Data embedded, encrypted and transmitted out of a network using real time transport protocol (RTP) would seem to be impossible to detect, given current technology. VoIP RTP exfiltration defensive systems are nonexistent as far as one can tell. This would be a great way for attackers to implant malware that a host might never notice. Is there a way to prevent against such attacks?
Ask the expert: Nick Lewis on enterprise information security threats.
Detecting data being tunneled out of a network is nearly impossible to do, regardless of the protocol. Data exfiltration using tunnels is a method known as a covert channel. Using VoIP for data exfiltration is a new method for sending data out of a network, and RTP attacks are an example of this, as they use part of the encrypted tunnel to siphon off other data; but there are many other tools for data exfiltration, such as ICMP tunnels, DNS tunnels, HTTP tunnels and many others. ICMP tunneling goes back to Project Loki in 1996. All of these tools can be used to transport encrypted data out of a network.
Detecting tunneled data is possible, but to do so requires a significant effort, depending on the protocol being used. Information security tools may detect various types of data tunneling, based on network signatures, protocol analysis and flow-data analysis. Application- or protocol-specific tools may be better able to identify anomalies in the outbound traffic, but may be difficult to use for security purposes.
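The flow-data and protocol analysis described above, as an added example that is not from the article or its author: a few heuristics run over constructed NetFlow-style records. The record layout, the thresholds and the sample flows are assumptions for illustration and would need tuning against a network's own baseline.

```python
"""Flow-level heuristics for spotting covert-channel tunnels (illustrative)."""
import math
from collections import Counter

# Constructed sample flows: (proto, dst, dport, packets, bytes, dns_qname).
# Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_FLOWS = [
    ("icmp", "203.0.113.5", 0, 12, 1176, None),        # ordinary pings, ~98 B each
    ("icmp", "203.0.113.9", 0, 800, 1_040_000, None),  # 1300 B per echo, sustained
    ("udp", "192.0.2.53", 53, 2, 150, "www.example.com"),
    ("udp", "192.0.2.53", 53, 400, 96_000,
     "4a7f9c2e1b8d3f6a0c5e7b9d2f4a6c8e1b3d5f7a.tunnel.example"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payload labels score well above hostnames."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def flag_flow(proto, dst, dport, packets, nbytes, qname=None):
    """Return a reason string if the flow looks like a tunnel, else None."""
    avg = nbytes / packets if packets else 0
    # ICMP echo normally carries ~56 B of payload (~98 B on the wire).
    # Loki-style tunnels pad echoes to move data, so a large average size
    # combined with sustained volume stands out in flow summaries.
    if proto == "icmp" and avg > 300 and packets > 100:
        return f"icmp tunnel? avg {avg:.0f} B over {packets} pkts to {dst}"
    # DNS tunnels encode data in long, high-entropy leftmost labels and
    # generate far more queries per zone than a normal resolver round-trip.
    if proto == "udp" and dport == 53 and qname:
        label = qname.split(".")[0]
        ent = shannon_entropy(label)
        if len(label) >= 30 and ent > 3.5:
            return f"dns tunnel? label len {len(label)} entropy {ent:.2f}"
    # Caveat: RTP steganography that keeps packet size and timing identical
    # to the codec's normal output leaves no trace in flow metadata; that
    # case needs payload (audio) analysis, as the answer notes.
    return None

def scan(flows):
    """List of (destination, reason) for every flagged flow."""
    return [(f[1], r) for f in flows if (r := flag_flow(*f))]

if __name__ == "__main__":
    for dst, reason in scan(SAMPLE_FLOWS):
        print(dst, reason)
```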
Blocking tunneled data may be more difficult than detecting it, since this process might disrupt legitimate traffic when tunnels are misidentified. Outbound ICMP can be blocked at an organization's border; DNS requests to external servers can be blocked so that only the organization's own DNS servers resolve queries; and users can be required to go through a Web proxy to prevent HTTP tunnels. VoIP RTP exfiltration tunneling may be blocked through a significant effort by delaying delivery of a voicemail until it can be sent through an audio processor that looks for encoded data, much like the way antispam software operates. For high-security environments, there may not be a reason to allow outbound network access, but it may be difficult to block all outbound communications without a Faraday cage.