Security Analytics

Find Covert Backchannels

Track and Disable Attackers with Insight Into Their Entry Paths

Comprehensive Visibility That Reveals Concealed Entryways

Attackers know that certain protocols, such as DNS and HTTP, are likely to be permitted safe passage through perimeter firewalls. They exploit this fact to establish covert backchannels, ensuring that they can come and go at will without being detected. These exposures are difficult to find without continuous analysis that reveals anomalies in how these backchannels are actually being used.

Corvil reveals these covert communication channels. In real time, Corvil fully decodes payload content and closely tracks communications, exposing anomalies such as DNS tunneling, unusual NXDomain responses, and communication with suspect top-level domains and known command-and-control servers.
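To make the DNS-side anomalies listed above concrete, the following added example (written for this page; it is not Corvil's code and does not reflect how the Corvil product works internally) scores per-client DNS behaviour from a constructed query log. The log format (`timestamp client qname rcode`), the thresholds, and the suspect-TLD list are all assumptions chosen for illustration; a real deployment would baseline them against the network's own traffic.

```python
"""Toy DNS-log anomaly detector (added illustration, not Corvil code).

Input: constructed log lines "<timestamp> <client_ip> <qname> <rcode>".
Output: {client_ip: [reason, ...]} for clients whose DNS behaviour looks
like a covert backchannel: encoded-looking labels (tunnelling), NXDOMAIN
bursts, subdomain fan-out under one zone, and suspect top-level domains.
"""
import math
from collections import defaultdict

# Hypothetical tuning values; real deployments baseline these per network.
SUSPECT_TLDS = {"xyz", "top"}   # constructed list for the example only
ENTROPY_MIN = 3.5               # bits per character of the leftmost label
LABEL_LEN_MIN = 20              # short labels are never treated as payload
HIGH_ENTROPY_HITS = 3           # encoded-looking queries before flagging
NXDOMAIN_RATIO = 0.5            # share of NXDOMAIN answers that is suspicious
MIN_QUERIES = 5                 # do not judge a ratio on a handful of queries
FANOUT_MIN = 4                  # distinct hostnames under one zone


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded or encrypted tunnel labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (client, labels, rcode) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qname, rcode = parts
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return client, labels, rcode.upper()


def analyze(lines):
    """Aggregate per-client DNS features and return flagged clients."""
    stats = defaultdict(lambda: {
        "queries": 0, "nxdomain": 0, "high_entropy": 0,
        "suspect_tld": 0, "hosts_per_zone": defaultdict(set),
    })
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip bad input rather than crash the pipeline
        client, labels, rcode = parsed
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        first = labels[0]
        if len(first) >= LABEL_LEN_MIN and shannon_entropy(first) >= ENTROPY_MIN:
            s["high_entropy"] += 1
        if labels[-1] in SUSPECT_TLDS:
            s["suspect_tld"] += 1
        zone = ".".join(labels[-2:])          # registrable-ish zone: last two labels
        s["hosts_per_zone"][zone].add(".".join(labels[:-2]))

    findings = {}
    for client, s in stats.items():
        reasons = []
        if s["queries"] >= MIN_QUERIES and s["nxdomain"] / s["queries"] >= NXDOMAIN_RATIO:
            reasons.append("nxdomain_burst")
        if s["high_entropy"] >= HIGH_ENTROPY_HITS:
            reasons.append("high_entropy_labels")
        if s["suspect_tld"]:
            reasons.append("suspect_tld")
        for zone, hosts in sorted(s["hosts_per_zone"].items()):
            if len(hosts) >= FANOUT_MIN:
                reasons.append(f"subdomain_fanout:{zone}")
        if reasons:
            findings[client] = reasons
    return findings


# Constructed sample log: a tunnelling-style client (10.0.0.5), a client
# producing an NXDOMAIN burst (10.0.0.9), a normal client (10.0.0.7),
# and one malformed line to show that bad input is skipped.
SAMPLE_LOG = [
    "t01 10.0.0.5 0123456789abcdef0123456789abcdef.c2.example.xyz NOERROR",
    "t02 10.0.0.5 abcdef0123456789abcdef0123456789.c2.example.xyz NXDOMAIN",
    "t03 10.0.0.5 fedcba9876543210fedcba9876543210.c2.example.xyz NOERROR",
    "t04 10.0.0.5 0123456789abcdefabcdef0123456789.c2.example.xyz NXDOMAIN",
    "t05 10.0.0.9 host1.internal.example NXDOMAIN",
    "t06 10.0.0.9 host2.internal.example NXDOMAIN",
    "t07 10.0.0.9 host3.internal.example NXDOMAIN",
    "t08 10.0.0.9 host4.internal.example NXDOMAIN",
    "t09 10.0.0.9 host5.internal.example NXDOMAIN",
    "t10 10.0.0.9 intranet.internal.example NOERROR",
    "t11 10.0.0.7 www.example.com NOERROR",
    "t12 10.0.0.7 mail.example.com NOERROR",
    "t13 10.0.0.7 cdn.example.net NOERROR",
    "garbage",
]

if __name__ == "__main__":
    for client, reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(client, ", ".join(reasons))
```

The flagged client address is the pivot point the text describes: from it an analyst moves to the user accounts logged on to that host and to the other systems those accounts touched. Each reason string is kept separate so that a single indicator (for example a suspect TLD on its own) can be weighted differently from the combination of high-entropy labels plus fan-out, which is the stronger tunnelling signal.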

We identify the internal systems using these backchannels and make it easy to pivot investigations to rapidly identify:

  • Which user accounts are using this system?
  • Are those accounts exhibiting any other suspicious behaviors?
  • Do those suspicious behaviors involve other systems?

Answering these questions enables a more effective response that eliminates the threat and limits the damage. Additionally, insight into how the current attack bypassed existing defenses can be used to harden the environment against future threats.


Outcomes

  • Streamlined discovery of active security exposures
  • Improved identification of systems exploiting backchannels
  • Simplified investigation of user accounts exploiting backchannels
  • Improved accuracy of response