Command & Control
Hidden HTTPS Tunnel
Detection overview
The Hidden HTTPS Tunnel detection identifies the use of HTTPS traffic to covertly communicate with external command and control servers by encapsulating another protocol within HTTPS sessions. Attackers use this technique to evade detection by blending malicious traffic with legitimate HTTPS traffic, making it difficult to identify without advanced analysis.
Triggers
- An internal host is communicating with an outside IP using HTTPS where another protocol is running over the top of the HTTPS sessions
- This represents a hidden tunnel involving one long session or multiple shorter sessions over a longer period of time mimicking normal encrypted Web traffic
- When it can be determined whether the tunneling software is console-based or driven via a graphical user interface, that indicator will be included in the detection
Possible Root Causes
- A targeted attack may use hidden tunnels to hide communication with command and control servers over SSL on port 443
- A user is utilizing tunneling software to communicate with Internet services which might not otherwise be accessible
- Intentionally installed software is using a hidden tunnel to bypass expected firewall rules
Business Impact
- The use of a hidden tunnel by some software may be benign, but it represents significant risk as the intention is to bypass security controls
- Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker
- Hidden tunnels are rarely used by botnets, though more sophisticated bot herders with more ambitious goals may utilize them
Steps to Verify
- Check to see if the destination IP or domain of the tunnel is an entity you trust for your network
- Ask the user of the host whether they are using hidden tunnel software for any purpose
- Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
- If the behavior reappears shortly after a reimaging, this may be a hardware/BIOS tunnel
Hidden HTTPS Tunnel
Possible root causes
Malicious Detection
- An attacker using an internal host to communicate with an external command and control server by tunneling malicious protocols over HTTPS.
- Malware installed on the internal host designed to use HTTPS tunnels to exfiltrate data or receive commands from an attacker.
- Compromised internal host part of a botnet using HTTPS to evade network security measures.
Benign Detection
- Security or network management tools performing legitimate tasks that involve unusual HTTPS traffic patterns.
- Legitimate software updates or cloud services that use non-standard HTTPS communication.
- Misconfigured applications or services generating traffic that resembles hidden tunnels.
Hidden HTTPS Tunnel
Example scenarios
Scenario 1: An internal host communicates with an external IP over HTTPS, displaying consistent communication patterns and unusual payload sizes. Further investigation reveals the presence of malware using HTTPS tunneling to exfiltrate data.
Scenario 2: A security audit detects long-duration HTTPS sessions from an internal host to a suspicious domain. Analysis shows the sessions contain hidden command and control traffic, indicating the host is compromised and part of a botnet.
Hidden HTTPS Tunnel
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data Exfiltration
Hidden HTTPS tunnels can be used to exfiltrate sensitive data from the organization, leading to potential financial and reputational damage.
Unauthorized Remote Access
Attackers can use these tunnels to maintain persistent remote access, allowing them to control compromised hosts undetected.
Bypassing Security Controls
The use of encrypted tunnels can bypass traditional network security measures, increasing the risk of undetected malicious activity.
Hidden HTTPS Tunnel
Steps to investigate
Analyze Network Traffic Logs
Review logs for unusual HTTPS traffic patterns, focusing on long or multiple sessions, size variability, and communication with uncommon external domains.
Inspect the Host
Investigate the internal host generating the traffic for signs of compromise, such as malware, unauthorized software, or unexpected configurations.
Check for Associated Indicators
Look for other signs of compromise, such as abnormal login attempts, unusual system behavior, or other related detections.
Consult with IT and Security Teams
Confirm if any authorized activities or legitimate services could explain the detected HTTPS tunnel behavior.
Hidden HTTPS Tunnel
MITRE ATT&CK techniques covered
FAQs
What is a Hidden HTTPS Tunnel?
A Hidden HTTPS Tunnel is a technique where attackers use HTTPS traffic to covertly communicate with external command and control servers by encapsulating other protocols within HTTPS sessions to evade detection.
How can I detect a Hidden HTTPS Tunnel in my network?
Detect Hidden HTTPS Tunnels by monitoring for unusual HTTPS traffic patterns, such as long or multiple sessions with variable sizes, and communication with uncommon or suspicious external domains.
What are the common signs of a Hidden HTTPS Tunnel?
Common signs include long-duration HTTPS sessions, frequent communication with suspicious domains, payload sizes inconsistent with typical HTTPS traffic, and unusual frequency or variability in HTTPS session sizes.
Why are Hidden HTTPS Tunnels a significant threat?
They can be used for data exfiltration, maintaining persistent unauthorized remote access, and bypassing traditional network security controls, posing significant risks to the organization.
Can legitimate software trigger this detection?
Yes, security tools, legitimate software updates, or misconfigured applications can generate traffic that resembles hidden HTTPS tunnels.
What steps should I take if I detect a Hidden HTTPS Tunnel?
Investigate the source and nature of the HTTPS traffic, check the host for signs of compromise, review network traffic logs, and consult with IT and security teams to verify if the activity is legitimate.
How does Vectra AI identify Hidden HTTPS Tunnels?
Vectra AI uses advanced AI algorithms and machine learning to analyze HTTPS traffic patterns and identify anomalies indicative of hidden tunneling activities.
What tools can help verify the presence of a Hidden HTTPS Tunnel?
Tools such as network traffic analysis, firewall logs, and intrusion detection systems can help verify and investigate suspicious hidden HTTPS tunnel activities.
What is the business impact of a Hidden HTTPS Tunnel?
It can lead to data exfiltration, unauthorized remote access, and bypassing security controls, resulting in financial and reputational damage.
How can I prevent Hidden HTTPS Tunnels?
Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.