Threats

Data theft can have a significant impact on an organization and many types of data may be targeted. The cost of a data breach continues to rise and large data breaches take the media spotlight as citizens are warned their personal data may be in the hands of cyber criminals.  Stolen data can be sold on the Dark Web, or used for secondary attacks to gain unauthorized access to sensitive resources when credentials are included in the stolen data.

In this article we will go through the typical stages attackers use for data theft and finally review some defensive tactics that are part of a comprehensive Data Loss Prevention (DLP) cybersecurity strategy. 

How Do Attackers Conduct Data Exfiltration?

After gaining initial access to a victim's network, threat actors apply a systematic approach to achieving their ultimate objectives: typically a double punch extortion strategy of ransomware and data theft. During this second stage of a cyber attack attackers typically seek to identify valuable data within the target environment and transfer this data out of the system [TA0010] using covert channels, encryption, protocol manipulation, or even novel side-channel exfiltration techniques.

Here’s a breakdown of how data exfiltration typically works:

• Identify: Attackers identify valuable data within the target system or remote systems that it has access to. This data may be stored in individual local files [T1005], application caches such as password managers [T1555.005] or OS-level password caches [T1555.004], browser caches such as session cookies [T1185] or passwords [T1555.003], messages from email applications [T1114], or in remote locations [T1039] such as network file-shares, or databases. The data may even be collected from real-time screenshots, video, audio, or logged keystrokes. In an attacker has access to network traffic, they can execute Adversary in the Middle (AitM) attacks to record network authentication attempts which they can try to decrypt offline using brute force or dictionary attacks.

• Extract: Once the data is identified, attackers find a way to transfer (load) it into the attacker controlled process where it can be further modified and sent out of the victim's network. InfoStealers are specialized strains of malware that automate the identification and extraction of sensitive information from the wide array of sources that can be found on a typical system. The data that attackers can access is limited to the execution permissions they have. With only user permissions, they can access the applications or remote services that the user has access to, but with root (aka administrator or system) level permissions, an attacker can access more data that is protected from the user, such as domain controller credentials. Another hurdle that attacker face at the extraction stage is encryption. Encrypted data is much more secure than plaintext data, although savvy hackers will try to find a way to circumvent encryption.

• Exfiltrate: At this final stage of data theft, attackers might modify the data to make it easier to exfiltrate or to hide their tracks. This transformation could involve encrypting the data, compressing it, or altering its format to avoid detection. Key methods used during malicious data exfiltration:

• Encryption and Steganography: Encrypted data can better avoid detection during transmission. Steganography techniques could also be used to hide data within seemingly innocuous files or communications.

• Covert Channels: Attackers might use covert channels such as DNS tunnels, ICMP tunnels, or other protocol smuggling techniques to bypass firewalls and sneak data out of a network. Sophisticated attackers may even use novel side-channel exfiltration techniques to transfer sensitive data out of an air-gapped device.

• Data Compression: Large amounts of data can be compressed before exfiltration to reduce the volume of data transferred and to evade detection.

• Protocol Manipulation: Attackers may abuse legitimate protocols such as public cloud OAuth applications or HTTP/HTTPS to transfer data, disguising exfiltration as normal web traffic

• File Splitting: Data can be split into smaller files or packets to evade detection systems that monitor for unusual data transfer sizes.

• USB drives: Attackers may also utilize physical devices such as USB drives or mobile devices as a physical means to exfiltrate data from compromised systems.

Furthermore, once the data is stolen, attackers can impose further damage on their victims by deploying ransomware to encrypt it or deleting it completely, forcing the victim to recover from backups or pay ransom.

Defending Against Data Exfiltration With Data Loss Prevention (DLP)

DLP activities include technologies, policies, and procedures and may be oriented to protect different types of data from organization to organization. In many cases, organizations have a formal responsibility implement compliant Data Loss Prevention (DLP) activities to reduce the risk of exposing sensitive data such as payment card data in the case of PCI-DSS, patient health information in the case of HIPAA, and customer's Peronsally Identifieable Infomration (PII) in the case of GDPR and other national and regional privacy laws such as Bill C-11 in Canada. 

The DLP security paradigm includes the mitigation of unintended or unauthorized destruction, loss, corruption, or exposure of sensitive information. It encompasses more than just data theft.  However, for the purpose of this article, we will only examine and review DLP techniques focused on detecting and preventing the exposure and theft of sensitive information.

Core Data Loss Prevention (DLP) Activities To Detect Data Exfiltration

Data exfiltration can be challenging to detect because attackers pull every trick in the book to hide the data within seemingly legitimate network traffic patterns and encrypt it so network monitoring tools cannot determine its contents. However, organizations can combat data theft through a set of security controls that include network monitoring, egress filtering, anomaly detection, endpoint security controls, and employee training to recognize phishing attacks and other entry points used by attackers.

In the context of DLP,  NIST 800-171 (a set of guidelines for protecting Controlled Unclassified Information in non-federal systems and organizations), emphazes a standardized approach for implementing security measures to prevent unauthorized access and dissemination of Controlled Unclassified Information (CUI). CUI refers to unclassified information that requires safeguarding or dissemination controls based on laws, regulations, or government policies. This type of information is sensitive but not classified, and it may include proprietary information, privacy information, or other types of sensitive data that require protection. This standardized approach includes a combination of administrative, technical and other types of security controls. 

Let's review the main DLP components for protecting organization's sensitive data.

Main Activities in a DLP Program

• Data Discovery and Classification: The foundation of any DLP program is the identification and classification of sensitive data. This involves discovering where sensitive data resides within the organization's systems, networks, and endpoints. Classification tags are assigned based on the sensitivity level of the data, which helps in applying appropriate protective measures. In addition to the data's context being classified, its location is also important for developing appropriate policies and technical controls to protect it.

• Policy Definition and Enforcement: DLP policies dictate how sensitive data should be handled, shared, and stored. These policies are typically based on regulatory requirements, industry standards, and organizational needs. Enforcement mechanisms ensure that data handling practices are compliant and therefore predictably effective at preventing unauthorized access and transmission. Here are just a couple core security controls aimed at preventing data theft.

  • Access Control: Ensuring that only authorized personnel have access to data. This includes applying the Principle of Least Privilege (POLP) to plan and implement strong access controls.  

  • Encryption: Just as attackers may use encryption to hide data as they exfiltrate it, defenders must also use encryption to protecting data from being readible by attackers in the case of unauthorized disclosure.

  • Restrict USB Drives: Implementing restrictions on USB drives thwarts the opportunity for insiders or others with physical access to systems containing sensitive data. Organizations can enforce policies that disable USB ports on sensitive systems, and endpoint security solutions can be used to monitor and control USB activity.

• Monitoring and Analysis: Continuous monitoring is essential for detecting anomalies or suspicious activities that could indicate a data breach. DLP solutions monitor data in motion, at rest, and in use, generating alerts or taking automated actions when policy violations are detected. Analysis of these incidents helps in understanding trends, refining policies, and improving overall security posture.

• Incident Response and Remediation: In the event of a policy violation or data breach, a well-defined incident response plan is crucial. This plan outlines the steps to contain the incident, investigate its scope and impact, mitigate any further risks, and remediate affected systems. Quick and effective response reduces the potential damage caused by data loss incidents.

• User Education and Awareness: Human error remains a significant factor in data breaches. Educating users about data security best practices, the importance of compliance with DLP policies, and the consequences of mishandling sensitive data is essential. Regular training sessions and awareness campaigns help foster a culture of security within the organization.

Conclusion

This article delves into the critical aspects of data exfiltration and core Data Loss Prevention (DLP) activities aimed at safeguarding sensitive information from cyber threats. First, we discussed how attackers conduct data exfiltration at each stage, including identification, extraction, and exfiltration of valuable data. Techniques such as encryption, covert channels, and protocol manipulation are detailed as common strategies employed by threat actors to evade detection and send stolen data to their own remote servers.

The article also outlines key DLP activities essential for detecting and preventing data theft, including data discovery and classification, policy definition and enforcement, access control, encryption, monitoring and analysis, incident response, and user education. These components collectively contribute to mitigating the chances of experiencing data breache and ensuring compliance with regulatory requirements by applying appropriate protections to sensitive data.