1
00:00:06,800 --> 00:00:07,940
- [Instructor] There are many different

2
00:00:07,940 --> 00:00:11,020
attack methods for data exfiltration.

3
00:00:11,020 --> 00:00:12,760
Now, one of the most popular

4
00:00:12,760 --> 00:00:15,490
is to use DNS tunneling.

5
00:00:15,490 --> 00:00:17,230
We're also seeing, you know,

6
00:00:17,230 --> 00:00:18,310
other types of tunneling

7
00:00:18,310 --> 00:00:20,160
or other types of encapsulation,

8
00:00:20,160 --> 00:00:24,290
things like even ICMP, NTP

9
00:00:24,290 --> 00:00:27,040
actually being used to carry

10
00:00:27,040 --> 00:00:28,530
sensitive information outside

11
00:00:28,530 --> 00:00:30,730
of the corporate networks.

12
00:00:30,730 --> 00:00:32,960
But DNS tunneling has been one

13
00:00:32,960 --> 00:00:36,760
of the most commonly used nowadays.

14
00:00:36,760 --> 00:00:38,070
We're seeing this used more

15
00:00:38,070 --> 00:00:41,100
and more for malware-based data exfiltration

16
00:00:41,100 --> 00:00:42,700
out of enterprise networks.

17
00:00:42,700 --> 00:00:44,140
Here I'm actually including

18
00:00:44,140 --> 00:00:47,240
a Cisco Talos blog post on the link

19
00:00:47,240 --> 00:00:49,610
which actually has a great example

20
00:00:49,610 --> 00:00:51,110
of data exfiltration.

21
00:00:51,110 --> 00:00:54,380
And also how to detect some of these data,

22
00:00:54,380 --> 00:00:56,713
DNS data exfiltration techniques.

23
00:00:57,550 --> 00:01:00,450
Now attackers can encapsulate chunks of data

24
00:01:00,450 --> 00:01:02,550
into DNS packets to actually steal

25
00:01:02,550 --> 00:01:04,730
sensitive information such as

26
00:01:04,730 --> 00:01:06,830
personally identifiable information,

27
00:01:06,830 --> 00:01:09,192
credit card numbers, and a lot more, right?

28
00:01:09,192 --> 00:01:10,620
So the sky is the limit.

29
00:01:10,620 --> 00:01:14,240
Now, once you actually take those packets

30
00:01:14,240 --> 00:01:16,010
or that, that information

31
00:01:16,010 --> 00:01:17,490
and divide it into chunks,

32
00:01:17,490 --> 00:01:19,210
you can put them in the payload

33
00:01:19,210 --> 00:01:20,728
of those DNS packets

34
00:01:20,728 --> 00:01:24,450
or, like I mentioned before, NTP or ICMP.

35
00:01:24,450 --> 00:01:27,090
Any other type of packet that is expected

36
00:01:27,090 --> 00:01:31,230
to actually be allowed to leave the organization.

37
00:01:31,230 --> 00:01:32,550
Now, there are a few examples

38
00:01:32,550 --> 00:01:35,420
of DNS tunneling tools used by attackers

39
00:01:35,420 --> 00:01:37,260
that I'm actually including a few here.

40
00:01:37,260 --> 00:01:42,260
You know, things like DNS2TCP, DNScat, Iodine,

41
00:01:42,620 --> 00:01:44,071
which has a couple of versions,

42
00:01:44,071 --> 00:01:48,710
OzymanDNS, SplitBrain, TCP-Over-DNS,

43
00:01:48,710 --> 00:01:50,040
as well as YourFreedom.

44
00:01:50,040 --> 00:01:51,860
Again, these are for your reference;

45
00:01:51,860 --> 00:01:53,650
there are many, many other tools

46
00:01:53,650 --> 00:01:55,980
and DNS tunneling techniques.

47
00:01:55,980 --> 00:01:57,770
I'm actually including here another really

48
00:01:57,770 --> 00:02:00,750
good reference from SANS that includes

49
00:02:00,750 --> 00:02:03,250
additional types of tools

50
00:02:03,250 --> 00:02:04,980
and DNS exfiltration attacks.

51
00:02:04,980 --> 00:02:06,580
So, whenever you're preparing

52
00:02:06,580 --> 00:02:08,230
for the exam, I will invite you

53
00:02:08,230 --> 00:02:09,870
to actually go through these links

54
00:02:09,870 --> 00:02:10,906
and at least become familiar

55
00:02:10,906 --> 00:02:12,684
with these types of techniques

56
00:02:12,684 --> 00:02:16,690
and types of methods of actually detecting

57
00:02:16,690 --> 00:02:18,400
this type of tunneling.

58
00:02:18,400 --> 00:02:20,710
DNS tunneling may be detected by analyzing

59
00:02:20,710 --> 00:02:24,636
the DNS packet payload or by traffic analysis,

60
00:02:24,636 --> 00:02:28,860
like by count and also the frequency

61
00:02:28,860 --> 00:02:31,443
of the DNS requests in the network.
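
The instructor's closing point, that DNS tunneling can be detected either from the query payload or from the count and frequency of requests, is illustrated by the following added example. It is not part of the transcript, the course, or any of the tools named above. It assumes a simple DNS query log in the form "timestamp client qname qtype" (the sample lines, the hostnames and the hex-looking labels are all constructed for this example) and groups queries by registered domain, which it approximates as the last two labels; production code would use the public suffix list instead. It then scores each domain on payload features (mean subdomain length, character entropy, share of TXT/NULL queries) and traffic features (query count and queries per second), and flags domains that exceed the thresholds.

```python
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: "<unix ts> <client> <qname> <qtype>". The long hex-style
# labels under example.net stand in for encoded data chunks; they are made up.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000001 10.0.0.7 4a6f686e20446f652031323334353637.tunnel.example.net TXT
1700000001 10.0.0.7 353535352d313233342d353637382d39.tunnel.example.net TXT
1700000002 10.0.0.7 63617264686f6c6465722e2e2e2e2e2e.tunnel.example.net TXT
1700000002 10.0.0.7 2c20313233342d353637382d39303132.tunnel.example.net TXT
1700000003 10.0.0.7 9f1c2b3a4d5e6f708192a3b4c5d6e7f8.tunnel.example.net TXT
1700000003 10.0.0.7 0123456789abcdef0123456789abcdef.tunnel.example.net TXT
1700000004 10.0.0.5 cdn.example.com A
1700000005 10.0.0.9 updates.example.org A
"""

LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (registered_domain, subdomain). Assumption: the registered domain is
    the last two labels; real deployments should consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> List[dict]:
    """Parse log lines into records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        domain, sub = split_name(qname)
        records.append({"ts": int(ts), "client": client, "domain": domain,
                        "sub": sub, "qtype": qtype.upper()})
    return records


def profile_domains(records: List[dict]) -> Dict[str, dict]:
    """Per-domain payload and traffic statistics."""
    by_domain: Dict[str, List[dict]] = defaultdict(list)
    for r in records:
        by_domain[r["domain"]].append(r)
    prof = {}
    for domain, rs in by_domain.items():
        subs = [r["sub"] for r in rs]
        first, last = min(r["ts"] for r in rs), max(r["ts"] for r in rs)
        prof[domain] = {
            "count": len(rs),
            "unique_subdomains": len(set(subs)),
            # queries per second over the observed window (traffic analysis)
            "rate_per_sec": len(rs) / (last - first + 1),
            # payload analysis: label length and character entropy of the subdomain
            "mean_sub_len": sum(len(s) for s in subs) / len(rs),
            "mean_entropy": sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(rs),
            "txt_null_fraction": sum(r["qtype"] in ("TXT", "NULL") for r in rs) / len(rs),
        }
    return prof


def flag_tunneling(prof: Dict[str, dict], min_queries: int = 5, max_sub_len: float = 30.0,
                   max_entropy: float = 3.5, max_rate: float = 1.0,
                   max_txt: float = 0.5) -> Dict[str, List[str]]:
    """Return {domain: [reasons]} for domains whose profile crosses the thresholds.
    Thresholds are illustrative; tune them against a baseline of your own traffic."""
    flagged = {}
    for domain, p in prof.items():
        if p["count"] < min_queries:
            continue  # too few observations to judge
        reasons = []
        if p["mean_sub_len"] >= max_sub_len:
            reasons.append("long_labels")
        if p["mean_entropy"] >= max_entropy:
            reasons.append("high_entropy")
        if p["rate_per_sec"] >= max_rate:
            reasons.append("high_rate")
        if p["txt_null_fraction"] >= max_txt:
            reasons.append("txt_null_heavy")
        if reasons:
            flagged[domain] = reasons
    return flagged


def analyze(text: str) -> Dict[str, List[str]]:
    return flag_tunneling(profile_domains(parse_log(text)))


if __name__ == "__main__":
    for domain, reasons in analyze(SAMPLE_LOG).items():
        print(f"{domain}: {', '.join(reasons)}")
```

On the sample, example.com and example.org stay quiet (too few queries, short ordinary labels), while example.net is flagged for long labels, a high query rate and an all-TXT query mix. In practice the thresholds should come from a baseline of the organization's normal DNS traffic, and the registered-domain split should use the public suffix list so that names under suffixes such as .co.uk are grouped correctly.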