Data embedded, encrypted and transmitted out of a network using real time transport protocol (RTP) would seem to
be impossible to detect, given current technology. VoIP RTP exfiltration defensive systems are nonexistent as far as one can tell. This would be a great way for attackers to implant malware that a host might never notice. Is there a way to prevent against such attacks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Detecting data being tunneled out of a network is nearly impossible to do, regardless of the protocol. Data exfiltration using tunnels is a method known as using a covert channel. Using VoIP for data exfiltration is a new method for sending data out of a network, and RTP attacks are an example of this as they use part of the encrypted tunnel to siphon off other data, but there are many other tools for data exfiltration, such as ICMP tunnels, DNS tunnels , HTTP tunnels and many others. ICMP tunneling goes back to Project Loki in 1996. All of these tools can be used to transport encrypted data out of a network.
Detecting tunneled data is possible, but to do so requires a significant effort, depending on the protocol being used. Information security tools may detect various types of data tunneling, based on network signatures, protocol analysis and flow-data analysis. Application- or protocol-specific tools may be better able to identify anomalies in the outbound traffic, but may be difficult to use for security purposes.
Blocking tunneled data may be more difficult than detecting it, since this process might disrupt legitimate traffic when tunnels are misidentified. ICMP outbound can be blocked at an organization’s border, because of blocked DNS requests to connect to external servers for the parent organization’s DNS servers; rather, users are potentially using a Web proxy to prevent HTTP tunnels. VoIP RTP exfiltration tunneling may be blocked through a significant effort by delaying delivery for a voicemail until it can be sent though an audio processor that looks for encoded data, much like the way antispam software operates. For high-security environments, there may not be a reason to allow outbound network access, but it may be difficult to block all outbound communications without a Faraday cage.
Dig deeper on Network Intrusion Detection (IDS)
Related Q&A from Nick Lewis, Enterprise Threats
Expert Nick Lewis explains how to avoid a detrimental VPN bypass flaw that allows malicious apps to infiltrate Android devices.continue reading
Expert Nick Lewis explains how to keep call center employees from getting duped by social engineering scams and pretexting.continue reading
Researchers reportedly succeeded in extracting decryption keys using sound-based attacks. Is this a threat enterprises should worry about?continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.