About the Speaker
Talk Abstract
In this talk, we present a novel data exfiltration / C2 technique that exploits implicit characteristics of TLS Client Hello (CHLO) packets to evade Next-Generation Firewalls (NGFWs) equipped with advanced security features.
Present-day NGFWs apply proven countermeasures against covert channels at several layers. They can effectively counteract most data exfiltration techniques that exploit layers 3 and 4, as well as classic non-TLS applications such as DNS, FTP and others. Many malware agents leverage TLS-secured third-party applications for data exfiltration, such as file-sharing and social media apps. However, these are often short-lived techniques that are defeated both by the TLS deep-inspection feature of NGFWs and by content filtering on the side of the application providers.
With respect to the TLS CHLO, there are ongoing compliance efforts to ensure that NGFWs do not excessively alter TLS handshake packets during deep inspection and that they adhere to the relevant RFC standards. Furthermore, to counteract client identification through TLS CHLO fingerprinting, leading web browsers are now implementing evasion tactics that involve parameter randomization.
Leveraging this evolving landscape, we have developed a novel covert-channel technique called "Helol tunnel". We will demonstrate how an attacker can use it to exfiltrate a sensitive file and establish a C2 channel while leaving hardly any trace in the compromised infrastructure.
We will illustrate how Helol tunnel can be used in the context of passive covert-channel attacks: it can be implemented with an IP-less receiver that wiretaps the application traffic leaving the victim network. Finally, we will extend this to a supply-chain attack scenario, in which compromised switches and routers communicate across network boundaries by embedding information in TLS CHLO packets belonging to other hosts. We will conclude by discussing potential remediation strategies and their impact in the context of TLS compliance.
Speaker Bio
Rakesh Seal is a Senior R&D Engineer with the Application & Threat Intelligence Research Center (ATIRC) at Keysight Technologies. He specializes in network application simulation, network steganography, IoT device security, and AI vulnerability research. A passionate full-stack developer, Rakesh enjoys building scalable systems and automating repetitive tasks—even when the automation takes longer than doing it manually.
Beyond his engineering work, Rakesh actively shares his expertise through technical blogs on security and by speaking at security conferences and community meetups. He has previously presented his research at renowned conferences such as ROOTCON and c0c0n.
Dr. Reza Soosahabi is a Principal R&D Engineer at the Application & Threat Intelligence Research Center (ATIRC) at Keysight Technologies. He holds a Ph.D. in Computer Engineering and has contributed to IEEE journals and conference proceedings in security and signal processing since 2011. His research focuses on secure communications, covert channels, and machine learning–based statistical algorithms for security applications, and he has presented at the DEF CON main stage and numerous academic conferences.