This case study presents a detailed investigation into stealthy data exfiltration over DNS for a mid-sized healthcare provider. The attack aimed to exfiltrate sensitive medical records while evading detection using DNS tunneling techniques. The investigation utilized open-source tools to analyze PCAPs, craft Indicators of Compromise (IOCs), and develop effective network rules to prevent future exfiltration attempts. The sophisticated nature of the attack, combined with strict regulatory requirements, posed significant challenges.
Incident Overview
Background
- A routine network audit uncovered unusually high volumes of DNS traffic originating from several internal systems.
- Follow-up investigation raised concerns over potential data exfiltration using DNS, a traditionally trusted protocol.
- The client requested an urgent analysis to confirm the breach, identify malicious activity, and define preventative measures while remaining compliant with healthcare data protection regulations.
Challenges
- High Volume of DNS Traffic:
Over 300 GB of PCAP data containing millions of DNS queries needed to be filtered and analyzed.
- Stealthy Techniques:
Attackers employed DNS tunneling, embedding exfiltrated data into DNS query payloads.
- Encrypted Payload Encoding:
The exfiltrated data was base64-encoded and sent as part of dynamically generated domain names, obscuring its true purpose.
- Time Constraints:
The client mandated an initial containment plan within 48 hours.
- Minimal Disruption:
The healthcare provider’s services were critical, requiring the investigation to avoid interrupting essential operations.
Investigation Methodology
Phase 1: Data Acquisition
- PCAP Collection:
Captured full network traffic over critical segments of the network using tcpdump during the period of suspicion.
- Scope Definition:
Focused analysis on DNS traffic to external IPs based on initial signs of excessive queries, prioritizing efficiency in large-scale dataset processing.
Phase 2: Analysis of PCAP Traffic
Open-source tools were leveraged to process and analyze the collected PCAP data efficiently.
1. Filtering and Inspecting DNS Traffic
Tools Used:
- Wireshark for visual inspection of DNS queries and packet filtering.
- Tshark to automate the extraction of relevant DNS-related packets from the large datasets.
Key Findings:
- Unusual Query Patterns:
DNS queries with exceptionally long subdomains in the form:
gfh7kvhdks73df9f7dge8df8ehhu.example.com
Lengths of the subdomains exceeded expected query structures and contained apparent base64-encoded strings.
- Suspicious Domains:
Frequent queries targeting rarely visited external domains in the form:
suspicious-tunnel-domain[.]net
These domains did not resolve to legitimate records and were flagged for further investigation.
- Exfiltration Indications:
Patterns in DNS queries suggested chunked data transmission, with each query transmitting a small encoded segment of the stolen data.
2. Automatic Parsing and DNS Tunneling Detection
Tools Used:
- dnscat2 and DNSExfiltrator for recreating and testing tunneling mechanisms.
- Zeek for analyzing DNS communication patterns and detecting anomalies.
Key Findings:
DNS Tunneling Confirmation:
- Replayed traffic through dnscat2 revealed that subdomains included chunks of sensitive encrypted data broken into small packets.
- Zeek DNS logs showed subdomains being queried in rapid succession, supporting the hypothesis:
[zeek] domain: suspicious-tunnel-domain[.]net
query_count: 1200/min
Exfiltration Methodology:
Attackers encoded stolen healthcare records into base64, embedded the encoded chunks into DNS queries, and exfiltrated them to malicious external servers.
3. Reconstruction of Exfiltrated Data
Tools Used:
- NetworkMiner for extracting payload data from PCAPs.
- Bulk Extractor for detecting base64-encoded sequences within reconstructed streams.
Key Findings:
Payload Analysis:
Base64 strings were reconstructed from the packets and decoded, uncovering plaintext PII (personally identifiable information) relating to patients and confirming data theft.
Stolen Data Format:
Name: F_name L_Name
DOB: 01/01/1980
Medical Record ID: 473829195
Traffic Behavior:
Logs from NetworkMiner correlated suspicious DNS queries with outbound communication to malicious IP addresses.
Phase 3: Producing IOCs
Generated Indicators of Compromise:
- Malicious Domains in the form:
- tunnel-domain[.]net
- data-flow[.]com
- C2 IP Addresses:
- ***.**.67.203
- ***.**.65.108
- DNS Query Patterns:
- Subdomains exceeding 63 characters.
- Queries with a high frequency (>1000 per minute) from single internal hosts.
Created DNS Traffic Rules:
- Block queries to known malicious domains.
- Flag and deny DNS queries containing encoded payload patterns through regex rules.
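As an added illustration of the detection logic described in Phases 2 and 3 (not code from the original case study), the following Python script applies the three query-pattern indicators above, subdomains over 63 characters, base64-looking high-entropy labels, and more than 1000 queries per minute from one host, to constructed records that mimic the ts, id.orig_h and query fields of a Zeek dns.log, and base64-decodes the flagged labels the way the payload reconstruction step did. The host addresses, timestamps and the tunnel-domain.net name are assumptions.

```python
import base64
import math
import re
from collections import Counter
# Constructed records (unix ts, source host, queried name) mimicking the ts / id.orig_h / query
# fields of a Zeek dns.log; they are synthetic, not from a real capture.
SAMPLE = [
    (1700000000.0, "10.0.0.5", "www.example.com"),
    (1700000001.0, "10.0.0.5", "mail.example.com"),
    (1700000002.0, "10.0.0.9",
     "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.Z2ZoN2t2aGRrczczZGY5Zjdk.ZGU4ZGY4ZWhodQ.tunnel-domain.net"),
]
# Constructed burst: host 10.0.0.9 sending 1200 short queries within a single minute.
SAMPLE += [(1700000060.0 + i * 0.03, "10.0.0.9", f"c{i:04d}.tunnel-domain.net")
           for i in range(1200)]
ENCODED = re.compile(r"^[A-Za-z0-9+/=_-]+$")   # base64 / base64url alphabet

def subdomain(query, zone_labels=2):
    # Everything below the registered domain; assumes a two-label zone like tunnel-domain.net.
    labels = query.rstrip(".").split(".")
    return ".".join(labels[:-zone_labels]) if len(labels) > zone_labels else ""

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def looks_encoded(sub, min_len=20, min_entropy=3.5):
    # Base64-style alphabet plus high entropy is typical of tunnel chunks and rare in hostnames.
    s = sub.replace(".", "")
    return len(s) >= min_len and bool(ENCODED.match(s)) and shannon_entropy(s) >= min_entropy

def decode_label(label):
    # Best-effort base64 decode with padding restored; None where the label is not base64.
    try:
        return base64.b64decode(label + "=" * (-len(label) % 4), validate=True)
    except ValueError:
        return None

def flag(records, max_sub_len=63, max_per_min=1000):
    # Returns (queries with their reasons, hosts exceeding max_per_min in any one-minute bucket).
    # DNS caps a single label at 63 octets, so tunnels spread their data across several labels.
    flagged, per_minute = [], Counter()
    for ts, host, query in records:
        sub = subdomain(query)
        reasons = [r for r, hit in (("long_subdomain", len(sub) > max_sub_len),
                                    ("encoded_payload", looks_encoded(sub))) if hit]
        if reasons:
            flagged.append((host, query, reasons))
        per_minute[(host, int(ts // 60))] += 1
    return flagged, {host for (host, _), n in per_minute.items() if n > max_per_min}
```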
Phase 4: Preventing Future Exfiltration
Actions Taken:
- Blocking Malicious Traffic:
- Integrated the generated IOCs into firewall policies, DNS filtering tools and cloud DNS services.
- Set up IDS rules to monitor incoming/outgoing DNS traffic for encoded data patterns.
- Enhanced Monitoring:
Zeek and Suricata were configured to flag high DNS query volumes and suspiciously structured requests.
- Policy Adjustments:
- Restricted DNS queries to trusted internal and external resolvers only.
- Enforced application-layer controls to detect and block outbound tunneling attempts.
Long-Term Measures:
- Recommended deploying DLP tools to monitor and block unauthorized data transfers.
- Suggested organization-wide staff training to mitigate phishing risks, a probable entry method for the attackers.
Challenges Overcome
Detecting Covert Channels:
- The use of DNS tunneling added an extra layer of complexity compared to typical HTTP traffic analysis.
- Overcame misdirection by isolating DNS-specific data streams for detailed inspection.
Outcome
This investigation successfully:
- Identified and confirmed data exfiltration via DNS tunneling.
- Produced actionable IOCs to block malicious DNS activity.
- Implemented measures to prevent further exfiltration attempts through firewall and DNS policy enhancements.
- Provided a roadmap to strengthen network defenses against future DNS-based threats.
This case study highlights how important PCAP analysis is for finding hidden data exfiltration methods. It also shows how open-source tools can be used to deal with advanced threats in a cost-effective way.