Links to all parts:
Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Getting Credential Access
Part 7. Discovery
Part 8. Lateral Movement
Part 9. Data Collection (Collection)

This section of ATT&CK Enterprise Tactics describes the data transmission techniques used by attackers and malware to extract, steal or leak target information from a compromised system.
The author is not responsible for the possible consequences of applying the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free retelling of MITRE ATT&CK content.

System: Windows, Linux, macOS
Description: The exfiltration of data containing confidential information can be performed using automated information processing tools and scripts after or during the collection of targeted information. In conjunction with exfiltration automation tools, exfiltration methods via the control channel (C2) or an alternative protocol can also be used to transmit data over the network.
Protection tips: Identify and block potentially dangerous and malicious software using application whitelisting tools such as AppLocker or Software Restriction Policies.
System: Windows, Linux, macOS
Description: In order to reduce the amount of data, an adversary can compress target data collected for exfiltration. Compression is performed outside the transmission channel using custom software, a compression algorithm, or a common library / utility, such as 7zip, RAR, ZIP, or zlib.
Protection recommendations: If an IPS or DLP blocks the transfer of files of a certain type, or files containing a certain header, over unencrypted communication channels, an attacker can switch to encrypting the exfiltration channel to bypass it. Compression software and the creation of compressed files can be detected in advance by monitoring processes and command line arguments associated with known data compression utilities, but this approach involves analyzing a large number of false positives.
System: Windows, Linux, macOS
Description: Before exfiltration, target data can be encrypted in order to hide the stolen information, escape detection, or make the process less noticeable. Encryption is performed using a utility, library, or custom algorithm and is performed outside the control channel (C2) and the file transfer protocol. Common archive formats with data encryption support are RAR and zip.
Security Tips: Running well-known file encryption software can be detected by monitoring processes and command line arguments, but this approach involves analyzing a large number of false positives. Processes that load the Windows crypt32.dll library can be used by an adversary to encrypt, decrypt, or verify file signatures. The transmission of encrypted data can be detected by analyzing the entropy of network traffic. If the channel itself is not encrypted, the transfer of files of known types can be detected by IDS or DLP systems that analyze file headers.
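An added example of the entropy check mentioned above (not code from the original article or from MITRE): it measures Shannon entropy in bits per byte over constructed samples of plaintext, zlib-compressed data and ciphertext-like noise; the 7.2 bits/byte threshold is an assumption to be tuned per environment, and compressed data scores high as well, so entropy alone cannot distinguish encryption from compression.

```python
import hashlib
import math
import zlib
from collections import Counter

# Bits per byte above which a payload is treated as encrypted or compressed (assumed; tune per environment).
HIGH_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_payload(data: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> str:
    """Label a payload 'high-entropy' (encrypted or compressed) or 'low-entropy' (likely plaintext)."""
    return "high-entropy" if shannon_entropy(data) >= threshold else "low-entropy"


def pseudo_random_bytes(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic stand-in for ciphertext: a chain of SHA-256 digests (constructed, not real encryption)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a plaintext document, its zlib-compressed form, and ciphertext-like noise.
WORDS = ["quarterly", "report", "revenue", "customer", "contract",
         "invoice", "forecast", "budget", "margin", "region"]
PLAINTEXT = " ".join(WORDS[b % len(WORDS)] for b in pseudo_random_bytes(600)).encode()
COMPRESSED = zlib.compress(PLAINTEXT, 9)
CIPHERTEXT_LIKE = pseudo_random_bytes(4096)


def entropy_report() -> dict:
    """Entropy and label for each sample; compressed data scores high too, so entropy alone
    cannot tell encryption from compression."""
    return {name: (round(shannon_entropy(d), 2), classify_payload(d))
            for name, d in [("plaintext", PLAINTEXT), ("compressed", COMPRESSED),
                            ("ciphertext", CIPHERTEXT_LIKE)]}


if __name__ == "__main__":
    for name, (bits, label) in entropy_report().items():
        print(f"{name:10s} {bits:5.2f} bits/byte  {label}")
```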
System: Windows, Linux, macOS
Description: To avoid triggering protections and alerts about exceeding the allowed threshold of data transmitted over the network, an attacker can split exfiltrated files into many fragments of the same size or keep the size of network packets below a threshold value.
Security Tips: IDS and DLP systems that use traffic signature analysis can detect and block only known command and control (C2) tools and malware, so the adversary is likely to change the tools used over time or adjust the data transfer protocol to avoid detection by known means of protection.
As a detection technique, we recommend analyzing network traffic for unusual data streams (for example, the client sends much more data than it receives from the server). A malicious process can maintain a connection for a long time by sequentially sending packets of a fixed size, or open a connection and transfer data at fixed intervals. Such activity from processes that do not normally use the network should be considered suspicious. A mismatch between the port used for data transmission and the port assigned to that network protocol by default may also indicate malicious activity.
System: Windows, Linux, macOS
Description: Data exfiltration is usually performed using an alternative protocol, one other than the protocol the adversary uses to establish the control channel (C2). Alternative protocols include FTP, SMTP, HTTP/S, DNS and other network protocols, as well as external web services such as cloud storage.
Security Tips: Follow the recommendations for configuring firewalls and restrict traffic entering and leaving the network to allowed ports only. For example, if you do not use the FTP service to send information outside the network, block the ports associated with the FTP protocol at the network perimeter. To reduce the opportunities for establishing a control channel and exfiltration, use proxy servers and dedicated servers for services such as DNS, and allow systems to communicate only through the appropriate ports and protocols.
To detect and prevent known methods of establishing a control channel and exfiltrating data, use IDS/IPS systems that perform traffic signature analysis. However, attackers are likely to change the control and exfiltration protocol over time so as to avoid detection by means of protection.
As a detection technique, we also recommend analyzing network traffic for unusual data streams (for example, the client sends significantly more data than it receives from the server). A mismatch between the port used and the port assigned to that network protocol by default may also indicate malicious activity.
System: Windows, Linux, macOS
Description: Data can be exfiltrated using the same protocol that an attacker uses as a control channel (C2).
Protection recommendations: Use IDS/IPS systems that perform signature-based traffic analysis to identify known means of establishing a control channel and exfiltration. Analyze traffic for unusual data streams (for example, the client sends significantly more data than it receives from the server). A mismatch between the port used and the port assigned to that network protocol by default may also indicate malicious activity.
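The traffic heuristics recommended for data transfer size limits, exfiltration over an alternative protocol and exfiltration over the C2 channel above (upload-heavy flows, fixed-size packets, fixed send intervals, and port/protocol mismatch) as an added example that is not part of the original article; the flow records are constructed, and the expected-protocol table, the 5x upload ratio and the 20-packet minimum are assumptions to tune per environment.

```python
import statistics
from dataclasses import dataclass, field

# Application protocol normally expected on a well-known port (assumed table; extend per environment).
EXPECTED_PROTO = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "tls"}
UPLOAD_RATIO = 5.0   # flag when the client sends more than 5x what it receives (assumed threshold)
MIN_PACKETS = 20     # packet-level checks need enough samples to be meaningful (assumed)


@dataclass
class Flow:
    """One client->server flow, e.g. from a flow collector; app_proto is the protocol identified in the payload."""
    src: str
    dst: str
    dport: int
    app_proto: str
    bytes_out: int
    bytes_in: int
    packet_sizes: list = field(default_factory=list)  # sizes of client->server packets
    timestamps: list = field(default_factory=list)    # send time of each packet, seconds


def flow_indicators(f: Flow) -> list[str]:
    """Return the names of the exfiltration heuristics the flow triggers (empty list = nothing unusual)."""
    hits = []
    if f.bytes_out / max(f.bytes_in, 1) > UPLOAD_RATIO:
        hits.append("upload-heavy")
    if len(f.packet_sizes) >= MIN_PACKETS and statistics.pstdev(f.packet_sizes) < 1.0:
        hits.append("fixed-size-packets")
    if len(f.timestamps) >= MIN_PACKETS:
        gaps = [b - a for a, b in zip(f.timestamps, f.timestamps[1:])]
        if statistics.pstdev(gaps) < 0.05 * statistics.mean(gaps):
            hits.append("regular-interval")
    expected = EXPECTED_PROTO.get(f.dport)
    if expected and f.app_proto != expected:
        hits.append(f"port-protocol-mismatch:{f.dport}/{f.app_proto}")
    return hits


# Constructed flows: ordinary browsing, a steady upload of fixed-size packets, and HTTP carried over port 53.
FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 443, "tls", 20_000, 900_000, [120, 517, 64, 1380, 72, 210], [0.0, 0.1, 0.3, 0.4, 1.2, 1.3]),
    Flow("10.0.0.5", "203.0.113.10", 443, "tls", 52_000_000, 4_096, [1400] * 40, [i * 2.0 for i in range(40)]),
    Flow("10.0.0.5", "203.0.113.20", 53, "http", 3_000, 2_000, [300, 512, 640], [0.0, 0.5, 0.9]),
]


def scan(flows: list[Flow]) -> dict:
    """Map 'src->dst' to triggered indicators, keeping only flows that triggered at least one."""
    return {f"{f.src}->{f.dst}": hits for f in flows if (hits := flow_indicators(f))}


if __name__ == "__main__":
    for key, hits in scan(FLOWS).items():
        print(key, ", ".join(hits))
```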
System: Windows, Linux, macOS
Description: Data exfiltration can take place over a network medium different from the one in which the control channel (C2) is established. If the control channel uses a wired Internet connection, exfiltration can occur over a wireless connection: WiFi, a cellular network, Bluetooth, or another radio channel. If such a medium is available and within range, the adversary will use it, since its traffic will not be routed through the compromised corporate network; the connection may be either protected or open.
Security Recommendations: Ensure that the security sensors on the hosts support auditing the use of all network adapters and, if possible, prevent the connection of new ones. Track and analyze changes in network adapter settings related to the addition or replication of network interfaces.
System: Windows, Linux, macOS
Description: Under certain circumstances, such as physical isolation of a compromised network, exfiltration may occur through physical media or a device connected by the user. Such media can be an external hard drive, USB drive, cell phone, mp3 player, or any other removable storage or information processing device. The physical medium or device can be used by the adversary as the final destination for exfiltration or as a jump point between isolated systems.
Security Tips: Disable autorun for removable storage devices. Prohibit or restrict the use of removable devices at the level of the organization's security policy if they are not required for business operations.
To detect exfiltration through physical media, it is recommended to monitor access to files on removable media and to audit processes that start when removable media are connected.
System: Windows, Linux, macOS
Description: Data can be exfiltrated only at certain times of the day or at regular intervals. Such scheduling is used to blend the exfiltrated data with normal traffic on the network. Scheduled exfiltration is combined with other exfiltration methods, such as exfiltration via the control channel (C2) or an alternative protocol.
Protection recommendations: Use IDS/IPS systems with traffic signature analysis. To detect malicious activity, it is recommended to monitor the file access patterns of processes, as well as processes and scripts that scan the file system and then send network traffic. Network connections to the same address occurring at the same time of day for several days should be considered suspicious.
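The last recommendation, connections to the same address at the same time of day on several days, as an added example that is not part of the original article: it groups a constructed connection log by source, destination and a 30-minute time-of-day window and reports pairs seen in the same window on at least three distinct days; the window width and day threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

MIN_DAYS = 3         # same time-of-day on at least this many distinct days (assumed threshold)
BUCKET_MINUTES = 30  # width of the time-of-day window that counts as "the same time" (assumed)

# Constructed connection log: timestamp, source host, destination, bytes sent by the client.
LOG_LINES = """\
2024-03-01T02:14:07 10.0.0.5 203.0.113.10 5242880
2024-03-01T09:31:44 10.0.0.5 198.51.100.7 1820
2024-03-02T02:15:12 10.0.0.5 203.0.113.10 5308416
2024-03-02T11:05:03 10.0.0.5 198.51.100.7 2310
2024-03-03T02:13:58 10.0.0.5 203.0.113.10 5177344
2024-03-03T16:42:30 10.0.0.5 198.51.100.7 1995
2024-03-04T02:16:21 10.0.0.5 203.0.113.10 5373952
2024-03-04T08:20:15 10.0.0.5 198.51.100.7 2408
"""


def parse_log(text: str) -> list[tuple]:
    """Parse the whitespace-separated log into (datetime, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_scheduled_transfers(records, min_days: int = MIN_DAYS, bucket: int = BUCKET_MINUTES) -> list[dict]:
    """Report (src, dst) pairs that connect in the same time-of-day window on at least min_days distinct days."""
    days_seen = defaultdict(set)   # (src, dst, window) -> dates on which it occurred
    bytes_sent = defaultdict(int)  # (src, dst, window) -> total client bytes
    for ts, src, dst, nbytes in records:
        key = (src, dst, (ts.hour * 60 + ts.minute) // bucket)
        days_seen[key].add(ts.date())
        bytes_sent[key] += nbytes
    alerts = []
    for (src, dst, window), dates in sorted(days_seen.items()):
        if len(dates) >= min_days:
            start = window * bucket
            alerts.append({"src": src, "dst": dst, "window": f"{start // 60:02d}:{start % 60:02d}",
                           "days": len(dates), "bytes": bytes_sent[(src, dst, window)]})
    return alerts


if __name__ == "__main__":
    for a in find_scheduled_transfers(parse_log(LOG_LINES)):
        print(f"{a['src']} -> {a['dst']} daily around {a['window']} ({a['days']} days, {a['bytes']} bytes)")
```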