DNS-based attacks have been commonly used since the early 2000’s, but over 40% of firms still fall prey to DNS tunneling attacks. Tunneling attacks originate from uncommon vectors, so traditional automated tools like SIEMs have difficulty detecting them, but they also must be found in massive sets of DNS data, so hunting for tunneling manually can be challenging as well. So, how can we use more advanced analytic techniques to isolate these adversary behaviors? In a different publication we covered Domain Generation Algorithms and what the best sources are for detecting them. In this piece, we’ll be covering how best to sniff out malicious DNS tunneling on your network.