Triggers

  • An internal host is communicating with an outside IP using HTTP, and another protocol is running on top of the HTTP sessions
  • This indicates a hidden tunnel: multiple sessions over a longer period of time that mimic normal Web traffic
  • The threat score is driven by the quantity of data sent via the tunnel
  • The certainty score is driven by the number and persistence of the sessions
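As an added example (not code from the original page or from the product it describes), the scoring logic described above run over a handful of constructed session records: sessions whose payload does not parse as HTTP are grouped by internal-host/external-IP pair, the threat score is driven by bytes sent and the certainty score by session count and persistence. The record format, the internal address range and the point weights are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumed site-specific internal range (the page does not name one).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed session records, not real traffic:
# (src, dst, start time UTC, bytes sent by src, payload parsed as real HTTP?)
SESSIONS = [
    ("10.0.5.23", "203.0.113.9",  "2024-03-01T09:00:00", 48_000, False),
    ("10.0.5.23", "203.0.113.9",  "2024-03-01T13:10:00", 52_000, False),
    ("10.0.5.23", "203.0.113.9",  "2024-03-02T09:05:00", 47_500, False),
    ("10.0.5.23", "203.0.113.9",  "2024-03-02T13:12:00", 50_200, False),
    ("10.0.5.23", "203.0.113.9",  "2024-03-03T09:02:00", 49_100, False),
    ("10.0.5.23", "198.51.100.4", "2024-03-01T09:30:00",  1_200, True),   # ordinary browsing
    ("10.0.7.8",  "203.0.113.50", "2024-03-01T10:00:00",    900, False),  # one odd session only
]


def score_tunnels(sessions, min_sessions=3):
    """Group internal->external sessions carrying non-HTTP payload and score each pair."""
    groups = defaultdict(list)
    for src, dst, start, bytes_out, http_ok in sessions:
        internal_to_external = (ipaddress.ip_address(src) in INTERNAL
                                and ipaddress.ip_address(dst) not in INTERNAL)
        if http_ok or not internal_to_external:
            continue                      # real HTTP, or not an outbound session
        groups[(src, dst)].append((datetime.fromisoformat(start), bytes_out))

    results = {}
    for pair, rows in groups.items():
        if len(rows) < min_sessions:
            continue                      # a single odd session is not a tunnel
        rows.sort()
        total_bytes = sum(b for _, b in rows)
        span_hours = (rows[-1][0] - rows[0][0]).total_seconds() / 3600
        # Threat: quantity of data sent, 1 point per 10 KB, capped at 100 (assumed weights).
        threat = min(100, total_bytes // 10_000)
        # Certainty: half from session count, half from persistence in whole days.
        certainty = min(50, len(rows) * 10) + min(50, int(span_hours // 24) * 20)
        results[pair] = {"sessions": len(rows), "bytes_out": total_bytes,
                         "span_hours": round(span_hours, 1),
                         "threat": threat, "certainty": certainty}
    return results


if __name__ == "__main__":
    for (src, dst), info in score_tunnels(SESSIONS).items():
        print(f"{src} -> {dst}: {info}")
```

Only the host with repeated, persistent non-HTTP-over-HTTP sessions is reported; the single odd session and the ordinary browsing are dropped.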

Possible Root Causes

  • A targeted attack may use hidden tunnels to hide communication with command and control servers
  • A user is utilizing tunneling software to communicate with Internet services which might not otherwise be accessible
  • Intentionally installed software is using a hidden tunnel to bypass expected firewall rules

Business Impact

  • The use of a hidden tunnel by some software may be benign, but it represents significant risk as the intention is to bypass security controls
  • Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker
  • Hidden tunnels are rarely used by botnets, though more sophisticated bot herders with more ambitious goals may utilize them

Steps to Verify

  • Check whether the destination IP or domain of the tunnel is an entity you trust for your network
  • Ask the user of the host whether they are using hidden tunnel software for any purpose
  • Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
  • If the behavior reappears shortly after reimaging, the tunnel may originate in hardware or firmware (BIOS) rather than in the operating system