ATT&CK Series: Exfiltration

Many security professionals from all sectors have had the misfortune of experiencing an exposure of sensitive information. In some instances, the breach was so severe that it had to be publicly disclosed to warn individuals that private information may be at risk. This type of data breach occurs when cybercriminals slip through defenses, gain control of the network and ultimately escape with the treasured “crown jewels,” such as:


  • Customer Data
  • Financial Data
  • Employee Personal Identifying Information (PII)
  • Strategy Documents
  • Intellectual Property
  • Other Sensitive/Confidential Data (which may affect the company brand or reputation)


In this post, we will address some of the MITRE ATT&CK Exfiltration techniques, from an attacker’s point of view, that could be used to extract the above data types. The methods described are not the full set of techniques available to an attacker or malicious user, but those commonly used today to exfiltrate critical and sensitive data.




T1002 – Data Compressed



Data compression is the process of reducing the amount of data needed for the storage or transmission of a given piece of information, typically via encoding techniques. For an attacker, this process reduces the size of data frames transmitted over a network link, thus reducing the time and amount of network traffic required to send the sensitive documents to an attacker-owned host.


Compression is typically carried out separately from, and before, the exfiltration itself. In general, the data is compressed while on disk and later moved outside of the victim’s network. An attacker could use one of many compression technologies, such as a custom implementation or algorithm, or common compression libraries or utilities such as 7zip, RAR, ZIP, or zlib. In addition, the adversary could password-protect the archives before exfiltration to further shield their contents from detection during any content inspection.



The compression process itself does not necessarily carry any significant risk to the data. This assumes the use of lossless compression algorithms, which are required wherever even a small amount of data loss is not tolerated. (In contrast, lossy compression is specifically used for video and audio, where a small amount of data loss is tolerable and does not affect the user.) The former encodes repetitive data so that the original can be reconstructed exactly; the latter discards data it deems unnecessary and cannot restore it.


Finally, a consideration is how CPU- and memory-intensive a particular algorithm is, and how it may affect other legitimate tasks on the system while the compression process is executing.



There are several ways to mitigate data compression once an attacker already has access to the data. One of the most common is to identify unnecessary operating system utilities and third-party tools that may be used to compress files, and either audit them for abnormal behavior or block them with application whitelisting tools such as AppLocker or Software Restriction Policies where possible.


Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring, including monitoring of command-line arguments for known compression utilities. This may yield a significant number of benign events, depending on how systems in the environment are typically used.


Note that while host- and network-based intrusion prevention systems, as well as data loss prevention tools, can detect and block certain file types when they traverse the network unencrypted, this should by no means be the only approach, since the attacker may simply switch to an encrypted channel.


T1022 – Data Encrypted



Encryption can be simply defined as the process by which one or more files, or data in general, are protected by an algorithm that scrambles their contents so that they cannot be read without a key. If anyone other than the intended recipient intercepts encrypted data, it appears as a group of illegible characters, since the unique key is required to decrypt it back to the original format.


Data Encryption is very closely related to data compression, as an attacker may choose to compress and encrypt the data to further hide exfiltrated information or to make the process less conspicuous upon inspection by a defender.


Like compression, encryption is also performed by a utility, programming library or custom algorithm on the data itself, and is considered separate from any encryption performed by the command and control or file transfer protocol the attacker may use. The best-known file archive formats that can encrypt files are RAR and ZIP, whose utilities are commonly installed on enterprise systems by default.



Similar to the compression process, encryption itself does not necessarily carry any significant risk, except for the consideration of how CPU- and memory-intensive a particular algorithm is and how it may affect other legitimate tasks on the system while the encryption process is executing. The encrypted data could potentially leave the network unnoticed if network traffic is not adequately analyzed for entropy to determine whether encrypted data is being transmitted. This could lead to the false assumption that no data has ever left the organization. But even network traffic analysis poses a challenge, because legitimate traffic traversing the same network is often encrypted as well.



Similar to the mitigation strategies for data compression, encryption mitigation techniques also rely on the identification of unnecessary operating system utilities and third-party tools that may be used to encrypt. Whitelisting tools could be used to audit and block them.


Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring, including monitoring of command-line arguments for known encryption utilities. Furthermore, on Windows systems particular attention should be paid to processes that load the Windows DLL crypt32.dll. This Windows library may be used to perform encryption, decryption or verification of file signatures.
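The process-monitoring approach described above for both compression utilities (under T1002) and encryption utilities (under T1022), together with the crypt32.dll image-load check, can be expressed as a small rule set run over endpoint telemetry. The following Python is an added example for this post, not code from Optiv or from any vendor: the archiver names and password switches, the crypt32.dll baseline, the simplified Sysmon-style event field names and the sample events are all constructed assumptions, and crypt32.dll is loaded by so many legitimate Windows processes that a learned baseline is the only way to make that rule usable.

```python
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule image detail")

# Archivers named on the page (7-Zip, RAR, ZIP), keyed by image basename.
# Value: (tokens that mean "create an archive"; None means any invocation
# creates one) and a regex for the switch that sets a password.
# These patterns are assumptions written for this example, not a vendor
# signature set; extend them to the utilities actually seen in your estate.
ARCHIVERS = {
    "7z.exe":     ({"a"}, re.compile(r"^(-p\S*|-mhe=on)$", re.I)),
    "7za.exe":    ({"a"}, re.compile(r"^(-p\S*|-mhe=on)$", re.I)),
    "rar.exe":    ({"a"}, re.compile(r"^-(p|hp)\S*$", re.I)),
    "winrar.exe": ({"a"}, re.compile(r"^-(p|hp)\S*$", re.I)),
    "zip.exe":    (None,  re.compile(r"^-(e|P)$", re.I)),
}

# Constructed baseline of images that routinely load crypt32.dll on this
# host type; in practice build it from a learning period.
CRYPT32_BASELINE = {"svchost.exe", "lsass.exe", "explorer.exe",
                    "chrome.exe", "outlook.exe", "powershell.exe"}


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Flag archiver runs that create an archive (T1002); a separate rule
    fires when a password switch is present (T1002 combined with T1022)."""
    name = basename(ev["image"])
    if name not in ARCHIVERS:
        return None
    create_tokens, password_re = ARCHIVERS[name]
    args = ev["command_line"].split()[1:]          # drop the image token
    if create_tokens is not None and not (args and args[0].lower() in create_tokens):
        return None                                 # e.g. "7z x ...": extraction, not creation
    if any(password_re.match(a) for a in args):
        return Alert("archive-with-password", ev["image"], ev["command_line"])
    return Alert("archive-created", ev["image"], ev["command_line"])


def check_image_load(ev):
    """Flag crypt32.dll loads by images outside the learned baseline."""
    if basename(ev["image_loaded"]) != "crypt32.dll":
        return None
    if basename(ev["image"]) in CRYPT32_BASELINE:
        return None
    return Alert("crypt32-nonbaseline", ev["image"], ev["image_loaded"])


HANDLERS = {"process_create": check_process_create, "image_load": check_image_load}


def analyze(events):
    """Run every event through the handler for its type; return the alerts raised."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev["event"])
        alert = handler(ev) if handler else None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry shaped like Sysmon process-create and
# image-load events (field names simplified for this example).
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r'7z.exe a -pHunter2 -mhe=on C:\Users\jdoe\AppData\Local\Temp\q3.7z "C:\Finance\Q3 forecasts"'},
    {"event": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
    {"event": "process_create", "image": r"C:\Program Files\WinRAR\Rar.exe",
     "command_line": r"Rar.exe a -r C:\Users\jdoe\out.rar C:\HR\*"},
    {"event": "image_load", "image": r"C:\Users\jdoe\AppData\Roaming\update.exe",
     "image_loaded": r"C:\Windows\System32\crypt32.dll"},
    {"event": "image_load", "image": r"C:\Windows\System32\svchost.exe",
     "image_loaded": r"C:\Windows\System32\crypt32.dll"},
    {"event": "process_create", "image": r"C:\Program Files\7-Zip\7z.exe",
     "command_line": r"7z.exe x C:\Users\jdoe\Downloads\tools.7z"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the rule set raises three alerts: the password-protected 7-Zip archive, the plain RAR archive of a sensitive directory, and the crypt32.dll load by an unknown executable in a user profile. The extraction and the svchost.exe load stay silent, which is the point of requiring the create token and the baseline rather than alerting on every archiver or every crypt32.dll load.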


Network monitoring appliances may also analyze network traffic for entropy and thus determine if encrypted data is moving through the network. If information is traversing the network in an unencrypted fashion, known encrypted file types can be detected by analyzing the file headers. However, defenders should not rely solely on this approach since the attacker could easily use an encrypted channel for the exfiltration efforts. Nevertheless, this remains an option that could be used in conjunction with other mitigation techniques in a defense-in-depth approach.
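Both detection angles in the paragraph above, entropy analysis of a payload and recognition of known archive headers, are simple to prototype. The Python below is an added example, not code from the original post: the entropy threshold is an assumption, the sample blobs are constructed, and the only format whose encryption flag it actually parses is ZIP (the general-purpose bit flag at offset 6 of a local file header, bit 0); RAR, 7-Zip and gzip are recognised by their public magic numbers only.

```python
import math
import random
import struct
from collections import Counter

# Public file signatures of archive formats named on the page (RAR, 7-Zip,
# ZIP) plus gzip. ZIP is handled separately because its header carries an
# encryption flag we can read.
MAGIC = [
    (b"Rar!\x1a\x07\x01\x00", "rar"),   # RAR 5.x
    (b"Rar!\x1a\x07\x00", "rar"),       # RAR 1.5 - 4.x
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
]
HIGH_ENTROPY = 7.5   # bits per byte; threshold is an assumption for this example


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued
    input, exactly 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zip_encrypted(data):
    """None if not a ZIP local file header; otherwise True when the
    general-purpose bit flag (2 bytes at offset 6) has bit 0 set."""
    if len(data) < 8 or not data.startswith(b"PK\x03\x04"):
        return None
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def classify(blob):
    """Label a captured payload or file: header-based where possible,
    otherwise by entropy."""
    entropy = shannon_entropy(blob)
    enc = zip_encrypted(blob)
    if enc is not None:
        return {"kind": "zip-encrypted" if enc else "zip", "entropy": entropy}
    for magic, kind in MAGIC:
        if blob.startswith(magic):
            return {"kind": kind, "entropy": entropy}
    kind = "high-entropy" if entropy >= HIGH_ENTROPY else "plaintext"
    return {"kind": kind, "entropy": entropy}


def make_zip_header(flags, name=b"notes.txt"):
    """Constructed 30-byte ZIP local file header followed by the entry name:
    signature, version, flags, method, time, date, crc, sizes, name/extra lengths."""
    return (b"PK\x03\x04"
            + struct.pack("<HHHHHIIIHH", 20, flags, 8, 0, 0, 0, 16, 16, len(name), 0)
            + name)


def _pseudo_random_bytes(n, seed):
    """Deterministic stand-in for encrypted data in transit (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed samples.
PLAINTEXT = b"Q3 forecast: revenue up 12%, headcount flat, margin under review. " * 8
PLAIN_ZIP = make_zip_header(0) + b"hello from the archive"
ENCRYPTED_ZIP = make_zip_header(1) + _pseudo_random_bytes(64, 7)
RANDOM_BLOB = _pseudo_random_bytes(4096, 1)

if __name__ == "__main__":
    for label, blob in [("plaintext", PLAINTEXT), ("plain zip", PLAIN_ZIP),
                        ("encrypted zip", ENCRYPTED_ZIP), ("random", RANDOM_BLOB)]:
        result = classify(blob)
        print(f"{label:14s} kind={result['kind']:14s} entropy={result['entropy']:.2f}")
```

The header checks only work when the archive crosses the wire unencrypted, which is exactly the caveat the paragraph above makes; once the channel itself is TLS or a VPN, only the entropy measurement of the stream remains, and it cannot tell compressed from encrypted data, so it is a prompt for correlation with the process-level alerts rather than a verdict on its own.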


T1011 – Exfiltration Over Another Network Medium



A Network Medium refers to the channel used for the transmission of data in a network. Some typical examples include standard TV coaxial cable, ethernet cables and optical fiber cables used in wired networks, and radio waves used in wireless data communications networks.


Exfiltration could occur over a different network medium than the one used as a command and control channel. For example, if the command and control network is a wired Internet connection, the exfiltration may occur over a WiFi connection, modem, cellular data connection, Bluetooth or another radio frequency (RF) channel.



Non-enterprise network mediums may not be as secured or monitored as the primary and/or traditional network channels, as they aren’t routed through the same enterprise network. Therefore, the external channels could allow an attacker to bypass enterprise security controls and perform exfiltration unnoticed. In addition, if the data is not secured while being transmitted by the attacker, others with a suitable vantage point may be able to intercept the information while in transit, thereby introducing further information disclosure.



There are several ways to mitigate and detect exfiltration over another medium. One of the most common methods is to ensure host-based IDS and sensors maintain visibility into usage of all network adapters and prevent the creation of new ones where possible. Monitor for and investigate changes to host adapter settings, such as addition and/or replication of communication interfaces.


Mitigation strategies should involve identifying and auditing processes that do not normally need network communication, or for which this behavior has never been observed before and which therefore deviate from a baseline. Attention should also be given to processes that generally require a user-driven event (for example, a mouse click or key press) to access the network; such a process accessing the network without that event may indicate malicious activity.
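The two preceding paragraphs describe a baseline-driven check: visibility into every network adapter, alerts on adapters being added, and alerts on processes that either never talk to the network or do so over an interface they have not used before. The Python below is an added example for this post, not Optiv's code or any product's: the interface names, the historical events the baseline is learned from, and the simplified connection-event shape are constructed assumptions.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "rule image detail")

# Interfaces the enterprise routes and monitors (constructed). Anything else
# (cellular, Bluetooth PAN, a tethered phone) is a non-enterprise medium.
ENTERPRISE_INTERFACES = {"Ethernet0", "Wi-Fi (corp)"}


def learn_baseline(history):
    """Per-process set of interfaces each image used during a quiet learning
    period; processes absent from the result have no network history at all."""
    baseline = {}
    for ev in history:
        if ev["type"] == "connection":
            baseline.setdefault(ev["image"].lower(), set()).add(ev["interface"])
    return baseline


def evaluate(events, enterprise=ENTERPRISE_INTERFACES, baseline=None):
    """Raise one alert per event that deviates from the baseline.
    Rules, most significant first: a new adapter appeared; a connection left
    over a non-enterprise interface; a process with no network history
    connected; a known process used an interface it never used before."""
    baseline = baseline if baseline is not None else {}
    alerts = []
    for ev in events:
        if ev["type"] == "adapter_added":
            alerts.append(Alert("new-adapter", None, ev["name"]))
            continue
        if ev["type"] != "connection":
            continue
        image, iface = ev["image"].lower(), ev["interface"]
        if iface not in enterprise:
            alerts.append(Alert("non-enterprise-interface", image, iface))
        elif image not in baseline:
            alerts.append(Alert("no-network-baseline", image, iface))
        elif iface not in baseline[image]:
            alerts.append(Alert("interface-not-in-baseline", image, iface))
    return alerts


# Constructed learning-period telemetry.
HISTORY = [
    {"type": "connection", "image": "outlook.exe", "interface": "Ethernet0"},
    {"type": "connection", "image": "outlook.exe", "interface": "Wi-Fi (corp)"},
    {"type": "connection", "image": "svchost.exe", "interface": "Ethernet0"},
    {"type": "connection", "image": "svchost.exe", "interface": "Wi-Fi (corp)"},
    {"type": "connection", "image": "teams.exe", "interface": "Ethernet0"},
]
PROCESS_BASELINE = learn_baseline(HISTORY)

# Constructed live telemetry to evaluate against that baseline.
LIVE_EVENTS = [
    {"type": "connection", "image": "Outlook.exe", "interface": "Ethernet0"},
    {"type": "adapter_added", "name": "Bluetooth Network Connection 2"},
    {"type": "connection", "image": "svchost.exe", "interface": "Wi-Fi (corp)"},
    {"type": "connection", "image": "notepad.exe", "interface": "Ethernet0"},
    {"type": "connection", "image": "outlook.exe", "interface": "Cellular"},
    {"type": "connection", "image": "teams.exe", "interface": "Wi-Fi (corp)"},
]

if __name__ == "__main__":
    for alert in evaluate(LIVE_EVENTS, baseline=PROCESS_BASELINE):
        print(alert)
```

The ordering of the rules matters: a connection over a cellular or Bluetooth interface is reported as such even when the process is otherwise well known, because the medium, not the process, is the anomaly the T1011 discussion above is concerned with. The two baseline rules then cover the page's other two cases, a process that should never need the network and a known process stepping outside its usual interfaces.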




While we have covered three common exfiltration techniques here, we should note that there are others that an adversary could utilize to transfer information out of the network. Mitigation strategies rely mostly on monitoring and auditing of processes and tool usage deviating from a baseline as well as network monitoring appliances. All mitigation techniques described here should be used in conjunction with others in a defense-in-depth approach. This series will continue with other ATT&CK techniques in use by adversaries, to provide insight into the tactic, detection and mitigation strategies.


Read more in Optiv’s ATT&CK series.



David Garcia Levy
Senior Consultant, Attack and Penetration | Threat
David is a senior consultant in Optiv’s Advisory Services practice on the Attack and Penetration (A&P) team. He provides consulting to Optiv’s clients with expertise in perimeter and internal penetration testing. He is an experienced information systems security practitioner who specializes in penetration testing, post-exploitation techniques, open-source intelligence gathering and wireless assessments.