Shielding Europe: DNS4EUs Pan-European Protective DNS Service

good morning everyone uh my name is andronicos I am the tech Consulting lead at wbor and hi everyone I'm Thomas and I'm the security analyst also at wellb uh before we dive deeper to the topic a bit uh some information about us uh right now we are both working at wbor uh wbor is a cyber security company doing DNS space security and identity protection uh before that I was doing research inali group in University of patras uh the research topic was automation of hyot yeah um and I would introduce myself as a security researcher uh with some background in public sector basically I was an incident responder for the government and now I've delved into uh end user threats and uh researching DNS security thank you so um during today's presentation we will go over um protect DNS and in more detailed DNS for you um the project its applications but the main focus will actually be the threat intelligent aspect and how we are planning to build an actionable uh information sharing platform furthermore we will discuss the applications of DNS for EU and how it can be offered to different groups of end users uh first things first a bit of a theory so uh DNS resolution is this magical process of translating a domain name to an IP address uh whenever some process requires some Network research bya domain name a DNS resolver is actually used and it's responsible for fetching the results by iterating the DNS 3 something like that yeah uh sounds simple so far yeah well there are almost 292 rfc's more are coming uh if someone is is interested they are very interesting I highly recommend them uh but we have to say here is that uh this is process agnostic of the operating system and also the type of device yeah so somebody can claim that DNS is the glue keeping the internet together and at this point I would like to offer a moment of sympathy uh to all of us who have ever painfully troubleshooting some networking issues and we came back to just these wise words so uh as you may have understood DNS is a critical Service uh today's talk though is not about all the things that can go wrong but it's about how DNS can intersect with cyber security so uh let's consider the following facts on the one hand nowadays there are 15 billion connected devices the number is expected to grow to 24 billion by 2025 so B bical in a couple of years sounds like a security nightmare uh someone could ask is there some common denominator is there something you can do at scale so hopefully uh here the aners would be yes so industrywide research shows that more than 94% of attacks are actually utilizing DNS at some point of the Cyber kill chain adding to the recipe the fact that all the devices regardless of the operating system and the type of software they running are using DNS resolution as Defenders we have a unique opportunity to protect them at scale this reasoning actually gave birth to the notion of protective DNS what is protective DNS it is the Viewpoint that DNS is no longer only a protocol but rather is a security service implementing filtering of the DNS requests and blocking access to malicious domains is a really really easy way to establish a very first line of defense and block access to f ing websites detect malware communication as well as provide realtime insight to the security teams in this way the number of incidents can be completely and dramatically reduced and here comes the main topic of today's presentation uh in this slide you can see the extract for the original call for proposals the primary goal of the project is to build a European protective DNS service which will improve resilience protect privacy and also Foster cross disciplinary collaboration the NS foru will have a strong security aspect and will offer protection not only against Global but also and more importantly against local cyber security threats as it's highlighted in the last sentence this is a key policy action announced in 2020 in the commission's cyber security strategy for the digital decade so soon after the call was issued uh at wbor we started building and concern with members from different disciplines and different nationalities the members are a mix of public and private entities such as companies uh computer emergency and response teams Nos and National research and education networks in more detail the members are CZ Nick the registry of the do CZ domain the Czech Technical University from Prague the Belgian Law Firm time. Lex desc a German nonprofit organization focusing on DNS hosting the Hungarian and polish shts and uh abil laby from the financial sht of Italy also the national cyber security Center of from Romania uh furthermore we have some Associated Partners such as the ministry of electronic government from Bulgaria the national cyber security Center of Portugal uh the antivirus company F secure from Finland and Chet from the Czech Republic so overall each member of the Consortium is adding its own expertise and contributing to the goals that have been set by the project uh moving forward to the verticals of the project DNS foru can be summarized in four pillars uh threat intelligence DNS for Telos DNS for government and DNS for end users the first case which is the Cornerstone of the project is a threat intelligence aspect which will be generated applied to all the deployment scenarios the threat intelligence will be the product of research based on the anonymized DNS for utraffic as well as continuous information exchange more information will be now shared from thas Hello uh thanks for introduction andos and thank you uh as you mentioned it's uh the thre intelligence is uh basically uh the main pill of all these uh parts of the DNS foru project and um to give a brief introduction or brief definition uh because it's often ambiguous term uh the threat intelligence is pretty much a a process of um understanding and uh analyzing the current cyber threats in context uh it can go from uh high level strategic overview to the core basic of uh tactical indicators of compromise and um in the context of DNS for EU and this presentation I will be mostly dealing with the Tactical level that means uh the indicators compromis of the meaning uh the domain names um at belone uh we aim as at Dr intelligence as um providing as um accurate and timely uh coverage of current threats in DNS space and uh to briefly introduce uh our pillars of uh our intelligence program on a foundation level uh we of course cooperating with uh existing security providers and open source feeds to cover the global threats but the it's of course nothing groundbreaking um but uh what we aim to differentiate with the DNS for EU is um two things uh first of all uh as andos mentioned we'll be dealing with the anonymized DNS traffic itself that means uh investigating uh the DNS logs uh to uncover new threats and U improve our accuracy uh dealing with some early detections and then the most important things that will be the uh key difference uh from all of the DNS protective services will be to establish Regional threat intelligence sharing that means uh we aim to be a centrer point in which all the Consortium members and also public and private sectors contributors um can establish a sharing channels for truth intelligence uh to basically make the European Union a more secure place and provide a more secure DNS resolver uh the intelligence uh in its core is pretty much a never ending cycle and uh it's the same with us uh so I will briefly introduce you to um the each stages and how we aim to add new detection systems to each and every step of the way when it comes to analyzing the malicious domains so starting from the first um top uh we aim to provide uh Timeless detections that means uh covering the threats as early as possible um in this stage uh we'll be analyzing the traffic um and also the registry from newly registered domains and certificate transparency uh to catch the domains um basically before it's even um abused by the actor and has a chance to actually cause some damage and um in this stage uh we are cooperating with two Consortium members uh the Czech Technical University and the nask of Poland where we aim to develop a machine learning model to cover uh uh TLD uh namespace uh detection model uh to basically deny the attackers U the chance to abuse uh European domains so domains like the CZ dode ad uh should be more cover it U against U typos squatting and U impersonation and other malicious stuff making the European um space more uh secure uh also in this stage uh the threat intelligence sharing channels are important that means uh consuming the threat intelligence gathered from our consortion members and uh contributors uh that will be directly fed into the resol and uh protecting uh from early detected threats uh in the next stage uh there's a traffic analysis uh that as I mentioned will be analyzing the uh anonymized DNS for E traffic and uh here we are uh already employing several uh machine Learning Systems to detect uh threats like uh domain generated algorithms that are used by malware communication uh DNS tuning and also researching the patterns and behaviors of DNS sequences to uh uncover some specific DNS threats for example uh uh car scheming on WordPress sites or uh uh compromise websites that are often U abusing uh the end users and then in the U late stage uh we also aim to mitigate false positives um and here we are corporating with the Czech nron University again uh to actually develop a system that takes feedback loop from all the previous systems and uh input it into the life cycle so that we can uh come with a force positive rate as close to zero as possible now uh I mentioned machine learning several times but but um maybe sorry for disappointment but um I'm going to speak about uh in example about something that hits much close to home and is much I say uh simple threat and that is um the plague of the internet uh the fishing and smishing campaigns that are uh targeting the end users uh you may have seen several of those uh it's always the same uh it's basically spamming uh all the users uh everywhere in in the world particular in Europe is very popular lately um pretending to be um some retail company delivery services check post government agencies and scamming the users for uh their credit cards their passports or their their identity um it's very widespread uh it's very simple to use so uh there's very much uh an issue how to deal with this uh on a scale uh also why important uh that there was a recent study that average Damage Done To the End users by such scam is over €7,000 so quite significant uh damage for average people and uh since we already don't like those uh we aim to provide a system uh that um at least U mitigates the risk for our average citizens um from what we saw um yeah sorry um when it comes to obstacles of fighting these campaigns um there's always an issue that uh they have a very short lifespan that means um within a few minutes the campaign is sent uh people click it uh fill it in credit cards and um like U before the can be taken down the Dage is already done and uh currently you can use some takedown services or reporting services but uh they don't provide the Timeless timeliness uh that is necessary to protect the users and also there's no Center Point yet uh that could be used uh at scale in Europe so uh what we aim to do uh is that uh we are cooperating currently with multiple Tel operators and aim to scale it to multiple uh other partners in public and private sector uh because what we found is that uh the moment this fishing campaign starts uh anywhere uh the brand that is impersonated or the tel Cooper that is actually running the SMS Services they are very they aware from the very beginning that this is happening and that the users are at risk uh but they don't have any means uh of effectively com combating this other than this making a press release or maybe for the Telco to actually one time block it in the network but there so Center Point to cover all of the Europe and all of the users so uh we de developed a system that basically works on a Synergy of U the reporting party and a veil bone uh that will be fed to the DNS for EU and um it basically works on reporting the first initial um indicators of the campaign uh in this case for example uh one domain that was in person I think uh dpd delivery services as as an example and uh once we uh receive this uh first initial alert uh our system that we call Bazaar because we uh in the past we use it to um uh uh to basically deal with some scams on online marketplaces and kind of stuck with us uh it starts analyzing the campaign for some uh patterns in a domain and uh it's metadata and it's looking for certificate transparencies and uh new registed domains and DNS Lo itself to actually put together what is the characteristics of the campaign and start to block it proactively and uh basically it could be viewed somehow as a DGA but not quite it's um more simple than that um so that the user is protected again um um from the next uh campaigns that come from the same source so um uh in this case the sharing is caring uh and it really helps helps to protect the users uh from the incoming threats and um since we aim to actually push this and scale this to 100 people uh we need to do this in an easy and automated way uh that is accessible to everyone from both private and public sector and to give you one example not the only one but uh the main one uh of how we intend to uh build a system that is uh used to sharing the information uh let me introduce you uh misp uh to those those of you who are not familiar uh misp is open source project by Luxembourg C and uh is developed by growing uh community of volunteers and I would say it's a fitting European solution for European protection and it's becoming an industry standard for um all both private companies and most particularly the government sector and it's very easy to deploy and uh very easy to maintain and um why we chose it and where the key power lies when it comes to sharing the information is actually how it works with it because it's not just the indicators of compromise themselves the domains but it's also very uh easy to enrich with context and um with uh additional information that can be helped to uh spread the alert on the new threat that is being identified it's also very secure and granular when it comes to sharing because you can choose uh who you're going to share with with and U what are you actually sharing to the community um and in this sense uh V will be running uh dedicated instance that is offered to everyone uh not only just the consortion members but everyone who is uh interested in participating in sharing the threat intelligence and the input to the misp will be automatically fed to our Pipeline and F directly to the reserver so it will be a direct way to actually contribute to threat intelligence and protect the users um one bonus point on why is this important and U what can it bring in benefit um is the possibility of EU wide correlation intelligence uh of the threats because in this example for uh we could find um one of those fishing campaigns that were impersonating a government and um when we gathered the information from multiple sources we actually found that uh it's not just Regional problem but the same actors was actually abusing the same mechanism and using the same infrastructure across multiple countries basically scamming Czech Republic Poland and Slovakia at the same time uh so uh having this some sort of centralized point of the intelligence can be a valuable uh information to actually U connect the dots and put the threat act Spotlight uh so that's all from me uh if you are interested in U more of our work and uh or in participating you can reach us at TW intelligence atv.com .io sorry and uh now back to andronicos who will introduce more function of the DNS for EU thank you thas so um thinking about the requirements so we are building a system we want to actually effectively apply this threat intelligence right so of course the main focus is to ensure a secure reliable and efficient DNS service all the DNS foru resolvers will be deployed in European data centers and will be bound to strict privacy requirements compliance with regulations of course such as gdpr or local legislations uh is also expected of the service but in the very core uh the DNS for youu resolvers will be adhering to the latest security and privacy standards such as dnsx such as DNS over htps such as DNS over TLS uh diving a bit deeper in this slide you can find the depiction of the architecture of the project as we have uh envisioned it and building it so we have adopted a distributed architecture we have combined a cloudbased B uh publicly accessible DNS service and more granular and individual private instances running in Telos or in government entities uh to take the discussion a bit further uh we will discuss the use cases uh for these individual scenarios so um DNS foru is a service for 100 million users that's also the title of this presentation right and we have identified from the very first days of the project that we cannot achieve it without involving the Telecom operators uh for the operators we're making available on premise DNS resolvers which will be uh supporting of course the latest standards and will be integrated into their existing operations and systems for the users one of the major benefits of using the DNS foru instances from the local operators is that they will have very very low latency and the Privacy preserving nature of the service uh will help them to further secure their connections and of course optionally take advantage of the premium threat intelligence which will be generated from the project uh another vertical which we have identified is that of the public sectors uh in the last years we have seen an emerging patterns uh where basically all the public organizations are very very complex and at the same time they remember they remain cry and also some fishing cases during coid uh so in several cases uh such as in the UK or Australia or in Canada uh there has been a Countrywide protective DNS security solution offered by the governments to that regard DNS foru will approach the same problem with a similar way uh but rather than offering a turnkey project it will be possible to have individual DNS for you instances for the individual countries so we are able to have Countrywide DNS foru instances and also go deeper and have individual instances for particular offices let's say uh last but not least of course we plan to make available a service for the end users uh in this case the architecture will be utilizing the shared Cloud DNS resolvers which will be operated by the Consortium and we will make available multiple uh configuration profiles so we'll have the plain DNS resolution the DNS resolution with the threat intelligence and also some optional threat intelligence plus adult content filtering uh when it comes to the timeline of the project here is a high level overview so in 2023 we are finalizing the technology and also the security design and we are starting the implementation of the uh back end uh we have already started discussing with options uh for Telos for governments and we are intensifying uh in the next uh months actually 2023 um we have also kicked off the threat intelligence research and the first results are very very promising so in the next year in 2024 we would like to invest the efforts for the exchange of the regional threat intelligence which was identified by uh thas uh and in 2025 we would like to offer the service to the public to the individual and users uh where we would have of course course to scale where necessary in 2026 and Beyond we'll go uh to invest to The Continuous um Improvement of the [Music] project so uh in conclusion and to summariz