Detecting DNS Data Exfiltration

The recent discovery of Wekby and Point of Sale malware using DNS
requests as a command and control channel highlights the need to
consider DNS as a potentially malicious channel. Although a skilled
analyst may be able to quickly spot unusual activity because they are
familiar with their organisation’s normal DNS activity, manually
reviewing DNS logs is typically time consuming and tedious. In an
environment where it might be unclear what malicious DNS traffic looks
like, how can we identify malicious DNS requests?
We are familiar with common DNS requests such as requesting the IP
address of ‘’, but what kind of request would be so unusual
as to require investigation? Malware could encode stolen data as the
subdomain part of a DNS lookup for a domain where the nameserver is
under control of an attacker. A DNS lookup for
‘’ would be forwarded to the
nameserver of, which would record
‘long-string-of-exfiltrated-data’ and reply back to the malware with a
coded response.
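The pattern just described (many lookups to one zone, each carrying a long, random-looking label that never repeats) is something a defender can score from ordinary DNS query logs. The following Python script is an added illustration, not code from the Talos post or from Cisco; it assumes a constructed log format of "client qname" per line, treats the last two labels of a name as the zone (a simplification that a real deployment would replace with the Public Suffix List), and uses hand-picked thresholds for label length, Shannon entropy and the number of distinct odd subdomains per zone.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not from the Talos post). Format: "client qname".
# Traffic to example.com and cdn-example.net is ordinary. The six lookups under
# exfil-ns.example each carry a long hex label that never repeats, which is the
# shape the article describes. Each hex digit appears exactly twice in every such
# label, so their entropy is exactly 4 bits per character.
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.6 www.example.com
10.0.0.6 img1.cdn-example.net
10.0.0.6 img2.cdn-example.net
10.0.0.6 img3.cdn-example.net
10.0.0.7 a1b2c3d4e5f60718293a4b5c6d7e8f90.exfil-ns.example
10.0.0.7 f0e1d2c3b4a5968778695a4b3c2d1e0f.exfil-ns.example
10.0.0.7 9f8e7d6c5b4a30211203a4b5c6d7e8f9.exfil-ns.example
10.0.0.7 3c7a1e5b9f2d60844806d2f9b5e1a7c3.exfil-ns.example
10.0.0.7 7e2b9c4f0a6d31855813d6a0f4c9b2e7.exfil-ns.example
10.0.0.7 b6f1a9e3c0d7284554827d0c3e9a1f6b.exfil-ns.example
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str) -> tuple[str, str]:
    """Split a query name into (subdomain, zone).

    Assumption: the zone is the last two labels. Production code should use
    the Public Suffix List so that names under e.g. 'co.uk' split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str) -> list[tuple[str, str]]:
    """Return (client, qname) pairs, skipping blank or malformed lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            pairs.append((parts[0], parts[1]))
    return pairs


def find_suspicious_zones(log_text, min_label_len=20, min_entropy=3.5, min_unique=5):
    """Flag zones that receive many distinct, long, high-entropy subdomain lookups.

    Returns {zone: stats} for every zone that exceeds the thresholds.
    """
    per_zone = defaultdict(lambda: {"queries": 0, "subdomains": set(), "odd": set()})
    for _client, qname in parse_log(log_text):
        sub, zone = split_qname(qname)
        stats = per_zone[zone]
        stats["queries"] += 1
        stats["subdomains"].add(sub)
        # Score the longest label: encoded data usually sits in a single label
        # because each DNS label is capped at 63 characters.
        longest = max(sub.split("."), key=len) if sub else ""
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            stats["odd"].add(sub)
    flagged = {}
    for zone, stats in per_zone.items():
        if len(stats["odd"]) >= min_unique:
            flagged[zone] = {
                "queries": stats["queries"],
                "unique_subdomains": len(stats["subdomains"]),
                "odd_subdomains": len(stats["odd"]),
            }
    return flagged


if __name__ == "__main__":
    for zone, stats in find_suspicious_zones(SAMPLE_LOG).items():
        print(f"{zone}: {stats}")
```

Counting distinct odd subdomains per zone, rather than scoring each query on its own, is what keeps ordinary CDN shard names or content-hash hostnames from tripping the rule: a single long label seen once or a few short numbered hosts never reach the threshold, while a channel that must encode new data in every lookup cannot avoid it. The thresholds are starting points to tune against a baseline of the organisation's own DNS traffic.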

  • Thursday, 14 Jul 2016
  • Author: Martin Lee, Jaeson Schultz and Warren Mercer, Talos (Cisco Blog)
