TY - GEN
T1 - Detection of DNS based covert channels
AU - Sheridan, Stephen
AU - Keane, Anthony
PY - 2015
Y1 - 2015
N2 - Information theft or data exfiltration, whether personal or corporate, is now a lucrative mainstay of cybercrime activity. Recent security reports have suggested that while information such as credit card data is still a prime target, other data such as corporate secrets, employee files and intellectual property are increasingly sought after on the black market. Malicious actors that are intent on exfiltrating valuable data usually employ some form of Advanced Persistent Threat (APT) in order to exfiltrate large amounts of data over a long period of time with a high degree of covertness. Botnets are prime examples of APTs that are usually established on targeted systems through malware or exploit kits that leverage system vulnerabilities. Once established, Botnets rely on covert command and control (C&C) communications with a central server, which allows a malicious actor to keep track of compromised systems and to send out instructions for compromised systems to do their bidding. Covert channels provide an ideal mechanism for data exfiltration and the exchange of command and control messages that are essential to a Botnet's effectiveness. Our work focuses on one particular form of covert channel that enables communication of hidden messages over normal Domain Name Server (DNS) network traffic. Covert channels based on DNS traffic are of particular interest, as DNS requests are an essential part of most Internet traffic and as a result are rarely filtered or blocked by firewalls. As part of our work we have created a test bed system that uses a covert DNS channel to exfiltrate data from a compromised host. Using this system we have carried out network traffic analysis that uses baseline comparisons as a means to fingerprint covert DNS activity.
Even though detection of covert DNS activity is relatively straightforward, there is anecdotal evidence to suggest that most organizations do not filter or pay enough attention to DNS traffic and are therefore susceptible to data exfiltration attacks once a host on their network has been compromised. Our work shows that freely available covert DNS tools have particular traffic signatures that can be detected in order to mitigate data exfiltration and C&C traffic.
KW - Advanced Persistent Threat (APT)
KW - Botnet
KW - Command & control (C&C)
KW - Covert channels
KW - DNS
KW - Data exfiltration
UR - https://www.scopus.com/pages/publications/84940740219
M3 - Conference contribution
AN - SCOPUS:84940740219
T3 - European Conference on Information Warfare and Security, ECCWS
SP - 267
EP - 275
BT - 14th European Conference on Cyber Warfare and Security, ECCWS 2015
A2 - Abouzakhar, Nasser
PB - Curran Associates Inc.
T2 - 14th European Conference on Cyber Warfare and Security, ECCWS 2015
Y2 - 2 July 2015 through 3 July 2015
ER -