Circumventing the Guardians: How the Security Features in State-of-the-Art TLS Inspection Solutions can be Exploited for Covert Data Exfiltration

Presented at Black Hat Europe 2020 Virtual, Dec. 10, 2020, 1:30 p.m. (30 minutes)

In this talk, we will reveal a new stealthy method of data exfiltration that specifically bypasses security solutions created to detect this attack scenario. Using our exfiltration method, SNIcat, we will show how to bypass a security perimeter solution performing TLS inspection, even when the Command & Control domain we use is blocked by its threat prevention and reputation features.

Generally speaking, the complexity of exfiltrating data is relatively low, especially when no security device is present to attempt to detect it. One would expect that a SOC analyzing decrypted data on the wire, or data mirrored to an IDS, would be able to detect exfiltration attempts.

However, what if that traffic never reaches the IDS in the first place? This is the case with almost every security solution we have tested SNIcat against, whether from F5 Networks, Palo Alto Networks or Fortinet. All of these products are designed to work as legitimate man-in-the-middle (MiTM) devices in order to decrypt and inspect traffic, either by mirroring a copy of the decrypted traffic to other security devices (an IDS), inspecting it themselves, or forwarding it to in-line devices (IPS, NGFW, etc.).

In addition, with some products it is possible to create false negatives, where traffic is logged as 'blocked' while being successfully exfiltrated.

We will begin by presenting how the exfiltration method works, its consequences and, most importantly, how it remains undetected and unblocked by the security features of devices performing TLS inspection.

Furthermore, we will talk about our disclosure process with a few vendors, their proposed workarounds, and other ways to mitigate the issue.

Finally, we will finish with a live demo of our exfiltration tool exchanging data with its C2 while bypassing an in-line security device acting as a MiTM performing TLS inspection.
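The abstract does not spell out the carrier channel, but the tool's name points at the TLS Server Name Indication (SNI) extension: the hostname a client sends in plaintext inside its ClientHello, before any key exchange and therefore before anything an inspection device could decrypt. The Python below is an added example for this page, not code from the talk or from the SNIcat tool. It builds a constructed ClientHello record, extracts the server name from it the way an IDS or inspection device must, and applies an illustrative heuristic (label length and per-label entropy; the thresholds are this editor's assumptions, not the presenters') to flag server names that look like encoded data rather than hostnames. The base32 packing in encode_chunk is the generic DNS-tunnel style of encoding, used only to produce a test input; it is not a description of SNIcat's format.

```python
"""Extract the SNI from a TLS ClientHello and flag server names that look like
encoded data. Added example for this page; not code from the talk or from the
SNIcat tool. All ClientHello bytes are constructed here."""
import base64
import math
import struct
from typing import List, Optional

SNI_EXT = 0x0000   # extension type server_name (RFC 6066)
ALPN_EXT = 0x0010  # application_layer_protocol_negotiation, used as filler


def build_client_hello(server_name: str) -> bytes:
    """Return a minimal TLS record holding a ClientHello with one SNI entry.
    Constructed input: only the framing that parse_sni() walks is realistic."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    alpn_list = struct.pack("!H", 3) + b"\x02h2"                    # ProtocolNameList with "h2"
    alpn_ext = struct.pack("!HH", ALPN_EXT, len(alpn_list)) + alpn_list
    extensions = alpn_ext + sni_ext                                 # SNI deliberately not first
    body = (
        b"\x03\x03"                                  # legacy_version TLS 1.2
        + b"\x00" * 32                               # random
        + b"\x00"                                    # session_id: empty
        + b"\x00\x02\x13\x01"                        # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None
    if the record is not a ClientHello or carries no well-formed SNI."""
    if len(record) < 9 or record[0] != 0x16:                 # ContentType handshake(22)
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                                  # skip version + random
    try:
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
    except (IndexError, struct.error):                        # truncated or malformed
        return None
    if end > len(body):
        return None
    while pos + 4 <= end:                                     # walk the extension list
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext, pos = body[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != SNI_EXT or len(ext) < 2:
            continue
        lst = ext[2:2 + struct.unpack("!H", ext[:2])[0]]       # ServerNameList
        i = 0
        while i + 3 <= len(lst):
            name_type, name_len = lst[i], struct.unpack("!H", lst[i + 1:i + 3])[0]
            name, i = lst[i + 3:i + 3 + name_len], i + 3 + name_len
            if name_type == 0 and len(name) == name_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
    return None


def shannon_entropy(s: str) -> float:
    """Bits per character of s."""
    if not s:
        return 0.0
    return -sum((s.count(c) / len(s)) * math.log2(s.count(c) / len(s)) for c in set(s))


def sni_suspicion(server_name: str, max_label: int = 24, max_entropy: float = 3.8) -> List[str]:
    """Reasons a server name looks like it carries encoded data rather than naming
    a host. Thresholds are illustrative assumptions for this example; tune them
    against a baseline of SNI values actually observed on your network."""
    reasons = []
    for label in server_name.split(".")[:-2]:      # leave the registrable domain alone
        if len(label) > max_label:
            reasons.append(f"label longer than {max_label} chars: {label[:16]}...")
        elif shannon_entropy(label) > max_entropy:
            reasons.append(f"high-entropy label ({shannon_entropy(label):.2f} bits/char): {label}")
    if len(server_name) > 100:
        reasons.append(f"total length {len(server_name)} chars")
    return reasons


def encode_chunk(data: bytes, domain: str) -> str:
    """Pack a data chunk into a DNS-safe label under `domain` (lowercase base32,
    padding stripped). Generic tunnel-style encoding, assumed for this example
    only; it is not SNIcat's format."""
    return base64.b32encode(data).decode("ascii").lower().rstrip("=") + "." + domain


if __name__ == "__main__":
    for host in ("www.example.com", encode_chunk(b"secret file contents", "example.com")):
        seen = parse_sni(build_client_hello(host))
        print(seen, "->", sni_suspicion(seen) or "looks like a hostname")
```

The point of keeping the parser and the heuristic separate is that the former is exactly what an inspection device does to pick a policy for a connection, while the latter is the check the abstract implies is missing: looking at the value that was parsed, not only at the reputation of the domain it ends in.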

Presenters:

  • Matteo Malvica - Principal Security Researcher, NortonLifeLock
    Matteo Malvica is a Principal Security Researcher at NortonLifeLock Labs (NASDAQ: NLOK), where he focuses on vulnerability research, exploitation and reverse engineering. He holds a B.Sc. in Music Information Science and has previously worked in application security, pentesting and critical telco infrastructure.
  • Morten Marstrander - Senior Security Consultant, mnemonic
    Morten Marstrander works as a Senior Security Consultant at the Norwegian security company mnemonic. Having worked in the IT industry since 2003 in various technical roles, Morten has developed a broad understanding of multiple technologies, products and solutions. He has worked as a product specialist on a multitude of WAFs, NGFWs and web proxies, and has in-depth experience with security assessment of web applications, DevSecOps implementation and security architecture.
