Attack Technique

Tunneling

Tunneling is widely used for legitimate network purposes, such as establishing secure communications or bypassing geographical restrictions. But it’s also a technique attackers use to bypass your security controls.

Definition

What is tunneling?

In the real world, tunnels are hidden passages that offer a way through barriers like mountains and buildings. Network tunneling is similar — it's a technique for carrying traffic of one protocol across a network that would not otherwise carry it. More specifically, it encapsulates data packets within other packets to bypass network restrictions. This method allows network traffic to appear as though it’s part of a legitimate network protocol, enabling communication between systems in ways that might otherwise be blocked or restricted.

While many legitimate tunnels exist within networks, used by companies to securely share data between applications or systems, hidden tunnels serve malicious purposes. Attackers use them to bypass security controls and masquerade as normal traffic while conducting command-and-control activities and stealing data.

How it works

How tunneling works

In a typical tunneling scenario, the data from one protocol is enclosed within the payload section of another protocol. The outer layer, or "wrapper," appears as normal traffic. It hides the inner, unauthorized content. This can be done with protocols such as:

  • VPNs (virtual private networks), which secure communications over the internet by encapsulating private network traffic within encrypted IP packets.
  • Secure Shell (SSH tunneling), which sets up encrypted connections between client and server, most often to bypass firewall restrictions.
  • DNS, HTTPS and HTTP tunneling, which encapsulate another protocol within otherwise legitimate sessions to communicate covertly with external command-and-control servers.

Why attackers use it

Why attackers use tunneling

Attackers use tunneling as a method to encapsulate one network protocol within another, allowing them to bypass security controls, evade detection, and maintain persistent communication with compromised systems. Tunneling enables attackers to stealthily transmit data, commands, or malware across network boundaries that would otherwise restrict or monitor such traffic.

Here are the specific reasons why attackers use tunneling techniques:

Bypassing firewalls and network restrictions

  • Evading security policies: Firewalls and network filters often allow certain types of traffic while blocking others. Attackers use tunneling to encapsulate prohibited protocols within allowed ones (e.g., wrapping malicious traffic inside HTTP or DNS protocols) to bypass these restrictions.
  • Accessing restricted services: Tunneling allows attackers to reach internal services that are not exposed to the external network by routing traffic through permitted channels.

Stealth and evasion

  • Hiding malicious activity: By embedding malicious communications within legitimate protocols, attackers can avoid detection by intrusion detection systems (IDS) and intrusion prevention systems (IPS).
  • Encryption and obfuscation: Tunneling can encrypt the payload, making it difficult for security tools to inspect the contents of the traffic.

Data exfiltration

  • Stealthy data theft: Attackers use tunneling to exfiltrate sensitive data from a compromised network without triggering security alerts.
  • Avoiding detection: By blending exfiltrated data with normal traffic patterns, attackers reduce the likelihood of being noticed.

Maintaining persistent connections

  • Command and Control (C2) communication: Tunneling facilitates persistent communication channels between compromised systems and attackers' servers, even in the presence of security measures.
  • Resilience against network changes: Tunnels can be re-established over whatever path or protocol is still permitted when network conditions change, so the communication remains intact.

Anonymity and attribution avoidance

  • Hiding source IP addresses: Tunneling can obscure the attacker's origin, making it harder for defenders to trace the attack back to its source.
  • Using intermediate hosts: Attackers route their traffic through multiple layers or compromised hosts to further complicate attribution.

Protocol abuse

  • Leveraging allowed protocols: Attackers exploit protocols that are commonly allowed through firewalls (e.g., HTTP, HTTPS, DNS) to carry out malicious activities.
  • Exploiting weaknesses: Some protocols have inherent weaknesses or are less scrutinized, providing an opportunity for attackers.

Common Tunneling Techniques Used by Attackers

DNS Tunneling

DNS tunneling involves encapsulating data within DNS queries and responses. Since DNS traffic is essential for domain name resolution and is often allowed through firewalls without strict scrutiny, attackers exploit this protocol to embed malicious data or commands inside DNS packets. This technique enables them to perform data exfiltration and maintain command and control communications with compromised systems, leveraging the permitted DNS traffic to bypass security measures undetected.

How DNS tunneling works
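The detection side of the technique just described, as an added example that is not the page's or Vectra AI's code: it scores each domain in a constructed DNS query log on the length, entropy and uniqueness of the leftmost labels, which is where a tunnel has to carry its data. The log format, the "last two labels" approximation of a registrable domain and the thresholds are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one query per line: "<client> <qtype> <qname>".
# The tunnel-sample.invalid lines mimic a tunnel: long, high-entropy leftmost labels.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.5 AAAA cdn.example.com
10.0.0.9 A login.example.com
10.0.0.7 TXT 4a7f3b9c2e1d8f6a5b4c3d2e1f0a9b8c.tunnel-sample.invalid
10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.tunnel-sample.invalid
10.0.0.7 TXT 1f2e3d4c5b6a79880716253443526170.tunnel-sample.invalid
10.0.0.7 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.tunnel-sample.invalid
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: encoded data scores high, readable hostnames low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def domain_features(log_text: str) -> dict:
    """Group queries by registrable domain (approximated here as the last two
    labels) and summarise the leftmost labels a tunnel would use to carry data."""
    per_domain = defaultdict(list)
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        per_domain[".".join(labels[-2:])].append((qtype, ".".join(labels[:-2])))
    feats = {}
    for domain, rows in per_domain.items():
        prefixes = [p for _, p in rows]
        feats[domain] = {
            "queries": len(rows),
            "unique_ratio": len(set(prefixes)) / len(rows),
            "mean_len": sum(map(len, prefixes)) / len(rows),
            "mean_entropy": sum(map(shannon_entropy, prefixes)) / len(rows),
            "txt_null_ratio": sum(t in ("TXT", "NULL") for t, _ in rows) / len(rows),
        }
    return feats

def suspected_dns_tunnels(log_text: str, min_queries=3, min_len=24.0,
                          min_entropy=3.5, min_unique=0.8) -> list:
    """Flag domains whose subdomain labels look like an encoded data channel."""
    return sorted(d for d, f in domain_features(log_text).items()
                  if f["queries"] >= min_queries and f["mean_len"] >= min_len
                  and f["mean_entropy"] >= min_entropy and f["unique_ratio"] >= min_unique)
```

CDN and anti-spam infrastructure also produce long, hash-like labels, so a hit is a lead to correlate with query volume, record type mix and domain age rather than a verdict on its own.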

HTTP/HTTPS Tunneling

HTTP/HTTPS tunneling entails embedding malicious traffic within standard HTTP or HTTPS requests and responses. Attackers take advantage of the widespread use and acceptance of web traffic to conceal their communications. By encapsulating their data within HTTP protocols, they can pass through firewalls that typically allow web traffic without stringent checks. Utilizing HTTPS adds an extra layer of encryption, preventing content inspection by security tools and hiding malicious activities within normal encrypted web traffic.

How HTTP/HTTPS tunneling works
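Because HTTPS hides the payload, detecting a tunnel inside it has to work from connection metadata alone, which is also the idea behind the "How to detect hidden tunnels" section further down. This added example (not from the page or from Vectra AI's product) scores constructed HTTPS connection records on the regularity of their timing and sizes: a tunnelled command channel checks in on a machine-like rhythm, while browsing does not. The record format, the documentation-range addresses and the thresholds are assumptions made for the example.

```python
import statistics
from collections import defaultdict

# Constructed HTTPS connection records: (epoch_seconds, client, server, bytes_sent).
# 10.0.0.7 -> 203.0.113.9 connects about every 60 s with near-identical sizes, the
# check-in shape of a tunnelled command channel; the 10.0.0.5 records mimic browsing.
SAMPLE_CONNECTIONS = [(60 * k + k % 4, "10.0.0.7", "203.0.113.9", 412 + k % 3)
                      for k in range(30)]
SAMPLE_CONNECTIONS += [(ts, "10.0.0.5", "198.51.100.20", size) for ts, size in
                       [(3, 1540), (9, 8802), (10, 233), (250, 5120), (1100, 760), (1105, 1900)]]

def coefficient_of_variation(values) -> float:
    """Population stdev divided by mean; inf when there is too little data to judge."""
    if len(values) < 2 or statistics.mean(values) == 0:
        return float("inf")
    return statistics.pstdev(values) / statistics.mean(values)

def flow_stats(conns) -> dict:
    """Per (client, server) pair: connection count, median gap between connections,
    and how much the gaps and the bytes sent vary. Low variation is machine-like."""
    flows = defaultdict(list)
    for ts, client, server, size in sorted(conns):
        flows[(client, server)].append((ts, size))
    stats = {}
    for key, rows in flows.items():
        times = [ts for ts, _ in rows]
        sizes = [sz for _, sz in rows]
        gaps = [b - a for a, b in zip(times, times[1:])]
        stats[key] = {"count": len(rows),
                      "median_interval": statistics.median(gaps) if gaps else 0.0,
                      "interval_cv": coefficient_of_variation(gaps),
                      "size_cv": coefficient_of_variation(sizes)}
    return stats

def suspected_beacons(conns, min_count=10, max_cv=0.1) -> list:
    """Flag pairs that connect often, on a steady timer, with steady request sizes."""
    return sorted(k for k, s in flow_stats(conns).items()
                  if s["count"] >= min_count and s["interval_cv"] <= max_cv
                  and s["size_cv"] <= max_cv)
```

Software updaters and monitoring agents also check in on fixed timers, so a flagged pair is something to correlate with the destination's reputation and the host's installed software, not a verdict by itself.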

SSH Tunneling

SSH tunneling uses Secure Shell (SSH) connections to securely forward network traffic. Attackers establish SSH tunnels to transmit data and commands encrypted end-to-end, thereby preventing content analysis and interception by network monitoring tools. This method allows them to bypass network restrictions and maintain persistent, encrypted communication channels with compromised hosts, often exploiting legitimate SSH services to avoid raising suspicion.

How SSH tunneling works

ICMP Tunneling

ICMP tunneling involves encapsulating data within Internet Control Message Protocol (ICMP) packets, such as echo requests and replies commonly used for network diagnostics like ping commands. Attackers exploit this by embedding their data inside ICMP packets, taking advantage of the fact that ICMP traffic is often permitted through firewalls to facilitate network troubleshooting. This technique allows them to bypass firewall rules and transfer data covertly, as ICMP traffic is less likely to be inspected closely.

How ICMP tunneling works
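An added example of the defender's counterpart to the ICMP technique described above (not code from the page or from Vectra AI): ordinary ping tools send a fixed filler payload, so echo packets whose payloads match no known filler and vary in size are the signature of carried data. The echo records, the stand-in tunnel payload and the thresholds are constructed for the example; the Windows and Linux filler patterns are the stock ones those tools send.

```python
import hashlib
from collections import defaultdict

# Stock ping filler. Windows sends "abcdefghijklmnopqrstuvwabcdefghi" (32 bytes);
# iputils ping on Linux sends 56 bytes: a timestamp, then bytes equal to their own
# offset, so data bytes 16..55 are always 0x10..0x37 whatever the timestamp size.
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"
LINUX_FILLER = bytes(range(0x10, 0x38))

def is_stock_ping_payload(payload: bytes) -> bool:
    """True when the echo payload looks like an ordinary ping tool's filler."""
    return payload == WINDOWS_FILLER or (len(payload) == 56 and payload[16:] == LINUX_FILLER)

def opaque_payload(seed: bytes, size: int) -> bytes:
    """Constructed stand-in for carried tunnel data: deterministic, no fixed filler."""
    out = b""
    while len(out) < size:
        out += hashlib.sha256(seed + len(out).to_bytes(2, "big")).digest()
    return out[:size]

# Constructed echo-request records as (src, dst, payload); the 10.0.0.7 flow mimics a tunnel.
SAMPLE_ECHOES = [
    ("10.0.0.5", "10.0.0.1", (1).to_bytes(16, "big") + LINUX_FILLER),
    ("10.0.0.5", "10.0.0.1", (2).to_bytes(16, "big") + LINUX_FILLER),
    ("10.0.0.8", "10.0.0.1", WINDOWS_FILLER),
    ("10.0.0.8", "10.0.0.1", WINDOWS_FILLER),
    ("10.0.0.7", "192.0.2.10", opaque_payload(b"a", 180)),
    ("10.0.0.7", "192.0.2.10", opaque_payload(b"b", 512)),
    ("10.0.0.7", "192.0.2.10", opaque_payload(b"c", 64)),
]

def flow_report(echoes) -> dict:
    """Per (src, dst) flow: packet count, share of non-stock payloads, distinct sizes."""
    flows = defaultdict(list)
    for src, dst, payload in echoes:
        flows[(src, dst)].append(payload)
    return {key: {"packets": len(ps),
                  "non_stock_ratio": sum(not is_stock_ping_payload(p) for p in ps) / len(ps),
                  "distinct_sizes": len({len(p) for p in ps})}
            for key, ps in flows.items()}

def suspected_icmp_tunnels(echoes, min_packets=2) -> list:
    """Flag flows dominated by non-stock payloads whose sizes vary, as carried data would."""
    return sorted(k for k, f in flow_report(echoes).items()
                  if f["packets"] >= min_packets and f["non_stock_ratio"] >= 0.5
                  and f["distinct_sizes"] > 1)
```

Monitoring tools that ping with custom sizes will also trip this rule, so in practice the filler patterns are learned from your own hosts' tooling rather than hard-coded.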

VPN and Encrypted Tunnels

Attackers create Virtual Private Networks (VPNs) or custom encrypted tunnels to encapsulate their traffic within secure channels. By establishing VPN connections using standard protocols or custom encryption methods, they can transmit data, commands, or malware across network boundaries while maintaining confidentiality and integrity. This approach makes it difficult for network monitoring tools to inspect or analyze the traffic, enabling attackers to maintain anonymity, evade detection, and persistently communicate with compromised systems under the guise of legitimate encrypted connections.

How VPN and encrypted tunnels work

Platform Detections

How to detect hidden tunnels

Despite attackers' efforts to blend in with hidden tunnels, their communications inevitably introduce subtle deviations in the flow of network conversations. It’s possible to identify these with advanced AI-driven detections.

Vectra AI provides detections specifically for hidden DNS, HTTPS and HTTP tunnels. Each one employs highly sophisticated analysis of network traffic metadata to identify subtle anomalies that indicate the presence of hidden tunnels. By meticulously examining protocol behaviors, Vectra AI detects slight irregularities that betray the presence of these covert pathways. This allows you to act fast, before your network data is compromised.

FAQs