Tech Insight: Cutting-Edge Techniques For Data Exfiltration

  /     /     /  
Publicated : 22/11/2024   Category : security


Tech Insight: Cutting-Edge Techniques For Data Exfiltration


Its 3 a.m. Do you know where your data is? Heres a look at how it might be getting out



As security breaches occur with alarming frequency, one of the first things IT organizations want to know is what data was lost -- and how.
The concept of data exfiltration -- the removal of sensitive information from a companys network -- is becoming a crucial part of any data breach investigation. And whether the attack is carried out through physical theft or digital transfer from a compromised internal machine, the result is the same: The loss of sensitive data can have disastrous results for the organization.
Many organizations are fighting this threat with data leak prevention (DLP) technology, which can help identify and stop sensitive information before it leaves the corporate network. Unfortunately, it is often easy to manipulate, encode, or encrypt the information in a way that makes it easy to bypass DLP functions: Take a look at the Web_PII module in the recently released
vSploit modules
for Metasploit.
Data exfiltration techniques were the focus of a talk presented at
BSides Las Vegas
earlier this month. The presentation, by Iftach Ian Amit of Security Art, illustrated a trend that has been emerging as more and more companies recognize their vulnerability to data theft.
Data exfiltration is at the heart of this trend. Penetration-testing firms today are being tasked with more than just finding the different ways they can get to a companys data: Enterprises also want to know all the ways the data can be removed from the internal network.
Amit described some data exfiltration techniques that vary in practicality but have the same goal -- getting the sensitive data out. One method is simply encrypting the data before or during transmission to the Internet. This approach is very easy to accomplish, simply by connecting to a remote Web or FTP server that supports SSL or by using file-based encryption (i.e., WinZip, PDF).
Once the data is encrypted and encoded, then how does an attacker get it out? Forget email and FTP. Amit recommended using social networking sites to post the content and retrieve it later. Its incredibly easy (and free) to create a WordPress or Blogger site prior to a penetration test and then post the information there once youve obtained it.
Amit also proposed an interesting question regarding Wikipedia and wikis, in general. What is one of the pages that people rarely view? The answer came from the audience: the talk page, which is basically a discussion page about the wiki page. Put the encrypted and encoded data there, Amit said, and its likely to go unnoticed.
What can an attacker do when there is no network access outside of the target environment? This is common in high-security environments, where the internal network is air-gapped from the Internet. Amit offered three options. The first is to encode the data and send it to a network printer in the hopes that anyone who finds it will view it as gibberish and trash it. When the trash is taken outside, the attacker can dumpster-dive for the discarded paper, scan it in, and decode it.
The second option -- one deserving of a cool hack award -- is to leverage the VoIP or phone system for the data exfiltration. First, encode the data to audio. Then, make a call out to a voicemail system or conference calling service and play the audio through the phone to record it. When ready, call to retrieve the recording and decode it.
Amit has developed a proof-of-concept tool to handle the encoding and decoding that is currently available for
download
.
The third option leverages an email-to-fax interface, where an internal email address receives files that can be faxed anywhere. Similarly, an attacker could leverage a multifunction printer that has the ability to scan directly to a fax number or email address.
If the data to be exfiltrated is in hard copy form, then it could be scanned or faxed and sent out directly from the device, Amit observed.
Data exfiltration options abound, which means there is no one way to prevent it. For network defenders, implementing SSL inspection at the companys Internet gateway can help identify suspicious data transfers. Web/email content filters can be configured to block encrypted file transfers. Amit recommends approaching the defensive controls first by addressing the human element, then adding technology.
In addition to doing user training, enterprises must address the issues of where data is stored and how it is stored, Amit said. If users are allowed to store data on removable media, make sure they have the means for encrypting the data and know how to use it, he advised. Better yet, make it automatic with self-encrypting flash drives.
Fax machines and multifunction devices should have controls that prevent any machine on the network from connecting to them -- and to prevent individuals from walking up and using them without a password, Amit advised.
Once the controls are in place, monitor your assets so that you know what they are and where they are, Amit said. There is no reason to be shy about monitoring your own assets, he noted. After that, he said, Test. Then, test some more. Performing regular tests that involve internal employees and external penetration testers can help IT to identify where the controls are breaking down -- and where addition training could be needed.
Defending against data exfiltration is impossible unless you understand your organizations data flow and assets on the network. Do some exercises to see just how easy it is to get data out -- and how exposed the sensitive data stores are. Then shore up your defenses to prevent it.
Have a comment on this story? Please click Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security

▸ Senate wants changes to cybercrime law. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Tech Insight: Cutting-Edge Techniques For Data Exfiltration