Skip to main content

Search

Request Info Apply Now

Undergraduate Certificates
Begin or advance your cybersecurity career at any age with our hands-on certificate programs.
Bachelors Degree
Transfer your credits to SANS.edu and become one of the most job-ready candidates in cybersecurity.
Graduate Certificates
Gain job-specific skills in highly technical certificate programs designed for working professionals.
Master’s Degree
Take your InfoSec career to the highest levels—developing both hands-on technical skills and the ability to lead.
Single Courses
Start with a course, advance to a cybersecurity certificate or degree
All Academic Programs
Explore hands-on undergraduate and graduate programs for every stage of your cybersecurity career.

Featured Program

Hands typing on a laptop

Applied Cybersecurity Certificate (ACS)

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

Why SANS.edu?
How To Apply
Tuition & Funding

Join us for a free online info session to learn more.

Resources for Veterans

Learn how to get the most from your Veterans Education Benefits.

Women in Cybersecurity

Empowering women to thrive in cybersecurity.

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

Research Overview
Learn how SANS.edu research is strengthening the field of cybersecurity.
Cybersecurity Research Papers
Explore real-world solutions to pressing issues across AI, cloud security, digital forensics and more.
Internet Storm Center
Discover the world's largest global cyber threat detection network.

Featured Research

Research Review Journal Volume 5

Explore the latest research from SANS.edu graduate students—professionals on the front lines of cybersecurity—tackling today’s toughest threats across AI, cloud security, digital forensics, zero trust, malware detection, and more.

Download the Journal

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

About Us
Students
Alumni
- Alumni Resources Alumni Resources
- Alumni Outcomes Report Alumni Outcomes Report

Launch Your Cyber Career

Let SANS.edu guide you on a proven path to success.

Sentinels Referral Program

Get recognized for your impact on the SANS.edu community.

Get Your Questions AnsweredJoin a free online info session to see which program is right for you.

Search

Request Info Apply Now

Cyber Research Papers
/Using Splunk to Detect DNS Tunneling

Cyber Research Papers

Using Splunk to Detect DNS Tunneling

DNS tunneling is a method to bypass security controls and exfiltrate data from a targeted organization. Choose any endpoint on your organization's network, using nslookup, perform an A record lookup for www.sans.org. If it resolves with the site's IP address, that endpoint is susceptible to DNS Tunneling. Logging DNS transactions from different sources such as network taps and the DNS servers themselves can generate large volumes of data to investigate. Using Splunk can help ingest the large volume of log data and mine the information to determine what malicious actors may be using DNS tunneling techniques on the target organizations network. This paper will guide the reader in building a lab network to test and understand different DNS tunneling tools. Then use Splunk and Splunk Stream to collect the data and detect the DNS tunneling techniques. The reader will be able apply to what they learn to any enterprise network.

37022 (PDF, 10.98MB)

1 Jun 2016

BySteve Jaworski

Share

All papers are copyrighted

No re-posting of papers is permitted

Related Content

Untested: An Overlooked Link in the Software Supply Chain

This research explores test code as an attack surface and takes a first step toward creating a tool to help analysts detect and mitigate malware lurking in test libraries.

16 Apr 2026

Cyber Risk Intelligence and Security Posture (CRISP): From Compliance to Threat-Informed Intelligence

This paper presents CRISP (Cyber Risk Intelligence & Security Posture), a platform that automates the transformation of STIG compliance data into threat-informed security intelligence.

7 Apr 2026

Enhancing Linux Threat Detection: A Sysmon - Based Approach to Identifying Sandworm TTPs

Linux systems have become foundational across modern IT enterprises. Threat actors are increasingly targeting Linux systems, including well - known advanced persistent threats (APTs) such as Sandworm.

20 Mar 2026

Open-Source National Security Infrastructure for Sweden’s National Security Apparatus

This paper investigates whether core IT infrastructure implemented using open-source software and infrastructure-as-code techniques can achieve compliance with selected information security requirements defined in Chapter 4 of PMFS 2022:1.

18 Mar 2026

Configuring Windows 11 Workgroup Computers to CIS Windows 11 L1 and BitLocker Baseline Recommendations Using PowerShell DSC

Endpoints are often the first points of cyberattacks. Enterprises would often try to harden them according to established security baselines, such as those published by the Center for Internet Security (CIS).

24 Feb 2026

Infrastructure as Code-Driven Group Policy Infrastructure: A Comprehensive Engine for Group Policy Architecture and Enforcement

This study introduces a PowerShell-based Infrastructure as Code (IaC) engine developed to automate the setup and enforcement of a STIG-compliant Group Policy framework.

5 Dec 2025

Defending Vulnerable Populations Against Scams: Effectiveness of Browser Extensions in Mitigating Scammer Attack Chains

This research evaluates the effectiveness of a browser extension as a security control—Grandma’s Guardian—designed for simplicity and accessibility so that even non-technical home users can benefit from enterprise-grade protection.

19 Nov 2025

Building Scalable Detection-as-Code Pipelines with Agentic Validation and Refinement

The proposed DaC pipeline uses large language models (LLMs) for logic conversion, variant analysis, and simulation testing via Atomic Red Team, with queries executed against Splunk to measure true positives and false negatives.

6 Nov 2025

Isolated Trust: Zero Trust in Standalone Systems

The use of air-gapped, isolated systems remains an essential tool for organizations that require high confidentiality or integrity, including those in the government, industrial control systems, and the banking industry.

6 Nov 2025

"You Again": Fingerprinting and Tracking Mechanisms of Malicious Sites

Browsers provide many APIs for any visited site to perform stateful and stateless tracking, and legitimate websites utilize these capabilities. Yet little is widely known about what tracking, if any, malicious sites perform.

26 Sep 2025

A New Era in Vulnerability Management: A SANS Review of the Seemplicity Platform

In this paper, Dave Shackleford offers an inside look at Seemplicity, a vendor-agnostic remediation orchestration platform designed to unify vulnerability management across code, cloud, and infrastructure.

18 Aug 2025
Dave Shackleford

Enhanced Decisions with WatsonX: A Look at IBM QRadar Investigation Assistant

This paper examines IBM QRadar Investigation Assistant, an AI-powered tool that enhances SOC performance by streamlining incident triage, automating threat enrichment, and enabling natural language query capabilities.

6 Aug 2025
Matt Bromiley

SOC AI Automation Masterclass: How Swimlane Enhances Incident Response and Visibility

As organizations grapple with rising alert volumes and growing tool complexity, Swimlane Turbine provides essential value by automating and unifying disparate security systems to speed up response times and boost operational efficiency.

31 Jul 2025
Mark Jeanmougin

Balancing On-Prem and Cloud Security Strategic Considerations for Modern Organizations

This paper examines the strategic trade-offs between cloud and on-prem deployments, and the growing trend of consolidating tools into integrated security platforms.

30 Jul 2025
Matt Bromiley

Evaluating Zero Trust Network Access: A Framework for Comparative Security Testing

While most evaluations rely on vendor checklists and surface-level comparisons, this white paper takes a different approach: building and applying a hands-on testing framework grounded in NIST SP 800-207 and the CISA Zero Trust Maturity Model.

11 Jul 2025

Defense in Depth: Multiple Layers of Protection Fortifying Your Cyber Defenses

Download this paper and learn how to implement and evolve a Defense-in-Depth (DiD) strategy tailored to your organization’s risk profile, infrastructure, and cloud environment.

10 Jul 2025
Ted Demopoulos

Dropzone AI Can Make Internal SOC Teams More Effective

In this paper, SANS Certified Instructor Mark Jeanmougin examines how Dropzone AI can integrate into existing security stacks and help SOC teams stay focused on high-impact decisions.

17 Jun 2025
Mark Jeanmougin

AI-Driven Insecurity: Assessing Security Gaps in AI Generated IT Guidance

The increasing reliance on AI-generated technical guidance for IT system configuration introduces significant security risks. This study assesses these risks through a case study: setting up an Apache web server on a Rocky Linux system using instructions from seven AI models.

13 May 2025

SIEM Detection Logic Conversion with LLMs

This research explores how Large Language Models (LLMs) and automation scripts can expedite the translation of detection logic between SIEMs, converting detections in minutes instead of hours.

2 May 2025

Validating the Effectiveness of MITRE Engage and Active Defense

This research examines the impact of Active Defense compared to a traditional security posture when an adversary employs common tactics and techniques to identify high-value targets or exfiltrate sensitive data.

29 Mar 2025

Cybersecurity is all we teach, and nobody does it better.

Research
Resources
Learn More

Privacy Policy
Terms and Conditions
Admissions
Do Not Sell/Share My Personal Information
Cookie Notice

© 2026 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute.

Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.

SANS Institute
Internet Storm Center