As a followup to “Top Five Security Threats You Should Be Detecting,” this blog post goes a bit deeper into certain attacker techniques, such as data exfiltration.
What is data exfiltration? This is when an adversary is trying to steal data, typically falling in the latter stages of a cyber attack (known as the ‘cyber kill chain’). Data exfiltration also comes later in the attacker tactics on the MITRE ATT&CK Framework after discovery, lateral movement, collection, etc.
The concept of data leaving an organization’s network has been used to help define a data breach. However, if data is leaving your network, you have definitely had an intrusion, and it means that the protective measures earlier in the attack chain failed to detect or prevent the theft.
Data Exfiltration Techniques
The different techniques used to transfer data out of your network include sending it over the attacker’s command and control channel, and packaging, compressing and encrypting the data prior to exfiltration in order to both minimize the amount of data sent and hide the information being transmitted over the network.
Command and Control
What is command and control? Also known as C&C or C2 servers, these are used by an attacker to send commands to systems after they’ve compromised them, and to receive the stolen data those systems send back. MITRE lists out different procedure examples (known backdoors and techniques used by each tool) for sending data over command and control channels.
By establishing C2 communications, attackers can also send commands to steal data or spread malware throughout several different compromised machines in a botnet. They can initiate distributed denial of service (DDoS) attacks that overwhelm and disrupt internet services by flooding them with internet traffic, such as in the Mirai botnet attack of 2016 that infected many unprotected Internet of Things (IoT) devices.
Detecting Data Exfiltration
As Blumira’s Director of Security, Mike Behrmann puts it – every organization has at least some capacity to detect C2 in a classic network architecture, whether it’s with next-generation firewalls, intrusion prevention systems, email security solutions or proxies, etc.
Pairing this with threat intelligence is useful to help enrich and narrow the scope of detection. Since data must pass through a designed egress point in order for it to leave the network, typically a next-generation firewall (NGFW) or network intrusion prevention system (IPS) with visibility into traffic protocols can help detect exfiltration. They can include signature-based antivirus capabilities that are useful for C2 detection.
However, quality C2 detection doesn’t just rely on signatures, according to Behrmann. Based on the design of a network, attackers must use whatever egress channels are available to them for C2 or data exfiltration – these particular “choke points” are advantageous for defense as they make attackers predictable. In the military, a choke point is a land feature (such as a narrow strait connecting bodies of water) that an armed force must pass, making it more difficult for passage and decreasing their combat power.
Blumira’s threat detections bring together threat intelligence, geo-specific data and other attack patterns such as outbound data volume in order to identify data exfiltration in progress. We also enable security and IT teams to quickly respond to detections through our platform with guided pre-built playbooks that walk you through different remediation steps.
Examples of Data Exfiltration Rules
In one example of Blumira’s detections, we found that there was a 50GB+ outbound connection to an external source via a generic network protocol, which can indicate either a legitimate business-related connection or potential data exfiltration.
In the workflow steps, we recommend that the source machine be taken offline immediately if the outbound connection of 50GB+ of data isn’t correlated to a typical business operation, such as a large backup process.
In another example of detected exfiltration, Blumira has identified a specific user attempting to transfer data to a public IP address that neither they nor anyone else in the organization had connected to previously, indicating potential data theft in progress.
In the workflow steps, Blumira recommends temporarily stopping access for the user by locking out their account, disabling their Active Directory account ID, and killing active sessions that allow the outbound connection, such as virtual private networks (VPNs).
We also recommend investigating the access control lists (ACLs) associated with the user’s access within the environment, to determine what data could have been stolen. You can do this with the Windows AccessEnum tool, which, according to Microsoft, gives you a view of your file system and Registry security settings to help identify security holes and lock down permissions.
Other rules that Blumira uses to detect potential data exfiltration include a major spike in anomalous outbound web traffic (such as 1000%), and allowed outbound or inbound evasive/malicious encrypted-tunnel software.
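The three rules described above (a 50GB+ outbound transfer, a first-seen public destination for the whole organization, and a 1000% spike in outbound web traffic), implemented as an added example over constructed flow records. This is not Blumira’s code; the internal address ranges, the 10x spike ratio, the flow record fields and the sample data are all assumptions.

```python
import ipaddress
from collections import defaultdict

GB = 1024 ** 3
LARGE_OUTBOUND_BYTES = 50 * GB   # "50GB+ outbound connection" rule from the post
SPIKE_RATIO = 10.0               # a 1000% spike over the baseline (assumption: 10x)
# Assumption: these ranges are internal; any other destination is treated as public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    """True when ip falls outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_exfiltration(flows, known_public_dsts, web_baseline):
    """flows: dicts {user, src, dst, proto, bytes_out} for one time window.
    known_public_dsts: public IPs anyone in the org has contacted before this window.
    web_baseline: {src: typical outbound http/https bytes per window}."""
    findings, web_bytes, seen = [], defaultdict(int), set(known_public_dsts)
    for f in flows:
        # Rule 1: a single 50GB+ outbound transfer; analyst correlates with backups.
        if f["bytes_out"] >= LARGE_OUTBOUND_BYTES:
            findings.append(("large_outbound_transfer", f))
        # Rule 2: data sent to a public IP that nobody in the org has used before.
        if is_external(f["dst"]) and f["dst"] not in seen:
            findings.append(("first_seen_public_destination", f))
            seen.add(f["dst"])
        if f["proto"] in ("http", "https"):
            web_bytes[f["src"]] += f["bytes_out"]
    # Rule 3: outbound web volume at or above 1000% of that source's baseline.
    for src, total in web_bytes.items():
        base = web_baseline.get(src)
        if base and total >= SPIKE_RATIO * base:
            findings.append(("outbound_web_spike", {"src": src, "bytes_out": total, "baseline": base}))
    return findings

# Constructed sample window (not real telemetry); 203.0.113.77 is a documentation address.
SAMPLE_FLOWS = [
    {"user": "backup-svc", "src": "10.0.0.5", "dst": "10.0.9.9", "proto": "smb", "bytes_out": 60 * GB},
    {"user": "jdoe", "src": "10.0.0.21", "dst": "203.0.113.77", "proto": "https", "bytes_out": 3 * GB},
    {"user": "jdoe", "src": "10.0.0.21", "dst": "203.0.113.77", "proto": "https", "bytes_out": 2 * GB},
    {"user": "asmith", "src": "10.0.0.30", "dst": "198.51.100.10", "proto": "https", "bytes_out": 200 * 1024 ** 2},
]
KNOWN_PUBLIC = {"198.51.100.10"}
WEB_BASELINE = {"10.0.0.21": 400 * 1024 ** 2, "10.0.0.30": 150 * 1024 ** 2}
# detect_exfiltration(SAMPLE_FLOWS, KNOWN_PUBLIC, WEB_BASELINE) -> 3 findings, one per rule
```

The backup service account trips rule 1 on purpose: the post notes a 50GB+ transfer can be a legitimate backup, so the finding is a trigger for the correlation step rather than a verdict.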
Learn more about how to replace your SIEM with an automated platform that can help with detecting and responding to data exfiltration tactics in “The Modern SIEM Evaluation Guide.”