DNS Data Exfiltration

Are you aware of the potential for data to leave your organization? A company’s intellectual property is the key to profits. Whether you are a marketing company, an insurance firm, or a manufacturer, the “secret sauce” of your organization is what you are trying to keep secret. This is why you are aware of the ways that data might leave your company unlawfully.

The first and obvious one is some type of hacker. Perhaps one or many of your machines have been infected with malware. That malware is the remote terminal for bad actors to work through your network looking for valuable data so that they can send your secrets back out and sell them. Perhaps instead you have a rogue employee, who is looking to make extra money and has taken a bribe from bad actors who will pay them a lot of money to send them your data.

The obvious avenues for this data exfiltration are ones you have already thought about, like email, USB drives, and file sharing sites like Dropbox. But most sophisticated exfiltrations are designed to go undetected. There are various ways that data can be sent out using techniques that don’t look like data is going out.

One such way is through DNS lookups. DNS queries are placed from the workstation to a DNS server controlled by the bad actor. The DNS queries look like long invalid strings (perhaps because the data is encrypted), but the name being queried is itself the data being sent. For example, if I want to exfiltrate the Gettysburg Address document, I might perform DNS queries to my own DNS server looking for “FourScoreandSevenYearsAgoOurfathers” and the next query would continue with “broughtforthonthiscontinent” and so on until I have essentially transmitted the entire document. Of course, all of these queries will be denied because these aren’t real addresses, but who would notice? DNS is necessary on the Internet and you expect to see DNS traffic.

Because DNS queries are quick and easy, this is becoming a more prevalent technique to move data out of the company to the network of bad actors. From the bad actor side, all I have to do is keep a log of the queries and reassemble them.
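On the defending side, the same pattern (many long, unique, failing lookups from one workstation under a single parent domain) can be looked for in resolver logs. The sketch below is an added example, not part of the original article; the log format, the thresholds, and the `exfil.test` domain are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, "client qname rcode" (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.7 fourscoreandsevenyearsagoourfathers.exfil.test NXDOMAIN
10.0.0.7 broughtforthonthiscontinent.exfil.test NXDOMAIN
10.0.0.7 anewnationconceivedinliberty.exfil.test NXDOMAIN
10.0.0.7 anddedicatedtotheproposition.exfil.test NXDOMAIN
10.0.0.9 cdn.example.org NOERROR
10.0.0.9 typo-domian.example.org NXDOMAIN
"""

def entropy(s):
    """Shannon entropy in bits per character (encrypted payloads score high)."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def parse(log):
    """Yield (client, subdomain, parent_zone, rcode) for each non-empty line."""
    for line in filter(str.strip, log.splitlines()):
        client, qname, rcode = line.split()
        labels = qname.rstrip(".").lower().split(".")
        # Assumption: parent zone = last two labels (no public-suffix handling).
        yield client, ".".join(labels[:-2]), ".".join(labels[-2:]), rcode

def suspicious_zones(log, min_unique=3, min_avg_len=20, min_nx_ratio=0.8):
    """Return {(client, zone): stats} for pairs that match the exfil pattern."""
    seen = defaultdict(lambda: {"subs": set(), "total": 0, "nx": 0})
    for client, sub, zone, rcode in parse(log):
        s = seen[(client, zone)]
        s["subs"].add(sub)
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
    hits = {}
    for key, s in seen.items():
        subs = [x for x in s["subs"] if x]
        if len(subs) < min_unique:
            continue
        avg_len = sum(map(len, subs)) / len(subs)
        nx_ratio = s["nx"] / s["total"]
        if avg_len >= min_avg_len and nx_ratio >= min_nx_ratio:
            hits[key] = {"unique": len(subs), "avg_len": avg_len, "nx_ratio": nx_ratio,
                         "avg_entropy": sum(map(entropy, subs)) / len(subs)}
    return hits

if __name__ == "__main__":
    for (client, zone), stats in suspicious_zones(SAMPLE_LOG).items():
        print(client, zone, stats)
```

The thresholds are starting points only; tune them against your own baseline, since CDNs and some security products also generate long machine-made hostnames.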

But what if I am talking about the source code to the software you develop? Or the customer data you hold? Credit card numbers? Social Security numbers? Internal documents that you don’t want your competitors to see?

Contact us today to find out how we can help protect you and your company from threats like these.