Tech Insight: Throwing A Net Around Data Exfiltration

  /     /     /  
Publicated : 22/11/2024   Category : security


Tech Insight: Throwing A Net Around Data Exfiltration


Emerging techniques for stealing data present new challenges for data defenders



Whether its a malicious attacker or a penetration tester trying to infiltrate your network, the goal is the same -- get your data and get out with little to no detection. Today, attackers arent looking to deface your website with messages to their friends; they want to steal your data and sell it.
At the recent
ShmooCon
security conference, hackers from all over gathered to learn from one another during the snowmageddon snowstorm affecting the northeastern U.S. The topics included hardware hacking, Bluetooth sniffing, and exploiting multifunction print devices. One theme that surfaced in several presentations was data exfiltration -- and techniques used by attackers and penetration testers.
The first presentation touching on data exfiltration was Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP (
video
) by Andrew Gavin. He looked at finding and gathering data from a penetration testers viewpoint. Gavin uses OpenDLP, a tool he wrote himself, in pen-testing engagements after he gains Active Directory domain administrator credentials.
With OpenDLP, an agent gets deployed to all the Windows systems. It scavenges their hard drives looking for data matching certain patterns, like credit cards and SSNs, then pulls the data back to the OpenDLP controller. With this tool, Gavin can walk out with the controller and the data is his.
The OpenDLP approach is powerful and effective, but noisy. An astute network or systems administrator might catch the traffic or agent installation if theyre monitoring their systems diligently. A network behavioral anomaly detection system like Lancopes StealthWatch could detect the sudden uptick in traffic from the hosts sending data to the controller. Controls that monitor for new Windows services and software installations may sound an alarm when the agent is pushed to the victims workstations.
Detection is unlikely, though, according to Sean Coynes presentation and whitepaper,
The Getaway: Methods and Defenses for Data Exfiltration
. Coyne, a consultant for Mandiant, wrote, Not nearly enough emphasis is placed on internal network traffic monitoring -- especially lateral movement from workstations to workstations, and workstations to servers. Most security pros know how true this statement is.
Another interesting exfiltration technique was covered in the Printers Gone Wild presentation at Shmoocon. Ben Smith explored using printers for temporary storage of data that could later be transferred to an attackers or pen testers system. He has created a soon-to-be-released tool called printFS that uses printers for covert storage. Since printer security is often overlooked, exploiting the storage on a printer could easily go unnoticed. Good thing your printers are locked down, right?
The presentation, The Getaway, held some interesting and inventive techniques for advanced data exfiltration. The case studies presented were from actual investigations performed by Mandiant consultants. The first case involved a compromised system where data was transferred via copy/paste in a Windows Remote Desktop (RDP) session. The files were saved as .EML files in Outlook Express and then copied over the RDP session.
How does one monitor for traffic across an RDP session? There may be an increase in traffic, but its likely to be indistinguishable from normal RDP traffic. Instead, RDP connections to unusual hosts can indicate an issue or host-based monitoring for abnormal behavior.
In the preceding case study, Outlook Express had never been run until the attack. A system like
El Jefe
, a free, centralized process logging system from Immunity Inc., could have flagged the first run of an application, as well as something unlikely to be run on a server (i.e., Outlook Express).
The last case study presented in The Getaway involved a client who experienced an intrusion following the cleanup from a previous compromise. The attackers took advantage of an unused installation of a Microsoft Internet Information Services (IIS) Web server to host the data to be exfiltrated. Using a network tunnel back to a system controlled by the attacker, the data was transferred from the IIS Web server through the tunnel to the attackers system.
The latter case provides a good example of why unused services should be removed, but it also gives a look into just how far an attacker will go to get data out. Instead of attempting to transfer data via the usual FTP or HTTP methods, the attacker attempted to download 144 GB of data via tunneled HTTP using malware on the compromised system -- most likely to get around firewall rules preventing inbound connections to the IIS server.
Attackers looking to get data out of your organization will go to great lengths, but every action on the network and systems leaves a trail. The key is to be monitoring the network, servers, and workstations so that the trail can be picked up before it is too late.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact Dark Readings editors directly, send us a message.

Last News

▸ New threat discovered: Mobile phone ownership compromised. ◂
Discovered: 23/12/2024
Category: security

▸ Some DLP Products Vulnerable to Security Holes ◂
Discovered: 23/12/2024
Category: security

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Tech Insight: Throwing A Net Around Data Exfiltration