Detection and Forensics on DNS Tunneling

  • Wednesday, 16 Dec 2020 12:30PM EST (16 Dec 2020 17:30 UTC)
  • Speaker: Tim Helming

DNS tunneling is not a new technique, but for many blue teamers it is more a theoretical concept than part of the detections they regularly run and evaluate. And yet it is occurring substantially in the wild, as Ryuk activity shows. Stopping an attack at any stage is valuable, and while exfiltration or C2 occur later in the attack process than is ideal, it is still quite valuable to be able to detect and thwart them.

The good news is that there are some very practical detections you can build, and once those are in place, if you do detect tunneling, you can go beyond simply stopping an existing attack: you can 'defend ahead' by mapping the infrastructure the adversary is using as the tunnel server. In this Lunch and Learn, Tim Helming from DomainTools will share recent insights from DomainTools researcher Chad Anderson, including:

  • A quick overview of DNS tunneling techniques and tools
  • How it is being used in current and recent ransomware campaigns
  • How you can detect the activity
  • How to expose larger campaigns, including as-yet-dormant infrastructure that an adversary is preparing for future use

The ability to build predictive detections informed by activities that already touched your environment is well within the grasp of most shops, and it can help you stop attacks that might not be caught by observation-based threat intel feeds.