Watch Your Backyard - Data Exfiltration

Published on 31 Jul 2014

by GOsafeonline

Organisations these days have to be prepared for various types of cyber-attacks, from sophisticated phishing attempts and Distributed Denial-of-Service (DDoS) attacks to website defacements. Perhaps the most sinister of them all is an attack designed to siphon off your organisation’s data, otherwise known as data exfiltration.

Data exfiltration is a security breach that occurs when confidential information, such as customer records, proprietary information, intellectual property and business secrets, is illegally copied, transferred, or retrieved from an organisation’s systems or networks. Organisations should be aware that data breaches can happen right within their own backyard due to cyber-attacks on the corporate networks and systems.


Common Forms of Data Exfiltration


Understanding how data exfiltration takes place can prepare organisations for cyber threats, and allow for better prioritisation of investments in infocomm security controls and technologies. Some means of data exfiltration are listed below:


Malware Attacks

The use of malware (e.g. worms, viruses and Trojans) to compromise computers and servers and steal information is a common tactic used by malicious attackers as it is the easiest to execute. Such malware may infiltrate your organisation’s network and systems through email attachments, drive-by downloads from web browsing, or even personal thumbdrives shared between employees. To mitigate this threat, organisations should ensure that anti-virus software definitions for all endpoints are up to date, deploy a web filtering solution and an intrusion detection system to detect unusual malware activity, and control Internet access to block prohibited sites (e.g. public email services) and blacklisted / malicious websites.


Attacks on Web Applications

Stolen administrator credentials and exploitation of vulnerabilities (e.g. SQL injection) in organisations’ web applications are common attacks used for data exfiltration. Organisations can protect their web applications by performing a web vulnerability assessment and penetration test before launch and before deploying changes. Prior to that, organisations should ensure that web security practices such as performing input validation checks are in place. The OWASP Top 10 serves as a good reference for organisations.


Insider and Privileges Misuse

Organisations should also not discount attacks from within their backyards. Insider misuse of account privileges on the corporate network is a common cause of data exfiltration. Organisations’ partners and vendors are also potential culprits because they may be provided with account privileges. Start protecting your data by reviewing user privileges and revoking account access when employees leave or change roles.


Physical Theft and Loss

Theft can happen anywhere, including within the office premises. Employees commuting may also lose their mobile devices containing confidential data. Organisations should enforce a clean desk policy where possible, and practise encryption of storage media and mobile devices (e.g. through Mobile Device Management solutions) to protect data if the devices are lost.


Staff Negligence

Data breaches resulting from employees posting private data to public resources, or emailing information to wrong recipients, fall under this category. End user awareness is one avenue to mitigate this risk. Organisations may also invest in Data Loss Prevention solutions to avoid the leakage of sensitive information to unauthorised parties.

Determining Data Exfiltration


Was confidential data sent out in an email attachment, through instant messaging, or perhaps uploaded to public sites? What data was stolen? These are questions organisations may ask after falling victim to data exfiltration despite all the best practices they have put in place to prevent it. Determining that it has happened is only the first step; knowing exactly what data has been breached is often the tedious and arduous task. There is a staggering number of possibilities when it comes to data exfiltration.


Monitoring the system and network (e.g. full packet inspection) may aid organisations in detecting and determining data exfiltration, but this is often an expensive and difficult task, and not suitable for everyone. However, without the help of forensic analysts, organisations are still able to conduct some form of review to determine data exfiltration.



Application Pre-fetching

First introduced in Windows XP systems, Pre-fetch files are designed to speed up application start-up processes. These files can provide indicators of data exfiltration. For example, a cyber-attacker may use a file archiving program such as zip.exe to archive stolen information before siphoning it off the organisation’s systems. The Pre-fetch file for zip.exe, found within the “%SystemRoot%\Prefetch” directory, may contain references to the directory paths and file names of the data that was included in the siphoned archive.
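The review described above can be scripted. The following is an added example, not part of the original article: it reads the file-name strings block of an uncompressed (Windows XP to 8.1) Pre-fetch file using the publicly documented "SCCA" layout and lists referenced paths outside the operating system directories. The sample buffer, its paths and the ignore list are constructed for illustration.

```python
import struct

def parse_prefetch(data: bytes) -> dict:
    """Parse an uncompressed SCCA prefetch buffer: executable name + referenced paths."""
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch: decompress it first")
    if len(data) < 0x6C or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    # Executable name: UTF-16LE, NUL-terminated, 60 bytes at offset 0x10.
    exe = data[0x10:0x10 + 60].decode("utf-16-le", "replace").split("\x00")[0]
    # Offset and size of the file-name strings block (file information section).
    str_off, str_size = struct.unpack_from("<II", data, 0x64)
    if str_off + str_size > len(data):
        raise ValueError("file-name strings block is out of bounds")
    block = data[str_off:str_off + str_size].decode("utf-16-le", "replace")
    return {"version": version, "exe": exe,
            "paths": [p for p in block.split("\x00") if p]}

def non_system_paths(paths, ignore=("\\WINDOWS\\", "\\PROGRAM FILES")):
    """Keep references outside OS/program directories: candidate archived data."""
    return [p for p in paths if not any(i in p.upper() for i in ignore)]

def build_sample() -> bytes:
    """Constructed sample: minimal XP-style (version 17) prefetch buffer for zip.exe."""
    names = [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
             r"\DEVICE\HARDDISKVOLUME1\TOOLS\ZIP.EXE",
             r"\DEVICE\HARDDISKVOLUME1\FINANCE\PAYROLL_2014.XLS",
             r"\DEVICE\HARDDISKVOLUME1\TEMP\OUT.ZIP"]
    block = "".join(n + "\x00" for n in names).encode("utf-16-le")
    hdr = bytearray(0x98)                      # header + file information
    struct.pack_into("<I4s", hdr, 0, 17, b"SCCA")
    exe = "ZIP.EXE".encode("utf-16-le")
    hdr[0x10:0x10 + len(exe)] = exe
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(block))
    return bytes(hdr) + block

if __name__ == "__main__":
    info = parse_prefetch(build_sample())
    print(info["exe"], "version", info["version"])
    for path in non_system_paths(info["paths"]):
        print("  ", path)
```

A Pre-fetch file records only files touched during the first seconds of start-up, so the list is a lead for further review rather than a full inventory of what was archived.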


Registry Files and Keys

Using the registry as a log file is an interesting approach to conducting a log analysis. Valuable data can be derived from the Registry when combining values with available time stamps. For example, it may be possible to discover the types of devices (e.g. thumbdrives) that were connected to the compromised system, and when they were connected.


System and Security Logs

Performing a review of system and security logs may help to provide hints of data exfiltration.

The Windows Event Viewer may provide traces of what has happened to the compromised machine. Organisations may review these events occasionally to determine if something suspicious was taking place.

Application event logs such as logs from Microsoft’s Malicious Software Removal Tool, Windows Defender, or the various Anti-Malware solutions, can provide clues to the nature of the data breached, if malware was involved.

Advanced sensory and logging software is also available and can help organisations in their investigation process. Such logging software can monitor the execution of events and applications, file modifications, registry modifications, network connections, the relationship between these events, and other details that organisations need during an investigation.


Important Takeaways


The age-old adage of “prevention is better than cure” still holds true here. Having good security hygiene is a wiser investment than going through an expensive and time-wasting route of determining a data exfiltration event.

  • Organisations need to be vigilant, and to respond to potential security risks early
  • Log files can provide an early warning or detection
  • Educate employees on the importance of information security, how to spot the signs of an attack and to report anything suspicious
  • Patch software and systems promptly as cyber-attackers often exploit these vulnerabilities
  • Encrypt confidential data to make it more difficult to discern if it is stolen
  • Keep data on a “need-to-know basis” by limiting employees’ access to the systems they need for their job
  • Employ security solutions such as Data Loss Prevention, Anti-Malware, and Firewalls to improve your organisation’s security posture