The Lumu DNS Tunneling Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST Special Publication 800-61, the incident response life cycle has four main phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity. [Illustration: NIST incident response life cycle. Source: NIST Special Publication 800-61]
This document contains guidelines for DNS Tunneling incident response using Lumu. Consider this playbook as a guideline to improve the effectiveness of the incident response and adapt it according to your specific requirements.
What are DNS Tunneling incidents?
DNS Tunneling is a technique used to hide or encapsulate information in a two-way communication with malicious infrastructure using the DNS protocol. By taking advantage of the generally low monitoring levels applied to DNS traffic, malicious actors use this technique to extract sensitive data from a compromised network or to establish C2 communication tunnels.
The DNS protocol is a fundamental requirement for internet connectivity, and more often than not organizations apply low monitoring levels to it because of its nature: it resolves domain names into IP addresses in a process known as resolution, and that traffic is expected to be constant and noisy. This blind spot makes DNS an ideal environment for attackers to extract sensitive data from or push payloads into a corporate network without triggering alerts on standard security devices.
Lumu continuously monitors your network metadata for these abnormal behavioral patterns. While some unusual DNS traffic is initially flagged in the Lumu Portal as an anomaly for proactive threat hunting, when the activity exhibits high-confidence characteristics of an active tunnel, it is automatically escalated into a confirmed DNS Tunneling incident requiring immediate response.
What are DNS tunnels used for?
Attackers set up their own Authoritative Servers for a valid domain name they control, which requires no special authorization to configure. Then, they exploit the DNS resolution process to send strings of information, opening communication tunnels for:
- Data Exfiltration: Many malware families use this technique to extract sensitive information from a compromised device to the attacker's server. The malicious artifact encodes the stolen data and places it directly into the subdomain field of a DNS query. Regardless of whether that specific subdomain exists, the recursive servers route the request to the attacker's Authoritative server, which records the log and allows the attacker to decode the extracted data.
- DNS Infiltration: Attackers can also use DNS to push data into the compromised network in order to maintain active Command and Control (C2) sessions. They achieve this primarily by hijacking DNS response fields, most notably TXT records. While originally designed to hold benign descriptive text, attackers exploit this capacity to deliver encoded payloads directly to the victim's machine, effectively sneaking executable commands past traditional inbound firewall rules and allowing them to establish a reverse shell on the devices.
General Playbook
This is the general playbook for DNS Tunneling incident operation. It covers the main steps that you can take when investigating and remediating this type of incident.
Example Scenario
Now, let’s delve into a common scenario that an organization can find when operating DNS Tunneling incidents. This will help exemplify the value this feature can provide. Let’s consider a scenario where Lumu notifies your organization that one of the DNS anomalies has reached a High confidence status and it has turned into an incident.
1. Organization A receives a high-confidence DNS Tunneling incident alert. Opening the Lumu Portal, the analyst first starts examining the information provided in the reported incident.
2. The analyst looks for high variability in the subdomains, such as the long, randomized strings visible in the logs (e.g., 1IPsRtkXfgLY4n0gyUPGvusgxrWmx1eGw...). Because DNS tunneling relies on encoding data directly into the query itself, this constant variability confirms that data is actively being encapsulated.
3. Next, the analyst reviews the Tunneling Activity metrics at the top of the dashboard to assess the scope of the compromise. They note the exact amounts of uploaded data and downloaded data. This allows them to determine how much organizational data has potentially been exfiltrated and how many malicious commands or payloads might have entered the network.
4. Then, the analyst identifies the specific assets involved in this incident. Based on the criticality of these devices and the volume of data transferred, the analyst must choose between two distinct containment strategies.
- Option 1 - Immediate blocking: If the involved endpoints are highly sensitive assets or the volume of exfiltrated data is dangerously high, the analyst opts for immediate containment. They use security orchestration to push block rules directly to the corporate firewalls and DNS proxies, severing the connection to the malicious root domain instantly.
- Option 2 - DNS Sinkholing: If the immediate risk is lower and the team needs to uncover the full extent of the compromise, the analyst configures a DNS sinkhole. By redirecting the malicious domain to an internal, controlled IP address, they can safely capture the traffic and identify if any other endpoints on the network are infected and attempt to send and receive data via the detected DNS tunnel.
5. Once the traffic is halted and the full scope is mapped, the security team isolates all involved devices to conduct a thorough cleanup. They locate and remove the malicious artifacts responsible for generating the DNS tunnels.
6. During the eradication phase, the team performs a forensic review to verify that the attacker did not successfully move laterally to other systems within the organization.
7. Finally, the team documents the incident details and keeps the remediated endpoints under strict surveillance, ensuring prompt detection if any related suspicious behavior occurs in the future.
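The checks the analyst performs in steps 2 and 3 (high subdomain variability, encoded data in the query name, and an upload/download estimate per root domain) can be reproduced over plain DNS logs. The following is an added example, not Lumu's code or detection logic; the log lines are constructed (the first label reuses the visible prefix of the sample string above), and the thresholds, the two-label root heuristic and the answer-size field are assumptions for illustration.

```python
import math
from collections import defaultdict
# Constructed log lines (not real traffic): client IP, queried name, record type, answer size in bytes.
SAMPLE_LOG = """\
10.0.0.12 1IPsRtkXfgLY4n0gyUPGvusgxrWmx1eGw.tunnel-example.test TXT 210
10.0.0.12 9aQz2LmVb7TkRw3HcXpN0sYdEfGhJiKl.tunnel-example.test TXT 198
10.0.0.12 Zx8vB3nM6kLpQ1wE5rT9yU2iO4aS7dFg.tunnel-example.test TXT 205
10.0.0.12 Hj4Kl7Mn0Pq3Rs6Tu9Vw2Xy5Za8Bc1De.tunnel-example.test TXT 201
10.0.0.12 Fg2Hj5Kl8Mn1Pq4Rs7Tu0Vw3Xy6Za9Bc.tunnel-example.test TXT 199
10.0.0.12 Qw3Er6Ty9Ui2Op5As8Df1Gh4Jk7Lz0Xc.tunnel-example.test TXT 203
10.0.0.7 www.example.com A 16
10.0.0.7 mail.example.com A 16
10.0.0.7 www.example.com A 16
"""

def shannon_entropy(text):
    """Bits per character; encoded or random-looking labels score well above 3.5."""
    if not text:
        return 0.0
    probs = [text.count(c) / len(text) for c in set(text)]
    return -sum(p * math.log2(p) for p in probs)

def split_qname(qname):
    """Return (root domain, subdomain part); assumes the root is the last two labels (hypothetical rule)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyze(log_text, min_queries=5):
    # Aggregate per root domain: the attacker's authoritative zone is the pivot, not the subdomain.
    per_root = defaultdict(lambda: {"queries": 0, "subs": set(), "clients": set(),
                                    "uploaded_bytes": 0, "downloaded_bytes": 0, "entropy": 0.0})
    for line in log_text.splitlines():
        client, qname, _qtype, answer_size = line.split()
        root, sub = split_qname(qname)
        m = per_root[root]
        m["queries"] += 1
        m["subs"].add(sub)
        m["clients"].add(client)
        m["uploaded_bytes"] += len(sub)            # outbound data rides in the query name
        m["downloaded_bytes"] += int(answer_size)  # inbound data rides in the answer (e.g. TXT)
        m["entropy"] += shannon_entropy(sub)
    report = {}
    for root, m in per_root.items():
        n = m["queries"]
        unique_ratio, mean_len, mean_ent = len(m["subs"]) / n, m["uploaded_bytes"] / n, m["entropy"] / n
        suspicious = n >= min_queries and unique_ratio >= 0.8 and mean_len >= 20 and mean_ent >= 3.5
        report[root] = {"queries": n, "clients": sorted(m["clients"]), "unique_ratio": unique_ratio,
                        "mean_subdomain_len": mean_len, "mean_entropy": round(mean_ent, 2),
                        "uploaded_bytes": m["uploaded_bytes"],
                        "downloaded_bytes": m["downloaded_bytes"], "suspicious": suspicious}
    return report
```

The `clients` list per flagged root domain is the asset list for step 4, and the byte totals are a lower bound on what was moved through the tunnel, since the estimate ignores encoding overhead and any padding.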
Preparation
This is the initial phase, in which organizations take preventive measures so that they can respond effectively to incidents. Some recommended steps to prepare your company to deal with a DNS Tunneling incident are listed below:
How Lumu Helps
Lumu provides the ability to illuminate the blind spots in your network by providing coverage of your entire infrastructure, namely on-premises, public and private clouds, and roaming devices.
Recommended Actions
- To gain full visibility into your network, set up collectors such as Virtual Appliances, Gateways, Agents and integrations to ensure that all your network metadata is ingested in the Lumu platform, especially the firewall and proxy metadata. Learn more in our deployment guide.
- Ensure you cover remote users in your compromise assessment. Learn more about Lumu Agent and VPN and SDP configuration.
- Identify your vital assets (clients, IoT, clouds, remote devices, etc.) and assign labels to your traffic to help quickly identify the compromise distribution across your infrastructure in a way that makes sense for your organization.
- Control your attack surface by ensuring that services and connections exposed to external environments are governed by strict policies and controls. Verify that only essential services are exposed, and access is restricted to specific roles via secure, authenticated channels. Regularly monitor and enforce these measures to minimize vulnerabilities.
- Conduct regular awareness campaigns on security policies and risks employees face, and what actions to take when faced with a cyberattack.
- Keep your endpoint protection and operating systems updated.
- Implement best practices for Identity and Access Management (IAM).
Detection & Analysis
Organizations should prioritize rapid incident detection and validation to enable effective containment and eradication. Early detection limits the spread of infection and simplifies the response process. During this phase, security teams monitor and analyze alerts and data from systems, networks, and logs to identify potential incidents, understand the threat's scope, impact, and potential source, assess its severity, and gather forensic information. Proper documentation and communication are essential for successful incident response.
Some steps are listed below:
- Alert Monitoring: Collect and monitor data from network, host, and application logs, along with external sources like threat intelligence, to identify attack vectors and signs of potential incidents.
- Incident Identification: Determine whether an event qualifies as an incident or precursor by analyzing and correlating monitoring data.
- Incident Analysis: Incident response teams should quickly analyze and validate incidents, classifying the incident type. Once an incident is confirmed, the team conducts an initial analysis to determine its scope, including affected systems, origin, and attack methods. This analysis helps prioritize actions like containment and deeper investigation.
- Enrichment and Investigation: Gathering additional information (e.g., threat intelligence, forensics analysis) to understand the scope and impact. Maltiverse by Lumu is vital in this procedure.
- Documentation: Recording the details of the incident, timelines, and results of the analysis. An IR team that suspects an incident has occurred should immediately begin recording all facts related to the incident.
How Lumu Helps
Lumu unlocks the value of your own network metadata by implementing the concept of Continuous Compromise Assessment, which provides comprehensive and detailed visibility into your network infrastructure. Lumu illuminates the various activities associated with indicators of compromise (IoCs) detected on your network and provides all the contextual information needed for in-depth analysis through the Lumu Portal. Lumu Continuous Compromise Assessment technology provides real-time monitoring over network and identity infrastructure. It correlates network and identity metadata to identify anomalies and contact with malicious infrastructure, providing your organization with multiple tools to determine adverse activity. Through Lumu's out-of-the-box integrations, you can directly integrate Microsoft Entra ID with Lumu's detection capabilities to monitor suspicious behaviour in your organization's accounts. Use Lumu Discover to monitor and control your organization's exposed attack surface, while also monitoring compromised employees, data leaks, and infostealers that have affected your organization's domain.
- Use the IoC information provided by Lumu to check if the log files of your defensive infrastructure (e.g. endpoint protection, firewall, UTM gateway) contain this malicious communication.
- Identify the endpoints contacting the adversarial infrastructure related to DNS Tunneling incidents. The related IoCs may also be tied to brute force, scanning infrastructure or ransomware gangs.
- Use the Attack Distribution feature of the Lumu Portal to see how the compromise spreads inside your network. Identify how your assets are communicating with the adversarial infrastructure and detect endpoints within the internal network exhibiting anomalous behavior.
- You can use Lumu's Compromise Radar feature to find out the frequency and behavior of malicious communication, so you can differentiate occasional contact from persistent and automated compromises that have the power to cause harm to the organization.
- Use the threat intelligence information provided in each IOC in the Lumu Portal to enrich the context of the activity. Additionally, correlate this with other detections, like Unusual Login, to verify whether the attack attempts were successful.
- If an incident is confirmed, use this information in incident documentation and analysis.
- If possible, reverse-engineer the malware in a secure environment (or sandbox) to understand its behavior and the functionality it implements.
Containment, Eradication & Recovery
This phase has two key goals: stopping the spread of the threat and preventing further damage within the network. Organizations should implement strategies and procedures based on the risk level of the detected compromise. Containment strategies will vary depending on the type of incident and must consider potential damage or theft of resources, the need for evidence preservation, service availability, and the time and resources required for effective response.
Below are some steps to follow in this phase:
- Containment: Implement immediate actions or long-term strategies to isolate or limit the spread of the incident.
- Eradication: Identify the root cause of the incident and eliminate it.
- Recovery: Recover affected systems to a known good state and confirm normal operations, perform testing to ensure systems are no longer compromised, and prevent future incidents.
How Lumu Helps
Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.
Recommended Actions
- Lumu Defender integrates with your security stack and gives your organization the ability to orchestrate an effective automated response to contain any cyber threat, in line with your policies.
- Lumu orchestration can assist you in identifying whether the endpoints that reported the DNS Tunneling were observed displaying anomalous behavior before.
- Use the threat intelligence information, Mitre ATT&CK TTPs, and IoC details from the Lumu Portal to configure your security infrastructure (firewalls, IDS, IPS, email gateways, etc.) to avoid similar malicious activity.
- Lumu Portal provides your organization with information and details about the devices or IP addresses involved in the incident to initiate targeted investigations into the related internal devices.
- Based on your containment strategy, consider isolating the affected devices to prevent lateral movement and limit the spread of the incident within the network.
- Identify related services and users and reset the credentials of all involved systems.
- If you suspect the initial attack vector was via email, check the details in the organization's mail server log files.
- Remove threats, and replace or restore the compromised assets to their previous state. Wipe and baseline affected systems if needed.
- Use Lumu technology to establish monitoring to detect further suspicious activity.
- The incident and its effects need to be remediated across the entire network. Perform a complete malware scan of all systems across the affected network.
Post-Incident Activity
This phase is designed to incorporate the lessons learned from each incident and to evaluate future improvements.
How Lumu Helps
Lumu helps refine your current and future defense and response by continuously monitoring that the compromise has been eradicated.
Recommended Actions
- Use Lumu Continuous Compromise Assessment to continuously monitor any communication between your assets and adversarial infrastructure, to make sure that no additional contacts are reported.
- Use the context information in the Lumu Portal for details on how the adversary works. Conduct root cause analysis and evaluate the habits of the users.
- Explore the related sources, Mitre ATT&CK Matrix, and articles provided by Lumu in the Context area to understand more about the Tactics, Techniques and Procedures used by adversaries and document the incident.
- Use the incident information to adjust your security policies and Mitre Matrix context to evaluate your security strategy. This may involve changing the configuration of the company's assets and conducting awareness campaigns, focusing on the users that own those devices.
- Coordinate with your endpoint protection technology vendor’s updates if needed.
- Document and share with the stakeholders all the lessons learned from the incident and recommendations of any aspect that could be improved to help prevent a similar cyber incident from reoccurring.