Blog - article

A revolutionary new approach to detecting malicious covert communications

Wade Williamson
October 28, 2015

Today’s cyber attackers are patient, as they infiltrate and steadily persist within an organization’s network over time. These long-term attacks require ongoing communication to orchestrate the various phases of attack.

By understanding how attackers conceal their communications, we can rob attackers of the persistence and coordination that makes modern attacks so successful.

Why attackers use covert communications

Attackers conceal command-and-control communication that enable them to coordinate an attack and exfiltrate data. Command-and-control communications can be automated, such as malware that checks in and gets instructions from a remote server.

Or, in the case of a targeted attack, an individual may use remote access tools (RATs) to control an infected computer. Whether automated or manual, command-and-control activities require a flow of information into and out of an organization’s network.

Once an attacker has located the key data or assets he wants to steal, the focus shifts to accumulating them and smuggling those assets out. In this exfiltration stage, the attacker controls the transmission of large amounts of data flow out of the network.

Covert communications are very difficult to detect because they occur after an attacker has bypassed an organization’s prevention-based security controls. Once attackers gain access to the trusted network, they can blend in with the normal, trusted user traffic such as Web browsing or Gmail that are allowed applications.

Vectra takes a revolutionary approach to detecting a variety of methods of covert communications, including the use of encryption, hidden tunnels, hiding within legitimate applications, RATs and anonymization techniques.

Using a combination of advanced data science and machine learning algorithms applied directly to network traffic at the packet level, Vectra reveals covert communications that are invisible to traditional security tools.

Let’s take a look at different types of covert communications.

Detecting threats in encrypted traffic – without decryption

Encryption protects communications from prying eyes, whether you are a good guy or a bad guy.

With the rise of Web applications, the use of SSL/TLS encryption has grown, and there is more HTTPS traffic than ever. That creates a perfect opportunity for attackers to obscure their activities from network security tools. Attackers can encrypt their command-and-control communications and exfiltration traffic so it will blend in with the huge volumes of Web applications.

While many attackers use SSL/TLS, skilled attackers can also create their own encryption schemes. Custom encryption is especially difficult to detect, because the protocol might be unidentifiable and use any available port.

Vectra doesn’t let encryption stand in the way of detecting threats. Vectra applies data science to packet-level network traffic to reveal its true behavior. Vectra mathematically analyzes subtle patterns that indicate covert communications across different applications and whether or not the traffic is encrypted.

Exposing hidden tunnels

Attackers increasingly use hidden tunnels to carry their command-and-control communication and exfiltration activities. Hidden tunnels are very difficult to detect, as attackers’ communications are hidden within multiple connections that use normal, commonly allowed protocols.

For example, communications can be embedded as text in HTTP-GET requests, as well as in headers, cookies and other fields. The requests and responses are hidden among messages within the allowed protocol.

Vectra has created highly sophisticated mathematical algorithms to identify hidden tunnels within HTTP, HTTPS and DNS traffic. Although the traffic appears to be normal, there are subtle abnormalities, such as slight delays or unusual patterns in requests and responses that indicate the presence of covert communications.

Stopping external remote access tools

When it comes to executing a targeted attack, external remote access tools—or RATs—are essential. Attackers on the outside can use RATs to gain total hands-on control over infected devices inside an organization’s network.

RATs are widely used and extremely difficult to detect. Signatures exist for the most common RATs, but skilled attackers can easily customize their own RATS or build their own using common remote desktop tools. From the perspective of log or NetFlow analysis, a RAT looks like an ordinary Web connection, so the traffic blends in with legitimate user traffic.

Vectra combines data science and packet-level machine learning algorithms to reveal the presence of external RATs. No signatures are needed. For example, one indication of a RAT is that the external host breaks almost all of the pauses of the communication.

This information is placed in context by correlating the presence of a RAT with reconnaissance scans, lateral movement or other malicious behavior, and prioritizes the hosts at the center of the attack.

Hiding within allowed applications

Attackers conceal their communications within allowed applications or by emulating allowed applications. Web traffic is a particular favorite, because it is so prevalent.

For example, attackers may emulate a Web browser to blend in with legitimate enterprise Web traffic, and then use this connection to communicate with the outside world. There are other variations of this strategy, but the commonality is that the traffic has not been generated by human actions.

Vectra uses data science to identify malware that masquerades as a person. Through advanced techniques, Vectra can identify the unique patterns of command-and-control behavior and the telltale signs that it is the work of a machine, not a human.

Keeping it anonymous

No discussion of covert communications would be complete without mentioning anonymization technologies such as The Onion Router (Tor), peer-to-peer (P2P) and other proxies that attackers use to obscure their identities and locations.

Vectra can help organizations minimize the risk of anonymizers, whether it is used by an attacker or a worker who is trying to subvert corporate security policy. By analyzing traffic mathematically, Vectra can identify the unique behavior of Tor traffic and can determine whether it is being used for command-and-control communications or more dangerous data smuggling.

Similarly, Vectra can identify the unique patterns of P2P traffic and identifies it generically so that it is effective regardless of the flavor of P2P.

Vectra takes a revolutionary approach to security, revealing attackers’ secret communications for the first time ever—without need for signatures, malware sandboxes or reputation lists. And if you can stop the covert communications, you can stop the attack.

Learn more about malicious covert communications – and how Vectra stops them – by downloading the white paper.

About the author

Wade Williamson

Wade Williamson is a cybersecurity writer, product manager and marketer with experience in positions from director of product marketing to senior security analyst.

Most recent blog posts from the same author


Bringing attack detections to the data center

September 13, 2016
Read blog post

The new vulnerability that creates a dangerous watering hole in your network

July 12, 2016
Read blog post

Ransomware, encryption and machine learning – Three key takeaways from Infosecurity 2016

June 15, 2016
Read blog post