NetworkTigers examines how threat actors hide in network traffic using stealth tactics that evade detection and mimic legitimate activity.
In today’s hyper-connected digital world, cyber threats may be hiding in plain sight. Threat actors have become increasingly sophisticated, leveraging stealthy techniques to infiltrate and roam within networks undetected. While firewalls and intrusion detection systems (IDS) have evolved, so have the evasion methods used by attackers. One of the most insidious tactics involves hiding malicious activity within legitimate-looking network traffic.
Are you familiar with these stealthy ways that threat actors might be lurking in your network traffic?
1. DNS tunneling
The tricky thing about DNS (Domain Name System) exfiltration or tunneling is that DNS is rarely blocked inside corporate networks. DNS is almost always allowed out of even carefully firewalled systems, meaning that this technique can bypass many perimeter defenses. What is more, DNS logs are by nature high-volume and noisy, meaning that they are rarely analyzed closely.
With DNS tunneling, threat actors encode malicious payloads or stolen data into DNS queries and responses. The traffic may appear as a flood of unusual domain lookups or abnormally long subdomain strings. Consider monitoring your system for excessive DNS requests or odd domain names. If patterns pop up, you may want to install DNS traffic analysis tools to flag and separate the anomalies.
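As an added illustration of the monitoring described above (this is example code written for this article, not a NetworkTigers tool), the following scores DNS query names on length and entropy and then flags base domains that receive several distinct suspicious subdomains. The log format and the sample lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "<unix_ts> <client_ip> <qname>". Not real traffic.
SAMPLE_LOG = """\
1717000001 10.0.0.5 www.example.com
1717000002 10.0.0.5 mail.example.com
1717000003 10.0.0.7 a9f3c2e1b7d4e6f8a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5.tunnel.example.net
1717000004 10.0.0.7 7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.tunnel.example.net
1717000005 10.0.0.7 1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d.tunnel.example.net
1717000006 10.0.0.9 cdn.example.org
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score close to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    # Naive: last two labels. A production version should consult a public-suffix list.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])

def score_query(qname):
    """Return the heuristic reasons a single query name looks like tunneling."""
    reasons = []
    first_label = qname.rstrip(".").split(".")[0]
    if len(qname) > 60:
        reasons.append("long_name")
    if len(first_label) > 30:
        reasons.append("long_label")
    if shannon_entropy(first_label) > 3.5:
        reasons.append("high_entropy")
    return reasons

def find_tunneling(log_text, min_unique=3):
    """Map base domain -> count of distinct suspicious subdomains seen under it."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        _ts, _client, qname = line.split()
        if score_query(qname):
            per_domain[base_domain(qname)].add(qname)
    return {d: len(q) for d, q in per_domain.items() if len(q) >= min_unique}
```

The thresholds are starting points; tune them against a baseline of your own resolver logs, since some legitimate services (CDNs, anti-spam lookups) also generate long or high-entropy names.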
2. Encrypted traffic abuse (TLS/SSL tunneling)
Encryption is a double-edged sword. While it secures communications, it also creates blind spots for security teams. Threat actors exploit encrypted channels like HTTPS or SSL/TLS tunnels to cloak command-and-control (C2) communications, data exfiltration, or malware downloads.
Because the payload is encrypted, traditional security tools often can’t inspect the contents of the traffic. Attackers may even use legitimate platforms like Google Drive or Dropbox to bypass detection, hiding in plain sight within trusted services.
3. Living off the land (LotL) techniques
Attackers don’t need to reinvent the wheel every time they attempt to infiltrate systems. Rather than downloading new malware that could trigger alerts, attackers often use what’s already available on the system. Tools like PowerShell, WMI, and Remote Desktop Protocol (RDP) are common in LotL strategies.
These techniques are difficult to detect because they generate traffic patterns that appear normal. However, if these utilities are used outside expected times or contexts, they may indicate lateral movement or privilege escalation. Monitor the use of administrative tools in your network to identify irregular access patterns, and consider a zero trust architecture to restrict access across accounts and network segments.
4. Domain fronting
Domain fronting is a technique often used to shield users from surveillance. When used by journalists and white hat hackers, it can cloak a request from censors. When used by a threat actor, however, malicious traffic can be disguised as legitimate requests. For example, threat actors may make network traffic appear to be going to a benign domain (like a CDN or cloud provider), while the actual data is routed to a malicious backend.
Domain fronting works by concealing the true destination of an HTTPS request from network security filters: the TLS connection (and its SNI) is set to a different, benign-looking domain, while the HTTP Host header inside the encrypted session names the real destination. Both are hosted on the same CDN service, which routes the request internally. Domain fronting often takes advantage of high-trust domains to reduce its detection frequency. Always analyze SNI (Server Name Indication) and DNS request patterns for inconsistencies. Use an allowlist to control the flow of traffic in your network, and inspect what is allowed access carefully.
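The SNI-versus-Host inconsistency check above can only be performed where TLS is terminated and inspected. As an added example (not code from the article or from NetworkTigers), the following compares the two fields in constructed proxy records and reports mismatches that are not on a known-benign allowlist.

```python
# Constructed records from a TLS-inspecting proxy: (client_ip, sni, http_host). Not real logs.
PROXY_LOG = [
    ("10.0.0.5", "www.example.com", "www.example.com"),
    ("10.0.0.5", "cdn.example.com:443", "CDN.example.com"),          # same host, cosmetic diff
    ("10.0.0.7", "static.example-cdn.net", "other-tenant.example-cdn.net"),
    ("10.0.0.7", "images.example.org", ""),                           # no Host header seen
]

# Hypothetical allowlist of SNI/Host pairs a CDN is known to serve legitimately.
ALLOWLIST = {("assets.example.com", "api.example.com")}

def normalize(name):
    """Lower-case, drop any port and trailing dot so cosmetic differences do not alert."""
    return name.strip().lower().split(":")[0].rstrip(".")

def fronting_mismatches(records, allowlist=ALLOWLIST):
    """Return sessions whose TLS SNI names a different host than the inner HTTP Host header."""
    hits = []
    for client, sni, host in records:
        s, h = normalize(sni), normalize(host)
        if not h or s == h or (s, h) in allowlist:
            continue
        hits.append({"client": client, "sni": s, "host": h})
    return hits
```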
5. Steganography in network payloads
Steganography is the art of hiding in plain sight. At times it is done for legitimate reasons. However, in the context of cybersecurity, steganography tends to involve hiding malicious data within innocent-seeming files, such as images, audio, or even video. Once embedded, these files are transmitted through regular web or email traffic.
For instance, a JPG file could be crafted to carry an encrypted payload. Since the image still opens normally, most security tools won’t flag it. This makes it ideal for data exfiltration or delivering malware in low-and-slow attacks.
6. Beaconing with low-and-slow traffic
Some malware establishes persistence by “beaconing”: periodic signals are sent back to a C2 server. These beacons are often engineered to mimic regular network noise and operate below the thresholds that would trigger alerts. A ping every few hours or days can easily go undetected. This low-and-slow attack style is commonly used against larger systems, where a threat actor can live undetected for an extended period. Beaconing in this way might be used to conduct surveillance on a nation-state or steal information from a multinational corporation.
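Because a beacon's volume stays below alert thresholds, the signal that remains is its regularity. The following added example (written for this article, not NetworkTigers code) groups constructed connection records by source/destination pair and flags pairs whose inter-connection intervals have a very low coefficient of variation, even when the implant adds small jitter.

```python
import statistics
from collections import defaultdict

# Constructed connection records (unix_ts, src_ip, dst_ip). Not real traffic.
# Pair 1: roughly hourly check-ins with a few seconds of jitter.
# Pair 2: ordinary bursty browsing to a different host.
SAMPLE_CONNS = [
    (1717000000 + i * 3600 + jitter, "10.0.0.7", "203.0.113.10")
    for i, jitter in enumerate([0, 12, -8, 5, -3, 9, -11, 4])
] + [
    (1717000000 + t, "10.0.0.5", "198.51.100.20")
    for t in (0, 40, 900, 905, 7000, 7003, 20000, 50000)
]

def beacon_candidates(conns, min_events=6, max_cv=0.05):
    """Return (src, dst) pairs whose connection intervals are suspiciously regular.

    cv = population stdev of the gaps / mean gap; human or application traffic
    is bursty (cv near or above 1), a timer-driven beacon is close to 0.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in conns:
        by_pair[(src, dst)].append(ts)
    results = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            results[pair] = {"period_s": round(mean), "cv": round(cv, 4), "events": len(times)}
    return results
```

For beacons that call home only every few days, the look-back window must cover weeks of flow records before `min_events` is reached, which is why this analysis belongs in long-retention flow data rather than a live alerting rule.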
7. Abuse of legitimate cloud services
Threat actors increasingly use legitimate cloud platforms, like AWS, GitHub, Google Docs, or Pastebin, to host malware or transfer stolen data. Since organizations often allow access to these services, malicious traffic disguised as regular cloud activity can fly under the radar. Consider reining in your access permissions, even on legitimate cloud service providers, to stay ahead of hackers who may be exploiting coding flaws or simply transmitting stolen data across otherwise trusted networks.
The takeaway? In today’s world, cybersecurity is no longer about keeping the bad guys out. Instead, it’s often about continuously hunting for the ones who are already inside. Traditional tools like firewalls can fail to detect threats that expertly mimic legitimate network activity. The rise of encrypted traffic, the abuse of trusted tools like DNS, and the popularity of cloud services have created a new level of risk in threat detection.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
