What are hidden tunnels?
Hidden tunnels are heavily used by attackers to control internal hosts from outside the network, and they are typically used for the entire length of an attack.
This technique can circumvent normal security measures and allows attackers to blend in with normal traffic. It is critical to have an early and confident signal for this type of behavior in order to protect your company.
How do attackers create hidden tunnels?
Attackers have several different ways to create tunnels, leveraging:
- Short TCP sessions
- Long TCP sessions
- Dynamic TCP sessions (combination of short and long TCP sessions)
They leverage known and unknown tunnel technologies, including:
- Custom implants
- Cobalt Strike
- Metasploit
- Empire
- FactionC2
- PoshC2
- Covenant
- DNS over HTTPS
- LogMeIn
- AnyDesk
How to detect signs of hidden tunnels
Signs of a Hidden HTTPS Tunnel
- An internal host is communicating with an outside IP using HTTPS where another protocol is running over the top of the HTTPS sessions
- This represents a hidden tunnel involving one long session or multiple shorter sessions over a longer period of time mimicking normal encrypted Web traffic
- When it can be determined whether the tunneling software is console-based or driven via a graphical user interface, that indicator will be included in the detection

Signs of a Hidden HTTP Tunnel
- An internal host is communicating with an outside IP using HTTP where another protocol is running over the top of the HTTP sessions
- This represents a hidden tunnel involving multiple sessions over longer periods of time mimicking normal Web traffic

Signs of a Hidden DNS Tunnel
- An internal host is communicating with an outside IP using DNS where another protocol is running over the top of the DNS sessions
- This represents a hidden tunnel involving multiple sessions over longer periods of time mimicking normal DNS traffic
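The DNS sign above ("another protocol running over the top of the DNS sessions") can be checked in query logs: a tunnel tends to produce many queries to one domain whose subdomains are almost all unique and carry high-entropy encoded data. The following is an added example (not part of this page or any vendor product) that scores constructed DNS log lines on those traits; the log format, the placeholder domain, the thresholds and the naive registered-domain split are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log: "<epoch> <client_ip> <qtype> <qname>".
# Client 10.0.0.7 sends unique, high-entropy labels to one placeholder domain,
# the pattern a DNS tunnel produces; 10.0.0.5 is ordinary name resolution.
SAMPLE_LOG = """\
1700000001 10.0.0.5 A www.example.com
1700000002 10.0.0.5 A cdn.example.com
1700000003 10.0.0.5 AAAA mail.example.com
1700000004 10.0.0.7 TXT 3q7x9k2mzp8v1lw0.c2-placeholder.test
1700000005 10.0.0.7 TXT 8hd2k0qzt5mxv7ab.c2-placeholder.test
1700000006 10.0.0.7 TXT zp1m4k7qx2lv9bn6.c2-placeholder.test
1700000007 10.0.0.7 TXT k5mz0w8vq3hx6lp2.c2-placeholder.test
1700000008 10.0.0.7 TXT w9v2lq7mk0xz5hb4.c2-placeholder.test
1700000009 10.0.0.5 A www.example.com
"""

def shannon_entropy(text):
    """Bits per character; encoded payload labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def split_name(qname):
    """Naive split on the last two labels; real code needs the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def analyze(log_text, min_queries=5, min_unique_ratio=0.9, min_entropy=3.5):
    """Flag (client, domain) pairs: many queries, nearly all-unique subdomains, high entropy."""
    stats = defaultdict(lambda: {"total": 0, "subs": set(), "ent_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _qtype, qname = line.split()
        registered, sub = split_name(qname)
        s = stats[(client, registered)]
        s["total"] += 1
        s["subs"].add(sub)
        s["ent_sum"] += shannon_entropy(sub.replace(".", ""))
    findings = []
    for (client, domain), s in stats.items():
        ratio, mean_ent = len(s["subs"]) / s["total"], s["ent_sum"] / s["total"]
        if s["total"] >= min_queries and ratio >= min_unique_ratio and mean_ent >= min_entropy:
            findings.append({"client": client, "domain": domain, "queries": s["total"],
                             "unique_ratio": round(ratio, 2), "mean_entropy": round(mean_ent, 2)})
    return findings
```

Legitimate services (CDNs, reputation lookups, some anti-malware products) also generate high-entropy subdomains, so treat a hit as a lead to investigate against the steps below, not as a verdict.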

Business Impact of a Hidden Tunnel
- The use of a hidden tunnel by some software may be benign, but it represents significant risk as the intention is to bypass security controls
- Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker
- Hidden tunnels are rarely used by botnets, though more sophisticated bot herders with more ambitious goals may utilize them
How to investigate a Hidden Tunnel
- Check to see if the destination IP or domain of the tunnel is an entity you trust for your network
- Ask the user of the host whether they are using hidden tunnel software for any purpose
- Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
- If the behavior reappears shortly after a reimaging, this may be a hardware/BIOS tunnel