Multi-home Fronted Tunnel

Signs of a Multi-home Fronted Tunnel

  • An internal host is communicating with an outside IP over HTTPS, and another protocol is running on top of the HTTPS sessions. The sessions appear to go to different domains, but all are served by a single Content Delivery Network (CDN) and all use a JA3 hash that is used only by this host and only with this one CDN.
  • This represents a hidden tunnel made up of multiple shorter sessions spread over a longer period of time, mimicking normal encrypted Web traffic
  • The threat score is driven by the size of the data transfer spikes above the baseline beacon and by the number of unique second-level domains contacted
  • The certainty score is driven by the persistence of the communication, the total connection volume, and how the traffic is spread across the different domains
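The signs above can be turned into a simple hunt over TLS session logs. The following is an added example, not Vectra's own detection logic: it groups sessions by (internal host, CDN, JA3), keeps only groups whose JA3 fingerprint no other host uses towards that CDN, and then checks the number of unique second-level domains, data transfer spikes above the median beacon size, and the time span of the activity. The session records, field names and JA3 values are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def _s(src, cdn, ja3, sni, nbytes, ts):
    return {"src": src, "cdn": cdn, "ja3": ja3, "sni": sni, "bytes": nbytes, "ts": ts}

# Constructed sample TLS session records (not real traffic); field names and the
# JA3 values are assumptions. Host 10.0.0.5 talks to four unrelated second-level
# domains, all on one CDN, with a fingerprint no other host uses towards that CDN.
SESSIONS = [
    _s("10.0.0.5", "cdn-a", "ja3-f1", "news.example.com", 1200, 0),
    _s("10.0.0.5", "cdn-a", "ja3-f1", "shop.example.org", 1100, 600),
    _s("10.0.0.5", "cdn-a", "ja3-f1", "blog.example.net", 1300, 1200),
    _s("10.0.0.5", "cdn-a", "ja3-f1", "news.example.com", 52000, 1800),
    _s("10.0.0.5", "cdn-a", "ja3-f1", "cdn.example.io", 1150, 2400),
    _s("10.0.0.5", "cdn-a", "ja3-f1", "blog.example.net", 48000, 3000),
    # Ordinary browsers: fingerprint shared by several hosts, one domain each.
    _s("10.0.0.9", "cdn-a", "ja3-f2", "www.example.com", 3000, 0),
    _s("10.0.0.9", "cdn-a", "ja3-f2", "www.example.com", 3500, 100),
    _s("10.0.0.7", "cdn-a", "ja3-f2", "www.example.com", 2900, 50),
]

def second_level_domain(sni):
    """Naive SLD (last two labels); production code should use the public suffix list."""
    return ".".join(sni.lower().rstrip(".").split(".")[-2:])

def find_multihome_fronted_tunnels(sessions, min_domains=3, spike_factor=3.0, min_spikes=1):
    """Return one finding per (host, CDN, JA3) group that matches the signs above."""
    hosts_per_fp = defaultdict(set)   # (cdn, ja3) -> internal hosts using it
    groups = defaultdict(list)        # (src, cdn, ja3) -> sessions
    for s in sessions:
        hosts_per_fp[(s["cdn"], s["ja3"])].add(s["src"])
        groups[(s["src"], s["cdn"], s["ja3"])].append(s)
    findings = []
    for (src, cdn, ja3), recs in groups.items():
        if len(hosts_per_fp[(cdn, ja3)]) != 1:
            continue  # fingerprint shared with other hosts: a common client
        slds = {second_level_domain(r["sni"]) for r in recs}
        if len(slds) < min_domains:
            continue  # a single domain is not "multi-home"
        baseline = median(r["bytes"] for r in recs)   # typical beacon size
        spikes = [r for r in recs if r["bytes"] > spike_factor * baseline]
        if len(spikes) < min_spikes:
            continue  # steady beacons only, no data transfer spikes
        findings.append({"host": src, "cdn": cdn, "ja3": ja3, "sessions": len(recs),
                         "unique_slds": len(slds), "spikes": len(spikes),
                         "span_s": max(r["ts"] for r in recs) - min(r["ts"] for r in recs)})
    return findings
```

Mapping a destination IP to its CDN is left to the caller; in practice that comes from certificate issuer or ASN data, which the sample records carry as a pre-filled `cdn` field.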

Why Attackers Use Multi-home Fronted Tunnels

  • A targeted attack may use hidden tunnels to hide communication with command and control servers over TLS on port 443 and other ports
  • Intentionally installed software is using a domain-fronted hidden tunnel utilizing multiple benign domains to bypass expected firewall rules

Business Impact of a Multi-home Fronted Tunnel

  • The use of a hidden tunnel with multi-domain fronting is quite unusual, and it represents significant risk as the intention is to bypass security controls
  • Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker

How to Investigate a Multi-home Fronted Tunnel

  1. Ask the user of the host whether they are using hidden tunnel software for any purpose and, if not, whether they intentionally connected to the list of domains in the detection (the JA3 hash in the detection may provide a clue to the software used)
  2. Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
  3. If the behavior reappears shortly after a reimaging, this may be a hardware/BIOS tunnel
