The State of Reverse Tunneling in 2023

Network firewalls are powerful tools to defend health delivery organizations (HDOs) against unauthorized traffic. They block traffic based on many different criteria, including source and destination IP addresses, particular ports, and protocols, depending on organizational priorities.

Configuring network firewalls well requires a deep understanding of how network protocols operate, how normal communication patterns look, which threats to expect, and evasion tactics such as reverse tunneling. This complexity often leads to operational challenges such as misconfigurations that leave networks accidentally open to attack.

Even when HDOs deploy their firewalls properly, there is still the risk of a bypass. One of the common ways this occurs is protocol reverse tunneling, a tactic used to circumvent network detection and filtering tools so that threat actors can create connections to their command and control servers.

HDOs need to deploy new solutions designed to detect this particularly damaging tactic, especially as more connected medical devices come online and create more security risks.

How Reverse Tunneling Bypasses Network Firewalls

Protocol reverse tunneling hides one protocol within another to bypass network detection and filtering: the inner protocol is encapsulated in the payload of an outer protocol that the firewall allows. This conceals malicious traffic by blending it with legitimate traffic of the outer protocol, or by wrapping it in an outer layer of encryption, much like a VPN.

Different protocols are used as part of this tactic. DNS tunneling is one of the most common forms: DNS is required by almost any device communicating over the Internet, so DNS traffic is almost always allowed through. Because DNS traffic is rarely restricted, it is the perfect reverse tunneling candidate. In this form of attack, threat actors register a domain name that points to their command and control server, then infect a computer behind the firewall to use as the origination point of the traffic. Because DNS requests are allowed through, the compromised computer can reach the malicious server, carrying data encoded in the DNS queries and responses, and exfiltrate it past the organization's firewall.

Another common form of reverse tunneling attack, especially one involving connected medical devices, leverages TCP hole-punching. Internet of Medical Things (IoMT) devices rely on TCP to communicate with the outside world. Hole-punching allows two devices to connect via outbound TCP requests while leaving the firewall in place. This is a legitimate practice for valid traffic, for example when two users behind firewalls need to set up a videoconferencing session.

TCP reverse tunneling does have legitimate uses, but tactics such as hole-punching can also allow threat actors to circumvent network security and readily establish a foothold. From there, they can propagate through lateral movement or create a connection to their command and control server to exfiltrate data.

Ultimately, protocol reverse tunneling functions similarly regardless of the protocol used. Outbound traffic originating inside the network is used to bypass the network firewall and communicate with a malicious server. Threat actors can then exfiltrate data through the tunnel without firewall detection rules or network filtering interrupting their attack.
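The DNS tunneling pattern described above leaves a detectable trace even when the firewall allows the traffic: one internal host issuing many unique, long, random-looking subdomain queries to a single registered domain. The following heuristic detector is an added example written for this article, not Asimily's product or code; the log format, hostnames, IP addresses and thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log ("src_ip qtype qname"), not from any real capture. Host .33
# sends many unique, long, random-looking TXT queries to one domain: the DNS tunnel
# pattern described above. All names and addresses are made up for this example.
SAMPLE_LOG = """\
10.0.5.21 A www.example-hospital.org
10.0.5.21 A cdn.vendor-updates.net
10.0.5.33 TXT 6a3f9c1e0b7d4a8e2f5c9b1d7e3a6f0c.exfil-example.net
10.0.5.33 TXT b8e2d4f6a1c3e5b7d9f1a3c5e7b9d1f3.exfil-example.net
10.0.5.33 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil-example.net
10.0.5.33 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a49.exfil-example.net
10.0.5.33 A www.example-hospital.org
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; hex/base32-encoded payload labels score close to 4-5."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_name(qname: str):
    """(subdomain, registered_domain); last two labels stand in for a public-suffix list."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_dns_log(log: str, min_queries: int = 3, min_label_len: int = 20,
                  min_entropy: float = 3.5, min_unique_ratio: float = 0.8):
    """Return {(src_ip, domain): stats} for pairs whose queries look like a tunnel."""
    per_pair = defaultdict(list)  # (src, domain) -> [(subdomain, qtype), ...]
    for line in log.strip().splitlines():
        src, qtype, qname = line.split()
        sub, dom = split_name(qname)
        per_pair[(src, dom)].append((sub, qtype))
    flagged = {}
    for key, queries in per_pair.items():
        n = len(queries)
        subs = [s for s, _ in queries]
        avg_len = sum(len(s) for s in subs) / n
        avg_ent = sum(shannon_entropy(s) for s in subs) / n
        unique_ratio = len(set(subs)) / n  # tunnels rarely repeat a label
        if (n >= min_queries and avg_len >= min_label_len
                and avg_ent >= min_entropy and unique_ratio >= min_unique_ratio):
            flagged[key] = {"queries": n, "avg_label_len": avg_len,
                            "avg_entropy": round(avg_ent, 2),
                            "txt_or_null": sum(q in ("TXT", "NULL") for _, q in queries)}
    return flagged
```

Running `score_dns_log(SAMPLE_LOG)` flags only the `10.0.5.33` to `exfil-example.net` pair; ordinary web lookups fall below the length and entropy thresholds. In production the thresholds would be tuned per device type against a baseline, since some CDN and anti-malware services also use long encoded labels.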

How Asimily Defends Against Protocol Reverse Tunneling 

HDOs need a new type of solution to defend against attacks that bypass network firewalls. Detection rules and network filtering don’t always prevent threats, especially in the case of protocol tunneling or reverse traffic generated from inside the network. 

Asimily has developed a series of tools designed to detect abnormal behavior that can signify an incident. Protocol reverse tunneling may bypass detection rules, but these indicators of compromise can still be found. If IoMT devices begin communicating with foreign IP addresses, potentially indicating a connection to a command and control server, Asimily's security and monitoring solution can uncover it.

Specifically, HDOs using Asimily have access to three core tools:

  • Policy Management – Asimily provides a suite of granular policy management capabilities that allow HDOs to build simple rules based on the volume of traffic, services, and many other parameters. Admins can use more than 30 parameters for policy creation, allowing them to build custom, on-the-fly policies on a per-network, per-facility, or per-device-type basis. This gives HDOs alerts for specific incidents and streamlines homing in on unusual activity.
  • Distributed Sniffer – The Distributed Sniffer allows security teams at HDOs to capture data on either an arbitrary or a pre-programmed interval. The information that the sniffer captures can help cybersecurity teams accurately and immediately identify a breach. Most medical devices don't keep detailed logs of network events, and what does exist isn't necessarily easy to collect into a SIEM or workflow management tool. Distributed Sniffer captures data in PCAP format, either on demand or automatically in response to an anomalous event, allowing easy ingestion of IoMT network events into any security orchestration or analysis solution.
  • Flow Analysis – Knowing which protocols a device uses to talk to which systems is a key part of incident response for HDOs. Asimily's flow analysis capabilities show which protocols a device is talking on and the systems it is talking to. Examining the data from Flow Analysis provides additional intelligence for incident response. For example, if a device is sending large amounts of data to other systems or using protocols that are unusual for its type or model, that might indicate the source of the incident.

With Asimily’s capabilities for incident response, protocol tunneling attacks can be readily recognized in any HDO’s network of connected medical devices. Responding to an incident quickly and efficiently, as with Asimily, ensures that HDOs can reduce the risk of extensive data exfiltration from a protocol tunneling attack. 

Defending the HDO Network 

Firewalls are absolutely critical for HDOs to deploy effectively around their networks. But they are not enough, and they can be bypassed through tactics such as originating traffic from a trusted external source or protocol tunneling. HDOs need a new solution to defend their organizational infrastructure from these threats. With Asimily's policy management functionality, the Distributed Sniffer to collect traffic, and Flow Analysis, the playing field shifts back in favor of HDO security teams. HDOs gain the confidence to surface protocol tunneling and other network bypass threats, reduce their risk, and focus on their core mission.

To learn more about the Asimily risk remediation platform, visit our website or contact us today.