Data Exfiltration: Staying One Step Ahead Of Thieves

Cyber ​​attacks pose a massive threat to companies. In Germany, too, data is more and more often successfully accessed through harmful attacks. To prevent data exfiltration, companies need to recognize the early phase of the attack and prevent the threat instead of only reacting after the perpetrator has already penetrated the network. In the following, it is analyzed which steps are necessary for a successful defense against damage.

As the latest espionage attacks by the hacker software Pegasus and the worldwide REvil Kaseya attack show, cyber-attacks have increased sharply for years – especially since the beginning of the corona pandemic. This is also proven by the CyberEdge Group’s Cyberthreat Defense Report: Cybercriminals took advantage of the crisis. 86 percent of the companies surveyed in 2021 were victims of a successful cyberattack at least once in the past twelve months – more than ever before. German companies were also increasingly the target of the attacks; 91.5 percent of those surveyed stated that they had been the target of an attack. Together with China, Germany ranks second among the countries in which attackers have successfully penetrated organizations. For businesses, malicious intrusion into the network means not just loss of data but often long-term financial and reputational effects. 

As a result of the exfiltration of data, i.e., the unauthorized transfer of data from a network, the perpetrators use the stolen information to blackmail the company. If customer data is also affected by the attack, the circle of victims expands, and there can be considerable damage to reputation. It is therefore essential for companies to effectively defend the network and cover the attacker’s subsequent actions. Numerous steps and complex methods must be observed, which are analyzed in detail below. But often long-term effects on finances and reputation. As a result of the exfiltration of data, i.e., the unauthorized transfer of data from a network, the perpetrators use the stolen information to blackmail the company. 

If customer data is also affected by the attack, the circle of victims expands, and there can be considerable damage to reputation. It is therefore essential for companies to effectively defend the network and cover the attacker’s subsequent actions. Numerous steps and complex methods must be observed, which are analyzed in detail below. But often long-term effects on finances and reputation. As a result of the exfiltration of data, i.e., the unauthorized transfer of data from a network, the perpetrators use the stolen information to blackmail the company. If customer data is also affected by the attack, the circle of victims expands, and there can be considerable damage to reputation. It is therefore essential for companies to effectively defend the network and cover the attacker’s subsequent actions. Numerous steps and complex methods must be observed, which are analyzed in detail below. 

To blackmail the company. If customer data is also affected by the attack, the circle of victims expands, and there can be considerable damage to reputation. It is therefore essential for companies to effectively defend the network and cover the attacker’s subsequent actions. Numerous steps and complex methods must be observed, which are analyzed in detail below. To blackmail the company. If customer data is also affected by the attack, the circle of victims expands, and there can be considerable damage to reputation. It is therefore essential for companies to effectively defend the network and cover the attacker’s subsequent actions. Numerous steps and complex methods must be observed, which are analyzed in detail below, which are analyzed in detail below, which are analyzed in detail below.

Also Read: Security In The Flexible Working World

The Attacker’s Goal Has Changed

Data exfiltration is a form of malicious cyber operation. In this type of attack, actors gain access to sensitive data, for example, with the help of malware. However, the attacker’s goal has changed over time. In the past, these were used by state actors or other clients to spy on certain companies and steal innovations specifically; today, it is less about the advantages for the attacker himself. Cyber ​​attacks are no longer aimed at using the stolen data for their purposes but use the information obtained to harm the victim. Since companies fear disclosure of their data, perpetrators have the opportunity to extort large sums of money. Exfiltration is now practiced for monetary or hacktivist reasons. For network owners, operators and defenders, this change means that they must put sufficient controls to detect, contain or, given the potential costs, prevent malicious attacks.

Exfiltration Has Multiple Effects

Numerous sources of danger in cybersecurity have immediate and drastic consequences, such as a virulent ransomware incident. Nevertheless, data exfiltration should not be underestimated: In addition to direct effects, the loss of sensitive data can also harbor long-term dangers.

Three main risks are of central importance: the loss of sensitive data or intellectual property, reputational damage, and extortion. The former can set companies back in competition with competitors. If customer or client data is also tapped, the consequences can be regulatory measures, loss of customer confidence, and thus impairment of relationships. If the incident becomes public, it can cause long-term reputational damage. The company is forced to intensify its public relations work to counteract the loss of image. Reputation damage represents a significant risk in that a reputation can be destroyed quickly but can only be rebuilt with great difficulty. The third key risk is blackmail by cybercriminals.

Therefore, the risks associated with data loss or exfiltration events have a significant impact on the company and its relationships. In addition, the quantification and the time to manifest the consequences can hardly be estimated. Intellectual property theft can still hit the company years or decades after the actual incident. Reputation losses, on the other hand, are difficult to measure and can hardly be compensated for. Against the background of the increase in hacker attacks and the changed goals of attackers, data exfiltration will gain importance in the future and have more acute consequences for companies than before. To protect the company’s data, network defenders and operators must align their defense measures so that these attacks can be detected as quickly as possible and, at best, even prevented.

Identify Exfiltration Activities At An Early Stage

Exfiltration moves large amounts of data to new or unknown sources. This can be done either through direct physical access to the computer or through the use of malware. Contrary to what one would think, however, it is not easy to recognize this movement. This requires a combination of network visibility and active network monitoring. If both of these are not available to the necessary extent, companies will not gain insight into the malicious behavior or notice activities but not recognize the intent behind them. The misjudgment of the attacks as legitimate activities results in considerable “noise” during detection.

But even if companies have sufficient insight into their network, identifying the attacker is a challenge. Using techniques such as obscuring or overlaying other activities, they minimize visibility and thus evade detection. This is possible using the following methods:

  • Use legitimate third-party services such as B. Cloud backup systems or web-based storage as a target for leaked data. The examples range from common products such as Google Drive and Dropbox to more specific effects of an ecosystem such as those connected with the Mega.io service.
  • Tunnel traffic over non-HTTP services or alternate protocols for large data transfers that may not be monitored with the same level of care.
  • Breaking the data into smaller pieces for exfiltration to avoid abnormally large data streams leaving the network.

Although these techniques make it more difficult to track down the attacker, they do not make them impossible. If the general traffic pattern anomalies are monitored together with a specific identification of certain techniques or behaviors, attacks can be detected. Access to datasets such as the network flow enables this even if the data is encrypted or the insight into network activity is limited.

Identifying suspicious network flows is a reliable way to identify exfiltration activity. In addition to the search for large data streams, identifying the directional dependency and the upload/download ratio plays a major role. The assessment of whether a data stream can be regarded as “large” naturally depends on the standard dimensions within the monitored network. Large data streams indicate suspicious activity as they indicate data-intensive connections such as streaming, remote access, or similar activities. It can be identified whether the data is leaving the network by including the directional dependency and the upload/download ratio. If this is the case for most of the data (80-90 percent), this indicates a large upload session. Since such meetings also exist in a corporate legal context, a more detailed examination of these activities is a necessary next step. In addition to harmful attacks, the shared use of large project files could also generate a correspondingly large data flow.

The effectiveness of the procedure described can be increased if an analytical approach for network connections is used. In this way, the unauthorized outgoing data streams are identified, but the network infrastructure connected to them is also analyzed. Linking a suspicious outbound data flow to new network infrastructure or a Virtual Private Server (VPS) instance can reveal suspicious activity. This technique can also be applied to non-standard connections (such as FTP or other protocols) to unknown or untrusted destinations to identify potential exfiltration activity.

The combination of these strategies provides companies with an effective method of detecting exfiltration events. You can identify exfiltration when or shortly after it occurred. Rapid detection enables companies to take action to respond and mitigate damage, which can reduce the time it takes for an undetected attack to take place and the time it takes to respond. Conversely, however, this means that the attacker has succeeded in penetrating the network, which is why the approach described only relates to an already successful attack. To completely avert damage, it is, therefore, necessary to prevent exfiltration at all.

Prevent Attacks At An Early Stage With The “Whole Of Kill Chain” Defense

To completely prevent exfiltration, a “whole of cyber kill chain” perspective must be pursued. This relates to the course of a typical cyber-attack and tries to stop the attacker from taking the first steps in the context of network monitoring and defense. To succeed, defenders look for overarching paths and dependencies through which attackers can enter the network and data could be funneled out of the network. Necessary trailblazers relate, for example, to initial access, lateral movements, data collection, and data provision.

New security precautions can be derived by adopting the attacker’s perspective and critically examining the prerequisites for a malicious intrusion. Implementing more general controls on the host and in the network can prevent exfiltration operations and a variety of intrusion attempts. Identifying the attacker’s likely intrusion mechanisms and closely monitoring them reduces the likelihood of successful access by a threat actor. The controls that have also been introduced significantly reduce the attack surface. Such controls are primarily the patching of externally directed systems, reducing services available for external access, limiting the types of traffic entering the network, and monitoring sensitive activities such as remote administration or remote access sessions.

Many companies focus on these steps to reduce the risk of attack. However, true, multi-level defense requires going beyond the network boundary to cover the attacker’s subsequent actions. The attacker has almost unlimited possible initial access mechanisms at his disposal, and he can also infiltrate systems or users, even if elements are patched or otherwise monitored. Therefore, the defense must also extend to internal network traffic flows and host items. Defenders need to identify lateral movement techniques and their artifacts in both the network and host behavior.

While the increasing adoption of Endpoint Defense and Response (EDR) products covers host-centric observations, investing in visibility and monitoring of east-west traffic is essential to detect intruders entering protected networks. Defenders need to identify lateral movement techniques and their artifacts in both the web and host behavior. These elements can ensure that adversarial operations are covered when implemented together, ranging from opportunistic criminal actors to targeted hacktivists to government-sponsored threats.

To protect a company’s data and sensitive information, defense forces need to understand the attacker’s behavior and tendencies to identify what the adversary is doing and what techniques are being used to attempt an intrusion. Once these points have been identified, a combination of EDR and Network Detection and Response (NDR) must be used to ensure multi-level detection and monitoring and to close potential gaps in visibility that attackers may use to their advantage.

Conclusion

Cyber ​​threats increasingly involve data exfiltration. Numerous actors, from criminals to hacktivists to state-controlled intruders, target sensitive data from companies to blackmail them. By applying and monitoring strong network controls, defenders and asset owners can detect such behavior as early as possible. This enables companies to react quickly to the attack and limit potential damage.

Defenders can’t just focus on detecting abnormal outbound data streams: instead, robust defense requires identifying enemy actions at all stages of the attack. Therefore, a reaction is needed not only when the attacker has already penetrated the network but rather in advance. Once this is understood, protections can be implemented on the network and on the host to cover every step of the intrusion. Only through this robust, in-depth defense approach can defenders ensure awareness of potentially malicious activity and enable an intrusion to be prevented or interrupted if the actions are detected early in the attacker’s life cycle. Defending against modern cyber threats, from ransomware operations to data exfiltration for various purposes, is neither simple nor inexpensive. Still, it is necessary to ensure that defenders keep pace with the rapidly evolving threat landscape.

Also Read: Ransomware: Pay Or Not Pay, That Is The Question

Tech Gloss
Tech Gloss is a site dedicated to publishing content on technology, business news, Gadget reviews, Marketing events, and the apps we use in our daily life. It's a great website that publishes genuine content with great passion and tenacity.
RELATED ARTICLES