This post is the third of a multi-part series called Advanced Methods to Detect Advanced Cyber Attacks. The series explores advanced investigative analytic searches that analyze network traffic and enable incident responders and security analysts to think and react as fast as the attackers targeting their organization’s network. In today’s installment we’ll cover data theft, or the successful “exfiltration” of valuable or sensitive information from a network.
Undetected exfiltration is a very common end goal for network attackers and was the unfortunate outcome of many high profile breaches in 2014 (Target, Home Depot, etc.). Attackers target companies and organizations that have credit card information, protected engineering designs, personnel records, and other valuable stores of data and intellectual property. This information can then be sold on the black market, given to competing or foreign engineering teams to accelerate research and development, and used for espionage and intelligence activities. So prevention and detection of data theft is a critical security need for commercial and government organizations alike.
Once attackers have successfully breached a network, data exfiltration can be difficult to prevent and detect because attackers use stealthy methods to get data back to their infrastructure. Attackers typically exfiltrate the data in batches across commonly used channels permitted by firewalls like unencrypted web (HTTP) and encrypted web (HTTPS). The data is usually compressed, encrypted, password protected, and then uploaded from within the victim network to an external drop server. The attackers can later access the drop server via an anonymized and protected connection to retrieve the stolen data.
Attackers prefer to use common traffic channels so that they can hide within the noise of the network — their uploads will not stick out as abnormal because web traffic is permitted and consists of a lot of data transfer activity. If this is the case then, how does one go about detecting data exfiltration when it does take place?
By applying big data analytics principles to network traffic, an advanced proactive network security system can spot potential exfiltration attempts. In Novetta Cyber Analytics, the “HTTP(S) Exfiltration Analytic” looks for traffic where the following conditions are met:
- The service used between the client and server is HTTP or TLS
- The transport protocol used between the client and server is TCP
- The duration of the session is greater than 3 seconds
- The total amount of traffic exchanged is greater than 1MB
- The ratio of bytes sent to the server versus bytes received from it reaches 5:1 (configurable), with the larger share flowing to the server
These conditions reveal unencrypted and encrypted web sessions in which the client uploads a non-trivial amount of data to the server. Since in normal web browsing the server usually sends far more data to the client than it receives, the sessions that match are candidates for data exfiltration.
Although detection of this activity means that some damage has been done, it is still beneficial to detect exfiltration as early as possible. Attackers have been known to steal large volumes of data from enterprises over periods of weeks or months, so early detection can dramatically reduce both the attacker’s dwell time and the amount of damage that can be inflicted.
False positives for this analytic search are possible since legitimate users upload files to web servers as well. Through careful filtering and tuning, however, legitimate traffic can be set aside so that the malicious transfers rise to the top more quickly.
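As an added illustration of the conditions listed above and of the tuning described here (this is example code, not Novetta's analytic), the following applies the five thresholds to flow-record summaries and lets an allowlist of known legitimate upload destinations be set aside; the `Flow` record layout, the threshold defaults and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    """One session summary as a flow collector might export it (constructed layout)."""
    client: str
    server: str
    service: str            # application-layer label, e.g. "HTTP", "TLS", "DNS"
    protocol: str           # transport protocol, e.g. "TCP", "UDP"
    duration_s: float       # session length in seconds
    bytes_to_server: int    # client -> server
    bytes_from_server: int  # server -> client

def is_exfil_candidate(f, min_duration_s=3.0, min_total_bytes=1_000_000, upload_ratio=5.0):
    """Return True when a flow meets all HTTP(S) exfiltration conditions."""
    if f.service not in ("HTTP", "TLS") or f.protocol != "TCP":
        return False
    if f.duration_s <= min_duration_s:
        return False
    if f.bytes_to_server + f.bytes_from_server <= min_total_bytes:
        return False
    # Ratio "in favor of the server": bytes uploaded to it vs. bytes it sent back.
    # An upload-only session has no download bytes, so treat it as exceeding any ratio.
    if f.bytes_from_server == 0:
        return f.bytes_to_server > 0
    return f.bytes_to_server / f.bytes_from_server >= upload_ratio

def find_exfil_candidates(flows, allowlist=(), **thresholds):
    """Filter flows to candidates, dropping known legitimate upload servers (tuning step)."""
    return [f for f in flows
            if f.server not in allowlist and is_exfil_candidate(f, **thresholds)]

# Constructed sample flows (documentation address ranges), one per decision branch.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", "TLS", "TCP", 42.0, 12_500_000, 310_000),   # large upload
    Flow("10.0.0.7", "198.51.100.20", "HTTP", "TCP", 15.0, 80_000, 9_400_000),  # normal download
    Flow("10.0.0.9", "203.0.113.10", "TLS", "TCP", 1.2, 2_000_000, 50_000),     # under 3 s
    Flow("10.0.0.11", "192.0.2.30", "DNS", "UDP", 10.0, 5_000_000, 1_000),      # not HTTP/TLS over TCP
    Flow("10.0.0.13", "198.51.100.40", "HTTP", "TCP", 30.0, 600_000, 100_000),  # under 1 MB total
    Flow("10.0.0.15", "203.0.113.50", "TLS", "TCP", 8.0, 3_000_000, 1_000_000), # ratio only 3:1
]

if __name__ == "__main__":
    for c in find_exfil_candidates(SAMPLE_FLOWS):
        print(f"candidate: {c.client} -> {c.server} ({c.bytes_to_server} bytes uploaded)")
```

Lowering `upload_ratio` widens the net (the 3:1 flow then matches), while adding a server to `allowlist` removes a known-good upload destination from the results; both are the knobs a tuning pass would turn.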
Stay tuned for more powerful searches that can reveal malicious behavior as we move through this entire advanced analytics series.
Read the next post in this series: Port Scanners.