DYNAMIC DNS: DATA EXFILTRATION



Similar documents
DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

SIEM is only as good as the data it consumes

RSA Security Analytics

IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE

Advanced Threats: The New World Order

Concierge SIEM Reporting Overview

Security Analytics for Smart Grid

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Covert Operations: Kill Chain Actions using Security Analytics

What s New in Security Analytics Be the Hunter.. Not the Hunted

A New Perspective on Protecting Critical Networks from Attack:

Practical Threat Intelligence. with Bromium LAVA

WHITEPAPER. How a DNS Firewall Helps in the Battle against Advanced Persistent Threat and Similar Malware

SPEAR PHISHING AN ENTRY POINT FOR APTS

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

ThreatSTOP Technology Overview

First Line of Defense

Effective Log Management

Solera Networks, A Blue Coat Company SOLERA NETWORKS BIG DATA SECURITY ANALYTICS

Comprehensive Advanced Threat Defense

Using SIEM for Real- Time Threat Detection

WHITE PAPER Cloud-Based, Automated Breach Detection. The Seculert Platform


Advanced Threat Protection with Dell SecureWorks Security Services

Detect & Investigate Threats. OVERVIEW

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

Unified Security, ATP and more

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

THE EVOLUTION OF SIEM

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

APPLICATION PROGRAMMING INTERFACE

Threat Advisory: Accellion File Transfer Appliance Vulnerability

Breach Found. Did It Hurt?

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

IBM QRadar Security Intelligence April 2013

Symantec Cyber Security Services: DeepSight Intelligence

WHITE PAPER: THREAT INTELLIGENCE RANKING

Centre for the Protection of National Infrastructure Effective Log Management

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Discover & Investigate Advanced Threats. OVERVIEW

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

SANS Top 20 Critical Controls for Effective Cyber Defense

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

The SIEM Evaluator s Guide

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

QRadar SIEM and Zscaler Nanolog Streaming Service

After the Attack. The Transformation of EMC Security Operations

Network that Know. Rasmus Andersen Lead Security Sales Specialist North & RESE

UNCLASSIFIED. General Enquiries. Incidents Incidents

integrating cutting-edge security technologies the case for SIEM & PAM

IBM Security X-Force Threat Intelligence

ADVANCED KILL CHAIN DISRUPTION. Enabling deception networks

CALNET 3 Category 7 Network Based Management Security. Table of Contents

AlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals

Why Device Fingerprinting Provides Better Network Security than IP Blocking. How to transform the economics of hacking in your favor

IBM Security IBM Corporation IBM Corporation

idata Improving Defences Against Targeted Attack

SPEAR PHISHING UNDERSTANDING THE THREAT

Evolution Of Cyber Threats & Defense Approaches

Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA

QRadar SIEM and FireEye MPS Integration

Hillstone Intelligent Next Generation Firewall

Combating a new generation of cybercriminal with in-depth security monitoring

Next Generation IPS and Reputation Services

Top 20 Critical Security Controls

Can We Become Resilient to Cyber Attacks?

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

Network/Internet Forensic and Intrusion Log Analysis

Zak Khan Director, Advanced Cyber Defence

CHAPTER 3 : INCIDENT RESPONSE FIVE KEY RECOMMENDATIONS GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

IBM Advanced Threat Protection Solution

Analyzing HTTP/HTTPS Traffic Logs

SECURITY ANALYTICS MOVES TO REAL-TIME PROTECTION

RSA Security Anatomy of an Attack Lessons learned

Performing Advanced Incident Response Interactive Exercise

ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst

Practical Steps To Securing Process Control Networks

The Next Generation Security Operations Center

How Attackers are Targeting Your Mobile Devices. Wade Williamson

Unstructured Threat Intelligence Processing using NLP

After the Attack: RSA's Security Operations Transformed

Advanced Persistent Threats

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

Extending security intelligence with big data solutions

How Lastline Has Better Breach Detection Capabilities. By David Strom December 2014

Introducing IBM s Advanced Threat Protection Platform

Fighting Advanced Threats

CHANGING THE SECURITY MONITORING STATUS QUO Solving SIEM problems with RSA Security Analytics

IBM SECURITY QRADAR INCIDENT FORENSICS

Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Transcription:

DYNAMIC DNS: DATA EXFILTRATION RSA Visibility Reconnaissance Weaponization Delivery Exploitation Installation C2 Action WHAT IS DATA EXFILTRATION? One of the most common goals of malicious actors is to steal data. Data exfiltration refers to the successful sending of information out of an environment to an environment controlled by an attacker. Data exfiltration takes many different forms and is an objective of many different types of specific attacks. WHAT IS DYNAMIC DNS? Dynamic DNS is fundamentally a method of automatically updating name servers in public DNS (Domain Name System) in near realtime. It is used to keep a specific domain name linked to a changing IP address when a static IP address is not available or not desired. Dynamic DNS domains are typically hosted by providers for that specific purpose, where the provider owns the top level domain (tld) and a subscriber can quickly (and usually freely) register sub-domains and point them to any IP address they choose. Examples of common dynamic DNS domains/providers include: no-ip.com dyndns.org changeip.com duiadns.net dynamicdns.org many others When a subscriber registers a subdomain, they are free to pick any name they want and map it to any IP address they want. For example, one could register myuniquedomainname.no-ip.org or asnl2349qpwdan.no-ip.org and have them both resolve to 5.6.7.8. A Typical Attack Scenario For nefarious purposes, dynamic DNS allows an attacker to change the actual host and IP address used as a drop zone, for malvertizing, or as a command and control point without having to modify the behavior of the malware used on the victim s endpoint. This provides a quick and convenient mechanism for attackers to evade detection using traditional IP/domain reputation services. While dynamic DNS can be used for many stages of an attack, this scenario focuses on its use as a drop zone for data exfiltration, uncovered by noticing an anomaly in a daily report.

(3) Attacker can quickly change hosting IP addresses and update dynamic DNS to ensure malware can still communicate (1) Attacker registers a dynamic DNS domain and points it to an IP address hosting a drop zone random123.no-ip.org 5.6.7.8 9.8.7.6 1.2.3.4 random123.no-ip.org random123.no-ip.org random123.no-ip.org DATA DATA DATA (2) Malware programmed to talk to random123.no-ip.org (4) Malware used to upload/download data regardless of change in IP address Figure 1 Attacker Use of Dynamic DNS Domain Detection and Response Detection of traffic or logs containing access to and from dynamic DNS domains can be done by traditional tools such as IDS/IPS, Firewalls, and SIEM, however depending on the nature of the attack none of those tools can provide full visibility into the associated network traffic, particularly in the case of data exfiltration. Delivery Exploit/Installation C2 Action Varies Varies Traffic to Dynamic DNS Domains Data Exfiltration AV/FW/IDS/IPS: Traditional SIEM: RSA Security Analytics: No visibility Partial Visibility/Signature Full Visibility

DYNAMIC DNS/DATA EXFILTRATION VISIBILITY WITH RSA SECURITY ANALYTICS FOR PACKETS AND LOGS RSA Security Analytics allows for the reporting of all network, log, net flow and endpoint data from a single interface. By leveraging a feed of known dynamic DNS top level domains, RSA Security Analytics can produce a rich report summarizing all activity that has been seen both on the wire (packets) or from various devices in the network such as proxies and firewalls (logs). In addition to just tagging traffic to and from dynamic DNS domains, RSA Security Analytics can add valuable business and asset context to help an analyst sift through the noise. In this case, the analyst can see the dynamic DNS traffic split by asset criticality and function:

Figure 2 Sample Dynamic DNS Report From this report, the analyst can prioritize and drill in to the most interesting data points to investigate further. In this particular report, the analyst focuses in on data uploads to dynamic DNS domains from critical servers (which should never happen in this environment): Figure 3 Dynamic DNS Session from a File Server Directly from the report, the analyst can drill down to gain insight into the specific sessions:

Figure 4 Drill from Dynamic DNS Report into Sessions from a File Server This looks suspicious enough on its own, but by drilling once more, the analyst can see the reconstructed network session, and in turn extract any files that had left the environment: Figure 5 HTTP Upload of Files to a Dynamic DNS Host from a Critical Server Going one step further, the analyst can download and extract the archive and see the actual company information that has left the environment. By understanding the business impact, proper steps can now be taken to handle the incident further:

Figure 6 Extract Files to See what has Left the Organization Figure 7 Extracted Schematic Diagram REFERENCES Dynamic DNS: http://en.wikipedia.org/wiki/dynamic_dns List of common dynamic DNS domains: http://mirror1.malwaredomains.com/files/dynamic_dns.txt C2 using Dynamic DNS: http://info.opendns.com/rs/opendns/images/opendns_securitywhitepaper-dnsroleinbotnets.pdf Cyber Kill Chain: http://www.lockheedmartin.ca/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information