Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 12

In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:



CSC 12: Boundary Defenses


The Control


Detect/prevent/correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.


The Attack


Boundary protections are generally the first line of defense against an outside attacker, and it is extremely common for an attacker to probe the perimeter network for as much information as possible in order to build a profile of the target. While the mindset of protecting the perimeter has been around for a long time, the methods used to enforce it have changed. Putting up a firewall is no longer enough; organizations today face complex threats that require additional perimeter capabilities such as IDS/IPS, SIEM, SSL/TLS decryption, an outbound proxy, and network monitoring.


For the example attack in this post, I will demonstrate creating a covert communications channel to exfiltrate data. Many of the technologies mentioned above can detect this channel if they are properly configured, yet in my five years of penetration testing I have only seen one organization with the ability to track and report on it.


This attack tunnels TCP, the transport used for most Internet activity (web browsing, email, SSH, etc.), inside ICMP echo request and reply packets, a protocol used primarily for diagnostics such as ping. Most organizations make an effort to close the well-known exfiltration paths by limiting the websites users can visit and blocking other protocols known to be used for exfiltration. Many, however, still allow ICMP through the perimeter for troubleshooting purposes, and by leveraging that we can create a covert channel to tunnel out sensitive data. Figure 1 shows how data flows from a compromised corporate PC to an attacker's data store.


Figure 1: Attack Data Flow


To start this attack, the attacker must first stand up a proxy on an Internet-reachable host that receives the ICMP traffic and relays it onward. This is accomplished with the tool ptunnel, which provides both ends of the tunnel: it runs in proxy mode on the attacker's host and in client mode on the compromised machine. With very little technical aptitude, an attacker can have this proxy configured in a matter of minutes.


Figure 2: The ICMP proxy (ptunnel) is configured to listen for ICMP traffic and forward it to the destination


Next, in order to exfiltrate data, the attacker must already have some level of access on a compromised corporate machine. Using that access, the attacker runs the ptunnel client, which wraps local TCP traffic in ICMP echo requests addressed to the proxy; the proxy unwraps it and sends it on as ordinary Internet-bound TCP traffic. The client is told which proxy to use, a local port to listen on, and the destination host and port. In this case we want to chain the tunnel with SCP so that the files cross it in encrypted form, so the destination port is 22.


Figure 3: Establishing the ICMP tunnel to the proxy


The last step uses the tunnel just created: SCP connects to the local listening port, and the file containing the sensitive data travels to the attacker's host inside ICMP packets.


Figure 4: Transferring data over the covert communications channel


The Solution


For this specific attack scenario, only a few technologies can detect and prevent the attack, and from what I've seen none of them do so by default; the general tendency is to favor compatibility over security. Devices that analyze network traffic can, however, be given rules that detect this activity. Analyzing the exfiltration attempt performed above, it is possible to identify the traffic as suspicious.


First, to show what normal traffic looks like, I pinged a machine at Google and captured the exchange. Two packets were exchanged, one echo request and one echo reply, each roughly 100 bytes on the wire, which is normal for a stock ping (the ICMP data portion is 56 bytes on Linux and 32 bytes on Windows, and the reply returns the request's data byte for byte). Everything in this exchange is legitimate, and it serves as the baseline against which illegitimate ICMP traffic can be identified.


Figure 5: Legitimate ICMP traffic


Subsequent requests pertain to the data exfiltration. Analyzing this traffic we can see a few key patterns that can be used to create rules in an IDS/IPS, SIEM or application-aware firewall. These patterns include:


  • Large packet size (around 1000 bytes instead of 100)
  • A huge number of replies compared to the number of requests
  • The data portion of the ICMP packets is high-entropy ciphertext (the SSH session carried by SCP) rather than the predictable pattern bytes of a normal ping, and the replies no longer echo the request data


Figure 6: ICMP being used to tunnel data
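The patterns above, plus the echo semantics that RFC 792 gives for free (an echo reply must return the data of the request it answers), are enough to write a small flow analyzer. The following Python is an added example for this post, not code from Optiv or from the ptunnel project. It builds a constructed capture containing one ordinary ping exchange and one tunnel-like flow, parses the ICMP echo headers, groups packets by identifier, and reports which indicators each flow trips. The thresholds, identifiers and sample payloads are assumptions chosen to mirror the figures, not values taken from a real capture.

```python
"""Heuristic detector for ICMP echo tunnelling (ptunnel-style covert channels).

Added example for this post; not from Optiv or ptunnel. Packets are constructed
in-line so it runs offline. Thresholds are assumptions to tune against a baseline.
"""
import hashlib
import math
import struct
from collections import Counter, defaultdict

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8

# Assumed thresholds: a stock Linux ping carries 56 data bytes, Windows 32.
MAX_PAYLOAD = 128        # ICMP data bytes before a packet counts as oversized
MAX_REPLY_RATIO = 2.0    # replies per request; a real ping exchange is ~1:1
MAX_ENTROPY = 7.0        # bits/byte; ping pattern bytes stay well below this


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Serialise one ICMP echo request/reply (no IP header)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "data": packet[8:]}


def entropy_bits_per_byte(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyze(packets):
    """Group echo packets by ICMP identifier; return {id: sorted findings}."""
    requests = defaultdict(dict)   # id -> {seq: data}
    replies = defaultdict(list)    # id -> [(seq, data)]
    for raw in packets:
        p = parse_icmp(raw)
        if p["type"] == ICMP_ECHO_REQUEST:
            requests[p["id"]][p["seq"]] = p["data"]
        elif p["type"] == ICMP_ECHO_REPLY:
            replies[p["id"]].append((p["seq"], p["data"]))

    report = {}
    for ident in set(requests) | set(replies):
        findings = set()
        reqs, reps = requests[ident], replies[ident]
        for data in list(reqs.values()) + [d for _, d in reps]:
            if len(data) > MAX_PAYLOAD:
                findings.add("oversized_payload")
            if entropy_bits_per_byte(data) > MAX_ENTROPY:
                findings.add("high_entropy_payload")
        if reqs and len(reps) / len(reqs) > MAX_REPLY_RATIO:
            findings.add("reply_request_ratio")
        for seq, data in reps:
            if seq not in reqs:
                findings.add("unsolicited_reply")
            elif reqs[seq] != data:   # RFC 792: a reply must echo the request's data
                findings.add("reply_data_mismatch")
        report[ident] = sorted(findings)
    return report


def _bytes(n: int, seed: bytes) -> bytes:
    """Deterministic pseudo-random bytes, standing in for SSH ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def sample_capture():
    """Constructed packets: one normal ping exchange and one tunnel-like flow."""
    pkts = []
    # Flow 0x1234 (assumed id): stock Linux ping, 8-byte timestamp + 0x10,0x11,...
    ping_data = b"\x00" * 8 + bytes(range(0x10, 0x10 + 48))
    for seq in (1, 2):
        pkts.append(build_icmp(ICMP_ECHO_REQUEST, 0x1234, seq, ping_data))
        pkts.append(build_icmp(ICMP_ECHO_REPLY, 0x1234, seq, ping_data))
    # Flow 0x5150 (assumed id): three 1000-byte requests, twelve replies that carry
    # their own data and mostly use sequence numbers never requested.
    for seq in range(3):
        pkts.append(build_icmp(ICMP_ECHO_REQUEST, 0x5150, seq, _bytes(1000, b"up%d" % seq)))
    for seq in range(12):
        pkts.append(build_icmp(ICMP_ECHO_REPLY, 0x5150, seq, _bytes(1000, b"down%d" % seq)))
    return pkts


if __name__ == "__main__":
    for ident, findings in analyze(sample_capture()).items():
        print("ICMP id 0x%04x: %s" % (ident, ", ".join(findings) or "looks like a normal ping"))
```

Run it directly to print a verdict per flow. The same analyze() function applies to real packets (for example the ICMP layer pulled out of a pcap), but the thresholds should be tuned against a baseline of the organization's own ping traffic: large-payload pings are legitimately used for MTU testing, so the reply ratio and the echo mismatch are the stronger signals.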


Fortunately the security industry is full of solutions which, if properly implemented, can detect and potentially prevent this activity. Boundary defenses are not just about keeping attackers out; they are just as much about keeping sensitive information in. A comprehensive toolset on the perimeter gives visibility into what is actually crossing it and helps detect potentially malicious activity. Some of these tools and strategies are:


  • Perimeter IDS/IPS  – To block known-malicious inbound traffic and alert on anomalous outbound traffic such as the ICMP pattern above
  • Outbound Web Proxy – To filter unwanted sites from being visited by employees
  • SSL Decryption – To analyze encrypted data for exfiltration or malicious content
  • SIEM – To correlate and consolidate data from multiple sources
  • Application Aware Firewalls – To analyze outbound communications for abnormalities


The next post will cover CSC 13: Data Protection.

Joshua Platz
Principal Security Consultant | Optiv
Joshua Platz is a principal security consultant in Optiv's advisory services threat practice on the attack and penetration team. Joshua's role is to execute advanced service offerings such as the advanced threat simulation purple team activity and provide thought leadership and mentorship to the practice. Joshua also executes internal and external network penetration testing and enterprise password audits, and was one of the designers and first executors of the attack surface management offering.