DNS tunneling is the technique of creating a covert communications channel between a host inside a compromised network and an attacker-controlled server outside it. Attackers can use this channel for command and control, data exfiltration, or tunneling of arbitrary IP traffic over DNS queries and responses. Because DNS is not intended for data transfer, and because outbound DNS is almost always permitted, security teams can easily overlook it as a vector for malicious communications or for data exfiltration.
Threatcare offers cybersecurity risk mitigation through proactive cyber defense, enabling companies to know whether their systems are at risk. DNS tunneling is one of the many threats we assess, providing visibility and insight into your company's exposure to it. To maintain good security hygiene, attack simulations should be a regular practice for every company.
Detect DNS Tunneling
Organizations should make sure they are logging and monitoring their DNS requests properly. If there is evidence that data exfiltration or DNS tunneling may have occurred, reviewing DNS monitoring logs, or querying the resolver directly for its query history, should be a top priority. DNS tunneling can be detected through payload analysis, traffic analysis, or both. Payload analysis dissects a single query for abnormal features: unusually long or high-entropy subdomain labels (tunneling tools encode their data in the subdomain part of the name), and record types such as TXT or NULL that an ordinary client rarely queries directly. Traffic analysis looks at many request/response pairs over time: the volume and frequency of queries from one client to one domain, and the number of distinct subdomains requested under it, can indicate tunneling even when each individual query looks plausible.
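As an added illustration (not Threatcare's product or code), the following Python script applies both heuristics to a set of constructed DNS query log lines. The log format (timestamp, client IP, query name, query type), every threshold, and the "registered domain is the last two labels" rule are illustrative assumptions; a production detector would read the resolver's real log format, tune thresholds against a baseline, and use the Public Suffix List for domain grouping.

```python
"""Toy DNS-tunnel detector combining payload analysis and traffic analysis."""
import hashlib
import math
from collections import defaultdict

# Illustrative thresholds (assumptions, not RFC or vendor values).
MAX_LABEL_LEN = 40           # RFC 1035 allows 63; legitimate labels rarely approach it
MAX_NAME_LEN = 100           # RFC 1035 allows 253 for the whole name
MIN_SUB_LEN_FOR_ENTROPY = 30 # only score entropy on long subdomain parts
MIN_ENTROPY_BITS = 3.8       # Shannon entropy per character (max 4.0 for hex)
UNCOMMON_QTYPES = {"TXT", "NULL"}  # end hosts seldom issue these directly
WINDOW_SECONDS = 60
MAX_QUERIES_PER_WINDOW = 20
MAX_UNIQUE_SUBDOMAINS = 15


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels form the registered domain."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def payload_flags(qname, qtype):
    """Payload analysis of one query: return a list of reasons it looks abnormal."""
    flags = []
    name = qname.rstrip(".")
    labels = name.split(".")
    if len(name) > MAX_NAME_LEN:
        flags.append("long_name")
    if any(len(label) > MAX_LABEL_LEN for label in labels):
        flags.append("long_label")
    sub = "".join(labels[:-2])  # subdomain part, where tunnels carry their data
    if len(sub) >= MIN_SUB_LEN_FOR_ENTROPY and shannon_entropy(sub) > MIN_ENTROPY_BITS:
        flags.append("high_entropy")
    if qtype.upper() in UNCOMMON_QTYPES:
        flags.append("uncommon_qtype")
    return flags


def parse_log(text):
    """Parse lines of 'timestamp client qname qtype' into tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append((int(ts), client, qname.lower(), qtype.upper()))
    return records


def traffic_flags(records):
    """Traffic analysis: per (client, domain), find a 60s window with too many
    queries or too many distinct names. Returns {key: (max_queries, max_unique)}."""
    by_key = defaultdict(list)
    for ts, client, qname, _ in records:
        by_key[(client, registered_domain(qname))].append((ts, qname))
    alerts = {}
    for key, items in by_key.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            window = [q for t, q in items[i:] if t - t0 <= WINDOW_SECONDS]
            n, uniq = len(window), len(set(window))
            if n > MAX_QUERIES_PER_WINDOW or uniq > MAX_UNIQUE_SUBDOMAINS:
                prev = alerts.get(key, (0, 0))
                alerts[key] = (max(prev[0], n), max(prev[1], uniq))
    return alerts


def detect(log_text):
    """Run both analyses over a log and return the findings."""
    records = parse_log(log_text)
    payload = [(client, qname, flags) for _, client, qname, qtype in records
               if (flags := payload_flags(qname, qtype))]
    return {"payload": payload, "traffic": traffic_flags(records)}


def constructed_log():
    """Constructed sample: one normal client plus one client pushing 25 chunks
    of encoded data through TXT queries to a tunnel domain within 50 seconds."""
    lines = ["1714000000 10.0.0.5 www.example.com A",
             "1714000003 10.0.0.5 mail.example.com MX",
             "1714000010 10.0.0.5 cdn.example.com A",
             "1714000030 10.0.0.5 login.example.com A"]
    for i in range(25):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]
        lines.append(f"{1714000000 + 2 * i} 10.0.0.7 {chunk}.tun.evil-example.net TXT")
    return "\n".join(lines)


if __name__ == "__main__":
    result = detect(constructed_log())
    for client, qname, flags in result["payload"]:
        print(f"payload  {client} {qname} {flags}")
    for (client, domain), (n, uniq) in result["traffic"].items():
        print(f"traffic  {client} -> {domain}: {n} queries, {uniq} unique names in {WINDOW_SECONDS}s")
```

Run it and the normal client's four lookups produce no findings, while every query from the second client trips the payload checks (a 48-character label and a TXT type) and the traffic check reports 25 queries to 25 distinct names under one domain inside a single window. The two analyses are deliberately independent: a tunnel that keeps labels short to evade payload checks still shows up in the per-domain query volume, and a low-and-slow tunnel that stays under the rate threshold still shows up in the label content.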
Threatcare believes in defense-in-depth. By implementing controls that use both payload analysis and traffic analysis, an organization strengthens its ability to detect DNS tunneling and related hacking techniques, since neither heuristic alone catches every tunnel. At the end of the day, an organization has the right to know whether it is secure.