DeepSec 2022 Talk: Fighting Fire with Fire – Detecting DNS-Tunneling with DNS – Artsiom Holub
DNS tunneling, used as a covert-channel method to bypass security policies, has ballooned in the landscape of ransomware attacks in recent years. This can be attributed to Cobalt Strike post-exploitation tools becoming the modus operandi of cybercrime syndicates operating ransomware. Most detections rely on packet inspection, which suffers from scalability problems when an extensive set of sockets has to be monitored in real time. Aggregation-based monitoring avoids packet inspection but has two drawbacks: silent intruders (who generate only small statistical variations from legitimate traffic) and the need for quick statistical fingerprint generation (to obtain a detection tool that is really applicable in the field). Our approach uses statistical analysis coupled with behavioral characteristics, applied directly in the DNS resolver. This presentation will cover examples of the malicious tools used by threat actors and the detections designed to protect against such tools.
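As an added illustration of the resolver-side, aggregation-based approach the abstract describes (example code, not the speaker's or Cisco Umbrella's own detection), the Python below derives per-domain statistical features (subdomain label length, character entropy) and behavioral features (unique-subdomain ratio, record-type mix) from constructed resolver log lines and flags domains that meet several indicators at once, without inspecting packet payloads. The log format, the last-two-labels domain split and all thresholds are assumptions chosen for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines (not real traffic): "<epoch> <client> <qname> <qtype>".
SAMPLE_LOG = """\
1700000001 10.0.0.5 www.example.com A
1700000002 10.0.0.5 mail.example.com A
1700000003 10.0.0.5 www.example.com A
1700000004 10.0.0.7 a3f09c1e7b2d8654a3f09c1e7b2d8654.ex4mpl3-cdn.net TXT
1700000005 10.0.0.7 b7e21d9f0c4a6835b7e21d9f0c4a6835.ex4mpl3-cdn.net TXT
1700000006 10.0.0.7 c9d4a1f7e0b32865c9d4a1f7e0b32865.ex4mpl3-cdn.net TXT
1700000007 10.0.0.7 d0e5b8c3f2a17496d0e5b8c3f2a17496.ex4mpl3-cdn.net TXT
1700000008 10.0.0.7 e1f6a9c0b4d27358e1f6a9c0b4d27358.ex4mpl3-cdn.net TXT
"""

def shannon_entropy(s):
    """Bits per character of a label string (0.0 for an empty string)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_qname(qname):
    """Naive split into (registered domain, subdomain part) using the last two labels.
    Assumption for the example: a production resolver would use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def profile_domains(log_text):
    """Aggregate statistical and behavioral features per registered domain from log text."""
    agg = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        _ts, _client, qname, qtype = line.split()
        dom, sub = split_qname(qname)
        d = agg[dom]
        d["n"] += 1
        d["subs"].add(sub)                             # behavioral: how many distinct subdomains
        d["len"] += len(sub)                           # statistical: label length
        d["ent"] += shannon_entropy(sub.replace(".", ""))  # statistical: character randomness
        d["txt"] += qtype in ("TXT", "NULL")           # behavioral: bulk-data record types
    return {dom: {"queries": d["n"], "unique_ratio": len(d["subs"]) / d["n"],
                  "mean_sub_len": d["len"] / d["n"], "mean_entropy": d["ent"] / d["n"],
                  "txt_ratio": d["txt"] / d["n"]} for dom, d in agg.items()}

def detect_tunnels(log_text, min_queries=5):
    """Flag domains meeting at least three of four indicators (assumed starting thresholds);
    domains below min_queries are skipped because their aggregates are too noisy to judge."""
    def indicators(f):
        return [f["unique_ratio"] >= 0.8,   # nearly every query is a never-seen subdomain
                f["mean_sub_len"] >= 20,    # long labels carry encoded payload
                f["mean_entropy"] >= 3.0,   # characters look encoded rather than like words
                f["txt_ratio"] >= 0.5]      # record types suited to carrying data dominate
    return {dom: f for dom, f in profile_domains(log_text).items()
            if f["queries"] >= min_queries and sum(indicators(f)) >= 3}
```

Silent intruders that keep their labels short and their query rate low will sit under these thresholds, which is the first drawback the abstract names; lowering thresholds trades that miss rate against false positives on legitimate CDN and anti-virus lookup domains.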
We asked Artsiom Holub a few more questions about his talk.
Please tell us the top 5 facts about your talk:
- Novel approach,
- based on recent attacks,
- combines statistical and behavioral analysis,
- covers attack frameworks,
- provides immediate value.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
The talk was created as a means to share ongoing and applied research. The initial spark was an issue that needed to be solved for our customers.
Why do you think this is an important topic?
Ransomware became an issue with significant impact not just on network defenders but on people not necessarily involved in IT or network security. We propose a solution that can help mitigate multiple risks in such scenarios.
Is there something you want everybody to know – some good advice for our readers maybe?
Network security is fun!
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
It will highly depend on what will be used by malicious actors. However, one thing that stands out is the big success of supply chain attacks, which means we will see a lot more of them in the future.
Artsiom Holub is a Senior Security Analyst on the Cisco Umbrella Research team. Throughout the course of the day, he works on Security Threat Reports for existing and potential clients, works closely with the Customer Support Team, finds new threats and attacks by analyzing global DNS data coming from Cisco Umbrella resolvers, and designs tactics to track down and identify malicious actors and domains. He is a frequent presenter at major cybersecurity conferences including RSAC, Black Hat and THEFirst. Holub is currently focused on analysis and research of various cybercrime campaigns and on building defensive mechanisms powered by ML.