CheckPoint
Amitai Ben Shushan
DNS Tunnel Warfare
Tunnels have been utilized in armed conclicts since antiquity. Underground passages, dug beneath the surface, are still utilized to undermine fortifications and slip right into enemy territory. Today, however, underground tunnels are not the only tunnels used in armed conflicts, as new hidden pathways have proved to be quite effective. DNS tunneling has emerged as a stealthy technique used to covertly transfer data over the DNS protocol, and has been adopted by a wide variety of threats actors, including those involved in ongoing armed conflicts.
In this talk, we will explore various aspects of DNS tunneling, understanding its advantages, drawbacks, and potential for detection. We will immerse ourselves in one particular actor, delving into the analysis of its DNS tunneling infrastructure, tools and targets. As we proceed, we will soon learn how DNS tunnels, much like their physical counterparts, are used to initiate surprise attacks and sabotage enemy infrastructure during times of war.
Amitai is security researcher with a strong focus on threat analysis and targeted attacks. With more than a decade of experience, he is an expert at analyzing threat groups and their activities. Presently, Amitai is leading the Threat Intelligence Analysis (TIA) team at CheckPoint Research. Prior to joining CheckPoint, he has actively engaged in examining threat actors’ behavior from multiple angles, serving as a threat intelligence researcher, incident response analyst, and threat hunter.