DNS – A HOLE IN YOUR FIREWALL (HEAnet)
Post on 28-Jul-2020
DNS – A HOLE IN YOUR FIREWALLanthony.keane@itb.ie | stephen.sheridan@itb.ie
THE PROBLEM
SECURITY
CYBER SECURITY LANDSCAPE
[Figure: cyber security landscape. Vertical axis: technology reliance/complexity. Timeline: 1980s, 1990s (www), 2000s (social media), 2016+ (IoT). Stages shown: perimeter security; layered security; inclusion & exclusion security; assumed state of compromise.]
ATTACK CHAIN - ADVANCED PERSISTENT THREAT (APT)
Intel gathering → Point of entry / Compromise → Command & Control (C2) → Lateral movement → Asset/Data recovery → Data exfiltration
Covert communication (spanning the chain)
COVERT CHANNELS & NETWORK STEGANOGRAPHY
Wax tablets (5th century BC); micro dots (WWII); image steganography (changing least significant bits)
COVERT CHANNELS & NETWORK STEGANOGRAPHY
LL (1) + LN (3) + LL (1) + LN (3) + LL (1) + LN (2) + NL (1) = 12 bytes
Slack space of = 243 bytes Track 2 = 40 bytes
Track 1 = 79 bytes
WHY SHOULD WE BE CONCERNED?
• Focus on other protocols (HTTP, FTP) means less time looking at DNS traffic.
• DNS is ubiquitous. In order to do good or bad things on the internet you need DNS.
• 91.3% of malware uses DNS in attacks in some shape or form.
• 68% of orgs don’t monitor recursive DNS.
HOW DOES IT WORK?
[Diagram: compromised host (holding private data) → firewall → DNS → authoritative nameserver (evil server)]
Malware known to use DNS – MULTIGRAIN
Variant of point of sale (POS) malware known as NewPosThings. Highly targeted, digitally signed and exfiltrates payment data over DNS. Engineered to target a specific POS process, multi.exe. If multi.exe does not exist the malware will delete itself.
Hashed volume serial number + last five bytes of MAC, base32 encoded with computer name and version number:
install.<base32 encoded data>.evil.com
Track 2 payment info is scraped from memory and stored in a buffer. The malware checks the buffer every 5 mins, encrypts the data with 1024-bit RSA and base32 encodes it within a DNS query:
log.<base32 encoded track2 data>.evil.com
DNS query roughly every 5 mins.
Malware known to use DNS – JAKU BOTNET
Specific targets: NGOs, engineering companies, academic institutions, scientists and government employees. Victims are spread over the globe but primarily in S. Korea and Japan. Sophisticated and resilient, with different command and control approaches.
pWrpqMoqqipJiiwGBgaoxueIyMaG56g.eq = "+MICROSOFT_000C29DB249C", which is ’+’ followed by computer name and MAC address.
install.<base32 encoded data>.evil.com
Translates a returned CNAME of LS4.com to ‘go’ and looks for command parameters. For example, LS4.test.com would be ‘go’ with parameter test.
LS4.test.com
<base32 encoded data>.evil.com
DNS query roughly every 2 mins.
NEEDLE IN A HAYSTACK – WHAT TO LOOK FOR?
x--344--umnxifvfmxvzbzdzxvehf-3jwl7tchv-xgv3khzlqwnz-q5rizf2i.co.uk
ドメイン.テスト
VGhpcyBpcyBhIHNlY3JldCBtZXNzYWdlIGZvciB5b3U=.cvrtns.mooo.com
01110100 01101000 01101001 01101110 01101011 01100111 01100101 01100101 01101011.co.uk
3---sn-xpgjvh-q0ce.googlevideo.com.
ew5mz7jl6k.search.serialssolutions.com.
s-static.ak.facebook.com.
0xdabbad00.com.
p4-heybcnjawql6y-2lhkfkmkqfbb7eev-if-v6exp3-v4.metric.gstatic.com.
bstatic-a.akamaihd.net.
fbcdn-profile-a.akamaihd.net.
EXFILTRATION TESTING
• IODINE - http://code.kryo.se/iodine/
• OzymanDNS - https://dankaminsky.com/2004/07/29/51/
• DNSCat - https://wiki.skullsecurity.org/Dnscat
• CobaltStrike - https://www.cobaltstrike.com/
• Roll your own version in python, it’s not that hard.
• Use your Linux command line tools and some scripting (xxd, base64, dig)
TECHNIQUES FOR DETECTION
• STATISTICAL ANALYSIS: use of character frequency analysis along with n-gram and entropy analysis.
• TRAFFIC ANALYSIS: know your network. Create a baseline for anomaly detection.
• ARTIFICIAL INTELLIGENCE: machine learning techniques can be used to spot patterns in traffic and spot anomalies.
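The statistical-analysis point above (entropy and character-frequency analysis of query names) and the base32-labelled queries described on the Multigrain and Jaku slides can be tied together in a small scorer. The following is an added example written for this page, not code from the talk or its authors: it scores the names listed on the "needle in a haystack" slide plus two constructed samples (a binary-encoded label and a base32 label shaped like the Multigrain `log.` query). The thresholds `ENTROPY_THRESHOLD`, `LONG_LABEL` and `MIN_ENCODED` are assumptions chosen for illustration, not values the speakers gave.

```python
"""Lexical scoring of DNS query names: entropy, alphabet size and whether a
label decodes as base32/base64. Added example, not from the talk; the
thresholds are hypothetical starting points, not values the speakers gave."""
import base64
import binascii
import math
import re
from collections import Counter

ENTROPY_THRESHOLD = 3.5   # bits per character; hypothetical, tune to your baseline
LONG_LABEL = 30           # label length from which randomness starts to matter
MIN_ENCODED = 16          # shorter labels decode as base32/base64 by accident
BASE32_RE = re.compile(r"[a-z2-7]+", re.IGNORECASE)

# Names shown on the "needle in a haystack" slide, plus two constructed ones:
# a binary-encoded label and a base32 label shaped like the Multigrain query.
SLIDE_NAMES = [
    "x--344--umnxifvfmxvzbzdzxvehf-3jwl7tchv-xgv3khzlqwnz-q5rizf2i.co.uk",
    "ドメイン.テスト",
    "VGhpcyBpcyBhIHNlY3JldCBtZXNzYWdlIGZvciB5b3U=.cvrtns.mooo.com",
    "3---sn-xpgjvh-q0ce.googlevideo.com.",
    "ew5mz7jl6k.search.serialssolutions.com.",
    "s-static.ak.facebook.com.",
    "0xdabbad00.com.",
    "p4-heybcnjawql6y-2lhkfkmkqfbb7eev-if-v6exp3-v4.metric.gstatic.com.",
    "bstatic-a.akamaihd.net.",
    "fbcdn-profile-a.akamaihd.net.",
]
BINARY_SAMPLE = "".join(format(b, "08b") for b in b"example") + ".co.uk"  # constructed
B32_SAMPLE = ("log." + base64.b32encode(b"constructed track2 sample").decode().lower()
              + ".evil.com")                                              # constructed


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_base32(label: str) -> bool:
    """Base32 alphabet only, long enough, and actually decodes once padded."""
    if len(label) < MIN_ENCODED or not BASE32_RE.fullmatch(label):
        return False
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        base64.b32decode(padded)
        return True
    except (binascii.Error, ValueError):
        return False


def decodes_as_base64_text(label: str) -> bool:
    """Strict base64 that yields printable ASCII (a plaintext message)."""
    if len(label) < MIN_ENCODED or len(label) % 4:
        return False
    try:
        raw = base64.b64decode(label, validate=True)
    except (binascii.Error, ValueError):
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def score_name(name: str) -> dict:
    """Score the longest label left of the TLD of one query name."""
    try:
        ascii_name = name.encode("idna").decode("ascii")   # IDN -> xn-- form
    except UnicodeError:
        ascii_name = name                                   # over-long label etc.
    labels = ascii_name.rstrip(".").split(".")
    label = max(labels[:-1] or labels, key=len)
    ent = shannon_entropy(label)
    b32 = looks_like_base32(label)
    b64 = decodes_as_base64_text(label)
    long_label = len(label) >= LONG_LABEL
    low_alphabet = long_label and len(set(label.lower())) <= 2   # e.g. 0s and 1s
    suspicious = b32 or b64 or low_alphabet or (long_label and ent >= ENTROPY_THRESHOLD)
    return {"name": name, "label": label, "length": len(label),
            "entropy": round(ent, 2), "idn": label.startswith("xn--"),
            "base32": b32, "base64_text": b64, "suspicious": suspicious}


def flagged(names=None) -> list:
    """Names whose scored label trips at least one rule."""
    names = SLIDE_NAMES + [BINARY_SAMPLE, B32_SAMPLE] if names is None else names
    return [s["name"] for s in map(score_name, names) if s["suspicious"]]


if __name__ == "__main__":
    for s in map(score_name, SLIDE_NAMES + [BINARY_SAMPLE, B32_SAMPLE]):
        print(f'{"!" if s["suspicious"] else " "} {s["entropy"]:4.2f} {s["length"]:3d} {s["name"]}')
```

Run stand-alone it prints one line per name with a `!` where a rule fired. Note that the long `gstatic.com` name from the slide scores as suspicious too: legitimate CDN and telemetry names are often long and random-looking, which is exactly why the talk pairs lexical scoring with "know your network" (a per-zone baseline or allowlist) rather than relying on entropy alone.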
LOG DNS TRAFFIC
DNS TRAFFIC LOGGING APPROACHES
• TURN ON LOGGING: periodically turn on logging on DNS servers. May be costly, but worth it to create a baseline.
• SNIFF PACKETS: use tools like Wireshark to sniff packets off the wire without affecting the existing network architecture.
• PASSIVE DNS: implement a passive DNS server and contribute to a wider intelligence community.
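Once queries are being logged, the "know your network, create a baseline" point becomes concrete: the same (client, zone) pair querying a never-seen name every few minutes is the pattern the Multigrain (~5 min) and Jaku (~2 min) slides describe. The following is an added example written for this page, not code from the talk or its authors. The log lines are constructed and use a simplified four-field format loosely modelled on a DNS server query log (timestamp, client, name, type); the clients, names and every threshold (`MIN_QUERIES`, `UNIQUE_RATIO`, `PAYLOAD_BYTES`, `BEACON_CV`, `TXT_RATIO`) are assumptions for illustration.

```python
"""Baseline-style traffic analysis over DNS query-log lines.
Added example, not from the talk. The log format is a constructed,
simplified one and every threshold is a hypothetical starting point."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp, client, query name, query type. 10.0.0.7
# mimics the Multigrain pattern (a fresh base32-style label under one zone
# every ~5 minutes, via TXT); 10.0.0.5 is ordinary browsing. Not real traffic.
SAMPLE_LOG = """\
2020-07-28T10:00:00 10.0.0.5 www.example.org A
2020-07-28T10:00:03 10.0.0.5 s-static.ak.facebook.com A
2020-07-28T10:00:07 10.0.0.5 fbcdn-profile-a.akamaihd.net A
2020-07-28T10:00:10 10.0.0.7 log.nbswy3dpeb3w64tmmq.evil.com TXT
2020-07-28T10:05:10 10.0.0.7 log.mfrgg2ltmvqwc4dzor4a.evil.com TXT
2020-07-28T10:10:11 10.0.0.7 log.onqw2obsmvqxgzlsmzvq.evil.com TXT
2020-07-28T10:15:10 10.0.0.7 log.kjxgs4tbmvsgq2lbmjwgs.evil.com TXT
2020-07-28T10:20:10 10.0.0.7 log.ojqwy3dpebtw65rsmzsa.evil.com TXT
2020-07-28T10:02:30 10.0.0.5 www.example.org A
2020-07-28T10:04:01 10.0.0.5 mail.example.org A
2020-07-28T10:07:45 10.0.0.5 www.example.org A
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Hypothetical thresholds; derive real ones from your own baseline period.
MIN_QUERIES = 4       # ignore (client, zone) pairs with too little history
UNIQUE_RATIO = 0.9    # almost every query is a never-seen-before name
PAYLOAD_BYTES = 16    # mean bytes carried in the labels left of the zone
BEACON_CV = 0.05      # coefficient of variation of inter-query gaps
TXT_RATIO = 0.5       # share of TXT/NULL queries


def zone_of(name: str) -> str:
    """Registered zone, approximated as the last two labels (a public-suffix
    list would be used in production; 'co.uk'-style zones are mis-cut here)."""
    return ".".join(name.split(".")[-2:])


def profile(log_text: str) -> dict:
    """Per (client, zone): query count, unique-name ratio, mean label payload,
    TXT/NULL share and timing regularity of the queries."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines in an unexpected shape
        ts, client, name, qtype = m.groups()
        name = name.rstrip(".").lower()
        groups[(client, zone_of(name))].append(
            (datetime.fromisoformat(ts), name, qtype.upper()))
    stats = {}
    for (client, zone), recs in groups.items():
        recs.sort()                        # log lines need not arrive in order
        names = [n for _, n, _ in recs]
        payload = [max(len(n) - len(zone) - 1, 0) for n in names]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        stats[(client, zone)] = {
            "queries": len(recs),
            "unique_ratio": len(set(names)) / len(recs),
            "mean_payload": statistics.mean(payload),
            "txt_ratio": sum(q in ("TXT", "NULL") for _, _, q in recs) / len(recs),
            "gap_cv": cv,
        }
    return stats


def anomalies(stats: dict) -> dict:
    """Return {(client, zone): [reasons]} for pairs that break the baseline."""
    flagged = {}
    for key, s in stats.items():
        if s["queries"] < MIN_QUERIES:
            continue
        reasons = []
        if s["unique_ratio"] >= UNIQUE_RATIO and s["mean_payload"] >= PAYLOAD_BYTES:
            reasons.append("unique data-bearing names")
        if s["gap_cv"] is not None and s["gap_cv"] <= BEACON_CV:
            reasons.append("regular beacon interval")
        if s["txt_ratio"] >= TXT_RATIO:
            reasons.append("mostly TXT/NULL queries")
        if reasons:
            flagged[key] = reasons
    return flagged


if __name__ == "__main__":
    for key, reasons in anomalies(profile(SAMPLE_LOG)).items():
        print(key, "->", ", ".join(reasons))
```

The three signals are deliberately independent: unique-name ratio with a large label payload catches data riding in the query name, the low coefficient of variation of inter-query gaps catches the fixed check-in timer, and the TXT/NULL share catches the record types tunnelling tools favour for the downstream direction. In a real deployment the thresholds would be learned per zone from a logging period, and the zone cut would come from a public-suffix list rather than the last two labels.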
DNS INTELLIGENCE
IN SUMMARY
• DNS is ubiquitous; almost all internet traffic is dependent on it.
• DNS has characteristics that are very useful to malicious actors.
• Malware uses DNS for C2 and data exfiltration.
• Approaches can be taken to mitigate, but we have to log DNS traffic.
• Opportunity to contribute to the wider cyber security intelligence community by implementing passive DNS.
• Organisations such as DNS-OARC can facilitate sharing of intel.
• If you are interested in logging DNS, sharing DNS data or have questions, come and speak to us.
QUESTIONS?