A Brief Note On The And The Network

Analysis started on 12/1/2014 06:00PM (MST). Five (5) covert exfiltration methods are listed next. The first part of each method describes what it takes to exfiltrate; the second part describes how to detect the exfiltration. The first two (2), SSH Tunnel and HTTP POST, will be descriptive exfiltration, and the last three (3), Browser-Based Covert, Backdoor Trojan, and SSL HTTP, will be demonstrated exfiltration.

SSH Tunnel

An SSH tunnel encrypts a channel using an SSH session. Network traffic is then routed through the encrypted channel via a local proxy. Once the data transfer is complete, the channel is closed.

To Exfiltrate – SSH Tunnel

First an attacker will create an SSH session with one of their zombie remote host(s) and use an existing library like OpenSSL to secure the channel. The proxy will then be initiated and traffic will be sent to the zombie remote host.

To Detect – SSH Tunnel

Typically company employees don't create connections to remote SSH servers. A network admin could implement a whitelist for the users that do legitimately need to use SSH sessions. The other event to look for is a local proxy. Any packets sent to 127.0.0.1 can indicate the existence of a local proxy.

Exfiltration with IRC or XMPP (peer to peer)

Instant messaging is a good way to send small amounts of data using different overlay protocols. Two of the most popular protocols are Internet Relay Chat (IRC) and Extensible Messaging and Presence Protocol (XMPP). Both clients can authenticate to the same server and traffic can be passed between both endpoints. IRC is one of the most popular ways for botnets to communicate with an attacker's command and control server.

To Exfiltrate – IRC or XMPP

The attacker must authenticate with a server...

...als of the author. From the lab research and exfiltration techniques, it is clear that the attackers must carefully plan their exfiltration.
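The SSH Tunnel detection section names two indicators: outbound SSH sessions from users who are not on the whitelist, and traffic to 127.0.0.1 that suggests a local proxy. The following is an added example, not code from the essay, that runs both checks over a few constructed key=value connection-log lines; the log format, host and user names, and the allowlist contents are assumptions. Because loopback traffic on its own is produced by many legitimate programs, the tunnel check correlates it with an outbound SSH session on the same host before raising an alert.

```python
"""Added example, not from the essay: correlate the two SSH-tunnel
indicators the text names over constructed connection-log lines.
Field names, hosts, users and the allowlist are assumptions."""

# Assumed: users with a legitimate need for outbound SSH (the essay's whitelist).
SSH_ALLOWLIST = frozenset({"netops-jane"})
SSH_PORT = 22

# Constructed sample log lines in a key=value format (not real data).
SAMPLE_LOG = """\
2014-12-01T18:03:11 host=ws-01 user=alice dst=10.0.0.5 dport=443
2014-12-01T18:04:02 host=ws-02 user=netops-jane dst=203.0.113.10 dport=22
2014-12-01T18:05:40 host=ws-03 user=bob dst=198.51.100.7 dport=22
2014-12-01T18:05:41 host=ws-03 user=bob dst=127.0.0.1 dport=1080
2014-12-01T18:06:15 host=ws-04 user=carol dst=127.0.0.1 dport=8080
"""


def parse_log(text):
    """Turn key=value lines into dicts; the first token is the timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        for field in fields:
            key, _, value = field.partition("=")
            rec[key] = value
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def unauthorized_ssh(records):
    """Outbound SSH sessions by users who are not on the allowlist."""
    return [(r["host"], r["user"], r["dst"]) for r in records
            if r["dport"] == SSH_PORT and r["user"] not in SSH_ALLOWLIST]


def loopback_hosts(records):
    """Hosts with any connection to 127.0.0.1 (local proxy candidates)."""
    return {r["host"] for r in records if r["dst"] == "127.0.0.1"}


def ssh_tunnel_suspects(records):
    """Hosts showing both indicators at once.  Loopback traffic alone is
    noisy, so require an outbound SSH session on the same host as well.
    An allowlisted user is still reported here: the allowlist covers who
    may use SSH, not whether a proxy is being tunnelled through it."""
    ssh_hosts = {r["host"] for r in records if r["dport"] == SSH_PORT}
    return sorted(ssh_hosts & loopback_hosts(records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("unauthorized SSH:", unauthorized_ssh(recs))
    print("loopback hosts:", sorted(loopback_hosts(recs)))
    print("tunnel suspects:", ssh_tunnel_suspects(recs))
```

On the constructed sample, ws-03 is the only host that both opens an outbound SSH session (by a non-allowlisted user) and talks to a loopback port, so it is the only tunnel suspect; ws-04's loopback traffic alone is not enough to alert.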
The attacker must choose between compressing and encrypting traffic covertly to avoid detection, and sending traffic in clear text so as not to raise any alarms from the defenders or the tools they deploy. ICMP, IRC, and XMPP may be ideal for sending small data from a keylogger or other such malware, but they become unreliable if the data is larger. SSL and DNS tunnels would better serve large data. Another factor is the timing of the exfiltration, for many reasons. If an exfiltration is to be blended in with normal day-to-day traffic, it shouldn't occur in the middle of the night. Alternatively, the exfiltration could be spread over a period of time, but this is riskier: if detection were to occur, the exfiltration technique could be stopped.
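The closing paragraph gives defenders two timing-based signals: a large transfer in the middle of the night does not blend in, and a transfer spread over time is a series of small flows that a single-flow size check never sees. The following is an added example, not code from the essay, that implements both checks over constructed flow records; the business-hours window, byte thresholds, look-back window and host names are assumptions.

```python
"""Added example, not from the essay: two timing-based exfiltration checks
over constructed flow records.  Thresholds and hours are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)        # assumed: 08:00-17:59 local time
LARGE_FLOW_BYTES = 50_000_000        # assumed: a single flow of 50 MB or more
DRIP_WINDOW = timedelta(hours=24)    # assumed: look-back for slow transfers
DRIP_TOTAL_BYTES = 50_000_000        # assumed: window total that counts as large
DRIP_MIN_FLOWS = 5                   # assumed: how many small flows make a drip

# Constructed flow records: (timestamp, host, destination, bytes sent).
SAMPLE_FLOWS = [
    ("2014-12-01 09:15", "ws-01", "203.0.113.10", 120_000_000),  # large, daytime
    ("2014-12-01 02:30", "ws-02", "203.0.113.10", 80_000_000),   # large, night
    ("2014-12-01 23:10", "ws-02", "10.0.0.5", 2_000_000),        # small, night
] + [
    # six 10 MB flows to one destination spread across a working day
    (f"2014-12-01 {hour:02d}:00", "ws-03", "198.51.100.7", 10_000_000)
    for hour in (8, 10, 12, 14, 16, 18)
]


def parse_flows(rows):
    """Parse the timestamp string so flows can be compared and windowed."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), host, dst, nbytes)
            for ts, host, dst, nbytes in rows]


def off_hours_large(flows):
    """Large single transfers outside business hours: the essay's point that
    a transfer meant to blend in should not happen in the middle of the night."""
    return [(ts.isoformat(), host, dst, nbytes)
            for ts, host, dst, nbytes in flows
            if nbytes >= LARGE_FLOW_BYTES and ts.hour not in BUSINESS_HOURS]


def low_and_slow(flows):
    """Many individually small flows to one destination whose total inside a
    sliding window reaches the large-transfer threshold: the 'spread it over
    time' strategy, which a per-flow size check misses."""
    by_pair = defaultdict(list)
    for ts, host, dst, nbytes in flows:
        if nbytes < LARGE_FLOW_BYTES:           # large flows are caught elsewhere
            by_pair[(host, dst)].append((ts, nbytes))
    hits = []
    for (host, dst), items in by_pair.items():
        items.sort()
        start, total = 0, 0
        for end, (ts, nbytes) in enumerate(items):
            total += nbytes
            while ts - items[start][0] > DRIP_WINDOW:   # slide the window forward
                total -= items[start][1]
                start += 1
            if end - start + 1 >= DRIP_MIN_FLOWS and total >= DRIP_TOTAL_BYTES:
                hits.append((host, dst, total))  # report the first window that trips
                break
    return sorted(hits)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("off-hours large transfers:", off_hours_large(flows))
    print("low-and-slow transfers:", low_and_slow(flows))
```

On the constructed data the 80 MB night-time flow from ws-02 trips the first check, while ws-01's larger daytime flow does not. ws-03 never sends a single large flow, yet its fifth 10 MB flow inside the 24-hour window pushes the total to 50 MB and trips the second check, which is the case the per-flow threshold alone would miss.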