Breaking Ground: Understanding and Identifying Hidden Tunnels

July 11, 2018
Vectra AI Security Research team
Breaking Ground: Understanding and Identifying Hidden Tunnels

Recently, we made an alarming discovery: hackers are using hidden tunnels to break into and steal from financial services firms! Clearly, this is serious business if it involves bad guys targeting massive amounts of money and private information. But what exactly are we dealing with? Let’s dig into what hidden tunnels are and how I find them to uncover the answer.

Hidden tunnels

There are many types of legitimate tunnels that financial services and other companies use to share data within networks or between applications. They often serve as modes of communication that bypass security controls for greater efficiency. Hidden tunnels look similar, but they serve a different purpose.

Sophisticated attackers use hidden tunnels to carry out command-and-control and exfiltration behaviors. That means they steal critical data and personally identifiable information (PII) from company networks by blending in with normal traffic, remotely controlling the theft of information, and slipping it out through those same tunnels—now loaded with loot yet still undetected.

Because they blend in with multiple connections that use normal, commonly-allowed protocols, hidden tunnels are very difficult to detect. To make things even harder, cyberattackers often steal data in small amounts over time so they won’t set off any obvious alarms. The range of possibilities is limited only by the creativity of the attacker.

For example, a seemingly normal HTTP-GET might carry a hidden malware request embedded within a text field. Likewise, the corresponding HTTP response may include instructions from the command-and-control server that are also hidden within a predetermined field. But these hidden tunnel attacks are not just limited to simple text fields. Covert communications can be embedded in a variety of fields as well as headers and cookies.

Unless you have a way to distinguish hidden tunnels from normal ones, you probably won’t detect them before damage is done. Even progressive decoding of the protocol is unlikely to reveal its true nature because the harmful messages are embedded.

How Vectra finds hidden tunnels

Vectra constantly perform a highly sophisticated analysis of metadata from network traffic, revealing subtle abnormalities within a protocol that gives away the presence of a hidden tunnel. Gotcha, hacker!

In other words, even though messages are disguised within an allowed protocol, the resulting communications that make up the hidden tunnel can’t help but introduce subtle attack behaviors into the overall conversation flow. These include slight delays or abnormal patterns in requests and responses. It’s like seeing someone order a tuna sandwich, only for them to receive it in 100 small parts instead of one whole package; seems fishy to me!

Based on these behavioral hints, we use mathematical models to accurately detect hidden tunnels within HTTP, HTTPS and DNS traffic—all without performing any decryption. Our ability to hunt for threats without performing deep-packet inspection also enables us to find hidden tunnels no matter how they are implemented. It doesn’t matter what field attackers use to embed communications or whether they use a never-before-seen obfuscation technique. The attacker’s variance from normal protocol behavior will still expose the hidden tunnel’s presence.

These are tasks that security analysts can’t tackle alone or fast enough. That’s why we offer unique skills of quickly and precisely detecting and hunting for cyberthreats, including hidden tunnels, so you can better respond to them.

To learn more about sophisticated cyberattacks and hidden tunnels infiltrating various industries like financial services, check out the 2018 Spotlight Report from Vectra.