Threat Analytics: Data Exfiltration by DNS lookup

Presentation transcript:

Threat Analytics: Data Exfiltration by DNS lookup
TELE3119: Materials from Martin Lee of TALOS are gratefully acknowledged

Cyber Kill Chain
- Get inside
- Find some data
- Exfiltrate it
Trusted Networks

Getting Inside
Email attack: malware distributing ransomware

Exfiltrating Data
(diagram) compromised system sends stolen data to malicious.com over:
- ftp, port 21
- ssh, port 22
- http, port 80

Exfiltrating Data
(diagram) the same channels from the compromised system to malicious.com, blocked with FW rules or an IP / domain block-list:
- ftp, port 21
- ssh, port 22
- http, port 80

Exfiltrating Data
Hypothetically speaking … could we exfiltrate and evade:
- IP blacklists
- Firewall rules

DNS requests
(diagram) resolving www.example.com:
1. The client asks the local DNS server: "what is the address for www.example.com?" Local DNS server: "Dunno, I'll ask someone else."
2. The local DNS server asks the .com DNS server, which replies: "Dunno, but I know someone who does."
3. The local DNS server asks the example.com name server, which replies: "I know the answer", it is: 123.45.67.89

Exfiltrating Data by DNS
(diagram) the compromised system issues a DNS lookup for top.secret.data.malicious.com; the local DNS server forwards it to the malicious.com name server, which receives "top.secret.data" and sends the reply: 192.168.0.1

Exfiltrating Data by DNS
DNS lookup problems:
- Punctuation forbidden (limited to a-z & 0-9, no space or !)
- Case insensitive → Base64 encoding ??
- Base32 encoding:
  "top secret data" → ORXXAIDTMVRXEZLUEBSGC5DB
  "Top Secret !!!!" → KRXXAICTMVRXEZLUEAQSCIJB
DNS request logs:
  www.domain1.com
  mail.domain2.com
  server.xyz.domain3.com
  ORXXAIDTMVRXEZLUEBSGC5DB.malicious.com  ← long random string!
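The following is an added example, not code from the slides or from TALOS. It shows the two constraints the slide lists (hostname charset and case insensitivity), why Base32 survives them while Base64 does not, and a first triage pass over the slide's four log entries that flags the long label and shows what it decodes to. The RFC 1035/1123 label rules are real; the sample query list, the 20-character trigger length and the function names are assumptions made for this example.

```python
import base64
import re

# Constructed sample of DNS query names (the four on the slide; not real log data).
SAMPLE_QUERIES = [
    "www.domain1.com",
    "mail.domain2.com",
    "server.xyz.domain3.com",
    "ORXXAIDTMVRXEZLUEBSGC5DB.malicious.com",
]

# Hostname label rules (RFC 1035 / RFC 1123): letters, digits, hyphen; 1-63 octets
# per label; 253 characters for the whole name.
LABEL_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def is_valid_hostname(name: str) -> bool:
    """True if every label of `name` satisfies the hostname charset and length limits."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def b64_decode(text: str) -> bytes:
    return base64.b64decode(text)


def b32(data: bytes) -> str:
    # Base32 output uses only A-Z and 2-7. The '=' padding is dropped because it is
    # not a hostname character; it can be restored from the label length.
    return base64.b32encode(data).decode("ascii").rstrip("=")


def b32_decode(text: str) -> bytes:
    # Restore padding to a multiple of 8 and accept lowercase: DNS may fold case.
    padded = text + "=" * (-len(text) % 8)
    return base64.b32decode(padded, casefold=True)


def survives_case_folding(encode, decode, data: bytes) -> bool:
    """DNS names are case-insensitive, so a resolver may forward a label in a
    different case. An encoding is usable in a label only if the round trip through
    a lowercased label is lossless."""
    try:
        return decode(encode(data).lower()) == data
    except Exception:
        return False


def triage(queries, min_label_len=20):
    """Flag queries containing an unusually long label and show what it decodes to
    if it is valid Base32 (a cheap first look before any statistical modelling)."""
    findings = []
    for q in queries:
        longest = max(q.rstrip(".").split("."), key=len)
        if len(longest) < min_label_len:
            continue
        try:
            decoded = b32_decode(longest).decode("ascii", "replace")
        except Exception:
            decoded = None  # long but not Base32: still worth a look, just not decodable
        findings.append({"query": q, "label": longest, "length": len(longest), "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_QUERIES):
        print(finding)
```

Note that Base64 output of ordinary text can be all letters and digits and so pass the charset check; it is the case folding that breaks it, which is what `survives_case_folding` demonstrates.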

Let's go hunting!
OpenDNS DNS Lookup Data
- Let's look for 'long' domain names.
- Oh, great, there are 100 million! Difficult to analyze data → need a model?

Model data: distribution
(chart: frequency vs. subdomain length, with one spike marked "???")
- The longer the length, the less frequent it becomes; this closely follows an exponential decay curve.
- We know how to fit a curve to the data: how does an exponential curve work?
- We construct a model for our expectation of a subdomain length.

Identify Anomalies
(chart: frequency vs. subdomain length, with particular lengths highlighted)
- We only analyse particular lengths.
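Added example (not from the slides or from TALOS): the modelling step from the two slides above, carried through in code. It fits an exponential decay to a subdomain-length histogram by least squares on log(count), computes the expected count per length, and reports the lengths whose observed count stands well above the model. The OpenDNS data is not available here, so the histogram is constructed: exponentially decaying counts with one injected spike at length 24, the Base32 length of the 15-byte payload on the earlier slide. The 3x threshold, the two-pass refit and the "registrable domain = last two labels" simplification are assumptions of this example.

```python
import math
from collections import Counter


def subdomain_length(qname: str) -> int:
    """Length of everything left of the registrable domain, taken here as the last
    two labels (an assumption; a public-suffix list would be used on real data)."""
    labels = qname.lower().rstrip(".").split(".")
    return len(".".join(labels[:-2]))


def length_histogram(qnames):
    """Histogram of subdomain lengths over a list of query names."""
    return Counter(subdomain_length(q) for q in qnames)


def build_synthetic_histogram():
    """Constructed stand-in for the OpenDNS data: counts that decay exponentially
    with length, plus one injected spike at length 24."""
    hist = {length: round(100_000 * math.exp(-0.25 * length)) for length in range(1, 41)}
    hist[24] += 5_000
    return hist


def fit_exponential(hist):
    """Least-squares fit of log(count) = a + b * length, i.e. count = e^a * e^(b * length).
    Returns (a, b); b is negative for a decaying distribution."""
    xs = [length for length, count in hist.items() if count > 0]
    ys = [math.log(hist[length]) for length in xs]
    n = len(xs)
    if n < 2:
        raise ValueError("need at least two lengths to fit a curve")
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    b = sxy / sxx
    return mean_y - b * mean_x, b


def expected_count(params, length):
    """Model expectation for a given subdomain length."""
    a, b = params
    return math.exp(a + b * length)


def find_spikes(hist, threshold=3.0, passes=2):
    """Lengths whose observed count exceeds the fitted expectation by `threshold`x.
    The fit is repeated without already-flagged lengths so a spike cannot raise the
    baseline and hide itself."""
    flagged = set()
    for _ in range(passes):
        baseline = {l: c for l, c in hist.items() if l not in flagged}
        params = fit_exponential(baseline)
        flagged = {l for l, c in hist.items() if c / expected_count(params, l) > threshold}
    return sorted(flagged)


if __name__ == "__main__":
    hist = build_synthetic_histogram()
    params = fit_exponential(hist)
    for length in find_spikes(hist):
        print(f"length {length}: observed {hist[length]}, expected {expected_count(params, length):.0f}")
```

On real data the histogram would come from `length_histogram` over the query log; the flagged lengths are the ones to pull queries for, which is the "we only analyse particular lengths" step on the slide.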

Active Exfiltration
Stealing credit card data!
  log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com
  lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com
  ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com
Pattern? Each name begins with 3 characters (i.e. log, lll, ooo), followed by a dot, followed by a long random string with a fingerprint (i.e. starts with nu6t), followed by a dot, followed by a really long string, …

Point of Sale malware would sniff the memory of a PoS device to collect card numbers, expiry dates, etc.

Active Exfiltration
PoS malware domains:
  log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com
  lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com
  ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com
(diagram annotations) Base32 encoded machine identifier; Base32 encoded & RSA 1024 encrypted card information; previously unknown malware domains
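Added example (not from the slides or from TALOS): the naming pattern described two slides up, turned into a hunting rule and run over a constructed DNS query log. The three malware names are the redacted examples from the slides; the timestamps, client addresses and the benign filler lines are made up for this example, as are the minimum label lengths in the regular expression. The rule extracts the parts the slide annotates and groups hits by registrable domain, which is how the "previously unknown malware domains" fall out of the data.

```python
import re
from collections import defaultdict

# Constructed DNS query log (timestamp, client, qname). The three long names are the
# redacted examples from the slides; everything else is benign filler for this example.
LOG_LINES = """\
2019-05-01T10:00:01Z 10.1.2.3 www.domain1.com
2019-05-01T10:00:02Z 10.1.2.3 log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com
2019-05-01T10:00:03Z 10.1.2.4 mail.domain2.com
2019-05-01T10:00:04Z 10.1.2.9 lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com
2019-05-01T10:00:05Z 10.1.2.3 ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com
2019-05-01T10:00:06Z 10.1.2.5 log.example.com
"""

# Naming scheme from the slide: a 3-character label, a Base32 label carrying the "nu6t"
# fingerprint (the machine identifier), one or more further long labels (the card data),
# then the registrable domain. The {8,} minimum lengths are an assumption of this example.
POS_EXFIL_RE = re.compile(
    r"^(?P<prefix>[a-z]{3})\."
    r"(?P<machine>nu6t[a-z2-7]{8,})\."
    r"(?P<payload>(?:[a-z0-9-]{8,}\.)+)"
    r"(?P<domain>[a-z0-9-]+\.[a-z]{2,})$"
)


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client, normalised qname)."""
    ts, client, qname = line.split()
    return ts, client, qname.lower().rstrip(".")


def match_pos_exfil(qname: str):
    """Return the named parts of the name if it follows the PoS exfiltration scheme."""
    m = POS_EXFIL_RE.match(qname)
    return m.groupdict() if m else None


def hunt(log_text: str):
    """Return (hits, domains): every matching query with its parts, and each registrable
    domain seen in a hit mapped to the set of clients that queried it."""
    hits = []
    domains = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = parse_line(line)
        parts = match_pos_exfil(qname)
        if parts:
            hits.append({"time": ts, "client": client, "qname": qname, **parts})
            domains[parts["domain"]].add(client)
    return hits, dict(domains)


if __name__ == "__main__":
    hits, domains = hunt(LOG_LINES)
    for hit in hits:
        print(hit["time"], hit["client"], hit["prefix"], hit["machine"], hit["domain"])
    print("domains:", sorted(domains))
```

The fingerprint does the real work here: a length check alone would also catch CDN and tracking names, whereas the fixed `nu6t` prefix plus the 3-character first label is specific to this family, and grouping by domain turns the individual hits into a list of infrastructure to block and a list of clients to investigate.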

Summary: Detecting exfiltration over DNS
- DNS lookups are a viable exfiltration mechanism → if you're hunting for DNS exfiltration, consider other options
- What system made the most DNS lookups last week? Why? Has this changed?
- Model your data to spot anomalies quickly → what are these unexpected values?