"Security Analytics: Using SiLK and Mothra to Identify Data Exfiltration via the Domain Name Service"

Various modern network threats involve the exfiltration of data through the misuse of network services. To detect such threats, analysts monitor data transfers out of the organization's network, specifically transfers that occur via network services not primarily intended for bulk data transfer. The Domain Name System (DNS) is one such service, and many other Internet services depend on it. Attackers can manipulate DNS to covertly exfiltrate data. A blog post from Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) examines how the DNS protocol can be exploited to exfiltrate data by appending bytes of data to DNS queries or by repeating queries with encoded data in the query fields. The post also describes the general traffic analytics used to identify this abuse and the tools used to implement them. The aggregate size of DNS packets can serve as a reliable indicator of DNS abuse. However, because the DNS protocol has evolved from a simple address-resolution mechanism into a distributed database supporting network connectivity, the context of queries and responses must be understood before the aggregate size can be interpreted. Analysts can better match outgoing queries with incoming responses if they understand the volume of DNS traffic. This article goes on to discuss the role of DNS and the analytics for identifying data exfiltration.
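The volume analytic described above (aggregate DNS bytes per internal host, interpreted by pairing outgoing queries with the incoming responses) is illustrated here as an added example; it is not code from the SEI post, nor from the SiLK or Mothra tool sets. It assumes flow records have already been exported to a pipe-delimited text layout (the field order is an assumption, not a SiLK default), that the internal address space is 10.0.0.0/8, and that the two thresholds are chosen for illustration. The sample flows are constructed: three hosts resolving names normally, and one host whose queries are unusually large and carry more bytes outbound than it receives back.

```python
"""Per-host DNS volume analytic over exported flow records (added example).

Assumptions (not from the original post): flow text layout
sIP|dIP|sPort|dPort|proto|packets|bytes, internal range 10.0.0.0/8,
and illustrative thresholds for average query size and out/in byte ratio.
"""
from collections import defaultdict
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space
MAX_AVG_QUERY_BYTES = 150.0  # assumed threshold; ordinary queries are far smaller
MAX_OUT_IN_RATIO = 1.0       # queries normally carry fewer bytes than the responses

# Constructed sample records: sIP|dIP|sPort|dPort|proto|packets|bytes
SAMPLE_FLOWS = """\
10.0.1.5|192.0.2.53|49152|53|17|1|78
192.0.2.53|10.0.1.5|53|49152|17|1|142
10.0.1.5|192.0.2.53|49153|53|17|1|81
192.0.2.53|10.0.1.5|53|49153|17|1|150
10.0.1.9|192.0.2.53|49200|53|17|1|75
192.0.2.53|10.0.1.9|53|49200|17|1|130
10.0.2.7|198.51.100.7|51000|53|17|40|9800
198.51.100.7|10.0.2.7|53|51000|17|40|3000
10.0.2.7|198.51.100.7|51001|53|17|38|9500
198.51.100.7|10.0.2.7|53|51001|17|38|2900
"""


def parse_flows(text):
    """Parse pipe-delimited flow lines into dicts; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sip, dip, sport, dport, proto, pkts, nbytes = line.split("|")
        records.append({
            "sip": ipaddress.ip_address(sip), "dip": ipaddress.ip_address(dip),
            "sport": int(sport), "dport": int(dport), "proto": int(proto),
            "packets": int(pkts), "bytes": int(nbytes),
        })
    return records


def aggregate_dns(records):
    """Sum outbound query and inbound response volume per internal host (UDP/53 only)."""
    stats = defaultdict(lambda: {"out_bytes": 0, "out_pkts": 0,
                                 "in_bytes": 0, "in_pkts": 0})
    for r in records:
        if r["proto"] != 17:          # UDP; TCP/53 would need its own handling
            continue
        if r["dport"] == 53 and r["sip"] in INTERNAL_NET:
            s = stats[str(r["sip"])]  # query leaving the network
            s["out_bytes"] += r["bytes"]
            s["out_pkts"] += r["packets"]
        elif r["sport"] == 53 and r["dip"] in INTERNAL_NET:
            s = stats[str(r["dip"])]  # response coming back to the querier
            s["in_bytes"] += r["bytes"]
            s["in_pkts"] += r["packets"]
    return dict(stats)


def score_hosts(stats):
    """Flag hosts whose query size or out/in byte ratio is out of the normal range.

    A host with queries but no responses at all gets an infinite ratio and is
    flagged too, since aggregate size cannot be interpreted without the
    matching responses.
    """
    flagged = {}
    for host, s in stats.items():
        avg_query = s["out_bytes"] / s["out_pkts"] if s["out_pkts"] else 0.0
        ratio = s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else float("inf")
        reasons = []
        if avg_query > MAX_AVG_QUERY_BYTES:
            reasons.append("average query size %.1f bytes" % avg_query)
        if ratio > MAX_OUT_IN_RATIO:
            reasons.append("outbound/inbound byte ratio %.2f" % ratio)
        if reasons:
            flagged[host] = {"avg_query_bytes": avg_query,
                             "out_in_ratio": ratio, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    per_host = aggregate_dns(parse_flows(SAMPLE_FLOWS))
    for host, info in score_hosts(per_host).items():
        print(host, "->", "; ".join(info["reasons"]))
```

The two measures complement each other: a host tunnelling data in query names raises the average query size, while a host repeating many small encoded queries may keep each query short but still sends more bytes out than the responses bring back. Thresholds should be tuned against a baseline of the organization's own resolvers, and the pairing logic here only works because responses are attributed to the querying host, which is exactly why the post stresses understanding query and response context before reading the aggregate size.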

Carnegie Mellon University reports "Security Analytics: Using SiLK and Mothra to Identify Data Exfiltration via the Domain Name Service"
