Triggers
- An internal host is communicating with an outside IP using HTTPS where another protocol is running over the top of the HTTPS sessions
- This represents a hidden tunnel involving one long session or multiple shorter sessions over a longer period of time mimicking normal encrypted Web traffic
- When it can be determined whether the tunneling software is console-based or driven via a graphical user interface, that indicator will be included in the detection
Possible Root Causes
- A targeted attack may use hidden tunnels to hide communication with command and control servers over SSL on port 443
- A user is utilizing tunneling software to communicate with Internet services which might not otherwise be accessible
- Intentionally installed software is using a hidden tunnel to bypass expected firewall rules
Business Impact
- The use of a hidden tunnel by some software may be benign, but it represents significant risk as the intention is to bypass security controls
- Hidden tunnels used as part of a targeted attack are meant to slip by your perimeter security controls and indicate a sophisticated attacker
- Hidden tunnels are rarely used by botnets, though more sophisticated bot herders with more ambitious goals may utilize them
Steps to Verify
- Check to see if the destination IP or domain of the tunnel is an entity you trust for your network
- Ask the user of the host whether they are using hidden tunnel software for any purpose
- Before removing the offending software via antivirus or reimaging, take a memory snapshot for future analysis of the incident
- If the behavior reappears shortly after a reimaging, this may be a hardware/BIOS tunnel
