MITRE ATT&CK technique T1071 (Application Layer Protocol) covers threat actors communicating with compromised systems over standard application layer protocols. These include familiar channels such as web traffic (HTTP/S), email (SMTP), and messaging protocols (such as WebSockets or IRC). Attackers use these channels because they are commonly allowed through firewalls and network security tools, which lets the traffic blend in and makes it easier to avoid detection.
This technique helps threat actors control infected devices, move data, or receive commands from command and control (C2) servers. By blending their activity with normal network traffic, attackers can remain hidden in plain sight. Since organizations rely on these protocols every day, cutting off access to them is not usually a practical option. That makes it harder for security teams to detect or block malicious use.
Sub-techniques
T1071 includes several sub-techniques that reflect the different ways attackers use these protocols:
T1071.001 – Web Protocols
Attackers use HTTP or HTTPS to send and receive data between infected systems and remote servers. They often imitate regular web traffic to avoid raising alarms.
T1071.002 – File Transfer Protocol (FTP)
Some use FTP to upload or download files from infected machines. FTP is not always encrypted, so attackers sometimes use it to gather files or install malware.
T1071.003 – Email Protocols
This method uses email to control infected systems. Attackers can send emails that contain commands or receive data from a compromised device via email messages.
T1071.004 – DNS
Threat actors use Domain Name System (DNS) requests to send or receive small pieces of data. These requests often pass through firewalls, making it easy to hide communication.
T1071.005 – Messenger Applications
Messaging apps like Slack or Telegram can be used to issue commands to compromised devices. These apps rely on the internet and are often not fully monitored by security tools.
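For the DNS sub-technique (T1071.004) above, each individual lookup can look valid on its own; what a defender can measure is the shape of the queries to a domain over time: how many distinct subdomains appear, how long and how random-looking the subdomain labels are, and how often record types such as TXT are requested. The following Python script is an added example and not part of the original article or of the MITRE ATT&CK project. It assumes a simple four-field resolver log (timestamp, client IP, query type, query name); the sample lines are constructed, the thresholds are assumptions to tune against an organization's own baseline, and the "last two labels" rule for the registered domain is a simplification that a production version would replace with the Public Suffix List.

```python
"""Per-domain indicators of DNS-based C2 / tunnelling computed from a resolver log.

Added example, not from the original article. Log format assumed:
<timestamp> <client ip> <query type> <query name>
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.12 performs ordinary lookups; 10.0.0.15 sends long,
# high-entropy TXT queries under a single domain, the pattern a DNS tunnel produces.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01 10.0.0.12 A www.example.com
2024-05-01T10:00:02 10.0.0.12 A cdn.example.com
2024-05-01T10:00:03 10.0.0.12 A mail.example.com
2024-05-01T10:00:04 10.0.0.15 TXT 6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b.tun.exfil-test.invalid
2024-05-01T10:00:05 10.0.0.15 TXT 3f2e1d0c9b8a7f6e5d4c3b2a1f0e9d8c7b6a5f4e.tun.exfil-test.invalid
2024-05-01T10:00:06 10.0.0.15 TXT 9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d.tun.exfil-test.invalid
2024-05-01T10:00:07 10.0.0.15 TXT 1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c.tun.exfil-test.invalid
2024-05-01T10:00:08 10.0.0.12 A www.example.com
"""

# Heuristic thresholds (assumed starting points; tune per environment).
MIN_UNIQUE_SUBDOMAINS = 3   # many distinct names under one domain
MIN_MEAN_PREFIX_LEN = 30    # long labels carry encoded payload
MIN_MEAN_ENTROPY = 3.0      # bits/char; base32/hex/base64 payloads score high


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(qname: str):
    """Return (registered_domain, subdomain_prefix).

    Assumption: the registered domain is the last two labels. Real deployments
    should use the Public Suffix List so names like example.co.uk split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_stats(log_text: str) -> dict:
    """Aggregate query features per registered domain."""
    agg = defaultdict(lambda: {"prefixes": set(), "lens": [], "ents": [], "txt": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname = line.split()
        domain, prefix = split_query(qname)
        d = agg[domain]
        d["total"] += 1
        d["txt"] += int(qtype.upper() == "TXT")
        if prefix:
            d["prefixes"].add(prefix)
            d["lens"].append(len(prefix))
            d["ents"].append(shannon_entropy(prefix.replace(".", "")))
    stats = {}
    for domain, d in agg.items():
        stats[domain] = {
            "unique_subdomains": len(d["prefixes"]),
            "mean_prefix_len": sum(d["lens"]) / len(d["lens"]) if d["lens"] else 0.0,
            "mean_entropy": sum(d["ents"]) / len(d["ents"]) if d["ents"] else 0.0,
            "txt_fraction": d["txt"] / d["total"],
        }
    return stats


def detect_dns_tunneling(log_text: str) -> list:
    """Registered domains whose query pattern matches all tunnelling indicators."""
    flagged = []
    for domain, s in domain_stats(log_text).items():
        if (s["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
                and s["mean_prefix_len"] >= MIN_MEAN_PREFIX_LEN
                and s["mean_entropy"] >= MIN_MEAN_ENTROPY):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, s in domain_stats(SAMPLE_DNS_LOG).items():
        print(f"{domain:22} {s}")
    print("suspicious domains:", detect_dns_tunneling(SAMPLE_DNS_LOG))
```

The three indicators are combined with AND on purpose: content delivery networks and cloud services also generate many unique subdomains, and some legitimate names are long, so a single feature alone produces noise. The TXT fraction is reported but not used as a hard condition, since tunnels can ride A or NULL records as well; it is a useful sort key when an analyst reviews the flagged domains.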
Managing T1071
T1071 poses a serious challenge because it allows attackers to hide within normal network traffic. Most businesses depend on protocols like HTTPS, DNS, and email to operate. Because these are trusted and expected services, security tools often treat them as safe by default. This creates a gap in visibility. Attackers use this gap to send data out of the network, bring in commands or malware, and avoid detection for long periods. The result is a form of stealth that can lead to data breaches, financial loss, or even complete system shutdowns—without anyone noticing in time to prevent the damage.
The main problem with T1071 is how it makes malicious activity look normal. Since the protocols used are vital to business operations, it becomes difficult for defenders to tell the difference between good and bad traffic. Attackers take advantage of that to stay connected to compromised systems. They can transfer sensitive data or move further into a network without setting off alarms. Because the communication happens through trusted channels, organizations often do not notice the breach until damage has already been done.
Example 1: A Financial Firm with Poor Egress Monitoring
Imagine a mid-size financial firm that allows all HTTPS traffic to pass through its firewall without inspection. An attacker gains access to one of the firm's internal accounting servers using stolen credentials. Once inside, the attacker sets up a hidden program that connects to a command-and-control server over HTTPS. Because the firm does not inspect encrypted traffic and assumes it’s safe, no alarms are triggered. Over the course of several days, the attacker uses this connection to exfiltrate sensitive customer financial data in small batches. The network team only discovers the breach weeks later, after a banking regulator raises concerns about leaked data. By then, the firm faces fines, legal issues, and reputational damage.
Example 2: A Hospital Using Messaging Apps for Coordination
In a busy hospital, staff often use third-party messaging apps like Slack or Telegram to coordinate care. These services are accessible on the hospital network, and IT allows their use to support quick communication. A threat actor gains access to a low-level device on the network through a phishing email. The attacker installs malware that connects to a public Telegram bot, where it receives commands and sends back system information. Because the messaging traffic looks like normal hospital communication, the attack flies under the radar. The attacker uses this channel to explore connected systems, eventually finding a poorly secured server holding patient health records. The data is extracted, and the attacker leaves no visible signs. The hospital only learns of the breach after patients begin reporting identity theft tied to leaked medical details.
In the wild
A real-world case of T1071 involved a healthcare provider that was targeted by a ransomware group. The attackers gained access to the network and used HTTPS to communicate with their control servers. Since HTTPS is used every day for websites and secure communication, the traffic appeared normal. Security tools did not block or inspect the data because it was encrypted. This allowed the attackers to quietly transfer data and later trigger ransomware across the network. The breach resulted in stolen patient data and system downtime, which impacted care delivery.
Mitigating the Issue
To reduce the risk of T1071, organizations can take several steps. They can inspect outgoing traffic more closely, even if it is encrypted. Using tools that understand what normal network behavior looks like can help flag unusual patterns. Limiting which applications and protocols are allowed and setting up alerts for unexpected activity can also help. Monitoring DNS requests and enforcing rules on messaging apps adds another layer of control. Finally, having strong segmentation and access controls makes it harder for attackers to move freely within the network, even if communication channels are open.
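Example 1 above describes an accounting server that talks to a C2 server over HTTPS while the firm inspects nothing on the way out. Even without decrypting TLS, the egress monitoring recommended in this section can expose such a channel from connection metadata alone: an implant that checks in on a timer produces a long series of connections to one destination with very regular gaps and near-identical request sizes, which ordinary browsing does not. The following Python script is an added example and not part of the original article. It assumes a constructed proxy or flow log with four fields (ISO-8601 timestamp, source IP, destination host:port, bytes sent); the sample lines and thresholds are assumptions chosen for illustration.

```python
"""Beaconing detection over an egress log, for HTTPS C2 (T1071.001).

Added example, not from the original article. Log format assumed:
<timestamp> <source ip> <destination host:port> <bytes sent>
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: 10.0.0.40 (an internal server) contacts one external host
# about every 60 s with small, similar-sized requests; 10.0.0.21 is a user
# browsing with irregular timing and varying request sizes.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00 10.0.0.40 203.0.113.7:443 512
2024-05-01T09:00:03 10.0.0.21 www.example.com:443 1840
2024-05-01T09:00:05 10.0.0.21 www.example.com:443 3121
2024-05-01T09:01:00 10.0.0.40 203.0.113.7:443 520
2024-05-01T09:01:30 10.0.0.21 cdn.example.com:443 9870
2024-05-01T09:02:01 10.0.0.40 203.0.113.7:443 515
2024-05-01T09:03:00 10.0.0.40 203.0.113.7:443 512
2024-05-01T09:04:01 10.0.0.40 203.0.113.7:443 530
2024-05-01T09:05:00 10.0.0.40 203.0.113.7:443 512
2024-05-01T09:05:59 10.0.0.40 203.0.113.7:443 518
2024-05-01T09:06:10 10.0.0.21 www.example.com:443 2210
2024-05-01T09:07:00 10.0.0.40 203.0.113.7:443 512
2024-05-01T09:09:45 10.0.0.21 www.example.com:443 1203
"""

# Assumed thresholds; tune against the organization's own traffic baseline.
MIN_CONNECTIONS = 6     # too few connections to judge regularity below this
MAX_INTERVAL_CV = 0.2   # coefficient of variation of gaps; heartbeats have low jitter
MAX_BYTES_CV = 0.5      # check-in requests vary little in size


def parse_log(log_text: str):
    """Yield (timestamp, src, dst, bytes_sent) tuples from the log text."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def coefficient_of_variation(values) -> float:
    """Population standard deviation divided by the mean (0.0 when the mean is 0)."""
    mean = statistics.fmean(values)
    if mean == 0:
        return 0.0
    return statistics.pstdev(values) / mean


def pair_features(log_text: str) -> dict:
    """Per (src, dst): connection count, mean gap, gap regularity, size regularity."""
    events = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(log_text):
        events[(src, dst)].append((ts, nbytes))
    features = {}
    for key, items in events.items():
        items.sort()
        times = [t for t, _ in items]
        sizes = [b for _, b in items]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        features[key] = {
            "count": len(items),
            "mean_interval": statistics.fmean(gaps) if gaps else None,
            "interval_cv": coefficient_of_variation(gaps) if len(gaps) >= 2 else None,
            "bytes_cv": coefficient_of_variation(sizes),
        }
    return features


def detect_beacons(log_text: str) -> list:
    """(src, dst) pairs whose timing and request sizes are regular enough to look like a beacon."""
    hits = []
    for key, f in pair_features(log_text).items():
        if (f["count"] >= MIN_CONNECTIONS
                and f["interval_cv"] is not None
                and f["interval_cv"] <= MAX_INTERVAL_CV
                and f["bytes_cv"] <= MAX_BYTES_CV):
            hits.append(key)
    return sorted(hits)


if __name__ == "__main__":
    for key, f in pair_features(SAMPLE_PROXY_LOG).items():
        print(key, f)
    print("possible beacons:", detect_beacons(SAMPLE_PROXY_LOG))
```

In the sample, the server's eight connections have a mean gap of 60 s with a coefficient of variation near 0.02, while the user's browsing never reaches the minimum count and its gaps vary by minutes. Two caveats for real deployments: implants commonly add jitter, so the interval threshold should be loosened and the observation window lengthened (hours, not minutes) rather than relying on a single tight cutoff; and a regular pattern is only a lead, so the hit should be enriched with destination reputation, TLS SNI or certificate details, and whether the source host has any business reason to reach that destination at all.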