Defending Against DNS Exfiltration

I recently attended the SANS' SEC530: Defensible Security Architecture and Engineering On-Demand course.  This course covers various aspects of security tactics and techniques to defend your network. "Think Red, Act Blue."

I wanted to learn more about how to defend a network from DNS exfiltration.  To make this exercise more interesting and perhaps beneficial to the security engineer who does not have the budget to get the latest "new-shiny" security solution from your local Value Added Retailer, I imposed some restrictions on myself.  One, the solution should be at low or minimal cost.  Open source software may be a good fit here.  Secondly, it should be simple and straight forward as possible to implement and analyze.

What is DNS exfiltration?  It is a tactic to transfer data from a "protected" system to another system that the adversary uses for a repository.  The technique used is to transfer the data inside DNS packets. Encapsulating the data inside of DNS packets is often called DNS Tunneling.  The reason DNS is used is probably the fact that it is often unlikely to be block, filtered, or monitored by most network administrators.

In my proposed solution,  I'll use Suricata (IDS) (https://suricata.io/) for the software which is open sourced.  It can be used as an IPS or IDS, but for this I'll use it in IDS mode. For the server, I'll use Fedora Server (https://getfedora.org/en/server/download/).  Technologies that will be implemented are the IDS, Suricata, and custom signatures.

I started with a base install of Fedora.

Then, I installed Suricata with: dnf install suricata

I discovered that I had to modify /etc/sysconfig/suricata to match the interface that my virtual machine was using for monitoring the network.  For this post, I used a packet capture for the easy of repeated testing and validating the rules that I was creating.

[root@fedora suricata]# cat /etc/sysconfig/suricata
# The following parameters are the most commonly needed to configure
# suricata. A full list can be seen by running /sbin/suricata --help
# -i <network interface device>
# --user <acct name>
# --group <group name>

# Add options to be passed to the daemon
OPTIONS="-i ens192 --user suricata "

Now let's create a custom rule for detecting DNS exfiltration.  Since this is my first time with creating a rule for Surciata from scratch, I needed to familiarize myself with the syntax and the rules of the rules.  I found that the documentation at Suricata (https://suricata.readthedocs.io/en/latest/quickstart.html) was good and a good place to start for anyone starting to learn about IDSs and creating rules for them.

What I have learned so far is that DNS exfiltration utilizes DNS queries to pass data or information in an encoded way.  It appears that one utility used for that, DNScat, encodes its control channel and its data channel using xxx and appear in the form of:

dnscat.adc1034207000000008c65a9a404820a11e6f14a093102e5206ab3805436.44fb3b2ac12f56797ddeb0995cc166e768c1205ba401480977109ac2ddb1.7431c8c4af93f14084417d9715


I noticed that the hostnames and sub-domains are unique in the sense of how they start and the length.  The length caught my eye in that all of the domains and sub-domains are not much beyond 8 or 16 characters long.  As I learn more, I'll adjust that opinion.  So, I create my first rule to look for a DNS query where the query begins with "dnscat" and has sub-domains with 16 characters or more.  Since these are custom or local rules, I created a new file for them and added the file to the Suricata configuration file at /etc/suricata/suricata.yaml.

##
## Configure Suricata to load Suricata-Update managed rules.
##

default-rule-path: /var/lib/suricata/rules

rule-files:
- suricata.rules
- custom.rules

[root@fedora suricata]# vi /var/lib/suricata/rules/custom.rules

alert dns any any -> any any (msg:"DNS DGA - possible DNS DGA detected - DNScat"; dns.query; content:"dnscat"; startswith; pcre:"/dnscat\.[a-z-A-Z0-9]{16,}\.[a-zA-Z0-9]{16,}/"; sid:1000001; rev:1;)


Now what if our adversary changes the being to be something different than "dnscat"? My next rule will look for hostnames that are 8 characters or more and sub-domains 16 characters or more:


alert dns any any -> any any (msg:"DNS DGA - possible DNS DGA detected - DNScat"; dns.query; pcre:"/^[a-zA-Z0-9]{8,}\.[a-z-A-Z0-9]{16,}\.[a-zA-Z0-9]{16,}/"; sid:1000002; rev:1;)


Cool. Let's look at what I have so far. I ran my packet capture through Suricata.

[root@fedora suricata]# /sbin/suricata -c /etc/suricata/suricata.yaml -r /root/dnscat.pcap

Now let's look at the results.


[root@fedora suricata]# cat /var/log/suricata/eve.json | jq 'select(.event_type=="alert")' | less

{
"timestamp": "2022-03-15T22:02:29.679222-0400",
"flow_id": 476751120915766,
"pcap_cnt": 1,
"event_type": "alert",
"src_ip": "5.30.5.1",
"src_port": 34336,
"dest_ip": "5.30.5.2",
"dest_port": 53,
"proto": "UDP",
"tx_id": 0,
"alert": {
"action": "allowed",
"gid": 1,
"signature_id": 1000001,
"rev": 1,
"signature": "DNS DGA - possible DNS DGA detected - DNScat",
"category": "",
"severity": 3
},
"dns": {
"query": [
{
"type": "query",
"id": 58118,
"rrname": "dnscat.adc1034207000000008c65a9a404820a11e6f14a093102e5206ab3805436.44fb3b2ac12f56797ddeb0995cc166e768c1205ba401480977109ac2ddb1.7431c8c4af93f14084417d9715",
"rrtype": "TXT",
"tx_id": 0
}
]
},
"app_proto": "dns",
"flow": {
"pkts_toserver": 1,
"pkts_toclient": 0,
"bytes_toserver": 215,
"bytes_toclient": 0,
"start": "2022-03-15T22:02:29.679222-0400"
}
}


I now have an alert in Suricata's logs with all the detail of who, what, where (source and destination), and when.




Just for fun, I'll create another example. This time I created one for another DNS exfiltration tool called dns2tcp. From what I have learned so far is that dns2tcp creates query in the form of:



adc1034207000000008c65a9a404820a11e6f14a093102e5206ab3805436.44fb3b2ac12f56797ddeb0995cc166e768c1205ba401480977109ac2ddb1.=auth.tunnel.domain.tld

adc1034207000000008c65a9a404820a11e6f14a093102e5206ab3805436.44fb3b2ac12f56797ddeb0995cc166e768c1205ba401480977109ac2ddb1.=connect.tunnel.domain.tld


I noticed that the queries contain "=auth" or "=connect". So I created additional rules based on the information and came up with:


alert dns any any -> any any (msg:"DNS DGA - possible DNS DGA detected - DNS2TCP"; dns.query; content:".=auth."; sid:1000003; rev:1;)

alert dns any any -> any any (msg:"DNS DGA - possible DNS DGA detected - DNS2TCP"; dns.query; content:".=connect."; sid:1000004; rev:1;)

Well that was a learning experience. Rather than taking packet captures and processing them later, I would place the Fedora Server with Suricata with one of its interface on a SPAN or mirror port on a switch. This post was more about learning the individual pieces required for a bigger solution. This solution needs a web interface, maybe the ELK Stack (Kibana, Beats, and Logstach), but that is another discussion that is beyond the scope of this post.

This solution is good for a lab and learning the technologies for professional development and possible professional certifications.

This post is not meant for the intermediate for expert threat hunter. I hope that this will inspire the beginner who wants to learn more about IDSs and rules creation.

All in all, I discovered that I have a lot more to learn about Tactics, Techniques, and Procedures (TTPs) to help defend the network, a never ending process.

Cisco Live 2018 - Part 1

It is that time of year again.  One of the biggest technical conference in the U.S.  This year Cisco Live is going to be held at Orlando in the sunny state of Florida.

This year's guest keynote speakers, yes, plural, two guest keynote speakers will be Dr. Michio Kaku, Theoretical physicist and futurist and Amy Webb, Futurist, author and founder of the Future Today Institute.

The Customer Appreciation Event will be at Universal Studios Florida.

http://www.ciscolive.com/us/

Stay tune for more...

Cisco Live 2017

So, it is that time of year again, Cisco Live US (CLUS) 2017 in Las Vegas.

Per usual, it should be an awesome experience.

Those that attend regularly know that it is a fantastic opportunity to gain new knowledge and network with other people of both similar and dissimilar interests at various experiences.

Elle King and Maroon 5 did a fantastic show at the T-Mobile Arena for The Cisco Appreciation Event(CAE) last year.

The guest keynote was given by Kevin Spacey.  His speech focused on how technology transformed how people create and consume media/entertainment.  My take away from it was how he theorized how the merging virtual reality technology will transform the access to and learning experience.

And now for the big news, This year's CAE will be ...

Bruno Mars will be the headlining at the T-Mobile Arena.

I hope to see my fellow attendees again in Las Vegas. (Remember to stay hydrated and walking shoes!)

http://www.ciscolive.com/us/

Cisco Live 2016

So, it has been almost a year since Cisco Live US (CLUS) 2015 in San Diego, CA.

It was an awesome experience, especially since it was my first time attending a great event.

Those that attend regularly know that it is a fantastic opportunity to gain new knowledge, network with other people of both similar and dissimilar interests at various experiences.

The Cisco Appreciation Event(CAE) for CLUS 2015 was Aerosmith.  I'm not a huge fan, unlike my better half, but I do appreciate their talent and being able to put on such a great show for us.  It goes without saying but I will, my wife loved the concert.

This year doesn't seem to disappoint.  The guest keynote will be given by Kevin Spacey.  I real liked his performances on the movies The Usual Suspects and The Negotiator and as Francis "Frank" Underwood on the Nextflix series "House of Cards."

And now for the big news, This year's CAE will be ...

Elle King as the opening performer with Maroon 5 as the headliner at the T-Mobile Arena.

I will see my fellow attendees in Las Vegas.

http://www.ciscolive.com/us/

Cisco Live 2015 - First Time

This year's Cisco Live 2015 was held in San Diego.  It was my first time going to this great event.  I had been wanting to go for the last several years.  This year the opportunity presented itself.  So, here are my thoughts and experiences.

Through my experience, I came up with a number of what I would call "pro-tips."  Firstly, I would highly recommend getting yourself a pair of very good walking shoes.  I'm glad that my better half talked me into getting walking shoes as I found myself walking from the get go.  There was the walking in the airport from the check-in counter to the gate to the baggage claim both on the flight to Cisco Live and the return flight. Not to mention the walking in the convention center, the walking to get food and the walking to catch the shuttle from the hotel to the convention center.

Secondly, keep hydrated.  Though one might not notice that they are using up their water supply keeping cool, drinking an adequate supply of water is very important when you are in a climate or altitude that you have not been acclimatized to.

Thirdly, carry some snacks.  I found myself getting very hungry in between meal times.  Sometimes, it would take an hour or two past a normal meal time to finish whatever is going on before getting to a provided meal or going to a local restaurant.

Fourthly, if possible, get your conference badge on the day before the events kick into full swing.  The lines are small and the process is quick.  And finally, travel lightly.  Carry a small tablet or pad device.  The Cisco Live app for your favorite portable device is handy for keeping tabs on what is going on and for scheduling.

Next, I took the Cisco CCDA exam on site just to see what the experience is like and to do a recon mission on the exam per the excellent advice from @amyengineer and @netmanchris.  I like the idea of not counting the first attempt at an exam.  I had already obtained my certification in CCNP R/S a few years ago and figured I can work on getting my certification in CCDP as I’m setting my sights on CCIE R/S.  I found that it is important to get your studying done and be mentally prepare before your test at Cisco Live.  Along with the few opportunities to take your chosen exam, there will be sessions to attend, events and meet-ups during the evening after which you may find yourself a bit exhausted.  I would have to say that during the convention the Cisco/PearsonVue team made the process of getting checked-in quick and simple.  The fact that they placed the testing room in a quite and secluded of the convention center was very appreciated.

Final thoughts, I found that there was too much to try to take in during the short four days.  I will try to make this a yearly event for myself or at least a nearly annual event.