Hidden Data Channel In TLS

By   ISBuzz Team
Writer , Information Security Buzz | Feb 07, 2018 04:15 am PST

Security researchers at Fidelis have published a proof-of-concept framework for a new covert channel for data exchange using the Transport Layer Security (TLS) protocol. The method leverages the public key certificate standard X.509 and could allow for post-intrusion C2 communication and data exfiltration without alerting network perimeter protections. Justin Jett, Director of Audit and Compliance at Plixer commented below.

Justin Jett, Director of Audit and Compliance at Plixer:

“By taking advantage of TLS x.509 extensions, malicious actors will try to steal data similarly to how they have done using DNS TXT. By collecting and analyzing certificate details in IPFIX metadata from devices like Gigamon, etc. security and network professionals can detect when anomalous data values are sent over TLS extensions. The data also will reveal connections that use self-signed certificates (the certificates that are likely to be used for such exchanges). This can provide quick remediation of an otherwise hidden data leak.”

Subscribe
Notify of
guest
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

0
Would love your thoughts, please comment.x
()
x