Covert Channels: How Hackers Hide in Your Everyday Network Traffic
When every firewall rule shows green and no alerts are firing, an attacker could still be quietly draining your network — one DNS query at a time. This episode of Cybersecurity examines covert channels: the technique of weaponizing trusted, everyday protocols to smuggle data and commands past security controls that were never designed to look twice at them. Drawing on this deep-dive on covert channels in legitimate protocols, the episode walks through why these attacks are so difficult to catch and what defenders can realistically do to surface them.
Here's what the episode covers:
- Why legitimate protocols are ideal hiding spots — DNS, ICMP, and HTTP are pervasive, plausible at any hour, and typically waved through by firewalls that only check whether a packet is syntactically valid, not what it's actually carrying.
- DNS tunneling in depth — how attackers base64-encode stolen data into subdomain labels, route it through port 53 to an attacker-controlled name server, and run a full bidirectional command-and-control channel entirely within normal-looking DNS traffic.
- ICMP and beyond — embedding encrypted C2 instructions inside ICMP echo request payloads, and how the same covert-channel logic extends to HTTP POST bodies, WebSocket frames, cloud storage APIs, VoIP packet slack space, and more.
- The emerging blind spot of DoH and DoT — how DNS over HTTPS and DNS over TLS, introduced to protect user privacy, inadvertently defeat traditional DNS monitoring and give tunneling traffic a nearly invisible path out of the network.
- A layered detection framework — building per-host baselines for DNS and ICMP volume, applying deep packet inspection for payload entropy, routing all internal DNS through logged resolvers, correlating network anomalies with endpoint process telemetry, and enforcing Zero Trust egress segmentation.
- Operational hardening — extending log retention beyond 30 days to catch slow-drip exfiltration, tuning SIEMs for high-entropy domain labels, and running purple-team exercises that specifically test DNS and ICMP tunneling detection.
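The detection bullets above (per-host baselines, payload entropy, routing DNS through logged resolvers) can be shown concretely. The following is an added example, not code from the episode or its source article: it reads constructed resolver log lines (the `client=... qname=... qtype=...` format is an assumption for this example) and scores each client on three tunneling indicators the episode names: query volume against a per-host baseline, Shannon entropy of subdomain labels, and churn of distinct high-entropy names under one base domain. The sample includes a host that repeatedly resolves a single hash-like CDN hostname, to show why label entropy alone produces false positives and why the distinct-name churn signal is needed alongside it.

```python
"""Added example: DNS-tunnel indicators (label entropy, distinct-subdomain churn,
per-host volume) computed over constructed resolver log lines."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample of centralized resolver logs (not real traffic). The line
# format "client=<ip> qname=<name> qtype=<type>" is an assumption for this example.
# 10.0.0.5: ordinary browsing; 10.0.0.9: one hash-like CDN name, repeated;
# 10.0.0.7: many distinct random-looking labels under one domain (tunnel pattern).
SAMPLE_LOG = """\
2024-01-01T10:00:01 client=10.0.0.5 qname=www.example.com. qtype=A
2024-01-01T10:00:02 client=10.0.0.5 qname=mail.example.com. qtype=A
2024-01-01T10:00:03 client=10.0.0.5 qname=www.example.com. qtype=AAAA
2024-01-01T10:00:04 client=10.0.0.5 qname=cdn.assets.example.com. qtype=A
2024-01-01T10:00:05 client=10.0.0.9 qname=d1f3k8m2q7x9z0abvw.cdn-example.com. qtype=A
2024-01-01T10:00:06 client=10.0.0.9 qname=d1f3k8m2q7x9z0abvw.cdn-example.com. qtype=A
2024-01-01T10:00:07 client=10.0.0.9 qname=d1f3k8m2q7x9z0abvw.cdn-example.com. qtype=A
2024-01-01T10:00:08 client=10.0.0.7 qname=k7f2q9zxw3mb8v1tn5hc4rjp.tunnel-example.net. qtype=TXT
2024-01-01T10:00:09 client=10.0.0.7 qname=x3n8ql0tv6zy2bfp9mr4wdh1.tunnel-example.net. qtype=TXT
2024-01-01T10:00:10 client=10.0.0.7 qname=p0dj5ckr7vn2xl9tqs4bm6wh.tunnel-example.net. qtype=TXT
2024-01-01T10:00:11 client=10.0.0.7 qname=g6tz1wqy8kr3mbf0hs5xv2nd.tunnel-example.net. qtype=TXT
2024-01-01T10:00:12 client=10.0.0.7 qname=v4hm9pxk2qfz7rt0ny5bc8wl.tunnel-example.net. qtype=TXT
2024-01-01T10:00:13 client=10.0.0.7 qname=b2rq7xdn4mt0vh9zfk3ws6py.tunnel-example.net. qtype=TXT
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)\s+qtype=(?P<qtype>\S+)")


def shannon_entropy(text: str) -> float:
    """Bits per character: 0 for a repeated character, ~4.5-5 for near-random encoded data."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname: str, base_labels: int = 2) -> tuple[list[str], str]:
    """Split 'a.b.example.com.' into (['a', 'b'], 'example.com').

    A fixed two-label base is an assumption for this example; production code
    would consult a public-suffix list to find the registrable domain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= base_labels:
        return [], ".".join(labels)
    return labels[:-base_labels], ".".join(labels[-base_labels:])


def is_high_entropy_label(label: str, min_len: int = 16, min_bits: float = 3.5) -> bool:
    """Long labels with near-uniform character distribution look like encoded payload."""
    return len(label) >= min_len and shannon_entropy(label) >= min_bits


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Return (client, qname, qtype) tuples for every line matching the assumed format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["client"], m["qname"].lower(), m["qtype"]))
    return records


def analyze(text: str, volume_threshold: int = 5, min_distinct_labels: int = 3) -> dict[str, list[str]]:
    """Map each client that trips an indicator to the list of reasons.

    volume_threshold stands in for a learned per-host baseline; here it is a
    constant chosen for the constructed sample."""
    records = parse_log(text)
    queries: Counter = Counter()
    # client -> base domain -> distinct subdomain strings containing a high-entropy label
    churn: dict = defaultdict(lambda: defaultdict(set))
    for client, qname, _qtype in records:
        queries[client] += 1
        sub_labels, base = split_name(qname)
        if any(is_high_entropy_label(lab) for lab in sub_labels):
            churn[client][base].add(".".join(sub_labels))

    findings: dict[str, list[str]] = {}
    for client, count in queries.items():
        reasons = []
        if count > volume_threshold:
            reasons.append(f"{count} queries in window exceeds per-host baseline of {volume_threshold}")
        for base, names in churn[client].items():
            # One hash-like name repeated (CDN style) is not churn; many distinct ones are.
            if len(names) >= min_distinct_labels:
                reasons.append(f"{len(names)} distinct high-entropy subdomains under {base}")
        if reasons:
            findings[client] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in analyze(SAMPLE_LOG).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

Running it flags only 10.0.0.7, on both volume and churn; the CDN host 10.0.0.9 resolves a label with entropy above the threshold but only one distinct name, so it stays quiet. That is the practical reason the episode pairs entropy inspection with per-host baselines and centralized resolver logging: each indicator alone is noisy, and the correlation is what separates a hash-named asset from a channel carrying fresh data in every query.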
The central takeaway is that covert channels are not undetectable — they leave fingerprints in query volume, payload entropy, and timing regularity. The gap between "undetected for months" and "caught in hours" usually comes down to whether defenders have built the visibility infrastructure to see those fingerprints in the first place. For more on securing the infrastructure attackers love to abuse, check out the episode on Container Security: Hardening Kubernetes and Docker Environments.