Analysts estimate that over half of all network attacks leverage encryption. By using forged or compromised keys and certificates, attackers create malicious tunnels into your network where they hide while they conduct surveillance, install malware and ultimately exfiltrate valuable data. This type of attack is particularly nefarious because the tunnels that attackers use appear to contain everyday business communications, unless they are inspected. But let’s face it, how many organizations inspect 100% of their network traffic?
The relative vulnerability of encrypted tunnels depends on a variety of factors, such as the security of their protocols, their attributes and an organization’s overall awareness of how tunnels are being used. Below, I’ve outlined the types of encrypted tunnels that cybercriminals most often employ and how they may contribute to an attack.
Use IPsec Tunnels to Gain Initial Access
Organizations use Internet Protocol Security (IPsec) to create a VPN that secures internet communication across an IP network. Because IPsec tunnels are frequently used to set up a tunnel from a remote site into a central site, they are an ideal infiltration tool for cyber criminals. An IPSec/L2TP tunnel is most often used during the discovery and incursion attack phases. The tunnel is used to gain initial access to an organization, perform reconnaissance and establish a beachhead. This type of attack generally compromises only established VPN endpoints, because creating a new tunnel would require the attacker to penetrate perimeter layer defenses to gain access to the VPN administrative console—a much more technically complex task.
Pivot within Site-to-Site VPN Tunnels
Large organizations use a site-to-site VPN to connect their main location networks to multiple offices and business partners. Because they are the most flexible and adaptable option, they are a perfect tool for moving quickly from site to site within an extended network. Attackers use site-to-site tunnels after they have compromised the initial internal system as part of a pivot portion of an attack. These tunnels are ideal for the reconnaissance phase of the attack—when attackers are trying to gain access to other network segments or devices. Because of the impact to performance, site-to-site VPN tunnels are rarely inspected, which allows attackers to go undetected while using them.
Move Payloads through SSH Tunnels
The SSH, or Secure Shell, protocol is the most convenient way to administer remote servers and applications. SSH keys are increasingly sought after by attackers because they grant administrators privileged access to applications and systems. By authenticating each machine via stored servers and client keys, SSH allows them to securely connect to each other, bypassing the need for manually typed authentication credentials. That’s why SSH tunnels are an easy way for attackers to pivot across network segments and devices. They are also ideal for moving malicious payloads undetected between file servers and applications because attackers can transfer concealed malware in compromised SSH tunnels. Often, SSH tunnels are used to exfiltrate data from a file server because copying files is a routine, automated task used to transfer data between machines, and, since the data is encrypted, it’s thought to be safe.
Falsify Machine Identities in SSL and TLS Tunnels
Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common forms of tunnels. SSL/TLS tunnels provide a secure session from any PC browser to an application server and are used to secure web-based transactions, such as banking or payments. Attackers create false identities and steal data from their victims, so they can use man-in-the-middle attacks to eavesdrop on encrypted traffic. Or, they can use stolen keys to decrypt a session to steal data from victims.
Create Phishing Sites Using SSL and TLS Tunnels
Another very common attack is to set up phishing websites, either on the internet or on organizations’ intranets. Attackers use stolen or compromised certificates to establish an identity that the victims’ browsers will trust. The victims connect to the malicious site, establish encrypted sessions and, because they believe they are connected to a trusted machine, begin to send sensitive data to the attackers. Since HTTPS sessions are trusted and are rarely inspected by layered security technologies, these attacks often go undetected.
Any type of encrypted tunnel can be misused in a cyber attack. Virtual Private Networks (VPNs) are the most recognizable example of encrypted tunnels and are understood to be vulnerable, but many organizations do not realize that SSL/TLS and SSH tunnels are also susceptible. As a result, most organizations don’t provide adequate oversight for the full range of tunnels that travel into and out of their networks. Does yours?