Data embedded, encrypted and transmitted out of a network using real time transport protocol (RTP) would seem to...
be impossible to detect, given current technology. VoIP RTP exfiltration defensive systems are nonexistent as far as one can tell. This would be a great way for attackers to implant malware that a host might never notice. Is there a way to prevent against such attacks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Detecting data being tunneled out of a network is nearly impossible to do, regardless of the protocol. Data exfiltration using tunnels is a method known as using a covert channel. Using VoIP for data exfiltration is a new method for sending data out of a network, and RTP attacks are an example of this as they use part of the encrypted tunnel to siphon off other data, but there are many other tools for data exfiltration, such as ICMP tunnels, DNS tunnels , HTTP tunnels and many others. ICMP tunneling goes back to Project Loki in 1996. All of these tools can be used to transport encrypted data out of a network.
Detecting tunneled data is possible, but to do so requires a significant effort, depending on the protocol being used. Information security tools may detect various types of data tunneling, based on network signatures, protocol analysis and flow-data analysis. Application- or protocol-specific tools may be better able to identify anomalies in the outbound traffic, but may be difficult to use for security purposes.
Blocking tunneled data may be more difficult than detecting it, since this process might disrupt legitimate traffic when tunnels are misidentified. ICMP outbound can be blocked at an organization’s border, because of blocked DNS requests to connect to external servers for the parent organization’s DNS servers; rather, users are potentially using a Web proxy to prevent HTTP tunnels. VoIP RTP exfiltration tunneling may be blocked through a significant effort by delaying delivery for a voicemail until it can be sent though an audio processor that looks for encoded data, much like the way antispam software operates. For high-security environments, there may not be a reason to allow outbound network access, but it may be difficult to block all outbound communications without a Faraday cage.
Dig Deeper on Network Intrusion Detection (IDS)
Related Q&A from Nick Lewis
The new Trochilus RAT can avoid detection in cyberespionage attacks. Expert Nick Lewis explains how it works, and if enterprises need to adapt their ...continue reading
The Asacub Trojan has new banking malware features. Expert Nick Lewis explains how it made this transition and what enterprises should be watching ...continue reading
BlackEnergy malware may have been part of the attacks on Ukrainian utility and media companies. Expert Nick Lewis explains how this malware works and...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.