December 3, 2018
Update: Part 2 is now here
The massive data breach of Marriott's Starwood reservation system got me thinking about various data exfiltration techniques, including exfiltration over DNS. It's probably not related to this breach; it was a completely random thought, but I realized that Cribl LogStream can help security practitioners and threat hunters here.
As you may know, data exfiltration is a well-known adversary tactic; MITRE dedicates a large part of its MITRE ATT&CK™ knowledge base to exfiltration techniques. In an exfiltration scenario, data from machines infected with malware or spyware is sent to a remote destination that acts as a command and control (C2/C&C) server. To keep the communication alive for as long as possible, "covert" or alternate communication channels and protocols are typically employed, and one of the most common is DNS. The fundamental idea is to carry the exfiltrated data in DNS requests. The (malware-infected) client sends out requests, for example for bXlwYXNzd29yZA==.foobar.com, and by virtue of its distributed nature the DNS infrastructure propagates them to that domain's authoritative name servers, which are owned by the adversary. The servers will reply, but at that point the adversary has already received bXlwYXNzd29yZA==. The client can make more than one request, and the remote server can easily stitch the exfiltrated fragments back into the full dataset. In most cases base64 encoding is used because it can represent a wide variety of formats, including binary.
There are several ways to minimize damage from this, such as limiting internal machines to only talk to internal DNS servers that have been hardened, but DNS is such a critical, pervasive and widespread service that complete protection via hardening or lockdown may not be guaranteed.
The least an organization can do is collect enough data to see whether there are signs of exfiltration activity. That basically means one thing: log ALL your DNS queries!
In Cribl, detecting whether part of a string is base64 encoded can be done using a regex and our native base64 decoder function. Let’s take a look:
1. Ensure that DNS data passes through Cribl. Sources may include, but are not limited to, Windows DNS, Bro DNS activity, Infoblox, Cisco Umbrella, Amazon Route 53, etc. If this data is already coming into Splunk, you're covered: LogStream installs as an app. If you have this data elsewhere, you can either send it directly to Cribl using one of the available methods or, if it's in AWS S3 or Kinesis Streams, use our AWS Lambda function. In this example we're using DNS logs from Infoblox. Notice the base64-encoded part of the query (highlighted in red in the screenshot).
2. Extract the base64-encoded part of the query from the data. The exact extraction will depend on your data, and in some cases you may simply need to target a query field that is already extracted. Here's how it plays out for sourcetype=='infoblox:dns', where the extraction is based on the raw event:
query:\s(?<encoded_part>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=))
Note that the encoded_part field will become an index-time field in Splunk. If that is not desirable, you can prepend two underscores to it: __encoded_part.
3. Evaluate a new field whose value is the base64-decoded payload using Cribl's native C.decode.base64(). You can also add a simple, flag-like field (e.g., potential_exfil='yes').
Another interesting DNS query characteristic that can be extracted in real time is the length of the domain name, or that of each label. The protocol imposes length limits, and the closer a label gets to the maximum the more suspicious it is. In our case we're extracting the length of that label as query_label_len.
Notice how the query_label_len, potential_exfil and decoded_payload fields are only added to the events that Cribl was able to base64 decode:
To use this data in Splunk, you can search or alert by referencing our new fields. E.g.:
index=myIndex sourcetype=infoblox:dns potential_exfil::yes OR decoded_payload::*
Your system can also track the length of the label (or even of the whole domain name) over time, and you can adjust and adapt your searches accordingly.
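To make the three steps above concrete, here is an added Node.js example (not Cribl's code, and not how LogStream is implemented internally) that replays the same Regex Extract, base64 decode and Eval logic over constructed Infoblox-style log lines. It uses the post's regex unchanged, so like the post it only catches padded base64, and it adds one defensive detail: a lenient decoder such as Node's would "decode" almost anything, so the example re-encodes and compares to accept only canonical base64 before tagging an event.

```javascript
// Added example (not Cribl's code): replay the Regex Extract + Eval pipeline
// described above over constructed Infoblox-style DNS log lines in Node.js.

// Regex from the post: a padded base64 run immediately after "query: ".
const ENCODED_RE =
  /query:\s(?<encoded_part>(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=))/;

// Node's base64 decoder is lenient (it drops junk and ignores non-zero padding
// bits), so re-encode and compare to accept only canonical base64.
function strictBase64Decode(s) {
  const buf = Buffer.from(s, 'base64');
  return buf.toString('base64') === s ? buf : null;
}

// Enrich one raw event. As in the post, the new fields are only added to events
// whose extracted label actually decodes; everything else passes through untouched.
function enrichDnsEvent(raw) {
  const event = { _raw: raw };
  const m = ENCODED_RE.exec(raw);
  if (!m) return event;
  const encoded = m.groups.encoded_part;
  const decoded = strictBase64Decode(encoded);
  if (decoded === null) return event;
  event.encoded_part = encoded;
  event.decoded_payload = decoded.toString('utf8');
  event.potential_exfil = 'yes';
  // RFC 1035 caps a label at 63 octets; values near that limit are the suspicious ones.
  event.query_label_len = encoded.length;
  return event;
}

// Equivalent of the Splunk search "potential_exfil::yes OR decoded_payload::*".
function flaggedEvents(rawLines) {
  return rawLines.map(enrichDnsEvent).filter((e) => e.potential_exfil === 'yes');
}

// Constructed sample lines (not real logs): one exfil-style query, one benign
// query, and one label that matches the regex but is not canonical base64.
const SAMPLE_LOGS = [
  'Dec  3 10:15:01 ns1 named[1234]: client 10.1.2.3#51234: query: bXlwYXNzd29yZA==.foobar.com IN A + (10.0.0.1)',
  'Dec  3 10:15:02 ns1 named[1234]: client 10.1.2.4#51235: query: www.example.com IN A + (10.0.0.1)',
  'Dec  3 10:15:03 ns1 named[1234]: client 10.1.2.5#51236: query: QUJ=.foobar.com IN A + (10.0.0.1)',
];

for (const e of flaggedEvents(SAMPLE_LOGS)) {
  console.log(e.encoded_part, '->', e.decoded_payload, 'label_len=' + e.query_label_len);
}
```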
The fastest way to get started with Cribl LogStream is to sign up at Cribl.Cloud. You can process up to 1 TB of throughput per day at no cost. Sign up and start using LogStream within a few minutes.