Realtime DNS Exfiltration and DGA C&C Detection – Part 1
I’ve decided to start blogging my master’s project early. I’m still in the planning phase, since I’m not due to start it until closer to mid-2016; however, my current thinking is that the topic will be realtime DNS data exfiltration and DGA C&C detection.
This class of topics has been discussed in depth before; here’s a good paper on the topic which I have read. In that paper they use a commercial solution to perform data collection for later analysis.
My idea is to build an open system with open source tools, adapted for scalability from small to enterprise grade installations to perform both realtime DNS tunnel detection and realtime DGA C&C detection.
I’m going to be prototyping with Raspberry Pi for the sensor cluster and ESXi for simulating the endpoints. The detection platform will be based on a Bro NSM cluster. The data analysis will take place in a layer above Splunk, with Splunk as the aggregation technology.
My current goal is to open-source all of the solutions.
That’s all I have for now. I’ve placed orders for some of the hardware and am expecting deliveries to start trickling in this week. When I have some concrete evidence that the prototype environment is viable, I’ll post some more details.
Can’t wait for this project; I’ve been waiting the past two years to wrap up the master’s degree classwork so we can get to what I feel is the meat of a master’s program: to build something and give something to the Information Security community.
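As an added illustration of the two detection goals named above (this is example code, not code from this post or from the planned platform), here is a small Python scorer run over constructed, simplified Bro dns.log-style lines. The five-column layout, the "registered domain = last two labels" rule, and the length, entropy and NXDOMAIN-count thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed, simplified dns.log-style records (tab-separated), modelled
# loosely on Bro's dns.log: ts, orig_h, query, qtype_name, rcode_name
SAMPLE_LOG = """\
1459200001.1\t10.0.0.5\twww.example.com\tA\tNOERROR
1459200002.2\t10.0.0.5\tk3j9x2m7q5w8z4b6.tunnel.example.net\tTXT\tNOERROR
1459200002.9\t10.0.0.5\tp7r2v9t4y6u1i3o5.tunnel.example.net\tTXT\tNOERROR
1459200003.4\t10.0.0.7\tqwxzkvjrplm.com\tA\tNXDOMAIN
1459200003.8\t10.0.0.7\tmzplqvtrxkdw.net\tA\tNXDOMAIN
1459200004.1\t10.0.0.7\tvkrtplzqmxwd.org\tA\tNXDOMAIN
1459200004.5\t10.0.0.9\tmail.example.com\tMX\tNOERROR
"""

def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_dns_log(text):
    """Split each line into a record and derive the registered domain and
    the subdomain part. Assumption: registered domain = last two labels
    (a real deployment would consult the public suffix list)."""
    recs = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, host, query, qtype, rcode = line.split("\t")
        labels = query.lower().rstrip(".").split(".")
        recs.append({"ts": float(ts), "host": host, "query": query,
                     "qtype": qtype, "rcode": rcode,
                     "domain": ".".join(labels[-2:]),
                     "sub": ".".join(labels[:-2])})
    return recs

def flag_tunnel_queries(recs, min_len=12, min_entropy=3.0):
    """Long, high-entropy subdomains are the classic shape of data carried
    inside DNS queries; return the queries that exceed both thresholds."""
    return [r["query"] for r in recs
            if len(r["sub"]) >= min_len
            and shannon_entropy(r["sub"]) >= min_entropy]

def flag_dga_hosts(recs, min_nx=3, min_entropy=3.0):
    """A host collecting NXDOMAIN answers for several distinct, random-looking
    registered domains is a DGA beaconing signal; return {host: count}."""
    nx = defaultdict(set)
    for r in recs:
        label = r["domain"].split(".")[0]
        if r["rcode"] == "NXDOMAIN" and shannon_entropy(label) >= min_entropy:
            nx[r["host"]].add(r["domain"])
    return {h: len(d) for h, d in nx.items() if len(d) >= min_nx}
```

In a realtime deployment the same features would be computed per query as Bro emits it, with the NXDOMAIN set kept per host over a sliding window rather than over a whole file.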