Research and whitepapers published on data exfiltration by advanced attackers
Recent research carried out by global information security firm MWR InfoSecurity, supported by CPNI (Centre for the Protection of National Infrastructure), has revealed current and emerging techniques used by cyber criminals to steal sensitive information from companies. The papers also show what companies can do to protect themselves.
Amongst these techniques, researchers have found that it is possible to exfiltrate a large amount of information through a number of popular websites such as Facebook, Flickr, YouTube and LinkedIn.
Alex Fidgen, Director at MWR InfoSecurity, which is one of the small number of companies certified under the CESG/CPNI Cyber Incident Response Scheme, said: “There are two disturbing facts that every major organisation needs to accept. First, that it certainly possesses commercially sensitive information, such as intellectual property, intended acquisitions or resource development plans, which – if it fell into the wrong hands – could prove deeply damaging to the future of the enterprise. And secondly, that a sophisticated cyber attack targeting that data is almost certain to succeed.”
He added: “Modern organisations have networks that are complex and large. However, they often have few security controls in place, meaning that attackers encounter few barriers to stop them and are able to sidestep or compromise the few controls they do encounter. Once inside the network, attackers will move between computers, hunting the information they seek and then exfiltrating that data back to themselves.”
MWR works with companies that are under constant threat or have been compromised, and has both skilled (white hat) attackers and defenders with experience in understanding the methods and strategies of advanced attackers. The company identified a number of methods currently being used to steal sensitive data.
MWR researcher and lead author of the whitepapers Dr David Chismon said: “As there are few restrictions, attackers typically transfer files the same way any technical user would do. Many use the connections they have set up for command and control. HTTP and HTTPS (web traffic) are highly common and the File Transfer Protocol (FTP) is often used as well.
“Others use emails, employing simple techniques like setting up an email forwarding rule for the target so any email they receive is copied to the attacker. Others are increasingly using cloud storage such as Google Drive and Microsoft OneDrive. Interestingly, attackers have been seen deploying tools to use cloud storage, but not using them as there are other options available to them.”
He added: “If organisations block access to websites to prevent attackers, they can use popular websites that are likely to be permitted as vectors to exfiltrate data. In an experiment we carried out it was possible to exfiltrate 1TB of data via Flickr in 200MB chunks (see video). It was also possible to exfiltrate 20GB via YouTube in a single chunk, and smaller amounts via popular websites such as Facebook and Tumblr.
“Increasing use of mobile devices, remote working and VPNs (Virtual Private Networks) will present new opportunities for attackers, who are using more covert methods to exfiltrate the data, such as hiding it as other data types.”
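The Flickr experiment described above relies on the uploads looking like ordinary traffic to a permitted site, so a domain blocklist never fires. One defensive response is to watch the volume and rhythm of client-to-server traffic instead of the destination. The following detector is an added example written for this page, not MWR's tooling or anything from the whitepapers; the proxy log format, the sample log lines, and the thresholds (50 MB per chunk, three chunks per hour) are all constructed assumptions.

```python
"""Flag chunked bulk uploads to permitted web services in proxy logs.

Added example, not code from MWR or the whitepapers. It assumes a
simplified, constructed proxy log format with one request per line:

    <ISO 8601 time> <client ip> <method> <host> <bytes client->server> <status>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed sample log: 10.0.0.5 pushes six ~200 MB chunks to Flickr in
# under 40 minutes; 10.0.0.17 uploads one small photo; 10.0.0.9 uploads two
# large chunks hours apart (below the rate threshold).
SAMPLE_LOG = """\
2015-03-03T09:00:12Z 10.0.0.5 GET www.flickr.com 812 200
2015-03-03T09:01:40Z 10.0.0.5 POST up.flickr.com 209715200 200
2015-03-03T09:08:03Z 10.0.0.5 POST up.flickr.com 209715200 200
2015-03-03T09:15:22Z 10.0.0.5 POST up.flickr.com 209715200 200
2015-03-03T09:22:51Z 10.0.0.5 POST up.flickr.com 209715200 200
2015-03-03T09:30:09Z 10.0.0.5 POST up.flickr.com 209715200 200
2015-03-03T09:37:44Z 10.0.0.5 POST up.flickr.com 209715200 200
2015-03-03T09:05:00Z 10.0.0.17 POST up.flickr.com 2097152 200
2015-03-03T09:06:30Z 10.0.0.17 GET www.youtube.com 1024 200
2015-03-03T14:00:00Z 10.0.0.9 POST up.flickr.com 209715200 200
2015-03-03T16:30:00Z 10.0.0.9 POST up.flickr.com 209715200 200
"""

UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Parse one constructed log line into (time, client, method, host, bytes_out)."""
    ts, client, method, host, bytes_out, _status = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, client, method, host, int(bytes_out)


def detect_chunked_egress(log_text, window=timedelta(hours=1),
                          chunk_min=50 * MB, min_chunks=3):
    """Return one alert per (client, host) pair that sends at least
    min_chunks uploads of chunk_min bytes or more inside any sliding window.

    Each alert is (client, host, chunk_count, total_bytes) as seen at the
    moment the threshold was first crossed. Only client-to-server bytes on
    POST/PUT requests are counted, so a large download never trips it.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(deque)   # (client, host) -> deque of (time, bytes)
    alerted = set()
    alerts = []
    for when, client, method, host, bytes_out in events:
        if method not in UPLOAD_METHODS or bytes_out < chunk_min:
            continue
        key = (client, host)
        q = recent[key]
        q.append((when, bytes_out))
        # Evict chunks that have aged out of the sliding window.
        while q and when - q[0][0] > window:
            q.popleft()
        if len(q) >= min_chunks and key not in alerted:
            alerted.add(key)
            alerts.append((client, host, len(q), sum(b for _, b in q)))
    return alerts


if __name__ == "__main__":
    for client, host, n, total in detect_chunked_egress(SAMPLE_LOG):
        print(f"{client} -> {host}: {n} large uploads, {total // MB} MB in window")
```

Run against the sample log, the detector reports only 10.0.0.5, after its third 200 MB chunk to up.flickr.com. The single large upload from 10.0.0.17 and the two widely spaced chunks from 10.0.0.9 stay below the rate threshold, which is the trade-off: an attacker who drips data out slowly enough defeats any fixed window, so in practice the thresholds should be tuned from a baseline of the organisation's normal upload volumes per user and per site.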
MWR extrapolated business and technology trends, as well as techniques attackers are only beginning to use, and identified new methods that may be used to steal data in the future.
Dr Chismon said: “Attackers, who are often state sponsored, are already being seen using forensics tools and methods to both find information they otherwise wouldn’t and to better hide the data they are stealing. This is likely to become more common.”
“Cloud storage and email services are likely to be the predominant method in the future. Connections are encrypted and the services will be used normally by employees, making it hard for investigators to find the malicious connections and it obscures the final destination of the data.”
He added: “As more organisations use cloud services for business functions and remote work, attackers can compromise passwords for these services and get the data directly from there rather than needing to obtain it from the organisation’s network.”
Modern networks are becoming increasingly complex, meaning that there will always be routes that an attacker can take to access sensitive data. In the whitepapers, MWR details what organisations can do to better protect themselves.
Dr Chismon commented: “Sadly, there is no magic bullet that can prevent attackers from obtaining data. To stand the best chance of detecting and deterring advanced attackers, organisations need to force them through controlled routes. They then need to increase the number of actions attackers would have to take to access the data and finally, develop and hone their ability to detect suspicious actions or movements to effectively investigate alleged breaches.”
MWR InfoSecurity, supported by CPNI, has published a high-level animation and two whitepapers: one for senior executives, giving a high-level overview of the work, and the other a detailed guide for implementers. These are available here: