Recent research conducted under the auspices of the NATO Cooperative Cyber Defence Centre of Excellence uncovers significant vulnerabilities and serious drawbacks in how modern network security solutions and intrusion detection techniques detect recent threats. The analysis, titled "Hedgehog in the Fog: Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels", also offers practical, publicly released tools that let cyber security experts test and improve the defences of their IT systems.
"This research for the first time engages multiple technical domains, covering the topic from offensive red teaming to the defensive monitoring and detection perspectives," says Bernhards Blumbergs, principal author of the research and researcher at the NATO Cooperative Cyber Defence Centre of Excellence. "Such technical synergy has produced a research paper that combines both scientific and truly practical approaches. The developed tools are made public and allow the cyber security community to test and verify the research deliverables against their own information systems."
The Internet Protocol Version 6 (IPv6) transition opens a wide scope for potential attack vectors. IPv6 transition-based mechanisms could allow the set-up of egress communication channels over an IPv4-only or dual-stack network while evading detection by a network intrusion detection system (NIDS).
In this paper, the authors address the relevant transition technologies, describe two newly developed IPv6 transition mechanism-based proof-of-concept tools for establishing covert information exfiltration channels, and compare their performance against common detection mechanisms. They also evaluate commonly used exfiltration tools in an automated, virtualized environment and assess covert channel detection methods in the context of insider threats.
An analysis of the generated test cases confirms that IPv6 and IPv6-based evasion techniques pose a difficult challenge for network security monitoring. While detecting the various transition mechanisms themselves is relatively straightforward, the other evasion methods prove more challenging. Additionally, some security solutions do not yet fully support IPv6.
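To make the "relatively straightforward" part concrete, the following is an added example (not the paper's tools or code) that flags the two most common IPv6-over-IPv4 transition encapsulations leaving an IPv4-only enclave in flow records: IPv6-in-IPv4 (IP protocol 41, used by 6to4, 6in4 and ISATAP) and Teredo (UDP to port 3544). The enclave prefix and the flow records are constructed assumptions.

```python
"""Minimal flow-record detector for IPv6 transition-mechanism egress.

Added example, not code from the paper. Assumptions (standard protocol
facts, not taken from the page): 6to4/6in4/ISATAP carry IPv6 inside IPv4
with IP protocol number 41; Teredo carries IPv6 inside IPv4 UDP with
server port 3544. The enclave prefix and the sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

@dataclass
class Flow:
    src: str        # IPv4 source address
    dst: str        # IPv4 destination address
    proto: int      # IP protocol number (6 = TCP, 17 = UDP, 41 = IPv6-in-IPv4)
    dport: int      # destination port, 0 when not applicable
    bytes_out: int  # bytes sent src -> dst

INTERNAL = ip_network("10.0.0.0/8")   # constructed: the IPv4-only enclave

def classify(flow: Flow) -> Optional[str]:
    """Label an egress flow with the transition mechanism it matches, else None."""
    if ip_address(flow.src) not in INTERNAL or ip_address(flow.dst) in INTERNAL:
        return None                        # only egress from the enclave matters here
    if flow.proto == 41:
        return "ipv6-in-ipv4"              # 6to4 / 6in4 / ISATAP encapsulation
    if flow.proto == 17 and flow.dport == 3544:
        return "teredo"                    # Teredo client talking to a server/relay
    return None

def report(flows: Iterable[Flow]) -> Dict[str, dict]:
    """Aggregate flagged mechanisms and byte volume per internal source host."""
    hits: Dict[str, dict] = {}
    for f in flows:
        label = classify(f)
        if label:
            entry = hits.setdefault(f.src, {"labels": set(), "bytes": 0})
            entry["labels"].add(label)
            entry["bytes"] += f.bytes_out
    return hits

SAMPLE = [  # constructed flow records
    Flow("10.1.2.3", "192.0.2.10", 41, 0, 120000),
    Flow("10.1.2.3", "192.0.2.10", 41, 0, 80000),
    Flow("10.1.2.9", "198.51.100.7", 17, 3544, 4096),
    Flow("10.1.2.9", "198.51.100.8", 6, 443, 50000),   # ordinary HTTPS, ignored
    Flow("10.1.5.5", "10.1.5.6", 41, 0, 999),           # internal-only, ignored
]

if __name__ == "__main__":
    for host, info in report(SAMPLE).items():
        print(host, sorted(info["labels"]), info["bytes"])
```

This only catches the encapsulation headers; it says nothing about the harder evasion methods the paper reports, which is exactly the gap the research describes.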
This research was conducted with the support of the NATO Cooperative Cyber Defence Centre of Excellence, Tallinn University of Technology and the Estonian IT Academy (Study-ITin.ee).
The entire extended version of the research is available here.