Covert Channels and Exfiltration
How attackers smuggle data out.
What Is a Covert Channel?
A covert channel is a communication path that transfers information in a way the system was not designed to allow, evading security controls. Where steganography hides data inside files, covert channels hide data inside system behavior or network traffic.
Attackers use covert channels for data exfiltration (smuggling stolen data out of a network) and for command-and-control (C2), that is, receiving instructions. The defining trait is that the traffic looks legitimate, so it slips past firewalls, proxies, and data-loss-prevention systems.
Understanding these channels is essential for detecting the final, most damaging stage of an attack: data leaving the building.
Storage vs Timing Channels
Covert channels split into two classic categories:
- Storage channels hide data in a field or location not meant to carry it, for example unused header bits or a value an observer can read directly.
- Timing channels encode data in the timing of events: the delay between packets, the order of requests, or response latency. No data field is altered; the information is in when things happen.
Timing channels are stealthier and harder to detect because the packets themselves look entirely normal; only their rhythm carries the secret.
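Because a timing channel leaves packet contents untouched, detection has to look at the rhythm itself. The following is an added example, not part of the original lesson: a minimal detector that flags a flow whose inter-packet delays fall into two tight clusters. The two-level delay pattern, the thresholds, the function names, and the sample data are all assumptions made for illustration.

```python
import random
import statistics

def two_cluster_fit(gaps):
    """Split sorted gaps at the widest jump.
    Returns (within-cluster variance / total variance, share of smaller cluster)."""
    xs = sorted(gaps)
    cut = max(range(1, len(xs)), key=lambda i: xs[i] - xs[i - 1])
    low, high = xs[:cut], xs[cut:]
    total = statistics.pvariance(xs)
    if total == 0:
        return 1.0, 0.0  # perfectly regular traffic: one mode, nothing to split
    within = (len(low) * statistics.pvariance(low)
              + len(high) * statistics.pvariance(high)) / len(xs)
    return within / total, min(len(low), len(high)) / len(xs)

def looks_like_timing_channel(gaps, max_ratio=0.05, min_share=0.2):
    """Flag a flow whose delays fall into two tight, well-populated clusters."""
    if len(gaps) < 20:  # too few packets to judge
        return False
    ratio, share = two_cluster_fit(gaps)
    return ratio <= max_ratio and share >= min_share

# Constructed sample data (seconds between packets), not real captures.
rng = random.Random(7)
NORMAL = [rng.expovariate(10) for _ in range(200)]            # bursty, one long tail
SUSPECT = [(0.25 if i % 3 == 0 else 0.05) + rng.gauss(0, 0.005)
           for i in range(200)]                                # two delay levels

if __name__ == "__main__":
    for name, gaps in (("normal", NORMAL), ("suspect", SUSPECT)):
        ratio, share = two_cluster_fit(gaps)
        print(f"{name}: ratio={ratio:.4f} share={share:.2f} "
              f"flag={looks_like_timing_channel(gaps)}")
```

Ordinary traffic usually splits into one large cluster plus a few outliers, so the smaller cluster's share stays low; thresholds need tuning against a baseline of the network's own flows.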