What is Data Exfiltration?
One of the most common goals of malicious actors is to steal data. Data exfiltration refers to the successful sending of information out of an environment to an environment controlled by an attacker. Data exfiltration takes many different forms and is an objective of many different types of specific attacks.
What is Dynamic DNS?
Dynamic DNS is fundamentally a method of automatically updating name servers in public DNS (Domain Name System) in near real-time. It is used to keep a specific domain name linked to a changing IP address when a static IP address is not available or not desired. Dynamic DNS domains are typically hosted by providers for that specific purpose, where the provider owns the top level domain (tld) and a subscriber can quickly (and usually freely) register sub-domains and point them to any IP address they choose. Examples of common dynamic DNS domains / providers include:
When a subscriber registers a subdomain, they are free to pick any name they want and map it to any IP address they want. For example, one could register myuniquedomainname.no-ip.org or asnl2349qpwdan.no-ip.org and have them both resolve to 220.127.116.11.
A Typical Attack Scenario
For nefarious purposes, dynamic DNS allows an attacker to change the actual host and IP address used as a drop zone, for “malvertizing,” or as a command and control point without having to modify the behavior of the malware used on the victim’s endpoint. This provides a quick and convenient mechanism for attackers to evade detection using traditional IP/domain reputation services. While dynamic DNS can be used for many stages of an attack, this scenario focuses on its use as a drop zone for data exfiltration, uncovered by noticing an anomaly in a daily report.
Detection and Response
RSA NetWitness allows for the reporting of all network, log, net flow and endpoint data from a single interface. By leveraging a feed of known dynamic DNS top level domains, RSA NetWitness can produce a rich report summarizing all activity that has been seen both on the wire (packets) or from various devices in the network such as proxies and firewalls (logs). In addition to just tagging traffic to and from dynamic DNS domains, RSA NetWitness can add valuable business and asset context to help an analyst sift through the noise. In this case, the analyst can see the dynamic DNS traffic split by asset criticality and function:
From this report, the analyst can prioritize and drill in to the most interesting data points to investigate further. In this particular report, the analyst focuses in on data uploads to dynamic DNS domains from critical servers (which should never happen in this environment):
Directly from the report, the analyst can drill down to gain insight into the specific sessions:
This looks suspicious enough on its own, but by drilling once more, the analyst can see the reconstructed network session, and in turn extract any files that had left the environment:
Going one step further, the analyst can download and extract the archive and see the actual company information that has left the environment. By understanding the business impact, proper steps can now be taken to handle the incident further: