Data security has become a top priority for businesses, and data exfiltration is one of the biggest threats to an organization's sensitive and confidential information. It is a significant risk for any organization that handles sensitive data and can result from external attacks, insider threats, and phishing.
What is data exfiltration?
Data exfiltration, also known as data theft or data leakage, is the unauthorized transfer of data from an organization's internal network to an external location, such as a server the attacker controls. It can be carried out using a variety of techniques and is often difficult to distinguish from legitimate outbound traffic. The stolen data can be financial information, customer data, intellectual property, or any other confidential information.
In recent years, the number of data breaches involving data exfiltration has increased, leading to significant financial losses and reputational damage for the affected organizations. One of the most well-known cases is the 2013 Target data breach. According to Slate, the attackers stole the details of 40 million credit and debit card accounts as well as the personal information of over 70 million customers from Target's point-of-sale systems.
The attackers entered Target's network using the access of a third-party vendor. They then installed malware on Target's point-of-sale systems, which collected card data and exfiltrated it to an external server. The impact of the breach was massive: Target's stock price dropped, and the company incurred reputational damage, regulatory scrutiny, and financial costs including fines and legal fees. The case illustrates both the severity of data exfiltration and the fact that the exfiltration step is where an intrusion turns into a loss for the business and its customers.
Types of data exfiltration
Data exfiltration can be performed in many ways. Some of the most common types of data exfiltration are:
- Network-based exfiltration: Data is transferred over the network to an external location (for example, the attacker's server) using protocols such as HTTP, FTP, or DNS, typically blended into normal outbound traffic so that it does not stand out.
- Physical exfiltration: Data leaves on physical media. This can mean the theft of devices that contain sensitive data, such as laptops, hard drives, or USB drives, or the copying of data onto removable media such as USB drives, external hard drives, or memory cards.
- Insider exfiltration: Employees or contractors with authorized access to sensitive data steal it and pass it to unauthorized parties.
- Cloud-based exfiltration: Data is copied from cloud services such as AWS, Microsoft Azure, or Google Cloud, or from the internal network to a cloud storage account the attacker controls. The attacker typically gains access by exploiting a misconfiguration or vulnerability or by stealing login credentials.
- Application-based exfiltration: Data leaves through an application, either by exploiting a vulnerability in the application or through malicious code embedded in it.
Ways to prevent and mitigate data exfiltration
Organizations can take various measures to prevent and mitigate data exfiltration, including:
- Implementing a strong security policy: The policy should define access controls, encryption requirements, and regular security audits, so that the other measures below are applied consistently rather than ad hoc.
- Conducting regular security audits: Audits help organizations identify vulnerabilities in the network and prevent attacks before they occur.
- Using data loss prevention (DLP) solutions: DLP solutions help prevent data exfiltration by monitoring the data leaving the network and identifying any suspicious activity.
- Deploying endpoint security solutions: These solutions help prevent data exfiltration by monitoring endpoints, such as laptops, desktops, and mobile devices.
- Establishing access controls: This ensures that only authorized personnel can access sensitive data. Access should be provided on a need-to-know basis.
- Monitoring network traffic: Baselining normal outbound traffic and alerting on deviations in volume, destination, protocol, or timing helps organizations detect unauthorized transfers of data.
- Employing multi-factor authentication (MFA): MFA should be implemented to ensure that only authorized personnel can access sensitive data.
Moreover, organizations can enlist the help of cybersecurity experts to implement SIEM and UEBA solutions like ManageEngine Log360, which helps with these best practices and more.
Additionally, organizations can train their employees to identify and report suspicious activities and to follow security protocols strictly. Also, organizations should encrypt data both at rest and in transit to prevent any unauthorized access.
Data exfiltration in MITRE ATT&CK®
MITRE ATT&CK is a knowledge base of adversary tactics and techniques drawn from real-world observations, which organizations use to identify, detect, and respond to cyberattacks, including data exfiltration. By leveraging MITRE ATT&CK, organizations can understand how threat actors actually move data out and implement preventative and detective measures accordingly.
In the MITRE ATT&CK framework, Exfiltration (TA0010) is one of the tactics, that is, one of the adversary's objectives. The techniques listed under it include:
- Exfiltration over alternative protocol (T1048): Data is sent over a protocol different from the one used for the existing command and control channel, such as FTP, SMTP, or DNS, and often to a different destination. Because the data leaves on a protocol nobody is watching for it, the transfer is harder to detect.
- Exfiltration over C2 channel (T1041): Data is sent back over the same command and control (C2) channel that a backdoor or remote access tool already uses, so the exfiltration blends into the existing malicious traffic.
- Exfiltration over physical medium (T1052): Attackers use a physical medium such as an external hard drive, USB drive, or mobile phone to exfiltrate data.
- Data transfer size limits (T1030): Attackers exfiltrate data in fixed-size chunks, or keep packet sizes below a threshold, instead of sending whole files, to avoid triggering alerts on large transfers.
- Scheduled transfer (T1029): Attackers exfiltrate data at specific times or intervals so that their activity aligns with regular traffic and availability patterns.
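The network-based and alternative-protocol cases above are usually caught by looking for what encoded data does to a protocol rather than by inspecting payloads. The following added example (not code from the original page or from ManageEngine) scores DNS query logs for the signals that DNS tunnelling leaves behind: long subdomain labels, labels with near-random character distribution, and queries arriving at a steady cadence, which is what chunked, scheduled transfers (T1029, T1030) look like. The log format, the thresholds, and the domain names are assumptions for the example; the sample log is constructed, not real traffic.

```python
"""Heuristic detector for exfiltration over an alternative protocol, here DNS
(ATT&CK T1048), run over DNS query logs.

Each (client, registered domain) pair is scored on three signals that encoded
data in subdomain labels tends to show: long labels, high-entropy labels, and
queries arriving at a steady cadence (chunks being pushed out, cf. T1029 and
T1030) rather than the bursty pattern of a user browsing.
"""
import math
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (timestamp, client, query name); not real traffic.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 www.example.com
2024-05-01T09:00:01 10.0.0.5 cdn.example.com
2024-05-01T09:00:02 10.0.0.5 mail.example.com
2024-05-01T09:00:03 10.0.0.5 www.example.com
2024-05-01T09:05:00 10.0.0.9 a8f3c2e19bd04471e6c9.m7k2p0q1w8.evil-tunnel.net
2024-05-01T09:05:02 10.0.0.9 7b2d9e0f4a1c83d6b5e2.x1z9y4v2u7.evil-tunnel.net
2024-05-01T09:05:04 10.0.0.9 c4e1a9d7f02b63e85a1d.q8r3s6t0u2.evil-tunnel.net
2024-05-01T09:05:06 10.0.0.9 e0b5d3c8a7f14629d0c3.n5m1l7k3j9.evil-tunnel.net
2024-05-01T09:05:08 10.0.0.9 9d6f2a1e8c3b05d7f4a6.h2g8f4d0s6.evil-tunnel.net
2024-05-01T09:05:10 10.0.0.9 1f8e4c2a6d0b97e3c5f1.p0o4i8u2y6.evil-tunnel.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character; random-looking encodings score high, words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered domain, subdomain). Naive two-label split; a real
    deployment should use the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname = m.groups()
            records.append((datetime.fromisoformat(ts), client, qname.lower()))
    return records


def score_pairs(records, min_unique=3, len_threshold=20,
                entropy_threshold=3.5, max_jitter_ratio=0.25):
    """Flag (client, domain) pairs showing at least two of the three signals.
    Requiring two keeps a single regular-cadence signal (any polling client)
    from raising an alert on its own."""
    groups = defaultdict(list)
    for ts, client, qname in records:
        domain, sub = split_name(qname)
        groups[(client, domain)].append((ts, sub))
    findings = []
    for (client, domain), items in groups.items():
        subs = {sub for _, sub in items if sub}
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        times = sorted(ts for ts, _ in items)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
        jitter = math.sqrt(sum((g - mean_gap) ** 2 for g in gaps) / len(gaps)) if gaps else 0.0
        reasons = []
        if avg_len >= len_threshold:
            reasons.append("long subdomain labels")
        if avg_ent >= entropy_threshold:
            reasons.append("high-entropy labels")
        if mean_gap > 0 and jitter / mean_gap <= max_jitter_ratio:
            reasons.append("regular query cadence")
        if len(reasons) >= 2:
            findings.append({"client": client, "domain": domain,
                             "unique_subdomains": len(subs),
                             "avg_label_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2),
                             "mean_gap_s": mean_gap, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_pairs(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed log, the browsing client 10.0.0.5 is evaluated but only trips the cadence signal, so it is not reported; 10.0.0.9 trips all three for evil-tunnel.net. In production the thresholds should be set from a baseline of the organization's own resolver logs, and the per-domain query volume should be tracked over a longer window so that slow, scheduled transfers do not slip under a short one.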
In conclusion, data exfiltration is a significant threat to organizations, requiring a mindful, comprehensive approach to prevent and mitigate its impact. Organizations must prioritize the implementation of robust security solutions and employee training to safeguard against data exfiltration attacks. The use of frameworks such as MITRE ATT&CK can also help organizations stay ahead of the evolving threat landscape.
Group policy and group policy object (GPO)
Group policy enables the centralized management of computer and user accounts by IT administrators. A group policy is a group of settings that can be applied to multiple users and machines. A group policy object (GPO) is a compilation of policy settings, both computer-related and user-related, that define the behavior of computers and users respectively in an Active Directory environment.
Group policy modification for privilege escalation
Privilege escalation occurs when an adversary who already has a foothold obtains higher-level permissions by exploiting vulnerabilities, misconfigurations, or bugs. One common privilege escalation technique is group policy modification. MITRE ATT&CK categorizes it as the sub-technique Group Policy Modification (T1484.001) under Domain Policy Modification (T1484); it involves modifying GPOs to bypass discretionary access controls, for example to push code or configuration to every machine and user the GPO applies to. By default, all user accounts in a domain can read GPOs, but write permissions on a GPO can be delegated to specific users or groups. An adversary who compromises such an account, or who finds a GPO with overly permissive access control, can edit a policy that domain controllers then distribute to every linked computer and user.
An adversary can cause malicious attacks through modification of GPOs. Here are a few examples:
- Scheduled Task: A GPO can deploy a scheduled task that runs and repeats malicious code on every machine the policy applies to.
- Disable or Modify Tools: Policy settings can disable, remove, or reconfigure security tools so that malware and malicious activity go undetected.
- Ingress Tool Transfer: Policy can be used to pull tools from an external source onto domain hosts for later use.
- Service Execution: Policy can install or reconfigure a service so that the service control manager runs attacker-supplied commands.
A few examples of tools and adversary groups that have a history with GPO modifications are:
- Egregor: A ransomware operation that, in October 2020, breached the American bookseller Barnes & Noble and the video game developers Crytek and Ubisoft.
- Indrik Spider: An eCrime group operating since July 2014. It ran the Dridex banking Trojan in 2015 and 2016 and has since used the BitPaymer, WastedLocker, and Hades ransomware families.
Identification process for group policy modification
Group policy modifications can be detected from the directory service audit events recorded in the Security log of domain controllers, provided the Audit Directory Service Changes subcategory is enabled and the GPO objects carry a SACL that audits writes. Relevant events include:
- Event ID 5136: A directory service object was modified. One event is logged per changed attribute; for a GPO, look for the groupPolicyContainer object class and attributes such as versionNumber, gPCMachineExtensionNames, gPCUserExtensionNames, and nTSecurityDescriptor.
- Event ID 5137: A directory service object was created.
In general, a group policy modification is accompanied by other anomalies. When the modified GPO deploys a scheduled task, for instance, the task appears on the affected hosts (Event ID 4698, a scheduled task was created), and the account performing the change has a logon that was assigned special privileges (Event ID 4672). Correlating these events with the 5136 and 5137 records narrows the search to genuinely suspicious changes.
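The two event IDs above are only useful once the per-attribute 5136 records are reassembled into a single change and compared against who is supposed to edit policy. The following added example (not code from the original page or from ManageEngine Log360) shows that correlation over a constructed set of 5136/5137 records with the EventData field names those events use. The allowlist of approved GPO editors, the GPO distinguished names (except the well-known Default Domain Policy GUID), the five-minute grouping window, and the severity rules are assumptions for the example.

```python
"""Detection logic for Group Policy Modification (ATT&CK T1484.001) over
directory-service audit events.

Event ID 5136 (object modified) and 5137 (object created) are written to the
Security log of the domain controller that handled the LDAP write, and only
when the "Audit Directory Service Changes" subcategory is enabled and the GPO
objects carry a SACL. One GPO edit yields one 5136 record per changed
attribute, so this example groups them into a single change per (actor, GPO)
and alerts when the actor is not an approved editor or the GPO's security
descriptor was rewritten.
"""
from datetime import datetime, timedelta

# Accounts expected to edit GPOs (assumed allowlist for this example).
APPROVED_GPO_EDITORS = {"svc-gpo-deploy"}

# Attributes whose change means the policy content changed.
CONTENT_ATTRS = {"versionNumber", "gPCMachineExtensionNames",
                 "gPCUserExtensionNames", "gPCFileSysPath"}
ACL_ATTR = "nTSecurityDescriptor"  # rewritten when GPO permissions change

# Constructed DNs for this example; the second uses the well-known GUID of
# Default Domain Policy.
GPO_NEW = "CN={B7E3D1A0-5C2F-4E8A-9D41-0F6A2C8B3E17},CN=Policies,CN=System,DC=corp,DC=example"
GPO_DEFAULT = "CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=corp,DC=example"


def _ev(event_id, ts, **data):
    rec = {"EventID": event_id, "TimeCreated": datetime.fromisoformat(ts)}
    rec.update(data)
    return rec


# Constructed records mirroring the EventData fields of 5136/5137; not real
# logs. OperationType %%14674 is the "Value Added" operation.
SAMPLE_EVENTS = [
    _ev(5137, "2024-05-01T10:00:00", SubjectUserName="jdoe",
        ObjectDN=GPO_NEW, ObjectClass="groupPolicyContainer"),
    _ev(5136, "2024-05-01T10:00:04", SubjectUserName="jdoe", ObjectDN=GPO_NEW,
        ObjectClass="groupPolicyContainer", AttributeLDAPDisplayName="versionNumber",
        AttributeValue="1", OperationType="%%14674"),
    _ev(5136, "2024-05-01T10:00:04", SubjectUserName="jdoe", ObjectDN=GPO_NEW,
        ObjectClass="groupPolicyContainer",
        AttributeLDAPDisplayName="gPCMachineExtensionNames",
        AttributeValue="<cse-guid-list>", OperationType="%%14674"),
    _ev(5136, "2024-05-01T11:00:00", SubjectUserName="svc-gpo-deploy",
        ObjectDN=GPO_DEFAULT, ObjectClass="groupPolicyContainer",
        AttributeLDAPDisplayName="versionNumber", AttributeValue="42",
        OperationType="%%14674"),
    _ev(5136, "2024-05-01T12:00:00", SubjectUserName="svc-gpo-deploy",
        ObjectDN=GPO_DEFAULT, ObjectClass="groupPolicyContainer",
        AttributeLDAPDisplayName=ACL_ATTR, AttributeValue="<sddl>",
        OperationType="%%14674"),
    _ev(5136, "2024-05-01T12:05:00", SubjectUserName="jdoe",
        ObjectDN="CN=jdoe,OU=Staff,DC=corp,DC=example", ObjectClass="user",
        AttributeLDAPDisplayName="description", AttributeValue="x",
        OperationType="%%14674"),
]


def find_gpo_changes(events, window=timedelta(minutes=5),
                     approved=APPROVED_GPO_EDITORS):
    """Group 5136 records per (actor, GPO) within `window` and return alerts."""
    gpo_events = sorted(
        (e for e in events if e.get("ObjectClass") == "groupPolicyContainer"
         and ",CN=Policies,CN=System," in e.get("ObjectDN", "")),
        key=lambda e: e["TimeCreated"])
    created = {(e["SubjectUserName"], e["ObjectDN"])
               for e in gpo_events if e["EventID"] == 5137}
    groups, open_groups = [], {}
    for e in gpo_events:
        if e["EventID"] != 5136:
            continue
        key = (e["SubjectUserName"], e["ObjectDN"])
        g = open_groups.get(key)
        if g is None or e["TimeCreated"] - g["last"] > window:
            g = {"actor": key[0], "gpo": key[1], "first": e["TimeCreated"],
                 "last": e["TimeCreated"], "attributes": set(),
                 "created_by_actor": key in created}
            groups.append(g)
            open_groups[key] = g
        g["attributes"].add(e["AttributeLDAPDisplayName"])
        g["last"] = e["TimeCreated"]

    alerts = []
    for g in groups:
        reasons = []
        if g["actor"] not in approved:
            reasons.append("unapproved actor")
        if ACL_ATTR in g["attributes"]:
            reasons.append("GPO security descriptor rewritten")
        if not reasons:
            continue  # routine edit by an approved account
        high = ACL_ATTR in g["attributes"] or bool(g["attributes"] & CONTENT_ATTRS)
        alerts.append({**g, "reasons": reasons,
                       "severity": "high" if high else "medium"})
    return alerts


if __name__ == "__main__":
    for a in find_gpo_changes(SAMPLE_EVENTS):
        print(a["severity"], a["actor"], a["gpo"], sorted(a["attributes"]), a["reasons"])
```

On the constructed records this yields two alerts: jdoe creating a new GPO and immediately populating it, and the approved service account rewriting the ACL of Default Domain Policy, which is the change that would let a later, unapproved editor in. The routine versionNumber bump by the service account and the edit to a user object are ignored. A real SIEM rule would additionally resolve the GPO GUID to its display name and links, since the severity of a change depends on what the policy applies to.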
Prevention of a group policy modification
Group policy modification can be mitigated through auditing and user account management.
- Audit (ID M1047): Regularly auditing systems, software, and configurations, including the permissions on each GPO, identifies excessive rights before they are abused. Tools such as BloodHound map which principals can edit a GPO and which computers and users that GPO applies to, which makes such paths visible.
- User Account Management (ID M1018): Controlling the creation, modification, and permissions of user accounts so that only designated administrators can edit GPOs prevents adversaries from misusing GPOs to elevate privileges.