Presentation is loading. Please wait.

Presentation is loading. Please wait.

Threat Analtics Data Exfiltration by DNS lookup

Published byBertha Manning Modified over 6 years ago

Similar presentations

Presentation on theme: "Threat Analtics Data Exfiltration by DNS lookup"— Presentation transcript:

1 Threat Analtics Data Exfiltration by DNS lookup
TELE3119: Materials from Martin Lee of TALOS is gratefully acknowledged

2 Cyber Kill Chain Get Inside Find some data Exfiltrate it
Trusted Networks

3 Email attack: malware distributing ransomware
Getting Inside attack: malware distributing ransomware Trusted Networks

4 Exfiltrating Data ftp port 21 stolen data ssh port 22 http port 80
compromised system malicious.com Trusted Networks

5 Exfiltrating Data Block with FW rules or IP / domain block-list
ftp port 21 stolen data ssh port 22 http port 80 compromised system malicious.com Block with FW rules or  IP / domain block-list  Trusted Networks

6 Exfiltrating Data Hypothetically speaking …
Could we exfiltrate and evade:  IP blacklists  Firewall rules  Trusted Networks

7 DNS requests name server example.com local DNS server .com DNS server
what is the address for it is: “Dunno, I’ll ask someone else” “Dunno, but I know some who does” “I know the answer” Trusted Networks

8 Exfiltrating Data by DNS
name server malicious.com local DNS server reply: DNS lookup for top.secret.data.malicious.com “top.secret.data” compromised system Trusted Networks

9 Exfiltrating Data by DNS
DNS lookup problems:  Punctuation forbidden (limited to a-z & 0-9, no space or !) Case insensitive  Base64 Encoding ?? Base32 Encoding “top secret data”  ORXXAIDTMVRXEZLUEBSGC5DB  “Top Secret !!!!”  KRXXAICTMVRXEZLUEAQSCIJB  DNS requests logs  mail.domain2.com  server.xyz.domain3.com  ORXXAIDTMVRXEZLUEBSGC5DB.malicious.com  long random string! Trusted Networks

10 Let’s go hunting! Lets look for ‘long’ domain names.
OpenDNS DNS Lookup Data  Lets look for ‘long’ domain names.  Oh, great there are 100 million! difficult to analyze data  need a model?  Trusted Networks

11 Model data: distribution frequency
spike ??? the longer the length, the less frequent it becomes. closely follows an exponential decay curve. We know how to fit a curve to the data, how does exponential curve work. We construct a model for our expectation of a subdomain length. Subdomain length Trusted Networks

12 Identify Anomalies we only analyse particular length Subdomain length
Trusted Networks

13 Active Exfiltration Pattern ? Stealing credit card data !
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com Pattern ? begins with 3 characters (i.e. log, lll, ooo), followed by a dot, followed by a long random string with a fingerprint (i.e. starts with nut6), followed by a dot, followed by a really long string, … Stealing credit card data ! Trusted Networks

14 Point of Sale malware would sniff the memory of PoS device to collect card numbers, Expiry date, etc Trusted Networks

15 Active Exfiltration PoS malware domain
log.nu6timjqgq4dimbuhe.3ikfsb---redacted---cg3.7s3bnxqmavqy7sec.dojfgj.com lll.nu6toobygq3dsnjrgm.snksjg---redacted---dth.ejitjtk4g4lwvbos.amouc.com ooo.nu6tgnzvgm2tmmbzgq4a.rkgo---redacted---tw5.5z5i6fjnugmxfowy.beevish.com Base32 encoded machine identifier Base32 encoded & RSA 1024 encrypted card information previously unknown malware domains Trusted Networks

16 Summary Detecting exfiltration over DNS
DNS lookups are a viable exfiltration mechanism  If you’re hunting for DNS exfiltration consider other options What system made the most DNS lookups last week?  Why? Has this changed? Model your data to spot anomalies quickly  What are these unexpected values? Trusted Networks

Download ppt "Threat Analtics Data Exfiltration by DNS lookup"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
A look into Bullet Proof Hosting November 2014 - DefCamp 5 Silviu Sofronie – Head of Forensics

A look into Bullet Proof Hosting November DefCamp 5 Silviu Sofronie – Head of Forensics
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine.

Cyber Threats: Industry Trends and Actionable Advice Presented by: Elton Fontaine.
 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.
Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)

Security (Part 2) School of Business Eastern Illinois University © Abdou Illia, Spring 2007 (Week 13, Thursday 4/5/2007)
EECS 598-2 Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau (20086034) Lee Shirly (20095815) Ong Ivy (20095040)

Port Knocking Software Project Presentation Paper Study – Part 1 Group member: Liew Jiun Hau ( ) Lee Shirly ( ) Ong Ivy ( )
1 Title ECI: Anatomy of a Cyber Investigation Who Are the Actors.

1 Title ECI: Anatomy of a Cyber Investigation Who Are the Actors.
Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks.

Palo Alto Networks Modern Malware Cory Grant Regional Sales Manager Palo Alto Networks.
Enforcing Concurrent Logon Policies with UserLock.

Enforcing Concurrent Logon Policies with UserLock.
By : Himanshu Mishra Nimish Agarwal CPSC 624.  A system designed to prevent unauthorized access to or from a private network.  It must have at least.

By : Himanshu Mishra Nimish Agarwal CPSC 624.  A system designed to prevent unauthorized access to or from a private network.  It must have at least.
Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.

Intrusion Prevention System. Module Objectives By the end of this module, participants will be able to: Use the FortiGate Intrusion Prevention System.
Software Security Testing Vinay Srinivasan cell: +91 9823104620.

Software Security Testing Vinay Srinivasan cell:
Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.

Intrusion Detection Prepared by: Mohammed Hussein Supervised by: Dr. Lo’ai Tawalbeh NYIT- winter 2007.
Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.

Implementing a Port Knocking System in C Honors Thesis Defense by Matt Doyle.
Network problems Last week, we talked about 3 disadvantages of networks. What are they?

Network problems Last week, we talked about 3 disadvantages of networks. What are they?

Similar presentations

Ads by Google