Breaking Ground: Understanding and Identifying Hidden Tunnels

July 11, 2018
Vectra AI Security Research team

In recent years, an alarming discovery has shaken the financial services sector: hackers are exploiting hidden tunnels to breach and steal from financial institutions. The gravity of this situation cannot be overstated, as it involves malicious actors targeting vast amounts of money and sensitive personal information. But what exactly are these hidden tunnels, and how do they operate? Let's dig into what hidden tunnels are and how they can be found.

What are hidden tunnels?

Legitimate vs. Hidden Tunnels

Hidden tunnels are a sophisticated form of cyberattack. While many legitimate tunnels exist within networks, used by companies to securely share data between applications or systems, hidden tunnels serve a nefarious purpose. They allow attackers to conduct command-and-control activities and exfiltrate critical data and personally identifiable information (PII) from corporate networks. By masquerading as normal traffic, these tunnels enable remote theft of information, allowing stolen data to be exfiltrated stealthily.

Challenges in Detection

These hidden tunnels are notoriously difficult to detect because they blend seamlessly with legitimate network traffic, often using common protocols to avoid raising suspicions. Cybercriminals frequently steal data incrementally over extended periods, minimizing the risk of triggering alarms. The methods employed by attackers are limited only by their ingenuity. For instance, a standard HTTP-GET request might conceal a hidden malware command within a text field, while an HTTP response could carry covert instructions from a command-and-control server.

Technical Embedding Techniques

The potential for concealed communication extends beyond simple text fields, encompassing various fields, headers, and cookies within network protocols. Without specialized detection techniques, these hidden tunnels can operate undetected, causing significant damage before any response can be mounted. Even progressive decoding of protocols often fails to reveal the true nature of these malicious communications, as they are adeptly embedded within otherwise legitimate data streams.

Detecting Hidden Tunnels: The Vectra AI Approach

Sophisticated Analysis of Metadata

Vectra AI employs highly sophisticated analysis of network traffic metadata to identify subtle anomalies indicative of hidden tunnels. By meticulously examining protocol behaviors, Vectra can detect slight irregularities that betray the presence of these covert pathways. Despite the attackers' efforts to blend in, their communications inevitably introduce subtle deviations in the flow of network conversations. These anomalies might manifest as minor delays or unusual patterns in request and response sequences.

Behavioral Inconsistencies as Indicators

For example, consider a scenario where someone orders a tuna sandwich but receives it in 100 small pieces instead of one whole package. Such an unusual delivery method would raise suspicions. Similarly, Vectra's detection methods identify behavioral inconsistencies that hint at hidden tunnels. Through mathematical models and advanced algorithms, Vectra AI accurately detects hidden tunnels within HTTP, HTTPS, and DNS traffic without needing to decrypt the data.

Advanced Detection Techniques

This capability to identify threats without deep-packet inspection is crucial, as it allows Vectra AI to uncover hidden tunnels regardless of the specific fields used by attackers or any novel obfuscation techniques employed. The variance from normal protocol behavior remains a reliable indicator of malicious activity, ensuring that hidden tunnels are exposed and addressed promptly.
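The detection idea described above, and restated in the FAQ below (metadata-only analysis of timing and request/response patterns, the "tuna sandwich in 100 pieces" signal), can be made concrete with a small metadata-only classifier. The following is an added illustration, not Vectra's code or algorithm: it works only on per-exchange timestamps and byte counts, never on payloads, and flags sessions made of many small, evenly spaced request/response pairs with near-constant response sizes. The feature set, the thresholds and the three sample sessions are all constructed assumptions for the example.

```python
"""Toy metadata-only detector for tunnel-like request/response sessions.

Added example (not Vectra's implementation). Inputs are per-exchange
metadata only: timestamp, request size, response size. No payload is read,
so the logic is the same whether the carrier is HTTP, HTTPS or DNS.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed threshold: requests below this many bytes count as "small".
SMALL_REQ_BYTES = 600


@dataclass(frozen=True)
class Exchange:
    ts: float        # seconds since the session started
    req_bytes: int   # size of the client request
    resp_bytes: int  # size of the server response


@dataclass(frozen=True)
class SessionFeatures:
    exchanges: int         # number of request/response pairs in the session
    interval_cv: float     # coefficient of variation of gaps between requests
    small_req_frac: float  # fraction of requests smaller than SMALL_REQ_BYTES
    resp_size_cv: float    # coefficient of variation of response sizes


def _cv(values):
    """Coefficient of variation (std / mean); inf when too few samples."""
    if len(values) < 2:
        return float("inf")
    m = mean(values)
    return pstdev(values) / m if m > 0 else 0.0


def extract_features(session):
    """Summarise a session as timing and size statistics only."""
    ts = [e.ts for e in session]
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    return SessionFeatures(
        exchanges=len(session),
        interval_cv=_cv(gaps),
        small_req_frac=sum(e.req_bytes < SMALL_REQ_BYTES for e in session) / len(session),
        resp_size_cv=_cv([e.resp_bytes for e in session]),
    )


def tunnel_indicators(f, min_exchanges=20, max_interval_cv=0.3,
                      min_small_frac=0.9, max_resp_cv=0.2):
    """Return the list of behavioural indicators a session triggers.

    Thresholds are assumed for the example; a real deployment would learn
    them per protocol and per environment from baseline traffic.
    """
    hits = []
    if f.exchanges >= min_exchanges:
        hits.append("many exchanges in one conversation")
    if f.interval_cv <= max_interval_cv:
        hits.append("evenly spaced requests (beacon-like timing)")
    if f.small_req_frac >= min_small_frac:
        hits.append("almost all requests are small")
    if f.resp_size_cv <= max_resp_cv:
        hits.append("near-constant response sizes")
    return hits


def is_tunnel_like(f):
    """A session is tunnel-like only when all four indicators fire together."""
    return len(tunnel_indicators(f)) == 4


# --- constructed sample sessions (metadata only, no real traffic) -----------
# Ordinary browsing: a few bursty requests with varied request/response sizes.
NORMAL_SESSION = [
    Exchange(t, rq, rs) for t, rq, rs in [
        (0.0, 420, 38000), (0.1, 510, 2100), (0.15, 380, 74000), (0.4, 900, 5600),
        (12.0, 450, 26000), (12.2, 610, 1900), (45.0, 470, 88000), (45.3, 820, 3200),
    ]
]
# Tunnel-like: 60 tiny requests about one second apart, nearly identical replies.
TUNNEL_SESSION = [
    Exchange(i * 1.0 + 0.02 * (i % 2), 120 + (i % 3) * 4, 310 + (i % 2) * 6)
    for i in range(60)
]
# Legitimate heartbeat: 25 identical health checks every 30 s (looks the same!).
HEARTBEAT_SESSION = [Exchange(i * 30.0, 200, 90) for i in range(25)]


def classify_all():
    """Classify every sample session; returns {name: tunnel_like}."""
    sessions = {
        "normal_browsing": NORMAL_SESSION,
        "tunnel": TUNNEL_SESSION,
        "heartbeat": HEARTBEAT_SESSION,
    }
    return {name: is_tunnel_like(extract_features(s)) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        f = extract_features({"normal_browsing": NORMAL_SESSION,
                              "tunnel": TUNNEL_SESSION,
                              "heartbeat": HEARTBEAT_SESSION}[name])
        print(f"{name:16s} tunnel_like={verdict} indicators={tunnel_indicators(f)}")
```

The heartbeat session is deliberately included because it is flagged too: evenly spaced, small, constant exchanges are exactly what a legitimate polling service also produces. That is the practical caveat behind the article's point about baselining protocol behaviour: a timing-and-size detector needs a learned model of which periodic conversations are normal for a given host pair and protocol before its alerts are useful to an analyst.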

Empowering Security Analysts to Find Hidden Tunnels and Other Threats

The complexity and speed at which cyber threats evolve make it challenging for security analysts to keep pace. Vectra's advanced detection capabilities offer a unique advantage, enabling rapid and precise identification of hidden tunnels and other cyber threats. By leveraging Vectra AI's technology, financial institutions can significantly enhance their ability to respond to these threats, safeguarding their assets and sensitive information more effectively.

In conclusion, the discovery of hidden tunnels in financial services highlights the evolving tactics of cybercriminals and underscores the need for advanced detection and response strategies. Vectra AI's innovative approach provides a robust defense against these sophisticated attacks, ensuring that financial institutions can protect their networks and maintain the trust of their clients. As cyber threats continue to grow in complexity, staying ahead of malicious actors requires continuous innovation and vigilance in cybersecurity practices.
What are hidden tunnels in cybersecurity?

Hidden tunnels are covert channels used by cyberattackers to carry out command-and-control and data exfiltration activities. They disguise malicious traffic as legitimate communication to bypass security measures and remain undetected within a network.

Why are hidden tunnels particularly concerning for financial services firms?

Financial services firms are prime targets due to the high value of their data, including financial transactions and personally identifiable information (PII). Hidden tunnels enable attackers to siphon off this sensitive data without detection, leading to potentially severe financial and reputational damage.

How can hidden tunnels be detected if they mimic legitimate traffic?

Detection involves analyzing network traffic metadata for subtle abnormalities in protocol behavior. This includes identifying slight delays, abnormal patterns in requests and responses, and other deviations from normal communication flow that indicate the presence of a hidden tunnel.

Why can't traditional security measures effectively detect hidden tunnels?

Traditional security measures, such as deep packet inspection, are often ineffective because hidden tunnels blend with legitimate traffic and use sophisticated obfuscation techniques. Progressive decoding of protocols might not reveal the malicious nature of the embedded communications.

What makes behavioral analysis crucial in detecting hidden tunnels?

Behavioral analysis is crucial because hidden tunnels introduce anomalies in communication patterns. These include slight delays and unusual request-response patterns that deviate from normal behavior. Detecting these subtle signs requires sophisticated analysis beyond traditional methods.

How do hidden tunnels differ from legitimate network tunnels?

While legitimate tunnels facilitate efficient data sharing within networks or between applications, hidden tunnels are used maliciously to steal sensitive data. They blend with normal traffic, making them hard to detect and allowing attackers to remotely control and exfiltrate information.

What are some common techniques attackers use to create hidden tunnels?

Attackers often embed malicious communications within normal protocols like HTTP, HTTPS, and DNS. For example, they might hide malware requests within HTTP-GET text fields or command-and-control instructions within HTTP responses. They also use various obfuscation techniques to avoid detection.

What role does a threat detection and response platform play in identifying hidden tunnels?

A threat detection and response platform like Vectra's uses advanced mathematical models and behavioral analysis to detect hidden tunnels without decrypting the traffic. It identifies subtle attack behaviors and anomalies, enabling quick and accurate detection of covert channels.

How does Vectra’s approach to detecting hidden tunnels work?

Vectra continuously analyzes network traffic metadata for subtle protocol abnormalities. By using mathematical models to detect deviations from normal behavior in HTTP, HTTPS, and DNS traffic, Vectra can identify hidden tunnels without deep-packet inspection or decryption.

How can a Security Operations Center (SOC) benefit from using a threat detection platform like Vectra?

A SOC benefits from Vectra's platform by gaining the ability to quickly and accurately detect hidden tunnels and other advanced threats. This enhances the SOC’s capacity to respond to cyberthreats, reducing the risk of data breaches and improving overall network security.