Command & Control
Multi-home Fronted Tunnel
Detection overview
The Multi-home Fronted Tunnel detection identifies the use of multiple domain fronting techniques to hide command and control (C2) traffic. This technique involves using several different domains to disguise the true destination of network traffic, often leveraging content delivery networks (CDNs) to make malicious traffic appear legitimate. This method helps attackers evade detection by blending their traffic with regular CDN traffic.
Triggers
- An internal host is communicating with an outside IP using HTTPS where another protocol is running over the top of the HTTPS sessions. The sessions appear to go to different domains but are all served by a single Content Delivery Network (CDN) and all utilize a JA3 hash which is only used by this host with this one CDN.
- This represents a hidden tunnel involving multiple shorter sessions over a longer period of time mimicking normal encrypted Web traffic
Possible Root Causes
- A targeted attack may use hidden tunnels to hide communication with command and control servers over TLS on port 443 and other ports
- Intentionally installed software is using a domain-fronted hidden tunnel utilizing multiple benign domains to bypass expected firewall rules
Business Impact
- The use of a hidden tunnel with multi-domain fronting is quite unusual, and it represents significant risk as the intention is to bypass security controls
- Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker
Steps to Verify
- Ask the user of the host whether they are using hidden tunnel software for any purpose and if not, whether they intentionally connected to the list of domains in the detection (the JA3- hash in the detection may provide a clue to the software utilized)
- Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
- If the behavior reappears shortly after a reimaging, this may be a hardware/BIOS tunnel
Multi-home Fronted Tunnel
Possible root causes
Malicious Detection
- An attacker using multi-home fronted tunnels to communicate with external command and control servers while evading detection.
- Malware on an internal host using domain fronting to maintain a persistent connection with C2 servers.
- Compromised internal machines using advanced evasion techniques to bypass network security measures.
Benign Detection
- Security or network management tools performing legitimate tasks that involve complex traffic routing.
- Applications or services using CDNs for load balancing and optimization, resulting in traffic patterns similar to multi-home fronting.
- Misconfigured software inadvertently generating traffic that resembles multi-home fronted tunnels.
Multi-home Fronted Tunnel
Example scenarios
Scenario 1: An internal host communicates with multiple domains via HTTPS, with traffic patterns showing frequent changes in destination domains but consistent JA3 hashes. Further investigation reveals malware using domain fronting to evade detection while maintaining contact with C2 servers.
Scenario 2: A security audit detects HTTPS sessions from an internal host to multiple domains within a short period. Analysis shows these sessions contain hidden command and control traffic, indicating the host is compromised and using multi-home fronting for evasion.
Multi-home Fronted Tunnel
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Data Exfiltration
Hidden tunnels can be used to exfiltrate sensitive data from the organization, leading to potential financial and reputational damage.
Unauthorized Remote Access
Attackers can use these tunnels to maintain persistent remote access, allowing them to control compromised hosts undetected.
Bypassing Security Controls
The use of encrypted tunnels through multiple domains can bypass traditional network security measures, increasing the risk of undetected malicious activity.
Multi-home Fronted Tunnel
Steps to investigate
Analyze Network Traffic Logs
Review logs for traffic patterns involving multiple domain fronting, focusing on consistent JA3 hashes and unusual domain changes within short intervals.
Inspect the Host
Investigate the internal host generating the traffic for signs of compromise, such as malware, unauthorized software, or unexpected configurations.
Check for Associated Indicators
Look for other signs of compromise, such as abnormal login attempts, unusual system behavior, or other related detections.
Consult with IT and Security Teams
Confirm if any authorized activities or legitimate services could explain the detected multi-home fronted tunnel behavior.
Multi-home Fronted Tunnel
MITRE ATT&CK techniques covered
FAQs
What is a Multi-home Fronted Tunnel?
A Multi-home Fronted Tunnel involves using multiple domains, often leveraging CDNs, to disguise the true destination of network traffic, making it difficult to detect malicious communications with command and control servers.
What are the common signs of a Multi-home Fronted Tunnel?
Common signs include frequent domain changes within HTTPS sessions, consistent JA3 hashes across different domains, and HTTPS traffic that appears legitimate but shows signs of protocol tunneling.
Can legitimate software trigger this detection?
Yes, security tools, applications using CDNs for optimization, and misconfigured software can generate traffic resembling multi-home fronted tunnels.
How does Vectra AI identify Multi-home Fronted Tunnels?
Vectra AI uses advanced AI algorithms and machine learning to analyze HTTPS traffic patterns and identify anomalies indicative of multi-home fronting activities.
What is the business impact of a Multi-home Fronted Tunnel?
It can lead to data exfiltration, unauthorized remote access, and bypassing security controls, resulting in financial and reputational damage.
How can I detect a Multi-home Fronted Tunnel in my network?
Detect Multi-home Fronted Tunnels by monitoring for traffic patterns involving frequent changes in destination domains, consistent JA3 hashes, and unusual HTTPS traffic indicative of tunneling.
Why are Multi-home Fronted Tunnels a significant threat?
They can be used for data exfiltration, maintaining persistent unauthorized remote access, and bypassing traditional network security controls, posing significant risks to the organization.
What steps should I take if I detect a Multi-home Fronted Tunnel?
Investigate the source and nature of the traffic, check the host for signs of compromise, review network traffic logs, and consult with IT and security teams to verify if the activity is legitimate.
What tools can help verify the presence of a Multi-home Fronted Tunnel?
Tools such as network traffic analysis, firewall logs, and intrusion detection systems can help verify and investigate suspicious multi-home fronted tunnel activities.
How can I prevent Multi-home Fronted Tunnels?
Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.