Known bad tunneling provider traffic
Description
AlphaSOC detected network traffic associated with a tunneling provider. Tunneling protocols can be used to encapsulate network traffic, potentially bypassing security controls. Adversaries may leverage tunneling to establish covert communication channels, exfiltrate data, or circumvent network restrictions.
Impact
Unknown tunneling traffic can significantly impact network security by creating hidden pathways for malicious activities. It may enable threat actors to maintain persistent access, exfiltrate sensitive data undetected, or bypass security measures designed to monitor and control network traffic. This can lead to prolonged compromise and increased difficulty in detecting and mitigating threats.
Severity
| Severity | Condition |
|---|---|
| Low | Traffic associated with a tunneling provider |
| Medium | Traffic exhibiting suspicious properties |
| High | Traffic to a blocklisted domain or IP |
Investigation and Remediation
Investigate the source and destination of the tunneling traffic, identifying the involved systems and users. Analyze logs and network captures to determine the nature and content of the tunneled data. If malicious activity is confirmed, isolate affected systems, terminate unauthorized connections, and conduct a thorough security assessment.
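The following is an added triage example, not AlphaSOC code: it applies the severity table above to constructed flow records and groups the resulting alerts by source system and user, which is the first step of the investigation described above. The provider domains, blocklist entries and the heuristics standing in for "suspicious properties" are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed indicator sets for illustration (not AlphaSOC data): domains run by
# tunneling providers, and a blocklist of domains/IPs treated as known bad.
TUNNEL_PROVIDER_DOMAINS = {"tunnel.example-provider.net", "relay.example-tunnel.io"}
BLOCKLIST = {"c2.bad.example", "203.0.113.45"}

@dataclass
class Flow:
    src_ip: str
    user: str
    dest_host: str   # destination hostname as seen in DNS/proxy logs
    dest_ip: str     # resolved destination address
    dest_port: int
    bytes_out: int
    duration_s: int

def matches_provider(host: str) -> bool:
    # Match a provider apex domain or any of its subdomains.
    return any(host == d or host.endswith("." + d) for d in TUNNEL_PROVIDER_DOMAINS)

def suspicious_properties(flow: Flow) -> List[str]:
    # Assumed heuristics standing in for "suspicious properties"; the page does
    # not define them, so the thresholds here are illustrative only.
    props = []
    if flow.bytes_out >= 50_000_000:
        props.append("large outbound volume")
    if flow.duration_s >= 6 * 3600:
        props.append("long-lived session")
    if flow.dest_port not in (80, 443):
        props.append("non-standard port")
    return props

def severity(flow: Flow) -> Optional[str]:
    """Apply the severity table; None means the flow is not tunneling provider traffic."""
    if not matches_provider(flow.dest_host):
        return None
    if flow.dest_host in BLOCKLIST or flow.dest_ip in BLOCKLIST:
        return "High"
    return "Medium" if suspicious_properties(flow) else "Low"

def triage(flows: List[Flow]) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    # Group alerts by (source system, user): the starting point for investigation.
    alerts: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    for flow in flows:
        sev = severity(flow)
        if sev is not None:
            alerts.setdefault((flow.src_ip, flow.user), []).append((flow.dest_host, sev))
    return alerts
```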