Monitoring a network for DNS exfiltration
A long-standing customer reported to your organization that they found a large number of your company's marketing plans and product roadmaps on a competitive intelligence website. You believed that your wonderful and loyal coworkers would never betray the organization like that, and your investigation showed you were right. It turns out that hackers used DNS to control compromised hosts and exfiltrate the data. You now need to set up monitoring so that this doesn't happen again. You can use Splunk software to monitor for changes that are indicators of data exfiltration. These include spikes in client volume, changes in resource type behavior, changes in packet size, hosts repeatedly checking in with the command infrastructure, and domains that have many subdomains.
How to use Splunk software for this use case
You can run many searches with Splunk software to monitor DNS logs for signs of data exfiltration. Depending on what information you have available, you might find it useful to monitor for some or all of the following:
Next steps
To maximize their benefit, the how-to articles linked in the previous section likely need to tie into existing processes at your organization or become new standard processes. These processes commonly impact success with this use case:
- Developing access policies and conducting audits for compliance
- Identifying and classifying sensitive data
- Installing network perimeter and endpoint protection
Measuring impact and benefit is critical to assessing the value of security operations. When implementing this use case, it can be useful to monitor the number of positive exfiltration attempts identified.
The Splunk Security Essentials (SSE) free application can also help with detecting DNS exfiltration. With SSE, you can centralize analysis and visibility across your multi-layered security environment, use pre-made visualizations to improve your security posture, and further operationalize industry frameworks.