In this blog series, we explore security validation techniques for the preemptive protection of networks, applications, and data. The scenario templates for the various threats are based on the most popular among our customers.
In the previous post of this series, we discussed credential dumping and gaining an initial foothold through abusing credentials. The topic selected for this second template in the series reflects the high popularity among Cymulate users of assessments related to data exfiltration.
287 Days to Acknowledge a Data Breach
Data exfiltration, the unauthorized transfer of data from a computer or network, is a prevalent threat in the cybersecurity landscape and should be taken as seriously as ransomware attacks.
However, most data exfiltration incidents never make it to news outlets because they lack the business interruption component of ransomware attacks, or, worse, simply go undetected. In addition, it is common for APT groups and state-sponsored agents to focus their efforts on data exfiltration, ultimately.
Data exfiltration victims are facing challenges in evaluating the true scope of the threat. Some might rely on their cyber insurance coverage to carry associated costs, instead of investing in full forensics capable of identifying exfiltration and preventing data leakage.
In cyberattacks, lightning often strikes twice. Threat actors publish and sell data on the dark web and are more likely to come back into the victim’s network to attack harder than before.
Yet, silent data exfiltration victims may wrongly assume that their data is safe simply because a stealth theft has not been detected and their operations are proceeding undisturbed. With the average time to detect a breach still at 287 days, preemptively validating the efficacy of data exfiltration protection is highly recommended.
Most Popular Exfiltration Techniques
According to MITRE ATT&CK, the top eight executions relied upon to exfiltrate data are:
- Exfiltration Over DNS:
DNS exfiltration is a technique used to transfer data from a compromised network to a remote attacker by encoding the data into DNS queries. This method is particularly effective because DNS queries are often allowed through firewalls and are rarely blocked. Attackers can use this method to exfiltrate sensitive data from a network without being detected.
- Exfiltration using PSFTP:
PSFTP (Parallel Secure File Transfer Protocol) is a secure file transfer protocol that can be exploited to transfer misappropriated files from one system to another. Attackers can use this method to exfiltrate data from a network by abusing PSFTP to transfer files to a remote server under their control. This method is particularly effective because PSFTP is often permitted through firewalls and is rarely monitored.
- HTTP Data Exfiltration from String (XOR Encrypted):
HTTP data exfiltration from a string is a technique that involves encoding sensitive data into a string and then encrypting it using the XOR encryption method. The encrypted data is then sent over an HTTP connection to a remote attacker. This method is particularly effective because HTTP traffic is often permitted through firewalls and is rarely monitored. XOR encryption makes it difficult for security tools to detect and block this type of exfiltration.
- HTTP (Data Hidden in Cookie) Data Exfiltration from String:
In this method, attackers hide sensitive data within a cookie and then send the cookie over an HTTP connection to a remote attacker. This technique is particularly effective because cookies are often permitted through firewalls and are rarely monitored. This method can be used to exfiltrate sensitive data from a network without being detected.
- TELNET Data Exfiltration from String:
TELNET is a protocol used for remote access to a computer or network. Attackers can use TELNET to exfiltrate data by encoding the data into TELNET packets and sending the packets to a remote attacker.
- Exchange Exfiltration using Basic HTTP Request:
This technique involves using a basic HTTP request to exfiltrate data from a compromised network to a remote attacker. The data is encoded into the request and sent over an HTTP connection. This method is particularly effective because HTTP traffic is often permitted through firewalls and is rarely monitored.
- Webupload:
Webupload is a method used to upload a file from a compromised network to a remote account controlled by an attacker. Attackers can use this method to exfiltrate sensitive data from a network without being detected. This method is particularly effective because cloud services such as Google Drive are often permitted through firewalls and are rarely monitored.
- Git Exfiltration (Windows):
This technique involves using the Git version control system to exfiltrate data from a compromised Windows system to a remote attacker. The data is encoded into a Git repository and sent to the attacker via a Git protocol. This method is particularly effective because Git traffic is often permitted through firewalls and is rarely monitored.
Preventing Data Exfiltration
To ensure a network’s resilience to various data exfiltration techniques, preemptively running the template with the eight executions listed above, either chained or atomically, is an easy-to-implement and effective proactive measure.
Additionally, simulating these techniques can be leveraged to test incident response plans and identify areas for improvement.
