Splunk User Group Mike Fasciano | Sr. Sales Engineer.

Presentation on theme: "Splunk User Group Mike Fasciano | Sr. Sales Engineer."— Presentation transcript:

1 Splunk User Group Mike Fasciano | Sr. Sales Engineer

2 Agenda
- What is DNS Exfiltration?
- How can you detect it?
- Q&A

3 What is DNS Exfiltration?

4 What's in a Domain Name and how does it work...
Example name: answers.splunk.com
- answers: Host or Host+Sub-Domain
- splunk: Second Level Domain or just Domain
- com: Top Level Domain
Diagram labels: Servers or Service; Your Laptop; Your DNS Server; Firewall; Destination DNS Server

5 DNS exfiltration
DNS Query: ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==.attack.com
Stolen data: domain=corp;user=dave;password=12345 --encode--> ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg==
Speaker notes: Explain DNS Exfiltration: basically encoding the data they want to steal into DNS requests. Malicious code is downloaded, a user executes it, and it starts doing its dirty work. In this case, it starts encoding domain/user/password data. DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that. How do we do this? Use some free tools, or write your own. In this case, we used free. I'll break it down into two steps: look for odd things, then see how they are behaving.

6 DNS exfil detection – tricks of the trade
- parse URLs & complicated TLDs (Top Level Domain)
- calculate Shannon Entropy
List of provided commands:
- ut_parse_simple(url)
- ut_parse(url, list) or ut_parse_extended(url, list)
- ut_shannon(word)
- ut_countset(word, set)
- ut_suites(word, sets)
- ut_meaning(word)
- ut_bayesian(word)
- ut_levenshtein(word1, word2)

7 Shannon Entropy
Layman's definition: a score reflecting the randomness or measure of uncertainty of a string.
Examples:
- The domain aaaaa.com has a Shannon Entropy score of 1.8 (very low)
- The domain google.com has a Shannon Entropy score of 2.6 (rather low)
- The domain A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111) uC.4.com has a Shannon Entropy score of 3 (rather high)

8 Detecting Data Exfiltration
TIPS
- Leverage our Bro DNS data (or any DNS source)
- Calculate Shannon Entropy scores
- Calculate subdomain length
- Display Details

    index=bro sourcetype=bro_dns
    | eval list="*"
    | `ut_parse(query, list)`
    | `ut_shannon(ut_subdomain)`
    | eval sublen = length(ut_subdomain)
    | table ut_domain ut_subdomain ut_shannon sublen

9 DNS Exfiltration tends to get lost in an ocean of DNS data, but we can fix that.

10 Detecting Data Exfiltration

    ...
    | stats count avg(ut_shannon) as avg_sha avg(sublen) as avg_sublen stdev(sublen) as stdev_sublen by ut_domain
    | search avg_sha>3 avg_sublen>20 stdev_sublen<2

TIPS
- Leverage our Bro DNS data
- Calculate Shannon Entropy scores
- Calculate subdomain length
- Display count, scores, lengths, deviations
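Added example, not part of the presentation: a Python re-implementation of the slide 8 and slide 10 pipeline (per-query Shannon entropy and subdomain length, then per-domain count / average / standard deviation and the avg_sha>3, avg_sublen>20, stdev_sublen<2 filter), so the thresholds can be exercised without Splunk. The `split_query` helper is a simplified stand-in for the `ut_parse` macro, `attack.com` is the slide's placeholder domain, and the sample query names are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of DNS query names (not real Bro/Zeek data): ordinary lookups
# plus a burst of long, high-entropy, equal-length labels under one domain, the
# shape base64-chunked exfiltration leaves behind. The first label is the slide's.
SAMPLE_QUERIES = [
    "answers.splunk.com",
    "www.google.com",
    "mail.google.com",
    "ZG9tYWluPWNvcnA7dXNlcj1kYXZlO3Bhc3N3b3JkPTEyMzQ1DQoNCg.attack.com",
    "aGVsbG8gd29ybGQgdGhpcyBpcyBleGZpbHRyYXRlZCBkYXRhIGZvci.attack.com",
    "dGhlIHF1aWNrIGJyb3duIGZveCBqdW1wcyBvdmVyIHRoZSBsYXp5IG.attack.com",
]

def shannon(word):
    """Shannon entropy in bits per character, the quantity ut_shannon reports."""
    n = len(word)
    return -sum(c / n * math.log2(c / n) for c in Counter(word).values()) if n else 0.0

def split_query(query):
    """Simplified ut_parse: last two labels form ut_domain, the rest ut_subdomain.
    Hypothetical stand-in; it does not handle multi-label TLDs such as co.uk."""
    labels = query.rstrip(".").split(".")
    if len(labels) <= 2:
        return query, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def score_domains(queries):
    """Per-domain count, avg entropy, avg and sample stdev of subdomain length,
    mirroring the slide's `stats ... by ut_domain`."""
    per_domain = defaultdict(list)
    for q in queries:
        domain, sub = split_query(q)
        per_domain[domain].append((shannon(sub), len(sub)))
    scores = {}
    for domain, rows in per_domain.items():
        n = len(rows)
        lens = [length for _, length in rows]
        avg_len = sum(lens) / n
        var = sum((length - avg_len) ** 2 for length in lens) / (n - 1) if n > 1 else 0.0
        scores[domain] = {"count": n, "avg_sha": sum(s for s, _ in rows) / n,
                          "avg_sublen": avg_len, "stdev_sublen": math.sqrt(var)}
    return scores

def suspicious(scores, min_sha=3.0, min_len=20, max_stdev=2.0):
    """The slide's filter: avg_sha>3 avg_sublen>20 stdev_sublen<2."""
    return sorted(d for d, s in scores.items()
                  if s["avg_sha"] > min_sha and s["avg_sublen"] > min_len
                  and s["stdev_sublen"] < max_stdev)
```

The low standard deviation test is what separates chunked exfiltration (fixed-size base64 labels) from ordinary long but irregular hostnames, so it is worth keeping even when the entropy threshold alone already looks convincing.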

11 Detecting Data Exfiltration
RESULTS
Exfiltrating data requires many DNS requests – look for high counts.
DNS exfiltration to mooo.com and chickenkiller.com
DNS exfil: 18k text file
- Infected host is -
- Connected to [$base64_encoded_subdomain].xklsl29das.chickenkiller.com
- Time frame is around AUG14
20mb+ Zip file
- Connected to [$base64_encoded_subdomain].xklsl29das.mooo.com
- Time frame is around AUG14

12 Thank You!

