Circumventing the Guardians: How the Security Features in State-of-the-Art TLS Inspection Solutions can be Exploited for Covert Data Exfiltration

The talk discusses a new method of data exfiltration that bypasses security solutions created to detect this attack scenario by using the SNI field in TLS inspection devices. The method remains undetected and not blocked by security features in devices performing TLS inspection.

• TLS inspection devices use the SNI field to instruct the server on the hostname the client is trying to connect to and what certificate the server should present to the client
• The SNI field can be abused for exfiltration by using it as a container for data exfiltration
• The exfiltration method remains undetected and not blocked by security features in devices performing TLS inspection
• The proof of concept open source project named SNIcat is capable of navigating the file system of the compromised host and exfiltrating files through TLS inspection devices sitting in between
• The talk includes a live demo of SNIcat exchanging data with its C2 while bypassing an in-line security device, acting as a MiTM performing TLS inspection

The talk presents a new method of data exfiltration that specifically bypasses security solutions created to detect this attack scenario. By using the exfiltration method SNIcat, the presenters show how they can bypass a security perimeter solution performing TLS inspection, even when the Command & Control domain they use is blocked by threat prevention and reputation features. The presenters explain that the complexity of exfiltrating data is relatively low, especially when a security device is not present to attempt detecting it. However, what if the aforementioned traffic never reaches the IDS in the first place? This is the case with almost every security solution they have tested SNIcat on, be it from solutions from F5 Networks, Palo Alto Networks to Fortinet. All of these products are designed to work as legitimate MiTM devices, in order to decrypt and inspect traffic, either by mirroring a copy of the traffic to other security devices (IDS), inspect the traffic themselves, or forward the traffic to in-line devices (IPS, NGFW, etc).

In this talk, we will reveal a new stealthy method of data exfiltration that specifically bypasses security solutions created to detect this attack scenario. By using our exfiltration method SNIcat, we will show how we can bypass a security perimeter solution performing TLS inspection, even when the Command & Control domain we use is blocked by threat prevention and reputation features.Generally speaking, the complexity of exfiltrating data is relatively low, especially when a security device is not present to attempt detecting it. One would expect that a SOC analyzing decrypted data on the wire, or data being mirrored to an IDS, would have the ability to detect exfiltration attempts. However, what if the aforementioned traffic never reaches the IDS in the first place? This is the case with almost every security solution we have tested SNIcat on, be it from solutions from F5 Networks, Palo Alto Networks to Fortinet. All of these products are designed to work as legitimate MiTM devices, in order to decrypt and inspect traffic, either by mirroring a copy of the traffic to other security devices (IDS), inspect the traffic themselves, or forward the traffic to in-line devices (IPS, NGFW, etc).In addition, for some products, the ability to create false negatives is possible, wherein traffic is logged as 'blocked' whilst being successfully exfiltrated.We will begin by presenting how the exfiltration method works, its consequences and most importantly; how it remains undetected and not blocked by security features in devices performing TLS inspection.Furthermore, we will talk about our disclosure process with a few vendors, their proposed workarounds and other ways to mitigate the issue. Finally, we will finish with a live demo of our exfiltration tool exchanging data with its C2 while bypassing an in-line security device, acting as a MiTM performing TLS inspection.