Tools / Techniques for detecting persistent connections?

I just watched this video about ‘breaking out’ of a network by bypassing a firewall via tunneling, proxy, and other techniques.

I was aware of some of the techniques, but learned about a few interesting tools and more obscure techniques, like using DNS requests for data exfiltration.

Starting at 23:38 in the video, he mentions that “there are probably an awful lot of alarms and trip wires” to detect tunneling and proxy activity, and that there are tools to detect “long lived” connections through the firewall on ports that should normally only have brief connections.

I’m currently using a SonicWall firewall, and other than the “App Control” feature that can detect some VPN services, I’m not aware how I could detect such outbound connections based on their persistence.

Is there a term for this type of generic “persistent” connection detection in firewalls?

Is there a type of firewall rule or configuration that would detect such connections? Or would that require more advanced network monitoring tools or analysis of firewall logs?

The most common way more advanced firewalls try to figure this out is with tools such as Snort and Suricata. The next step up from there is having a SIEM tool that can collect the flows of traffic and correlate that with the logs from the workstations/servers/systems used. That would be a big part of what the SOC team does, looking for anomalies and analyzing that data from the SIEM tools. And despite all of this, some things will get through. The SolarWinds hack is a great example of this. Threat actors were communicating and doing data exfiltration for over 6 months against some of the biggest companies in the world as well as governments before FireEye found them in their network, then found the IPs being used, and from there updated threat feeds telling others what to look for; now that methodology is known and can be watched for.

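As an added illustration of the flow-log analysis the answer above describes (this is example code, not from the original thread, SonicWall, Snort/Suricata, or any SIEM vendor), the script below runs two of the checks mentioned in the thread over constructed sample data: it flags outbound flows that stay open longer than a per-port ceiling (the "long lived connection on a port that should only see brief connections" signal), and it flags clients that send an unusually large number of unique, long-label DNS names to one zone, which is the shape DNS tunneling and exfiltration tend to have. The flow tuples, the DNS log lines, the per-port ceilings in `MAX_SECONDS`, and the thresholds in `dns_suspects` are all assumptions made up for the example; a real deployment would baseline them from its own traffic.

```python
"""Detect long-lived outbound connections and DNS tunneling patterns in flow/query logs.

Example code only: sample records and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample flow records (not real SonicWall, NetFlow or Suricata output).
# Each tuple: (src_ip, dst_ip, dst_port, proto, start_s, end_s, bytes_out)
FLOWS = [
    ("10.0.0.5", "93.184.216.34", 443, "tcp", 0, 45, 12_000),          # normal HTTPS
    ("10.0.0.5", "203.0.113.9", 443, "tcp", 0, 14_400, 900_000),       # 4 h open on 443
    ("10.0.0.7", "198.51.100.2", 53, "udp", 100, 3_700, 500_000),      # 1 h "DNS" session
    ("10.0.0.7", "10.0.0.53", 53, "udp", 100, 101, 200),               # normal DNS lookup
    ("10.0.0.8", "203.0.113.10", 22, "tcp", 0, 60, 4_000),             # short SSH session
]

# Hypothetical per-port ceilings (seconds) for how long a single connection is
# expected to last. These are assumptions for the example; tune them from a
# baseline of your own flow data before alerting on them.
MAX_SECONDS = {53: 10, 80: 300, 443: 900}
DEFAULT_MAX_SECONDS = 3_600


def long_lived(flows, limits=MAX_SECONDS, default=DEFAULT_MAX_SECONDS):
    """Return flows whose duration exceeds the ceiling for their destination port."""
    hits = []
    for src, dst, dport, proto, start, end, nbytes in flows:
        duration = end - start
        ceiling = limits.get(dport, default)
        if duration > ceiling:
            hits.append({
                "src": src, "dst": dst, "dport": dport, "proto": proto,
                "duration_s": duration, "ceiling_s": ceiling, "bytes_out": nbytes,
            })
    return hits


# Constructed DNS query log lines in the form "<client_ip> <qname> <qtype>".
# 10.0.0.5 does ordinary lookups; 10.0.0.7 sends 40 distinct 32-hex-char labels
# under one zone, the typical footprint of a DNS tunnel.
NORMAL_DNS = [f"10.0.0.5 www{i % 3}.example.com A" for i in range(6)]
TUNNEL_DNS = [f"10.0.0.7 {i:032x}.t.example.net TXT" for i in range(40)]
DNS_LOG = NORMAL_DNS + TUNNEL_DNS

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registered_zone(qname):
    """Crude zone split: last two labels form the zone, the rest are subdomain labels.

    Assumption for the example; production code would consult the public suffix list.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def dns_suspects(lines, min_unique=25, min_avg_label=16):
    """Flag (client, zone) pairs that query many unique names with long leading labels."""
    unique_names = defaultdict(set)
    label_lengths = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the constructed format
        client, qname, _qtype = m.groups()
        zone, sub = registered_zone(qname)
        if not sub:
            continue  # bare zone query, nothing to measure
        key = (client, zone)
        unique_names[key].add(qname)
        label_lengths[key].append(len(sub[0]))
    suspects = []
    for key, names in unique_names.items():
        avg_len = sum(label_lengths[key]) / len(label_lengths[key])
        if len(names) >= min_unique and avg_len >= min_avg_label:
            suspects.append({
                "client": key[0], "zone": key[1],
                "unique_names": len(names), "avg_label_len": round(avg_len, 1),
            })
    return suspects


if __name__ == "__main__":
    for hit in long_lived(FLOWS):
        print("long-lived:", hit)
    for s in dns_suspects(DNS_LOG):
        print("dns-tunnel?:", s)
```

Both checks are heuristics, not signatures: a legitimate long-poll or VPN on 443 will trip the first one, and a CDN that hands out unique hostnames can trip the second, so in practice the output is a lead for the SOC to correlate against host logs rather than a block rule on its own.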

I also have a video on how to use proxychains, which is another fun way to get around systems.
