High volume of outbound ICMP traffic indicating tunneling
Description
AlphaSOC has detected network traffic indicating ICMP tunneling activity. This involves encapsulating data within ICMP packets to bypass network security controls. It is often used by threat actors to establish covert communication channels, exfiltrate data, or maintain persistent access to compromised systems. ICMP tunneling can be difficult to detect as it mimics legitimate network traffic.
Impact
ICMP tunneling can compromise network security by creating hidden communication channels. Threat actors can use this technique to bypass firewalls, intrusion detection systems, and data loss prevention tools. It enables adversaries to exfiltrate sensitive data without raising immediate suspicion.
Severity
| Severity | Condition |
|---|---|
| Medium | High volume of outbound ICMP traffic |
Investigation and Remediation
Investigate the source and destination of the ICMP traffic, analyzing packet content and patterns (payload size, payload bytes, and the rate of echo requests per source and destination). If the traffic is confirmed to be malicious, isolate the affected systems, block the associated IP addresses, and conduct a thorough forensic analysis. Update firewall rules to restrict ICMP to only the message types that are required.
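The following is an added example, not AlphaSOC's detection logic, of how an analyst might triage captured ICMP echo requests for the indicators named above: per-flow packet rate, total outbound volume, payload bytes that do not match a standard ping filler, high payload entropy, and varying payload sizes. The record format, the thresholds, the sample traffic, and the assumed default ping payloads (Windows ping's fixed 32-byte alphabet string; iputils ping's timestamp followed by bytes whose value equals their offset) are all constructed for the example.

```python
"""Added example (not AlphaSOC's code): scoring outbound ICMP echo requests for
tunneling indicators. Record format, thresholds and sample traffic are constructed."""
import hashlib
import math
import struct
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class IcmpRecord:
    ts: float        # capture time in seconds (constructed)
    src: str
    dst: str
    icmp_type: int   # 8 = echo request (outbound ping)
    payload: bytes   # ICMP data field after the 8-byte ICMP header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, far lower for ping filler."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_standard_ping(payload: bytes) -> bool:
    """Assumed default payloads: Windows ping sends a fixed 32-byte alphabet string;
    iputils ping on 64-bit Linux sends a 16-byte timestamp followed by bytes whose
    value equals their offset (0x10, 0x11, ...). Anything else is 'non-standard'."""
    if payload == b"abcdefghijklmnopqrstuvwabcdefghi":
        return True
    if len(payload) >= 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return True
    return False


def score_icmp_flows(records, max_pps=5.0, max_bytes=10_000,
                     entropy_threshold=6.5, min_reasons=2):
    """Group echo requests by (src, dst); return flows showing >= min_reasons indicators.
    Requiring more than one indicator keeps a single large ping from raising an alert."""
    flows = defaultdict(list)
    for r in records:
        if r.icmp_type == 8:
            flows[(r.src, r.dst)].append(r)

    findings = {}
    for key, pkts in flows.items():
        pkts.sort(key=lambda r: r.ts)
        duration = max(pkts[-1].ts - pkts[0].ts, 1.0)   # avoid divide-by-zero on lone packets
        pps = len(pkts) / duration
        total_bytes = sum(len(p.payload) for p in pkts)
        nonstandard = sum(1 for p in pkts if not looks_like_standard_ping(p.payload))
        mean_entropy = sum(shannon_entropy(p.payload) for p in pkts) / len(pkts)
        sizes = {len(p.payload) for p in pkts}

        reasons = []
        if pps > max_pps:
            reasons.append("high_rate")
        if total_bytes > max_bytes:
            reasons.append("high_volume")
        if nonstandard:
            reasons.append("nonstandard_payload")
        if mean_entropy > entropy_threshold:
            reasons.append("high_entropy")
        if len(sizes) > 1:
            reasons.append("variable_size")
        if len(reasons) >= min_reasons:
            findings[key] = {"packets": len(pkts), "pps": round(pps, 2),
                             "bytes": total_bytes, "reasons": reasons}
    return findings


def build_sample_records():
    """Constructed traffic: one host doing ordinary pings, one pushing bulk data over ICMP."""
    recs = []
    # Benign: five default-size (56-byte) Linux-style pings, one per second.
    for i in range(5):
        payload = struct.pack("<qq", 1_700_000_000 + i, 0) + bytes(range(16, 56))
        recs.append(IcmpRecord(float(i), "10.0.0.5", "192.0.2.1", 8, payload))
    # Suspicious: 60 echo requests in six seconds carrying pseudo-random, variably sized data
    # (SHA-256 digests stand in for encrypted tunnel content).
    for i in range(60):
        size = (512, 768, 1024, 640)[i % 4]
        blob = b"".join(hashlib.sha256(bytes([i, k])).digest() for k in range(32))
        recs.append(IcmpRecord(i * 0.1, "10.0.0.23", "203.0.113.9", 8, blob[:size]))
    return recs


if __name__ == "__main__":
    for (src, dst), info in score_icmp_flows(build_sample_records()).items():
        print(f"{src} -> {dst}: {info}")
```

On the constructed sample only the second flow is reported, with all five reasons; the ordinary pings stay below every threshold. In practice the thresholds belong in a tuning step, and hosts running a custom application over ICMP (the false positive noted below) will trip the payload checks by design, so an allowlist keyed on source and destination is the usual complement.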
Known False Positives
- Custom applications designed to operate over ICMP