Using Splunk to Detect DNS Tunneling
- Steve Jaworski
- Tuesday, December 13th, 7:15pm - 7:55pm
DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization's network and perform a lookup to a public site, if it resolves with the siteās IP address, that endpoint is susceptible to DNS Tunneling. It is not possible to block all DNS tunnels. Logging all DNS transactions is necessary to detect the occurrence of DNS Tunnels. Using Splunk can help ingest the large volume of log data and mine the information to determine what malicious actors may be using DNS tunneling techniques on target organizations networks.
Speaker Bio: Steve Jaworski has been involved in information security since 2006 when he obtained the GIAC GSEC certification. Steve has also lead multiple SANS Mentor courses. Since then he has held information security positions in higher education, federal government, and banking. He enjoys presenting on network and security topics. Currently, Steve works with his favorite tool Splunk. Steve is a candidate for the Master of Science in Information Security Engineering degree from the SANS Technology Institute.
Bonus Sessions
The following bonus sessions are open to all paid attendees at no additional cost. There are many different types of events that fall into these categories:
- SANS@Night: Evening presentations given after day courses have ended. This category includes Keynotes.
- Special Events: SANS-hosted events and other non-technical recreational offerings. This category includes, but is not limited to, Receptions and Information Tables.
- Vendor: Events hosted by external vendor exhibitors.
- Lunch & Learn: Short presentations given during the lunch break.
- Master's Degree Presentation: Presentations given by SANS Technology Institute's Master's Degree candidates.
Sunday, December 11
| Session | Speaker | Time | Type |
|---|---|---|---|
| Securing Your Kids | Lance Spitzner | Sunday, December 11th, 7:00pm - 8:00pm | SANS@Night |
Monday, December 12
| Session | Speaker | Time | Type |
|---|---|---|---|
| General Session - Welcome to SANS | Bryan Simon | Monday, December 12th, 8:00am - 8:30am | Special Events |
| What's New for Security in Microsoft Windows Server 2016 and Windows 10? | Jason Fossen | Monday, December 12th, 7:15pm - 9:15pm | Keynote |
Tuesday, December 13
| Session | Speaker | Time | Type |
|---|---|---|---|
| Manual Threat Intelligence Management - Doing it the Hard Way | Chris Black, Sr. Sales Engineer | Tuesday, December 13th, 12:30pm - 1:15pm | Lunch and Learn |
| Exploit Prevention: Stop ransomware, zero-day and modern attacks before they get in | Matt Hickey, Director, Sales Engineering | Tuesday, December 13th, 12:30pm - 1:15pm | Lunch and Learn |
| Modern Mobility Ushers in a New Age of Security | Sean Frazier, Chief Technical Evangelist | Tuesday, December 13th, 12:30pm - 1:15pm | Lunch and Learn |
| Adaptive Network Automation Framework in support of Cyber Defense | Richard Larkin, Sr. Network Engineer | Tuesday, December 13th, 12:30pm - 1:15pm | Lunch and Learn |
| Building the business case for IT Vendor Risk Management | French Caldwell, Chief Evangelist | Tuesday, December 13th, 12:30pm - 1:15pm | Lunch and Learn |
| GIAC Program Presentation | Scott Cassity | Tuesday, December 13th, 6:15pm - 7:15pm | SANS@Night |
| Women's CONNECT Event | Hosted by SANS COINS program and ISSA WIS SIG | Tuesday, December 13th, 6:15pm - 9:15pm | Special Events |
| Test your Cyber Security skills through Gaming with Project Ares | Circadence | Tuesday, December 13th, 6:30pm - 8:30pm | Vendor Event |
| Security Awareness: Understanding and Managing Your Top Seven Human Risks | Lance Spitzner | Tuesday, December 13th, 7:15pm - 8:15pm | SANS@Night |
| (CS)2AI Special Event: Control System Cyber Security Association International | Derek Harp and Mike Assante | Tuesday, December 13th, 7:15pm - 8:15pm | Special Events |
| Using Splunk to Detect DNS Tunneling | Steve Jaworski | Tuesday, December 13th, 7:15pm - 7:55pm | Master's Degree Presentation |
| Analysis of the Cyber Attack on the Ukrainian Power Grid | Robert M. Lee | Tuesday, December 13th, 8:15pm - 9:15pm | SANS@Night |
| Current and Future Trends in Digital Investigative Analysis | Ovie Carroll | Tuesday, December 13th, 8:15pm - 9:15pm | SANS@Night |
| Gh0st in the Dshell: Decoding Undocumented Protocols | David Martin | Tuesday, December 13th, 8:15pm - 8:55pm | Master's Degree Presentation |
Wednesday, December 14
| Session | Speaker | Time | Type |
|---|---|---|---|
| Vendor Solutions Expo | — | Wednesday, December 14th, 12:00pm - 1:30pm | Vendor Event |
| Vendor Solutions Expo | — | Wednesday, December 14th, 5:30pm - 7:30pm | Vendor Event |
| The iOS of Sauron - How iOS Tracks Everything You Do | Sarah Edwards | Wednesday, December 14th, 7:15pm - 8:15pm | SANS@Night |
| CISSP - How to Get the Certification that Matters the Most | David R. Miller | Wednesday, December 14th, 7:15pm - 8:15pm | SANS@Night |
| Collecting Windows Installed Software Details | Jonathan Risto | Wednesday, December 14th, 7:15pm - 7:55pm | Master's Degree Presentation |
| DLP FAIL!!! Using Encoding, Steganography, and Covert Channels to Evade DLP and Other Critical Controls | Kevin Fiscus | Wednesday, December 14th, 8:15pm - 9:15pm | SANS@Night |
| The Tap House | Philip Hagen | Wednesday, December 14th, 8:15pm - 9:15pm | SANS@Night |
| Using Vagrant to Create Repeatable and Sharable Research Environments | Shaun McCullough | Wednesday, December 14th, 8:15pm - 8:55pm | Master's Degree Presentation |
Thursday, December 15
| Session | Speaker | Time | Type |
|---|---|---|---|
| Moving Cybersecurity Forward: Introducing Apache Spot | Rocky DeStefano, SME | Thursday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Keep Calm and Prioritize: Five Requirements for Streamlining Vulnerability Remediation | Jimmy Graham, Director of Product Management | Thursday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| It'll Be Easy, They Said: Building a Dark Web Crawler | Alex Viana, VP of Engineering | Thursday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| How to Become a SANS Instructor | Eric Conrad | Thursday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Lets Plan an APT | Guy Franco, CTO Javelin Networks/Former Israeli Intelligence Unit | Thursday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| All About that Base64 no RATS | Allan Liska, Senior Solutions Architect | Thursday, December 15th, 12:30pm - 1:15pm | Lunch and Learn |
| Maintaining a Digital Evidence Program in an Ever-Changing Environment | Charles Mallery | Thursday, December 15th, 5:30pm - 6:30pm | Special Events |
| NetWars Tournament of Champions | Hosted by Jeff McJunkin | Thursday, December 15th, 6:30pm - 9:30pm | Special Events |
| Quality not Quantity: Continuous Monitoring's Deadliest Events | Eric Conrad | Thursday, December 15th, 7:15pm - 8:15pm | SANS@Night |
| Prioritizing Your Security Program | Keith Palmgren | Thursday, December 15th, 7:15pm - 8:15pm | SANS@Night |
| Portable NFAT Tools, Techniques, and System Build | Don Murdoch | Thursday, December 15th, 7:15pm - 7:55pm | Master's Degree Presentation |
| Open-Source Intelligence (OSINT) Tips for Malware Investigations | Lenny Zeltser | Thursday, December 15th, 8:15pm - 9:15pm | SANS@Night |
Friday, December 16
| Session | Speaker | Time | Type |
|---|---|---|---|
| Trustworthiness with Cyber-Physical Systems (CPS) | Paul Shaw & Chris Newborn | Friday, December 16th, 5:30pm - 6:30pm | Special Events |
| NetWars Tournament of Champions | Hosted by Jeff McJunkin | Friday, December 16th, 6:30pm - 9:30pm | Special Events |
