The Nuts and Bolts of Detecting DNS Tunneling

Share and earn Cybytes
Facebook Twitter LinkedIn Email

This post originally appeared on Sqrrl’s blog.

DNS-based attacks have been commonly used since the early 2000’s, but over 40% of firms still fall prey to DNS tunneling attacks. Tunneling attacks originate from uncommon vectors, so traditional automated tools like SIEMs have difficulty detecting them, but they also must be found in massive sets of DNS data, so hunting for tunneling manually can be challenging as well. So, how can we use more advanced analytic techniques to isolate these adversary behaviors? In a different publication we covered Domain Generation Algorithms and what the best sources are for detecting them. In this piece, we’ll be covering how best to sniff out malicious DNS tunneling on your network.

As we discussed in last week’s webinar, attackers can use DNS queries to send data to an external server. This can be useful for both command and control or data exfiltration, since it bypasses common security measures such as firewalls and proxies. Here is where having a deep knowledge about domains that your firm commonly interacts with can be useful. Since an attacker has to use a compromised domain to exfiltrate data, you can use that knowledge to separate out suspicious domains from those that are popular and trusted. This helps to filter DNS data and make it more manageable. This data can then be collated into smaller channels, with the source IP, destination domain, and group of data being sent to the domain.

For each collated session, we want to ask which ones have instances of tunneling in them. This can be done a number of ways. First, you can count the number of queries that the channel is making. Exfiltration tunnels will generally produce an abnormally large amount of queries. DNS tunnels will also produce an unusually large number of unique subdomains. Be also on the lookout for the average subdomain length and the average information content of the subdomain.

Once you compute the features for each session, you want to classify them as either “malicious” or “normal” traffic. If we have particular examples of malware in mind, we could look for sessions that closely match the feature values we expect to get from the malware. However, we can also take a broader view that looks for any outliers from the “normal” data. This allows us to detect unknown malware and avoid overfitting to specific examples.

The vast majority of sessions should be normal traffic, so we can treat any significant outliers as potential malicious sessions. A number of tools can be used to do this classification and outlier detection, including scikit-learn and TensorFlow. We use a multivariate Bayesian approach that looks for outliers in multiple features. This approach takes into account the observed distribution of feature values, expected rate of attacks and observation time to find the most suspicious sessions.

You also want to orient your system to avoid false positives. Calling something a “false positive” can often be a tricky distinction, because even in some cases where tunneling is used, it may not necessarily be malicious. A common example of non-malicious tunneling would be a person attempting to use DNS tunneling to gain access to wifi that is beyond a paywall at an airport or motel. Additionally, internal DNS and popular services such as Slack, Spotify, anti-virus and anti-spam software can be mistaken for being malicious, since they both employ long strings of random-looking data in their queries. These issues can generally be resolved by whitelisting approved domains, or by using a hard cut alerting only when the number of unique subdomains per user per hour exceed the cut.

So, that’s the nuts and bolts of detecting DNS. If you want a more in depth exploration of how Sqrrl detects DNS related behaviors (including DGA detection), you can check out a recorded session of our webinar here. And check out our blog for more walkthroughs and tips!

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Sqrrl
Sqrrl is the Threat Hunting Company that enables organizations to target, hunt, and disrupt advanced cyber threats. Sqrrl’s industry-leading Threat Hunting Platform unites link analysis, User and Entity Behavior Analytics (UEBA), and multi-petabyte scalability capabilities into an integrated solution. Sqrrl’s unique approach enables security analysts to discover threats faster and reduces the time and resources required to investigate them.
Promoted Content
Huntpedia - Your Threat Hunting Knowledge Compendium
This eBook features over a dozen leading experts on Threat Hunting and Incident Response to share their own tactics, techniques, and procedures for finding evil. It is broken down into 13 chapters authored by all your favorite Threat Hunting people such as Richard Bejtlich, Rob Lee, Chris Sanders, David Bianco, Tim Crothers, Danny Akacki, Tyler Hudak, Scott Roberts, Jack Crook, Matthew Hosburgh, Samuel Alonso, Josh Liburdi, Sergio Caltagirone, and Ryan Nolette.Featuring: Richard Bejtlich, Rob Lee, Jack Crook, Chris Sanders, David Bianco, Scott Roberts and more.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?