DeepSec 2019 Talk: Once upon a Time in the West – A Story on DNS Attacks – Valentina Palacín, Ruth Esmeralda Barbacil

Sanna/ September 9, 2019/ Conference

The Internet is the new frontier for some. So just like in Old West movies, we are going through a land riddled with well-known gunmen: OceanLotus, DNSpionage and OilRig, who roam at ease, while the security cowboys sleep. This presentation will uncover the toolset and techniques used by these gunmen, taking a closer look at their big guns and their behavioral patterns. We will explore the attacks involving DNS that took place during the last decade to examine the latest discovered techniques in order to improve detections to dodge the bullets they are firing in our direction.

We asked Valentina and Ruth a few more questions about their talk at the DeepSec conference. Please note that Valentine and Ruth will also speak the the DeepINTEL conference where you will get more in-depth information not suited for a public event.

Please tell us the top 5 facts about your talk.

  1. DNS was not designed having in mind that some people was going to abuse the protocol in these ways.
  2. This type of attack is carried out by intermediate, expert, advanced and strategic threat actors. There is no need of an spectacular level of expertise to be able to carry out a DNS attack.
  3. The motivations behind this type of attack are changing. We have seen a shift from financially motivated attacks with a wide range of targets, to a more targeted and  sometimes politically or military motivated attack.
  4. DNS queries are a very effective method of data exfiltration and C2 communications.
  5. You can implement different solutions to prevent this type of attack.

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We noticed during our daily work investigations that more and more threat actors were using DNS queries both as C2 communications and preferred exfiltration method.

Why do you think this is an important topic?

DNS queries often go unmonitored. Reviewing DNS queries manually is tedious work that can be really exhausting for any analyst. Nevertheless, nowadays we have better solutions to tackle this type of issue, but it’s still not getting enough attention.

Is there something you want everybody to know – some good advice for our readers maybe?

Always monitor your DNS traffic.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

We believe attacks involving DNS will keep growing, and we hope that our talk and many others that are been given out there, will help to raise awareness of this problem.

Valentina is one of Deloitte’s Threat Intelligence Analysts, and she has specialized in tracking APTs worldwide, using ATT&CK Framework to analyze their tools, tactics and techniques. She is a self-taught developer with a degree in Translation and Interpretation from Universidad de Málaga (UMA), and a Cyber Security Diploma from the Universidad Tecnológica Nacional (UTN).






Ruth is an information systems engineering student from the Universidad Tecnológica Nacional (UTN). She has been working at Deloitte’s Argentina Cyber Threat Intelligence area as the Threat Library Team Leader. She has gained experience related to Tactics, Techniques and Procedures (TTPs) investigation, Advanced Persistent Threats (APTs), Campaigns, Incidents and Tools to help mitigation and defense.

Share this Post