Posted by Crixus 12:59 AM (CDT)
Wednesday April 12, 2017
NATO's Cooperative Cyber Defence Centre of Excellence has published a research paper claiming that IPv4-to-IPv6 transition mechanisms can be abused to build covert communication channels across networks that existing security devices fail to detect. Through these channels an attacker could exfiltrate data and gain remote control over target devices.
The testing was conducted in a virtualized environment and assumed that an insider would be the culprit. From a Blue Team perspective this lessens the risk associated with this attack quite a bit: if you already have an insider in your environment there are a million ways to exfiltrate data and wreak havoc. However, the findings do point to some rather disturbing trends regarding existing security tools, as even the best-performing devices detected this traffic only about a third of the time. The proof-of-concept attacks outlined by these researchers show that detection mechanisms are easily defeated by using IPv6 tunneling and dual-stack transition mechanisms in ways a legitimate host on the network would not. The underlying problem is simple: tunneled IPv6 travels as the payload of ordinary IPv4 packets, so a device that parses only the outer IPv4 header (or only native IPv6) never sees the inner flow, and a dual-stack host can split one conversation across both protocols so that neither half looks suspicious on its own. Essentially, this method of attack demonstrates that modern detection systems are simply not up to the task.
"Adding IPv6 support to the security devices would not solve this problem, since fundamental changes would be required in the way network traffic is interpreted and parsed, while being able to trace the context of various data streams and perform their correlation."
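To make the tunneling point above concrete, here is an added example (my own code, not from the CCDCOE paper or the post) contrasting what an IPv4-only inspector sees with what an inspector that follows the encapsulation sees. It assumes two well-known transition encapsulations, 6in4 (IPv6 carried directly in IPv4 with protocol number 41) and Teredo-style IPv6-in-UDP on port 3544, and deliberately simplifies the latter by ignoring Teredo's optional origin and authentication indicators. All packets are constructed inline with RFC 5737/3849 documentation addresses; nothing here is captured traffic.

```python
import socket
import struct

PROTO_IPV6_IN_IPV4 = 41   # 6in4 encapsulation (RFC 4213)
PROTO_UDP = 17
TEREDO_PORT = 3544        # Teredo UDP port (RFC 4380); simplified handling below


def parse_ipv4(pkt):
    """Parse an IPv4 header and return outer endpoints, protocol and payload."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src = socket.inet_ntop(socket.AF_INET, pkt[12:16])
    dst = socket.inet_ntop(socket.AF_INET, pkt[16:20])
    return {"src": src, "dst": dst, "proto": pkt[9], "payload": pkt[ihl:total_len]}


def parse_ipv6(pkt):
    """Parse a fixed IPv6 header and return inner endpoints, next header and payload."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header = struct.unpack("!HB", pkt[4:7])
    src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    return {"src": src, "dst": dst, "next_header": next_header,
            "payload": pkt[40:40 + payload_len]}


def ipv4_only_view(pkt):
    """What a device that parses only IPv4 sees: outer endpoints and a protocol number."""
    h = parse_ipv4(pkt)
    return {"family": "ipv4", "src": h["src"], "dst": h["dst"], "proto": h["proto"]}


def decapsulated_view(pkt):
    """Follow 6in4 and Teredo-style encapsulation down to the inner IPv6 flow.

    Assumption: a Teredo-style packet is any UDP datagram to/from port 3544 whose
    payload starts with an IPv6 version nibble. Real Teredo may prepend origin
    or authentication indicators, which this simplified parser does not handle.
    """
    outer = parse_ipv4(pkt)
    inner_bytes, mechanism = None, None
    if outer["proto"] == PROTO_IPV6_IN_IPV4:
        inner_bytes, mechanism = outer["payload"], "6in4"
    elif outer["proto"] == PROTO_UDP and len(outer["payload"]) >= 8:
        sport, dport, udp_len = struct.unpack("!HHH", outer["payload"][:6])
        udp_payload = outer["payload"][8:udp_len]
        if TEREDO_PORT in (sport, dport) and udp_payload and udp_payload[0] >> 4 == 6:
            inner_bytes, mechanism = udp_payload, "teredo-like"
    if inner_bytes is None:
        return {**ipv4_only_view(pkt), "tunnel": None}
    inner = parse_ipv6(inner_bytes)
    return {"family": "ipv6", "tunnel": mechanism,
            "outer_src": outer["src"], "outer_dst": outer["dst"],
            "src": inner["src"], "dst": inner["dst"],
            "next_header": inner["next_header"]}


# --- constructed sample packets (not captured traffic) ---------------------

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_pton(socket.AF_INET, src),
                      socket.inet_pton(socket.AF_INET, dst))
    return hdr + payload


def build_ipv6(src, dst, next_header, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload


def build_udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


INNER = build_ipv6("2001:db8::10", "2001:db8::beef", PROTO_UDP, build_udp(40000, 53, b"exfil"))
SAMPLE_6IN4 = build_ipv4("192.0.2.10", "198.51.100.1", PROTO_IPV6_IN_IPV4, INNER)
SAMPLE_TEREDO = build_ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP,
                           build_udp(40001, TEREDO_PORT, INNER))
SAMPLE_PLAIN = build_ipv4("192.0.2.10", "198.51.100.1", PROTO_UDP,
                          build_udp(40002, 53, b"query"))

if __name__ == "__main__":
    for name, pkt in (("6in4", SAMPLE_6IN4), ("teredo", SAMPLE_TEREDO), ("plain", SAMPLE_PLAIN)):
        print(name, "ipv4-only:", ipv4_only_view(pkt))
        print(name, "decapsulated:", decapsulated_view(pkt))
```

For the 6in4 sample the IPv4-only view reports two IPv4 endpoints and protocol 41 and nothing more; the decapsulated view exposes the inner 2001:db8::10 to 2001:db8::beef UDP flow. Note that the Teredo branch keys on a port number, which an attacker controls: that is exactly the kind of heuristic the quoted paper is warning about, and it is why the authors argue that bolting IPv6 parsing onto an existing device is not enough without tracking and correlating the streams inside the tunnels.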