
Consider the scenario in which an attacker is able to exfiltrate sensitive data from a compromised system to an external network or the Internet, but has only limited ways to do so, because the outbound connection is configured not to allow connections on any TCP-based application-layer protocol. So the attacker decides to exfiltrate data via DNS, which is allowed by the configuration (yes, this is the mistake).

In my opinion, there are two ways to detect this kind of exfiltration:

  • Content-based: the content of transferred data must be inspected to find sensitive data or anything such as file signature, header or file properties.
  • Volume-based: the amount of data must be compared with a data usage baseline. If the current volume of data (in some amount of time) is larger than the data usage baseline, then w00t w00t!

These are my questions:

  • Is there any other effective solution to detect data exfiltration in the scenario like this?
  • For the volume-based detection, are there any recommendations on how to calculate the data usage baseline? Is the average data usage for a month good enough?
Pandora
  • *"exfiltrate data via not well-known network protocols"* - why are not well-known protocols allowed if the *"outbound connection is strictly configured"*. This sounds more like black-listing some protocols instead of only allowing explicitly white-listed data exchange. I would not call this a strict configuration. – Steffen Ullrich Nov 22 '17 at 14:38
  • @SteffenUllrich Thank you, I decided to replace *strictly* with *well* and specified which protocols are used. If the protocols are still not clear, think about network protocols that mostly work in the background, or protocols that most forensic analysts decide to *filter out* when analyzing. – Pandora Nov 22 '17 at 15:00
  • A good h4x0r will encrypt or obfuscate data before exfiltration. Re data usage, you'd want to look at volumes that were more than 1 standard deviation above the norm – Neil McGuigan Nov 22 '17 at 20:05
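A sketch of the two detection approaches from the question, as an added example that is not part of the original post: it runs over a constructed DNS query log, compares each client's query-name volume with a baseline of mean plus one standard deviation (as Neil McGuigan's comment suggests), and flags long, high-entropy first labels. The log entries, thresholds and baseline figures are constructed assumptions, not values from the page.

```python
import math
import statistics
from collections import defaultdict

# Constructed sample DNS query log (client, queried name); not from a real capture.
SAMPLE_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.example.net"),
    ("10.0.0.7", "www.example.com"),
    ("10.0.0.7", "a9f3c1e8b2d4f7a1c3e5b7d9f1a3c5e7.exfil.example.org"),
    ("10.0.0.7", "7d2e4f6a8c0b1d3f5a7c9e1b3d5f7a9c.exfil.example.org"),
    ("10.0.0.7", "c3b5d7f9a1e3c5b7d9f1a3e5c7b9d1f3.exfil.example.org"),
]

def label_entropy(label):
    """Shannon entropy (bits per char) of a DNS label; encoded chunks score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def volume_per_client(log):
    """Bytes of queried names per client: a crude proxy for data carried in DNS."""
    vol = defaultdict(int)
    for client, name in log:
        vol[client] += len(name)
    return dict(vol)

def flag_by_volume(current, baseline_samples, k=1.0):
    """Volume-based: flag clients whose volume exceeds mean + k*stddev of baseline."""
    mean = statistics.mean(baseline_samples)
    sd = statistics.pstdev(baseline_samples)
    return sorted(c for c, v in current.items() if v > mean + k * sd)

def flag_by_content(log, max_label_len=30, min_entropy=3.0):
    """Content-based: flag names whose first label is both long and high-entropy."""
    hits = []
    for client, name in log:
        first = name.split(".")[0]
        if len(first) > max_label_len and label_entropy(first) > min_entropy:
            hits.append((client, name))
    return hits
```

The baseline passed to `flag_by_volume` would in practice be the per-client volumes measured over earlier time windows, so that the threshold reflects each network's normal DNS usage rather than a fixed number.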

1 Answer

DNS and ICMP are not good examples, because in a well-configured network, network access is restricted by use of a proxy to thwart DNS and ICMP right from the start.

But there's HTTP(S) still available through the proxy.

Usually, websites are not whitelisted in a proxy, so this should work quite well.

As to the content inspection:

You cannot do that in general. Even if you have an HTTPS proxy that is doing a MITM, the request payload might still be encrypted within the HTTPS transport, which cannot be scanned for keywords.

Additionally, you may not be allowed to MITM for example banking sites for inspection due to normative regulations.

You can however try to find encrypted payload streams in HTTP(S) traffic and analyze them, in the meantime blacklisting the destination hosts.

While volume-based exfiltration detection seems like a good plan for DNS and ICMP, for HTTPS it is not, as there might be legitimate traffic exceeding your threshold, resulting in a large number of false positives and possibly business disruption.

A combined approach would maybe work, perhaps with a whitelist of domains that are safe to upload data to: if you find that a significant amount of data is sent through the proxy, you could blacklist the destination if it's not on the whitelist and analyze the traffic manually. If the exfiltrated data is small in size, you might still not catch it.

All in all: that’s the problem with covert exfiltration: it’s hidden well.

Tobi Nary
  • In fact, I think content inspection is possible and practical with the passive SSL/TLS inspection feature which is available on proxy-type devices or security gateways that try to inspect and protect users from malicious domains. I will update and specify more details about *well configuration*. It doesn't exactly answer my question but thank you! – Pandora Nov 22 '17 at 16:38
  • It does. Sure, HTTPS payload inspection is possible, but all you could get would be encrypted exfiltration content. Encryption of exfiltration data is en vogue, as we know at least from the Vault 7 documents. Also: how would passive TLS inspection work, exactly? There might be a Fields Medal in it for you if you figure that out. – Tobi Nary Nov 22 '17 at 19:37