Data Exfiltration in Depth
Speakers
Brad Antoniewicz, Research and Development, Intel Security – Foundstone Professional Services (@brad_anton)
Ratinder Paul Singh Ahuja, Ph.D., CTO & VP, Network, Cloud & Content, Intel Security
Agenda
• Motivation
• Data Exfiltration in Depth
  – Threat Actors and Data Targets
  – Staging Infrastructure
  – Data Transports and Manipulations
• Protections
Breaches
[Chart: World's Biggest Data Breaches & Hacks]
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

A Continued Trend
[Chart: breaches per year, 2005 to 2014; y-axis 0 to 900]
http://www.idtheftcenter.org/images/breach/MultiYearStatistics.pdf
Data Exfiltration Primary Research
3,174 breaches across 522 respondents, roughly 6 incidents per respondent.

Required public disclosure: Yes 68%, No 32%.

Number of 'serious' breaches per respondent (bins 1, 2, 3, 4, 5-7, 8-10, 11-20, >20; bar values as extracted, in order: 22%, 23%, 12%, 9%, 16%, 3%, 7%, 7%).
The 'Grabbing' Part of 'Smash and Grab': Data Exfiltration
• Segmentation, controls, and network size complicate theft.
• Physical access and environmental knowledge aid success.
• Exfiltration is Step 7 of the Cyber Kill Chain: Actions on Objectives.
Primary Components of Data Exfiltration
• Threat Actors
• Data Targets
• Staging Infrastructure
• Data Manipulation
• Data Transports
• Dump Servers
Threat Actors: Motivation Determines Data Targets

                       Nation State            Organized Crime        Hacktivists
Motivation             Espionage, Influence    Financial              Reputational, Social
Example Data Targets   Trade Secrets           Credit Card/Banking    (none listed)
Who's Stealing the Data?
Actors involved in breaches: External 57%, Internal 43%.
External actors: Hackers 36%, Malware Authors 23%, Activists 15%, Organized Crime 14%, Nation-State 13%, Others 1%.

Getting the Goods: Data Targets
• File Shares and Similar Systems
• Email and Communications
• Database Systems
• Source Code Repositories
• Specialty Systems
Data Types: Customer/Employee PII Are Primary Targets
(two series, Traditional and Cloud, values paired in extraction order)

Data type                    Traditional   Cloud
Customer PII                 20%           22%
Employee PII                 18%           19%
PCI Information              14%           14%
Customer PHI                 13%           14%
Intellectual property        12%           11%
Other financial information  12%           11%
Employee PHI                 11%           10%
Others                        0%            1%
Data Transports: The Tubes Out of Your Network

Transport   Detail                               Network
HTTP/S      GET/POST/PUT methods                 External
FTP         Widely available                     Internal/External
USB         Storage-device-aware malware         Internal/External
DNS         TXT, A, CNAME records                External
Tor/I2P     Difficult to trace                   External
SMTP       Attachments and message body         External
SMB         Common on networks                   Internal
RDP         Supports file transfer, copy/paste   Internal/External
Custom      Potentially easy to detect           Internal/External
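The DNS row is the transport defenders most often miss, because the organisation's own recursive resolvers carry the attacker's traffic out and the data rides in the query name itself. The script below is an added example for this transcript, not code from the talk: it profiles a constructed resolver query log and flags client/domain pairs that show the shape of a DNS tunnel, namely many distinct subdomains under one registered domain, long high-entropy labels, and a skew toward TXT queries. The log format ("<client_ip> <qname> <qtype>"), the sample lines, the two-label registered-domain rule and the thresholds are all assumptions chosen for illustration.

```python
"""Heuristic detection of DNS-based exfiltration in a resolver query log.

Added example for this transcript, not code from the Intel Security talk.
The log format ("<client_ip> <qname> <qtype>"), the sample lines and the
thresholds are assumptions for illustration; real logs (BIND querylog,
Zeek dns.log, Windows DNS analytic log) need their own parser.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log: three ordinary lookups from 10.0.0.5, then a burst of
# long base32-looking TXT queries under one domain from 10.0.0.9.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.5 cdn.example.net A
10.0.0.9 nf7wg33snfuw4zlmmfbhi5djqkeifaq.tunnel.example.org TXT
10.0.0.9 mzxw6ytboi5dgnbnnzsxczlmn52gk3tfmnsgizldozwwo.tunnel.example.org TXT
10.0.0.9 krsxg5a5l5zxi4tfmfwsa5lonfxgoidrfkitg5ltorpw2zi.tunnel.example.org TXT
10.0.0.9 gezdgnbvgy3tqojqge2dknbvgy3tqojqgerdgmrthqzdkma.tunnel.example.org TXT
10.0.0.9 www.example.com A
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; 0 for an empty string, up to 5 for base32 text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str) -> tuple[str, str]:
    """Return (subdomain, registered_domain).

    Assumes the registered domain is the last two labels. Production code
    should use the Public Suffix List so that co.uk-style suffixes are not
    mistaken for registered domains.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text: str):
    """Yield (client, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2].upper()


def profile(text: str) -> dict:
    """Aggregate per (client, registered domain) the features that separate
    tunnelling from normal resolution: many distinct subdomains, long and
    high-entropy labels, and a skew towards record types with large payloads."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "label_chars": 0, "entropy_sum": 0.0, "txt": 0})
    for client, qname, qtype in parse_log(text):
        sub, reg = split_qname(qname)
        s = stats[(client, reg)]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["label_chars"] += len(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        s["txt"] += qtype == "TXT"
    return stats


def suspicious(text: str, min_unique: int = 3, min_len: float = 30.0,
               min_entropy: float = 3.0) -> list[dict]:
    """Return the (client, domain) pairs whose averaged features exceed all
    three thresholds, sorted for stable output."""
    hits = []
    for (client, reg), s in profile(text).items():
        n = s["queries"]
        mean_len = s["label_chars"] / n
        mean_ent = s["entropy_sum"] / n
        if (len(s["subdomains"]) >= min_unique and mean_len >= min_len
                and mean_ent >= min_entropy):
            hits.append({"client": client, "domain": reg, "queries": n,
                         "unique_subdomains": len(s["subdomains"]),
                         "mean_subdomain_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2),
                         "txt_fraction": round(s["txt"] / n, 2)})
    return sorted(hits, key=lambda h: (h["client"], h["domain"]))


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit)
```

Run as-is and the one flagged pair is 10.0.0.9 talking to example.org. The thresholds must be tuned against your own baseline: CDNs, anti-malware reputation lookups and some telemetry legitimately put hashes in labels and will need allow-listing, and an attacker who throttles to a few short A-record queries per hour will sit under any per-burst threshold, which is why the aggregation is per client and registered domain rather than per query.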
Formats and Channels

Exfiltration channels (values as extracted, paired in order): Email 14%, HTTP 12%, HTTPS 12%, Tunnelled 10%, FTP 9%, P2P 9%, SSH/VPN 9%, WMI 8%, Images/Video 8%, Control Packets 8%.

Formats of exfiltrated data: MS Office 25%, Plain text / CSV 21%, PDF 18%, Images and video 17%, XML 17%, Others 2%.
Data Manipulation: Preparing Data for Transport
(percentages as extracted, paired in order)
• Compression: faster transfer and obfuscation (32%)
• Chunking: harder to detect, some obfuscation (22%)
• Encryption: protects data types from being identified (15%)
• Obfuscation: obscures data on the wire (15%)
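Each of these four techniques is cheap for the attacker and defeats a different part of content inspection. The following is an added example for this transcript, not code from the talk: it runs a constructed card-number DLP rule (a 13-19 digit run that passes the Luhn check) over the same exported CSV at each stage. Compression removes the literal digits; chunking the plaintext into 16-byte pieces, each inspected alone, hides every card number except the one that happens to land entirely inside one piece; the keystream "encryption" pushes byte entropy up and strips the data type; base64 encoding finishes the job. The CSV rows, the key, the chunk sizes and the toy SHA-256/XOR keystream (deliberately not a real cipher, standing in for the AES or RC4 an attacker would use) are all assumptions, and the receiver-side reassemble() shows the chain is lossless.

```python
"""What the four 'data manipulation' stages do to a content-inspection check.

Added example for this transcript, not code from the Intel Security talk.
The CSV export, the DLP rule (digit run + Luhn) and the toy keystream cipher
are constructed for illustration. The XOR/SHA-256 keystream is NOT a secure
cipher; it stands in for the AES or RC4 an attacker would actually use, and
exists only so the example runs with the standard library.
"""
import base64
import hashlib
import math
import re
import zlib
from collections import Counter

# Constructed plaintext: an order export. 4111... and 5500... are the public
# Visa/Mastercard test numbers, not real accounts.
PLAINTEXT = b"\n".join(
    [b"customer_id,name,pan,exp"]
    + [b"1001,Alice Example,4111111111111111,12/27",
       b"1002,Bob Example,5500000000000004,06/26"] * 6
)
KEY = b"demo-key-not-secret"  # constructed; a real tool would negotiate one

# --- the control being evaded: a minimal card-number DLP rule -----------------
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check; filters random digit runs out of PAN hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(blob: bytes) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in one inspected message."""
    return [d for d in (re.sub(rb"[ -]", b"", m.group(0)).decode()
                        for m in PAN_RE.finditer(blob)) if luhn_ok(d)]


def entropy_bits_per_byte(blob: bytes) -> float:
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


# --- the four manipulations from the slide ------------------------------------
def compress(blob: bytes) -> bytes:
    return zlib.compress(blob, 9)


def keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256(key || counter). Not secure."""
    out = bytearray()
    for counter in range(-(-n // 32)):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
    return bytes(out[:n])


def xor_stream(blob: bytes, key: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(blob, keystream(key, len(blob))))


def chunk(blob: bytes, size: int) -> list[bytes]:
    return [blob[i:i + size] for i in range(0, len(blob), size)]


def encode(chunks: list[bytes]) -> list[bytes]:
    """Obfuscate each chunk as unpadded URL-safe base64, e.g. for a cookie value."""
    return [base64.urlsafe_b64encode(c).rstrip(b"=") for c in chunks]


def analyse(stage: str, pieces: list[bytes]) -> dict:
    """Inspect each piece on its own, as a per-message DLP engine would."""
    joined = b"".join(pieces)
    return {"stage": stage, "bytes": len(joined), "pieces": len(pieces),
            "entropy": round(entropy_bits_per_byte(joined), 2),
            "pans_found": sum(len(find_pans(p)) for p in pieces)}


def run(plaintext: bytes = PLAINTEXT, key: bytes = KEY) -> dict:
    compressed = compress(plaintext)
    encrypted = xor_stream(compressed, key)
    results = [
        analyse("plaintext", [plaintext]),
        analyse("compressed", [compressed]),
        analyse("chunked plaintext, 16-byte pieces", chunk(plaintext, 16)),
        analyse("compressed+encrypted", [encrypted]),
        analyse("compressed+encrypted+chunked+base64", encode(chunk(encrypted, 45))),
    ]
    return {r["stage"]: r for r in results}


def reassemble(encoded: list[bytes], key: bytes) -> bytes:
    """Receiver side of the full chain, proving the pipeline is lossless."""
    raw = b"".join(base64.urlsafe_b64decode(c + b"=" * (-len(c) % 4)) for c in encoded)
    return zlib.decompress(xor_stream(raw, key))


if __name__ == "__main__":
    for r in run().values():
        print(f'{r["stage"]:40} {r["bytes"]:5d} B  {r["pieces"]:3d} pieces  '
              f'entropy {r["entropy"]:.2f}  PANs found {r["pans_found"]}')
```

The entropy column is the practical counter-signal: a POST body or set of DNS labels whose bytes sit near 8 bits per byte is either legitimately compressed or encrypted, or it is exfiltration, and a DLP engine that only pattern-matches cannot tell which. That is why the protections later in the deck pair content inspection with flow-level features (destination, volume per host, payload entropy) rather than relying on signatures alone.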
Data Theft at Scale: Staging Infrastructure
[Diagram: User Segments, Databases, Business Systems and Specialty Networks inside the victim network, with data flowing across the Internet to Dump Servers]
Repurposing Your Systems: Staging Infrastructure
[Diagram: compromised internal hosts act as Aggregators that collect data and pass it to an Exfiltrator/Aggregator, which pushes it out to external Dump Servers]
Protection Strategies

Keys to Success
• Identify Data Sources
• Determine Data Flows
• Identify Regulatory Requirements
• Classify
• Assign Owners
• Protect
• Review Access
• Program Review

Data Protection Challenges
• Increasing requirements by privacy laws to show proof of regulatory compliance (PCI, HIPAA, ITAR, GLBA, etc.).
• Internal data sprawl making it difficult to protect against accidental and intentional data loss (intellectual property, source code, R&D, etc.).
• Existing broken business processes can't keep up with data proliferation, cloud, and mobile applications.
Sources of Data Loss
Data states: Data-in-Motion, Data-at-Rest, Data-in-Use.
Data loss vectors shown: Email, Web Post, Network Traffic, IM Chat, Desktop/Laptop, Database, Removable Devices, Cloud, Email/IM, File Share, Clipboard.
Process
[Diagram: DLP at the centre, surrounded by Classification, Policies, Discovery, Remediation, Awareness, Governance, Risk Assessment, Compliance]
Where to Start: Risk Assessment

Risk                                                              Rationale/Findings
Sarbanes-Oxley data                                               "Material information" is received encrypted. How is it protected from insiders?
Customer IP unencrypted                                           If contracts require encryption when IP is transmitted, this may cause breach of contract and revenue loss.
Internal system account password exposed                          System administrator used webmail to share credentials.
ABC Corp source code (IP) transmitted unencrypted                 Encrypted file transfers should be required in all situations to protect IP.
PCI violation: ABC Corp accepts CCN via email to process orders   PCI data must always be encrypted when transmitted or stored.
Possible violation of ABC Business Ethics and Conduct Policy      Discussions with competitors are regulated by policy.
Resources
• Data Exfiltration Research Report: www.mcafee.com/dataexfiltration
• August 2015 Threat Report: www.mcafee.com/August2015ThreatsReport
• Data Protection Web Page: www.mcafee.com/dataprotection
Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc.