Data Exfiltration in Depth

Transcript of Data Exfiltration in Depth

Speakers

Brad Antoniewicz, Research and Development, Intel Security – Foundstone Professional Services (@brad_anton)

Ratinder Paul Singh Ahuja, Ph.D., CTO & VP, Network, Cloud & Content, Intel Security

Agenda

• Motivation
• Data Exfiltration in Depth
  – Threat Actors and Data Targets
  – Staging Infrastructure
  – Data Transports and Manipulations
• Protections

The Digital Explosion

Breaches (visualization): http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

A Continued Trend

(Chart: breaches per year, 2005 to 2014; y-axis 0 to 900)
Source: http://www.idtheftcenter.org/images/breach/MultiYearStatistics.pdf

Data Exfiltration Primary Research

3,174 breaches across 522 respondents (~6 incidents per respondent)

Required public disclosure: Yes 68%, No 32%

Number of 'serious' breaches per respondent:
1: 22% | 2: 23% | 3: 12% | 4: 9% | 5-7: 16% | 8-10: 3% | 11-20: 7% | >20: 7%

The 'Grabbing' Part of 'Smash and Grab': Data Exfiltration

Cyber Kill Chain, Step 7: Actions on Objectives

Segmentation, controls, and network size complicate theft.

Physical access and environmental knowledge aid success.

Primary Components of Data Exfiltration

• Threat Actors
• Data Targets
• Staging Infrastructure
• Data Manipulation
• Data Transports
• Dump Servers

Threat Actors: Motivation Determines Data Targets

Actor             Motivation                         Example Data Targets
Nation State      Espionage                          Trade Secrets
Organized Crime   Financial                          Credit Card/Banking
Hacktivists       Influence, Reputational, Social    Email

Who's Stealing the Data? Internal and External Actors

Actors involved in breaches: External 57%, Internal 43%

External actors:
• Hackers 36%
• Malware Authors 23%
• Organized Crime 14%
• Activists 15%
• Nation-State 13%
• Others 1%

Getting the Goods: Data Targets

• File Shares and Similar Systems
• Email and Communications
• Database Systems
• Source Code Repositories
• Specialty Systems

Data Types: Customer/Employee PII are Primary Targets

Data type                     Traditional   Cloud
Customer PII                  20%           22%
Employee PII                  18%           19%
PCI Information               14%           14%
Customer PHI                  13%           14%
Intellectual property         12%           11%
Other financial information   12%           11%
Employee PHI                  11%           10%
Others                        0%            1%

Data Transports: The Tubes Out of Your Network

Transport   Detail                                 Network
HTTP/S      GET/POST/PUT methods                   External
FTP         Widely available                       Internal/External
USB         Storage-device-aware malware           Internal/External
DNS         TXT, A, CNAME records                  External
Tor/I2P     Difficult to trace                     External
SMTP        Attachments and message body           External
SMB         Common on networks                     Internal
RDP         Supports file transfer, copy/paste     Internal/External
Custom      Potentially easy to detect             Internal/External

Formats and Channels

Channels used for exfiltration:
Email 14% | HTTP 12% | HTTPS 12% | Tunnelled 10% | FTP 9% | P2P 9% | SSH/VPN 9% | WMI 8% | Images/Video 8% | Control Packets 8%

File formats exfiltrated:
MS Office 25% | Plain text / CSV 21% | PDF 18% | Images and video 17% | XML 17% | Others 2%

Data Manipulation: Preparing Data for Transport

Technique     Purpose                                                        Observed share
Compression   Faster transfer and some obfuscation                           32%
Chunking      Harder to detect, some obfuscation                             22%
Encryption    Prevents content inspection from identifying the data type     15%
Obfuscation   Obscures data on the wire                                      15%

Data Theft at Scale: Staging Infrastructure

(Diagram: Internet; User Segments; Databases; Business Systems; Specialty Networks; Dump Servers)

Repurposing Your Systems: Staging Infrastructure

(Diagram: internal systems repurposed as Aggregators feeding an Exfiltrator/Aggregator, which sends to external Dump Servers)

Protection Strategies

Keys to Success
• Identify Data Sources
• Determine Data Flows
• Identify Regulatory Requirements
• Classify
• Assign Owners
• Protect
• Review Access
• Program Review

Data Protection Challenges
• Increasing requirements by privacy laws to show proof of regulatory compliance (PCI, HIPAA, ITAR, GLBA, etc.).
• Internal data sprawl making it difficult to protect against accidental and intentional data loss (intellectual property, source code, R&D, etc.).
• Existing broken business processes can't keep up with data proliferation, cloud, and mobile applications.

Process

• DLP
• Classification
• Policies
• Discovery
• Remediation
• Awareness
• Governance
• Risk Assessment
• Compliance

Comprehensive Data Protection

(Diagram of product components: ePO, Device Control, Encryption, Email Gateway, SIEM, Mobile, DLP, Web Gateway)

Where to Start: Risk Assessment

(Columns on the slide: Demographics, Risk, Rationale/Findings; the Demographics column is empty in this transcript.)

Risk                                                               Rationale/Findings
Sarbanes-Oxley data                                                "Material Information" is received encrypted. How is it protected from insiders?
Customer IP unencrypted                                            If contracts require encryption when IP is transmitted, this may cause breach of contract and revenue loss.
Internal system account password exposed                           System administrator used webmail to share credentials.
ABC Corp source code (IP) transmitted unencrypted                  Encrypted file transfers should be required in all situations to protect IP.
PCI violation: ABC Corp accepts CCN via email to process orders    PCI data must always be encrypted when transmitted or stored.
Possible violation of ABC Business Ethics and Conduct Policy       Discussions with competitors are regulated by policy.
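The "CCN via email" finding above is the kind of thing the DLP and Classification steps in the Process list are meant to catch at the email gateway. The following is an added example, not code from the deck or from any Intel Security product: a minimal DLP content check that finds candidate card numbers in a message body, validates them with the Luhn check so that order numbers and phone numbers are not flagged, and returns a redacted finding plus a policy verdict. The internal domain `abc-corp.example` and the sample messages are constructed for the demo.

```python
"""Added example (not from the McAfee deck): a minimal DLP check for primary
account numbers (PANs) in outbound email, with Luhn validation to cut false
positives. The domain 'abc-corp.example' and all messages are constructed."""
import re
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes; the
# lookarounds stop the match from starting or ending inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid candidate PANs (digits only) found in text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # reject all-same-digit runs such as 0000000000000000, which pass Luhn
        if 13 <= len(digits) <= 19 and luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(digits)
    return hits


def redact(pan: str) -> str:
    """Keep only the last four digits in the finding, as PCI requires."""
    return "*" * (len(pan) - 4) + pan[-4:]


def classify_email(sender: str, recipient: str, body: str,
                   internal_domain: str = "abc-corp.example") -> Tuple[str, List[str]]:
    """Policy decision for one message:
    BLOCK  - PAN present and the recipient is outside the organisation
    FLAG   - PAN present but the message stays internal (still a PCI issue)
    ALLOW  - no PAN found"""
    pans = [redact(p) for p in find_pans(body)]
    if not pans:
        return "ALLOW", []
    external = not recipient.lower().endswith("@" + internal_domain)
    return ("BLOCK" if external else "FLAG"), pans


# --- constructed demo messages ---
SAMPLES = [
    ("orders@abc-corp.example", "buyer@gmail.example",
     "Thanks, please charge card 4111 1111 1111 1111 exp 12/19."),
    ("ops@abc-corp.example", "finance@abc-corp.example",
     "Customer paid with 5500-0000-0000-0004, please reconcile."),
    ("ops@abc-corp.example", "vendor@partner.example",
     "Order 1234567890123456 ships today, call +1 415 555 0100 with questions."),
]

if __name__ == "__main__":
    for sender, rcpt, body in SAMPLES:
        print(rcpt, classify_email(sender, rcpt, body))
```

Two caveats a deployment would need beyond this sketch: the regex takes the whole digit run as one candidate, so a valid PAN glued to extra digits is missed, and a message body should be scanned after MIME decoding and attachment extraction, since the formats chart shows MS Office and PDF, not plain text, as the most common exfiltrated formats.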

Resources

• Data Exfiltration Research Report: www.mcafee.com/dataexfiltration
• August 2015 Threat Report: www.mcafee.com/August2015ThreatsReport
• Data Protection Web Page: www.mcafee.com/dataprotection

Intel and the Intel and McAfee logos are trademarks of Intel Corporation or McAfee, Inc. in the US and/or other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc.