It's like waves and waves. So it looks like there's some things happening, that's cool. So I got to ask you, CyberConnect is the first real inaugural event that brings industry and some obviously government and tech geeks together, but it's not black hat or ETF. It's not those geeky forums. It's really a business community coming together. What's your take of this event? What's your observations? What are you seeing here? >> Well, I'm really excited to actually get the opportunity to talk to people who are chiefly security people. I think that's kind of a novelty for me, because most of the time I think I speak to people who are chiefly networking people and in particular that little niche of networking people who are interested in DNS. Although truth be told, maybe they're not really interested in DNS, maybe they just put up with me. >> Well the community is really strong. The DNS community has always been organically grown and reliable. >> But I love the idea of talking about DNS security to a security audience. And hopefully some of the folks we get to talk to here, will come away from it thinking oh, wow, so I didn't even realize that my DNS infrastructure could actually be a security tool for me. Could actually be helpful in any way in detecting compromise. >> And what about this final question, 'cause I know we got a time check here. But, operational impact of some of these DNS changes that are coming down from Paul Vixie, you and Matt Larson doing some things together, What's the impact of the customer and they say "okay, DNS will play a role in how I role out my architecture. New solutions for cyber, IOT is right around the corner. What's the impact to them in your mind operationally. >> There certainly is some operational impact, for example if you want to subscribe to RPZ feeds, you've got to become a customer of somebody who provides a commercial RPZ feed or somebody who provides a free RPZ feed. You have to plumb that into your DNS infrastructure. You have to make sure that it continues transferring. You have to plumb that into your sim, so when you get a hit against an RPZ, you're notified about it, your security folks. All that stuff is routine day to day stuff. Nothing out of the ordinary. >> No radical plumbing changes. >> Right, but I think one of the big challenges in so many of the organizations that I go to visit, the security organization and the networking organization are in different silos and they don't necessarily communicate a lot. So maybe the more difficult operational challenge is just making sure that you have that communication. And that the security guys know the DNS guys, the networking guys, and vice versa. And they cooperate to work on problems. >> This seems to be the big collaboration thing that's happening here. That it's more of a community model coming together, rather than security. Cricket Liu here, DNS, Chief Architect of DNS and senior fellow of Infoblox. The legend in the DNS community. Paul Vixie amongst the peers. Really that community holding down the fort I'll see a lot of exploits that they have to watch out for. Thanks for your commentary here at the CyberConnect 2017 inaugural event. This is theCUBE. We'll be right back with more after this short break. (techno music)

>> Hello, we are here On the Ground. This is theCUBE's On the Ground program at Centrify's Headquarters. We go to Cricket Liu, chief DNS officer at Infoblox. Been with the company from the beginning. Great to see you again. Wrote the book on DNS. What year was that? That was between DNS, was like, when I was born. >> Yeah, 1992. September 1992 was when it was published. >> Great to see you. We've done some podcasts together over the years. >> Yeah, good to see you too. >> DNS, now obviously global, ICANN's now global, it's part of the U.N., all different governance bodies, but it's certainly still critical infrastructure. >> Yeah, absolutely. >> Critical infrastructure is now the big conversation as the security paradigm has moved from data center to the Cloud, there's no perimeter anymore. >> Yeah. >> How is that changing the DNS game? >> Well, I think that folks are starting to realize how critical DNS is. In October of last year, we had that huge DDoS attack against Dyn, the big DNS hosting provider in New Hampshire and I think that woke a lot of folks up. A lot of folks realized, holy cow, these guys are not too big to fail as they say. Even though they have enormous infrastructure, widely distributed around the globe, they have such a concentrational power that a huge number of really, really popular web properties were inaccessible for quite sometime, so I think that caused a lot of people to look at their own DNS infrastructure and to reevaluate it and say, well maybe I need to do something. >> Interesting about the stack wars that are going on, that attack, as we've lived through and you've been part of it as chief technical officer in many companies. DNS was always that part where it'd be secure but now you have block change, you have new kinds of infrastructure with mobile computing now over 10 years post iPhone. >> Yep, the critical moment. >> How has infrastructure changed, beyond DNS 'cause it still needs to work together? >> Yeah, well, it's funny because we do have all of these new types of devices. We do have new technologies. But a lot of things have remained the same. DNS is still the same. The remarkable thing is that the latest version in my book is 10 years old, actually 11 years old now, so it's older than the iPhone and people still buy it because the underlying theory is still the same. It hasn't changed. It's a testament, really, to the quality of the original design of DNS that it still works for anything and that it's scaled to serve a network as diverse and as large as the internet is today. >> What's your biggest observation, looking back over the past decade with DNS, about the emergence of virtual machines, now Cloud. Again, the game is still the same 'cause DNS is the plumbing and it provides a lot of the key critical infrastructure for the web and now mobile. What's the biggest observations that you've seen over the decade? >> Well I'd say one of the things that's happened over the last several years that's maybe the most important development in DNS is something that we call response policy zones. Up until now, DNS servers have just been sort of blithely complicit when it comes to, for example, malware. Malware wakes up on a device and it assumes that it has DNS available to it and it uses DNS, for example, to find command to control server, maybe a drop server to exfiltrate data to. In the DNS server, even though it's being asked to look up the address record for CommandAndControlServer.Malware.Org, it just happily goes along with it. A few years ago, Paul Vixie, who I've known for a very long time, came up with this idea called response policy zones which is basically to imbue our DNS servers with resolution policy so that you can tell them, hey if you get a query for a domain name that we know is being used maliciously, don't answer it. Don't resolve it like you normally do. Instead, hand back a little white lie like that doesn't exist and moreover, log the fact that somebody looked it up because it's a good indication that they're infected. >> So bringing policy to DNS is really making it more intelligent. >> Yeah, that's right. >> And certainly as networks grow, I was just watching some of my friends setting up the wireless at Burning Man and the whole new change of how Wi-Fi is being deployed and how networks are being constructed is really coming down to some of the basic principles of DNS to route more, be responsive, and this is kind of a new change. >> Yeah, there's a lot going on in changes to the deployment of DNS. It used to be that most big companies ran all their own DNS infrastructure. At this point, I think most large companies don't bother running, for example, what we'd call their external authoritative DNS infrastructure. They give that to a big hosting provider to do, somebody like Dyn or Verisign or Neustar or somebody like that, so that's a big change. >> Cricket, I want to ask you about the CyberConnect Event going on in New York. Infoblox is involved. Security is paramount, so now an industry event. Centrify is the main sponsor. You guys are involved as a vendor, but it's not a vendor event, it's a industry event. It's a broad category. What's your thoughts on this kind of industry event? Usually in events it's been Black Hat or vendor events pushing their wares and selling their stuff but now security is global. What's your take on this event? >> Well, I'm hoping to be able to spend a little bit of time talking to folks who come to the event about DNS and how it can be used as a tool in their security tool chain. The folks who come to us as Infoblox to our events already know about DNS. They're already network administrators or they're responsible for DNS or something like that. My hope is that we can reach a broader audience through CyberConnect and actually talk to folks who maybe haven't considered DNS as a security tool. Who maybe haven't thought about the necessity to bolster their DNS infrastructure. >> One final question since we're on bonus material time. I've got to ask you about the global landscape. I mean, in my early days involved in DNS when I came was from the '98 to the 2000 time frame. International domain names were Unicode. That's not ASCII. So that technically wasn't DNS, but still, they were keywords. They had this global landscape in, say, China, that actually wasn't DNS so there's all these abstraction layers. Has anything actually evolved out of that trend of really bringing an abstraction layer on top of DNS and certainly now with the nation-states with security are issues, China, Russia, et cetera. How does all that play out? >> Well, international domain names have actually taken off in some areas. And basically it's as you say, you have the ability now to use Unicode labels in domain names in certain contexts, for example, if you're using your web browser you can type in a Unicode domain name and then what the web browser does is it translates it into an equivalent ASCII representation and then resolves it using DNS which is the traditional DNS that doesn't actually know about Unicode. There are actually some very interesting security implications to using Unicode. For example, people can register things that have Unicode, we would say, glyphs in them that look exactly like regular ASCII characters. For example, you could register paypal.com where the A's are actually lowercase A's in Cyrillic. It's not the same code point as an ASCII A. So it's visually. >> Great for hackers. >> Oh yeah. Visually indistinguishable from paypal.com in a lot of contexts and people might click on it and go to a page that looks like PayPal's. >> John: So its a phishing dream. >> Yeah, really dangerous potentially and so we're working out some of the implications of that, trying to figure out, within, for example, web browsers, how do we protect the user from things like this? >> And a lot of SSL out there, now you're seeing HTTPS everywhere. Is that now the norm? >> Yeah, actually, within the internet engineering task force, the IETF, after it became obvious that state-sponsored-- >> John: Attacks. >> Eavesdropping. >> You were smiling. >> Was kind of the norm. >> Got to find the right word. >> Yeah, the IETF embarked on an effort called DPRIVE and DPRIVE is basically a bunch of individual tracks to encrypt basically every single part of the DNS channel, especially that between what we call a stub resolver and the recursive DNS server so that if you're a customer here in the United States and a subscriber to an ISP like Comcast or whomever, you can make sure that that first hop between your computer and the ISP is secured. >> We're getting down and dirty under the hood with Cricket Liu on DNS. I got to ask kind of up level to the consumer. One of the things that kind of pisses me off the most when I'm surfing the web is you see the browser doesn't resolve or you go hit someone's website, oh yeah, something.io, these new domain names, top level gTLDs are out there, .media, all these, and companies have firewalls or whatever their equipment is and it doesn't let it through. Because they're trying to protect the perimeter still, must be, I mean, what does that mean when companies aren't letting those URLs then, it is a firewall issue or is it more they're still perimeter based, they're not resolving it, they're afraid of malware? Somethings aren't resolving in? What does that mean? >> Well I think as often as not it's an operational problem. It could be just a misconfiguration on the part of the folks who are hosting the target website's DNS. It could be that. I don't know a lot of folks who-- >> So it's one of their policies or something, it's just kind of locking down. >> Could be that too. Or it could be, for example, that they have a proxy server and they're trying to limit access to the internet by category. Maybe it does categorization and filtering by-- >> Can you work on that? Can you write some code for that? Well thanks, great to see you, thanks for sharing this conversation here On The Ground at Centrify. >> You're welcome. >> And good luck with the CyberConnect Conference. >> Yeah, nice to see you too. >> Alright, I'm John Furrier with On The Ground here on theCUBE at Centfity's headquarters in Silicon Valley. Thanks for watching.