DNS (Domain Name System) tunneling is one of the most effective techniques in an attacker’s arsenal — and one of the most overlooked. By abusing the DNS protocol, threat actors can establish covert channels for tool transfer, data exfiltration, beaconing, and command-and-control, all while flying under the radar of traditional defenses.
DNS translates human-readable names like google.com into IP addresses. Why does DNS tunneling work? Because port 53 is almost always open. DNS is essential infrastructure – you can’t block it without breaking the internet. Attackers know this, and they exploit it.
In this hands-on webinar, Peter Manev walks through a real-world DNS tunneling case from detection to reverse engineering, using Suricata 8’s powerful new capabilities. Suricata has always been very potent at detecting DNS tunneling thanks to the wealth of flow, anomaly, protocol and alert events it generates. That does not mean we can’t also have some fun detecting and investigating it with Suricata 8 while doing a bit of reverse engineering along the way.
You’ll see exactly how this attack works, why it’s effective, and – most importantly – how to catch it.
What we’ll cover:
- Out-of-the-box detection using Suricata 8 DNS log data (event_type:dns)
- SIEM/Elastic queries that surface malicious DNS behavior
- Visualizations that make DNS tunneling immediately visible
- Writing a custom detection rule leveraging new Suricata 8 features — including DNS protocol buffers, dns.rrtype, and entropy keywords
- Reverse engineering the tunnel payload to expose what was actually transferred
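As an added illustration of the kind of out-of-the-box hunting over event_type:dns data the session covers (this is example code written for this page, not the webinar's material or Suricata's own code): a small Python hunt that scores each query by leftmost-label entropy, label length and record type, the same signals the entropy and dns.rrtype keywords expose in a rule. The EVE events below are constructed and deliberately simplified (Suricata 8's real dns record layout is richer), and the thresholds and the tunnel.example domain are assumptions.

```python
import json
import math
from collections import Counter

# Constructed, simplified Suricata EVE "dns" events; domains are placeholders.
SAMPLE_EVE_LINES = [
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"www.example.com","rrtype":"A"}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dns":{"type":"query","rrname":"mail.example.com","rrtype":"MX"}}',
    '{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query",'
    '"rrname":"0123456789abcdef0123456789abcdef.tunnel.example","rrtype":"TXT"}}',
    '{"event_type":"dns","src_ip":"10.0.0.7","dns":{"type":"query",'
    '"rrname":"abcdefghijklmnopqrstuvwxyz012345.tunnel.example","rrtype":"NULL"}}',
    '{"event_type":"flow","src_ip":"10.0.0.9","flow":{"pkts_toserver":3}}',
]

# Assumed thresholds: record types ordinary clients rarely ask for, the
# per-character entropy encoded payload labels tend to exceed, and a label
# length typical of an encoded chunk. Tune them against your own baseline.
SUSPICIOUS_RRTYPES = {"TXT", "NULL"}
ENTROPY_THRESHOLD = 3.5
LABEL_LEN_THRESHOLD = 30

def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for the empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def score_query(rrname, rrtype):
    """Return (score, reasons) for one query; each heuristic that fires adds a point."""
    label = rrname.split(".")[0]          # leftmost label carries the payload in a tunnel
    reasons = []
    ent = shannon_entropy(label)
    if ent >= ENTROPY_THRESHOLD:
        reasons.append(f"entropy={ent:.2f}")
    if len(label) >= LABEL_LEN_THRESHOLD:
        reasons.append(f"label_len={len(label)}")
    if rrtype in SUSPICIOUS_RRTYPES:
        reasons.append(f"rrtype={rrtype}")
    return len(reasons), reasons

def hunt(eve_lines, min_score=2):
    """Parse EVE JSON lines, keep dns queries, return those scoring >= min_score."""
    findings = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns" or ev["dns"].get("type") != "query":
            continue                      # flow/alert/etc. events are not scored here
        rrname, rrtype = ev["dns"]["rrname"], ev["dns"].get("rrtype", "")
        score, reasons = score_query(rrname, rrtype)
        if score >= min_score:
            findings.append({"src_ip": ev["src_ip"], "rrname": rrname,
                             "score": score, "reasons": reasons})
    return findings
```

Requiring two independent signals (min_score=2) keeps a single long CDN label or a lone TXT lookup from a mail server out of the findings; a real hunt would also aggregate per source host over time.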
Attendees will walk away with ready-to-use:
- Threat hunting formulas
- SIEM queries
- Detection rules
Peter Manev is a member of the executive team at the Open Information Security Foundation (OISF) and Suricata Project Evangelist. He is one of the lead developers of SELKS/CleanNDR, a co-author of The Security Analyst’s Guide to Suricata book written with Eric Leblond, and a co-founder of Stamus Networks.
Save the date
- April 23
- 2 pm GMT
Register to watch live via Zoom: Webinar Registration - Zoom