• An internal host is communicating with an outside IP using HTTPS where another protocol is running over the top of the HTTPS sessions
  • This represents a hidden tunnel involving one long session or multiple shorter sessions over a longer period of time mimicking normal encrypted Web traffic
  • When it can be determined whether the tunneling software is console-based or driven via a graphical user interface, that indicator will be included in the detection

Possible Root Causes

  • A targeted attack may use hidden tunnels to hide communication with command and control servers over SSL on port 443
  • A user is utilizing tunneling software to communicate with Internet services which might not otherwise be accessible
  • Intentionally installed software is using a hidden tunnel to bypass expected firewall rules

Business Impact

  • The use of a hidden tunnel by some software may be benign, but it represents significant risk as the intention is to bypass security controls
  • Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker
  • Hidden tunnels are rarely used by botnets, though more sophisticated bot herders with more ambitious goals may utilize them

Steps to Verify

  1. Check to see if the destination IP or domain of the tunnel is an entity you trust for your network
  2. Ask the user of the host whether they are using hidden tunnel software for any purpose
  3. Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
  4. If the behavior reappears shortly after a reimaging, this may be a hardware/BIOS tunnel

Screenshot of the Vectra AI platform showing signs of a hidden HTTPS tunnel
Screenshot of the Vectra AI platform showing signs of a hidden HTTPS tunnel