Reading Room

Covert Channels

Featuring 20 Papers as of March 25, 2019

  • SSL/TLS Interception Challenge from the Shadow to the Light by Ngoc Huy Nguyen - March 25, 2019 

    Secure Sockets Layer and Transport Layer Security (SSL/TLS) protocols are created to provide confidentiality for sensitive information exchange over the Internet. They can be used to protect privacy and confidentiality but can also be used to hide malicious activities. Organizations are currently facing traffic inspection challenges due to growing encrypted SSL/TLS traffic on the Internet. From criminal perspectives, attackers are moving more and more to encrypted traffic to hide their nefarious activities. Data exfiltration, malicious communication with Command and Control (C&C) and malicious downloads use SSL/TLS encrypted traffic. SSL/TLS interception is a double-edged sword that could be used to prevent and detect abnormal communications. This paper explains how organizations and security analysts can manage these challenges. It describes how to overcome them with advantages and drawbacks.

  • Botnet Resiliency via Private Blockchains (STI Graduate Student Research) by Jonny Sweeny - September 22, 2017

    Criminals operating botnets are persistently in an arms race with network security engineers and law enforcement agencies to make botnets more resilient. Innovative features constantly increase the resiliency of botnets but cannot mitigate all the weaknesses exploited by researchers. Blockchain technology includes features which could improve the resiliency of botnet communications. A trusted, distributed, resilient, fully-functioning command and control communication channel can be achieved using the combined features of private blockchains and smart contracts.

  • PORTKnockOut: Data Exfiltration via Port Knocking over UDP by Matthew Lichtenberger - September 29, 2016 

    Data Exfiltration is arguably the most important target for a security researcher to identify. The seemingly endless breaches of major corporations are done via channels of various stealth, and an endless array of methods exist to communicate the data to remote endpoints while bypassing Intrusion Detection Systems, Intrusion Prevention Systems, firewalls, and proxies. This research examines a novel way to perform this data exfiltration, utilizing port knocking over User Datagram Protocol. It focuses specifically on the ease with which this can be done, the relatively low signal to noise ratio of the resultant traffic, and the plausible deniability of receiving the exfiltration data. Particular attention is spent on an implemented Proof of Concept, while the complete source code may be found in the Appendix.

  • Under The Ocean of the Internet - The Deep Web by Brett Hawkins - May 27, 2016 

    The Internet was a revolutionary invention, and its use continues to evolve. People around the world use the Internet every day for things such as social media, shopping, email, reading news, and much more. However, this only makes up a very small piece of the Internet, and the rest is filled by an area called The Deep Web.

  • Skype and Data Exfiltration (STI Graduate Student Research) by Kenneth Hartman - April 21, 2014

    Few software packages have been as controversial, yet as ubiquitous as Skype.

  • Securing the “Internet of Things” Survey (Analyst Paper, requires membership in community) by John Pescatore - January 15, 2014

    Survey reveals the risks introduced by an increasing array of "smart" things with wireless or Internet connections.

  • Finding Hidden Threats by Decrypting SSL (Analyst Paper, requires membership in community) by Michael Butler - November 8, 2013

    Paper describes the role of SSL, the role SSL decryption/inspection tools play in security, options for deploying inspection tools, and how the information generated by such inspection can be shared with other security monitoring systems.

  • Needle in a Haystack? Getting to Attribution in Control Systems (Analyst Paper, requires membership in community) by Matthew E. Luallen - January 17, 2012

    In control system protection, mechanisms for achieving attack attribution must be implemented across physical, cyber and operational controls using additional tools.

  • Critical Control System Vulnerabilities Demonstrated - And What to Do About Them (Analyst Paper, requires membership in community) by Matthew E. Luallen - November 29, 2011

    A study of four common infrastructures (agriculture and food, transportation, water and wastewater, and physical facilities) demonstrates what vulnerabilities could be found in specific control systems and how they might be exploited and protected.

  • BYOB: Build Your Own Botnet by Francois Begin - August 17, 2011 

    A recent report on botnet threats (Damballa, 2010) provides a sobering read for any security professional. According to its authors, the number of computers that fell victim to botnets grew at the rate of 8%/week in 2010, which translates to more than a six-fold increase over the course of the year.

  • Building a Better Bunker: Securing Energy Control Systems Against Terrorists and Cyberwarriors (Analyst Paper, requires membership in community) by Jonathan Pollet - December 9, 2010

    This paper, the second in the series, explains the advanced persistent threats being aimed at SCADA and utility control systems, followed by advanced measures to take against these threats.

  • Securing a Smarter Grid: Risk Management in Power Utility Networks (Analyst Paper, requires membership in community) by Matthew E. Luallen - October 17, 2009

    This paper will address the security issues facing smarter grid operators and will provide policy advice points.

  • Covert Data Storage Channel Using IP Packet Headers by Jonathan Thyer - February 7, 2008 

    A covert data channel is a communications channel that is hidden within the medium of a legitimate communications channel. Covert channels manipulate a communications medium in an unexpected or unconventional way in order to transmit information in an almost undetectable fashion. Otherwise said, a covert data channel transfers arbitrary bytes between two points in a fashion that would appear legitimate to someone scrutinizing the exchange. (Bingham, 2006)

  • Covert communications: subverting Windows applications by D. Climenti, A. Fontes, A. Menghrajani - September 13, 2007 

    This article describes an approach to covert channel communications in the Microsoft Windows environment, which is applicable to all versions of Windows. The goal of this approach is to bypass network firewalls, as well as personal firewalls. We achieve this by using Windows messaging to hijack and control applications that have network access; accordingly, such applications are not blocked at the application level.

  • Inside-Out Vulnerabilities, Reverse Shells (STI Graduate Student Research) by Richard Hammer - November 10, 2006

    Keeping data from leaking out of protected networks is becoming increasingly difficult due to the increase of malicious code that sends data from infected systems.

  • Network Covert Channels: Subversive Secrecy by Ray Sbrusch - October 25, 2006 

    Steganography is the practice of concealing information in channels that superficially appear benign. The National Institute of Standards and Technology defines a covert channel as any communication channel that can be exploited

  • HTTP Tunnels Though Proxies by Daniel Alman - September 9, 2003 

    This paper covers the topic of HTTP tunnels, the risks they pose, and discusses how those risks can be limited with proper administration.

  • A Discussion of Covert Channels and Steganography by Mark Owens - March 19, 2002 

    Although the current threat of steganographic technology appears to lag its usefulness, the diligent information systems person needs to be mindful of the security ramifications that a covert channel in their enterprise carries.

  • A Detailed look at Steganographic Techniques and their use in an Open-Systems Environment by Bret Dunbar - January 18, 2002 

    This paper's focus is on a relatively new field of study in Information Technology known as Steganography.

  • Steganography: Why it Matters in a "Post 911" World by Bob Gilbert - January 14, 2002 

    This paper discusses cryptographic attempts to conceal messages by various translation methods that create new, unrecognizable messages.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.