Hiding in Plain Sight - How Adversaries Use Fundamental Protocols To Fool Defenders
Cybersecurity is rife with tools that can alert on immediate and obvious threats, but sophisticated threat actors know that it is better to hide in plain sight and go through intricate architecture than to go around it. Threat actors often use and abuse standard protocols like DNS and ICMP for data exfiltration, communication with C&C botnets, and delivery of malicious payloads. Mainstream applications like YouTube, Gmail, and Twitter can be used for communication with command and control botnets as well.
For example, Gmail remains one of the most frequently used personal (and occasionally business) email applications around. This is exactly why traffic associated with Gmail is a perfect way to hide malicious code and other instructions. Enterprise-level defenders cannot easily monitor (or view) all traffic associated with Gmail, and it cannot be blocked (nor should it be) in anything but the most stringent environments. Researchers from ESET have found the ComRAT trojan using “the Gmail web interface to receive commands and exfiltrate data”, and it was also used for command and control in a wave of attacks that took large parts of the power grid of Ukraine offline.
Other bedrock protocols of the internet are abused for the same reason: blocking them would interfere with normal business usage. DNS tunneling and misuse of ICMP echo requests (ping) are often used by malicious actors in tightly controlled environments. While blue-team enterprise vendors are catching up and can reportedly catch some of this traffic, it is important for analysts to remain aware of how legitimate tools can be turned inward to harm the exact things they are defending.
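The DNS tunneling described above leaves a recognisable shape in resolver logs: many distinct, long, high-entropy names under one registered domain. The following added example (written for this article, not code from any vendor or project mentioned in it) runs three such heuristics over a constructed sample log; the log lines, thresholds and the two-label approximation of a registered domain are assumptions chosen for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log, one "client qname" pair per line
# (made up for this example, not from the article).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.google.com
10.0.0.7 4a7b2c9d1e0f3a6b5c8d7e9f0a1b2c3d.tunnel.example.net
10.0.0.7 9f8e7d6c5b4a3928171605f4e3d2c1b0.tunnel.example.net
10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel.example.net
10.0.0.9 cdn.example.org
"""

def shannon_entropy(s):
    """Bits of entropy per character; encoded data scores far above words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(qname):
    # Assumption: the last two labels are the registered domain. Real
    # deployments should consult the public suffix list instead.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def query_reasons(qname, max_label_len=30, entropy_threshold=3.5):
    """Return the heuristics a single query name trips (empty if none)."""
    reasons = set()
    for label in qname.rstrip(".").split("."):
        if len(label) > max_label_len:
            reasons.add("long_label")
        if shannon_entropy(label) > entropy_threshold:
            reasons.add("high_entropy")
    return sorted(reasons)

def find_tunnel_candidates(log_text, min_unique_names=3):
    """Map registered domain -> number of distinct suspicious names under it.

    A single odd name is noise; a domain receiving many distinct
    suspicious names is the pattern DNS tunneling leaves in logs."""
    suspicious = defaultdict(set)
    for line in log_text.strip().splitlines():
        _client, qname = line.split()
        if query_reasons(qname):
            suspicious[registered_domain(qname)].add(qname)
    return {d: len(n) for d, n in suspicious.items() if len(n) >= min_unique_names}

if __name__ == "__main__":
    print(find_tunnel_candidates(SAMPLE_LOG))  # {'example.net': 3}
```

Tune the thresholds against a baseline of your own resolver traffic before alerting; CDN and anti-spam lookups also produce long machine-generated labels, so the per-domain count is what separates them from a tunnel.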