The Hidden HTTPS Tunnel detection identifies the use of HTTPS traffic to covertly communicate with external command and control servers by encapsulating another protocol within HTTPS sessions. Attackers use this technique to evade detection by blending malicious traffic with legitimate HTTPS traffic, making it difficult to identify without advanced analysis.
Scenario 1: An internal host communicates with an external IP over HTTPS, displaying consistent communication patterns and unusual payload sizes. Further investigation reveals the presence of malware using HTTPS tunneling to exfiltrate data.
Scenario 2: A security audit detects long-duration HTTPS sessions from an internal host to a suspicious domain. Analysis shows the sessions contain hidden command and control traffic, indicating the host is compromised and part of a botnet.
If this detection indicates a genuine threat, the organization faces significant risks:
Hidden HTTPS tunnels can be used to exfiltrate sensitive data from the organization, leading to potential financial and reputational damage.
Attackers can use these tunnels to maintain persistent remote access, allowing them to control compromised hosts undetected.
The use of encrypted tunnels can bypass traditional network security measures, increasing the risk of undetected malicious activity.
Review logs for unusual HTTPS traffic patterns, focusing on long or multiple sessions, size variability, and communication with uncommon external domains.
Investigate the internal host generating the traffic for signs of compromise, such as malware, unauthorized software, or unexpected configurations.
Look for other signs of compromise, such as abnormal login attempts, unusual system behavior, or other related detections.
Confirm if any authorized activities or legitimate services could explain the detected HTTPS tunnel behavior.
A Hidden HTTPS Tunnel is a technique where attackers use HTTPS traffic to covertly communicate with external command and control servers by encapsulating other protocols within HTTPS sessions to evade detection.
Common signs include long-duration HTTPS sessions, frequent communication with suspicious domains, payload sizes inconsistent with typical HTTPS traffic, and unusual frequency or variability in HTTPS session sizes.
Yes, security tools, legitimate software updates, or misconfigured applications can generate traffic that resembles hidden HTTPS tunnels.
Vectra AI uses advanced AI algorithms and machine learning to analyze HTTPS traffic patterns and identify anomalies indicative of hidden tunneling activities.
It can lead to data exfiltration, unauthorized remote access, and bypassing security controls, resulting in financial and reputational damage.
Detect Hidden HTTPS Tunnels by monitoring for unusual HTTPS traffic patterns, such as long or multiple sessions with variable sizes, and communication with uncommon or suspicious external domains.
They can be used for data exfiltration, maintaining persistent unauthorized remote access, and bypassing traditional network security controls, posing significant risks to the organization.
Investigate the source and nature of the HTTPS traffic, check the host for signs of compromise, review network traffic logs, and consult with IT and security teams to verify if the activity is legitimate.
Tools such as network traffic analysis, firewall logs, and intrusion detection systems can help verify and investigate suspicious hidden HTTPS tunnel activities.
Implement robust network monitoring and alerting, enforce strict access controls, regularly conduct security assessments, and ensure timely patching and updating of systems to minimize vulnerabilities.