SECurity FUNdamentals

It’s Never DNS…. It Was DNS: How Adversaries Are Abusing Network Blind Spots


Security Fundamentals (714AB) October 9, 2019

Edmund Brumaghin
Earl Carter

While DNS is one of the most commonly used protocols on corporate networks, many organizations don’t give it the same level of scrutiny as the other network protocols in their environments. Attackers have recognized this and are increasingly abusing DNS to establish command and control channels, exfiltrate sensitive information and bypass many of the common security controls in place to protect corporate networks. DNS has become increasingly attractive to red teams and malicious attackers alike as an easy way to subvert otherwise solid security architectures. These techniques are no longer reserved for nation states and are now being actively leveraged by organized crimeware groups as well. This presentation will provide several technical breakdowns of real-world attacks that have been seen leveraging DNS for a variety of purposes, such as DNSMessenger, DNSpionage, and more. We will also cover examples of the types of payloads being seen in the wild, how to hunt for these types of threats, and how organizations can equip themselves to better defend against these sorts of attacks.