DNS tunneling is not a new technique, but for many blue teamers it remains more a theoretical concept than part of the detections they regularly run and evaluate. And yet it is occurring substantially in the wild, as Ryuk activity shows. Stopping an attack at any stage is valuable, and while exfiltration and C2 occur later in the attack process than is ideal, it is still quite valuable to be able to detect them, and to thwart them.
The good news is that there are some very practical detections you can build, and once they are in place, if you do detect tunneling, you can go beyond simply stopping an existing attack: you can 'defend ahead' by mapping the infrastructure the adversary is using as the tunnel server. In this Lunch and Learn, Tim Helming from DomainTools will share recent insights from DomainTools researcher Chad Anderson, including:
The ability to build predictive detections informed by activity that has already touched your environment is well within the grasp of most shops, and it can help you stop attacks that observation-based threat intel feeds might not catch.