The data, or the results found here, were tested in a controlled environment and may or may not correspond to real-life situations. My employer has nothing to do with it =D
Agenda
Data Exfiltration.
Remote Access, Botnet C&C and so on
If you play defensive: Knowledge
Motivation
Data Exfiltration.
Remote Access, Botnet C&C and so on
If you play defensive: Knowledge
Covert Channels
Intention to leak information
vs
Side Channels
Not intended to leak any information
Types
Storage
Timing
Protocol
Hopping
Hybrid
Scenarios
By network position:
Active vs Passive
By Capacity:
Client/Server vs Both
Properties
stealth
Top-Down approach
OSI-model
but first...
Shall we play a game?!
Layer 8 (Users)
Common protocols:
OSI-model
Layer 7
Common protocols:
OSI-model
Layer 6
Common protocols:
OSI-model
Layer 5
Common protocols:
OSI-model
Layer 4
Common protocols:
OSI-model
Layer 3
Common protocols:
OSI-model
Layer 2
Common protocols:
OSI-model
Detections and Defenses
Kinda hard to detect and eliminate. Always preferable to detect than to eliminate
As usual:
segment your network
Manage & block unused protocols
Signatures or Heuristic
Detections and Defenses
keep going...
packet normalization
inject random delay on network
Document the covert channel technique
limit their capacity
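The two defensive measures above that act on timing, injecting random delay and limiting capacity, can be tried out against a timing covert channel without any real traffic. The following Python is an added example written for this page, not code from the talk or its author: it constructs inter-packet delays for a two-level timing channel (10 ms for a 0 bit, 50 ms for a 1 bit) and for ordinary traffic, runs a simple 2-means separation heuristic over them as a detector, and then measures how much random added delay (as a middlebox could add) raises the channel's bit error rate. All numbers, the channel design and the detection threshold are assumptions chosen for the example.

```python
"""Added example (not from the talk): detecting a two-level timing covert channel
from inter-packet delays and measuring how random delay injection degrades it.
All traffic here is constructed in-process; no packets are sent."""
import random
import statistics

# Constructed channel parameters (assumptions for the example): the sender spaces
# packets 10 ms apart for a 0 bit and 50 ms apart for a 1 bit.
SHORT, LONG = 0.010, 0.050
DECODE_THRESHOLD = (SHORT + LONG) / 2


def constructed_channel_delays(bits, noise=0.002, seed=1):
    """Inter-packet delays (seconds) of a two-level timing channel carrying `bits`."""
    rng = random.Random(seed)
    return [(LONG if b else SHORT) + rng.uniform(-noise, noise) for b in bits]


def constructed_benign_delays(n, mean=0.030, seed=2):
    """Constructed 'normal' traffic: roughly exponential inter-arrival times."""
    rng = random.Random(seed)
    return [rng.expovariate(1.0 / mean) for _ in range(n)]


def two_means(delays, iters=25):
    """1-D 2-means clustering; returns the two clusters as lists of delays."""
    c0, c1 = min(delays), max(delays)
    lo, hi = [], []
    for _ in range(iters):
        lo = [d for d in delays if abs(d - c0) <= abs(d - c1)]
        hi = [d for d in delays if abs(d - c0) > abs(d - c1)]
        if not lo or not hi:
            break
        c0, c1 = statistics.mean(lo), statistics.mean(hi)
    return lo, hi


def timing_channel_score(delays):
    """Gap between the two delay clusters divided by their combined spread.
    A two-level timing channel gives two tight clusters far apart (high score);
    ordinary traffic gives overlapping, widely spread clusters (low score)."""
    lo, hi = two_means(delays)
    if len(lo) < 2 or len(hi) < 2:
        return 0.0
    gap = statistics.mean(hi) - statistics.mean(lo)
    spread = statistics.pstdev(lo) + statistics.pstdev(hi)
    return gap / spread if spread > 0 else float("inf")


def looks_like_timing_channel(delays, min_score=4.0, min_cluster_frac=0.2):
    """Heuristic detector: flag when both clusters are substantial and well separated."""
    lo, hi = two_means(delays)
    frac = min(len(lo), len(hi)) / len(delays)
    return frac >= min_cluster_frac and timing_channel_score(delays) >= min_score


def inject_random_delay(delays, max_jitter, seed=3):
    """Defensive normalizer: add a random 0..max_jitter hold to each packet gap
    (a middlebox can only hold packets back, never release them early)."""
    rng = random.Random(seed)
    return [d + rng.uniform(0.0, max_jitter) for d in delays]


def decode_two_level(delays):
    """What the receiving end of the channel would recover, bit by bit."""
    return [1 if d > DECODE_THRESHOLD else 0 for d in delays]


def bit_error_rate(bits, delays):
    """Fraction of bits the receiver gets wrong; higher means less usable capacity."""
    decoded = decode_two_level(delays)
    return sum(a != b for a, b in zip(bits, decoded)) / len(bits)


def demo(n_bits=200, max_jitter=0.050):
    """Run detector and mitigation over constructed covert and benign delay samples."""
    rng = random.Random(4)
    bits = [rng.getrandbits(1) for _ in range(n_bits)]
    covert = constructed_channel_delays(bits)
    benign = constructed_benign_delays(n_bits)
    return {
        "covert_flagged": looks_like_timing_channel(covert),
        "benign_flagged": looks_like_timing_channel(benign),
        "ber_no_jitter": bit_error_rate(bits, covert),
        "ber_with_jitter": bit_error_rate(bits, inject_random_delay(covert, max_jitter)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` flags the constructed channel and not the benign sample, and shows the bit error rate going from zero to roughly a third once up to 50 ms of random delay is added; the channel is not eliminated, but its usable capacity drops, which is the "limit their capacity" trade-off the slide refers to. The 2-means heuristic is deliberately simple and only catches two-level channels with balanced symbol use; a production detector would look at the whole inter-arrival distribution.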
Conclusions
Any Questions?!
Capture The Flag - Results
Based on ACK - first written in 2006 by Laurent Butti http://rfakeap.tuxfamily.org/#Raw_Covert
The 1st flag is: FLAG
There is a 2nd?! It's a matter of time! Tweet and meet me @Pr0teusBR and @CONFdence!