Uncovering Covert Attack Communications Inside Your Network

Written by

Cyber attackers are slipping through perimeter defenses and hiding in the shadows and dark corners of networks.

Malicious covert communications are key to their success. These hidden messages make long-running strategic attacks possible, and give attackers virtually unlimited opportunities to spy, spread and steal. Once attackers gain initial access to an organization’s network, they can take their time to orchestrate their next steps.

With control over infected hosts, attackers have full control over their communications. That control allows them to encrypt their traffic, embed messages in seemingly normal communications, and use or modify legitimate applications to blend in with normal network traffic.

Covert communications are specially crafted to bypass traditional perimeter security products that use signatures, reputation lists and malware sandboxes to identify threats. To do so, attackers can use applications that are allowed on the network, hide within encryption, or use a variety of techniques to anonymize their traffic.

Data science and machine learning algorithms are putting an end to attackers’ freedom. Next-generation security products that focus on detecting the behaviors of the covert communication channels—rather than the details of the malware payload—can proactively identify attacks so they can be stopped.

Some organizations decrypt traffic for security inspection, but decryption carries a significant performance penalty. Additionally, decrypting traffic for inspection raises privacy concerns, especially in certain countries and in highly regulated industries. Industry trends that require a specific trusted root certificate (a.k.a. certificate pinning) are also making decryption less feasible in some cases.

Yet with revolutionary advances in data science, it’s no longer necessary to decrypt traffic to detect threats. Mathematical analysis of subtle patterns in packet-level network traffic reveals underlying malicious behaviors such as malware receiving command-and-control instructions and attackers using remote access tools to control infected machines.

By watching the give and take of communication instead of diving into the payload, new security solutions can find threats without decrypting traffic. This ensures security across applications that would otherwise be invisible to signature-based security or log and flow analytics tools.

Hidden tunnels are also very difficult to detect because attackers are hiding in plain sight and the pattern reveals itself only by observing a series of communications rather than looking at a single request and response.

However, advanced analysis of network traffic can reveal the presence of these hidden tunnels. Concealed communications introduce subtle but distinct abnormalities into the flow of the conversation, such as slight delays or unusual patterns in requests and responses, which can reveal hidden tunnels.

Attackers also conceal their communications within legitimate applications or by emulating allowed applications. Hiding within web traffic is a favorite, given the huge volume of web traffic and web applications used in enterprises.

At the simplest level, an attacker can emulate a web browser to blend in. Or an attacker may use an HTTP POST request to communicate with a command-and-control server located anywhere in the world. A more sophisticated approach is to use a fully automated browser and web session to send requests and receive instructions.

Sophisticated data science can be used to sift through apparently legitimate application traffic to differentiate between the behaviors of automated machines and humans.


Covert no more

Attackers use covert communications because they work patiently and purposefully as they direct their attacks—and evade detection. Applying advanced data science and machine learning algorithms reveals the true behavior and purpose of the traffic, ending the attacker’s considerable advantage.

With that power, security teams can pinpoint active cyber attacks as they occur, correlate threats with the hosts under attack, and prioritize the attacks that pose the greatest business risk. Ultimately, they can prevent loss or mitigate it quickly.

What’s hot on Infosecurity Magazine?