Data embedded, encrypted and transmitted out of a network using real time transport protocol (RTP) would seem to be impossible to detect, given current technology. VoIP RTP exfiltration defensive systems are nonexistent as far as one can tell. This would be a great way for attackers to implant malware that a host might never notice. Is there a way to prevent against such attacks?
Detecting data being tunneled out of a network is nearly impossible to do, regardless of the protocol. Data exfiltration using tunnels is a method known as using a covert channel. Using VoIP for data exfiltration is a new method for sending data out of a network, and RTP attacks are an example of this as they use part of the encrypted tunnel to siphon off other data, but there are many other tools for data exfiltration, such as ICMP tunnels, DNS tunnels, HTTP tunnels and many others. ICMP tunneling goes back to Project Loki in 1996. All of these tools can be used to transport encrypted data out of a network.
Detecting tunneled data is possible, but to do so requires a significant effort, depending on the protocol being used. Information security tools may detect various types of data tunneling, based on network signatures, protocol analysis and flow-data analysis. Application- or protocol-specific tools may be better able to identify anomalies in the outbound traffic, but may be difficult to use for security purposes.
Blocking tunneled data may be more difficult than detecting it, since this process might disrupt legitimate traffic when tunnels are misidentified. ICMP outbound can be blocked at an organization’s border, because of blocked DNS requests to connect to external servers for the parent organization’s DNS servers; rather, users are potentially using a Web proxy to prevent HTTP tunnels. VoIP RTP exfiltration tunneling may be blocked through a significant effort by delaying delivery for a voicemail until it can be sent through an audio processor that looks for encoded data, much like the way antispam software operates. For high-security environments, there may not be a reason to allow outbound network access, but it may be difficult to block all outbound communications without a Faraday cage.
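The answer above points to flow-data analysis and to an audio processor that looks for encoded data as the two realistic detection angles for RTP covert channels. The following is an added example written for this page, not code from the column or from TechTarget, showing what both checks look like over per-stream RTP flow records. The flow records, the 20 ms G.711 packetisation assumptions (160 payload bytes per packet at 50 packets per second) and the entropy and rate thresholds are all assumptions chosen for illustration; a real deployment would take the expected sizes from the negotiated SDP and tune thresholds against its own call traffic.

```python
import math
from collections import Counter
from dataclasses import dataclass

# One record per RTP stream (SSRC), as an RTP-aware probe or flow exporter
# might summarise it. Only the RTP payload is counted, not IP/UDP/RTP headers.
@dataclass
class RtpFlow:
    ssrc: str
    payload_type: int       # RTP payload type: 0 = PCMU (G.711 u-law), 8 = PCMA
    packets: int
    payload_bytes: int
    duration_s: float
    payload_sample: bytes   # a slice of raw payload bytes kept for entropy analysis

# Assumption: calls use 20 ms ptime, so G.711 carries 8000 * 0.020 = 160 bytes
# per packet at 50 packets/s. Adjust per the codec negotiated in the SDP.
EXPECTED_PAYLOAD_BYTES = {0: 160, 8: 160}
EXPECTED_PPS = 50.0

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed payload approaches 8.0,
    while speech encoded with G.711 clusters around a narrower set of values."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flow_findings(flow: RtpFlow, entropy_threshold: float = 7.5,
                  rate_tolerance: float = 0.15) -> list:
    """Return a list of anomaly strings for one stream (empty = looks like voice).
    Thresholds are assumed values for this example."""
    findings = []
    expected = EXPECTED_PAYLOAD_BYTES.get(flow.payload_type)
    if expected is None:
        findings.append(f"unexpected payload type {flow.payload_type}")
    else:
        avg = flow.payload_bytes / flow.packets
        # Extra bytes appended to every packet would shift the average size.
        if abs(avg - expected) > 1:
            findings.append(f"avg payload {avg:.1f} B, expected {expected} B")
    # A stream pushing far more packets than the codec clock allows is carrying
    # something other than one voice channel.
    pps = flow.packets / flow.duration_s
    if abs(pps - EXPECTED_PPS) / EXPECTED_PPS > rate_tolerance:
        findings.append(f"packet rate {pps:.1f}/s, expected ~{EXPECTED_PPS:.0f}/s")
    entropy = shannon_entropy(flow.payload_sample)
    if entropy > entropy_threshold:
        findings.append(f"payload entropy {entropy:.2f} bits/byte (encoded data?)")
    return findings

def scan(flows: list) -> dict:
    """Map each SSRC to its findings, keeping only streams with at least one."""
    result = {}
    for flow in flows:
        f = flow_findings(flow)
        if f:
            result[flow.ssrc] = f
    return result

# Constructed sample streams, not captured traffic.
# A quiet G.711 u-law call: payload values hover near the silence codes.
LEGIT_CALL = RtpFlow(
    ssrc="0x1a2b3c4d", payload_type=0, packets=1000, payload_bytes=160000,
    duration_s=20.0,
    payload_sample=bytes([0xFF, 0xFE, 0x7F, 0x7E, 0xFD, 0x7D]) * 50)
# A stream with the right packet size but twice the packet rate and a
# uniformly distributed payload, the profile of ciphertext riding in RTP.
SUSPECT_STREAM = RtpFlow(
    ssrc="0xdeadbeef", payload_type=0, packets=2000, payload_bytes=320000,
    duration_s=20.0,
    payload_sample=bytes(range(256)) * 2)

if __name__ == "__main__":
    for ssrc, findings in scan([LEGIT_CALL, SUSPECT_STREAM]).items():
        print(ssrc)
        for line in findings:
            print("  -", line)
```

The size and rate checks are the flow-data part and need nothing beyond what a flow exporter already reports; the entropy check needs payload bytes and is the cheap stand-in for the audio processor the answer describes. Note that SRTP-encrypted media defeats the entropy check by design, which is why the flow-level checks are worth running on their own even when payload inspection is not available.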