How Attackers Get Away With Data

At the upcoming Black Hat DC conference, a security researcher talks about some the more advanced techniques for sneaking data out of enterprises.

Just as breaking into a bank is pointless without a getaway plan, so too is breaking into a network without the ability to sneak away with data.

The exfiltration stage of data theft often garners less attention than the methods used to infect computers, but is no less important. At Black Hat DC, Sean Coyne, a security consultant at Mandiant, is offering attendees a look at some of the more advanced ways attackers sneak data out of the digital doors of enterprises.

"We'll be covering the basics of data exfiltration along with a few examples of more advanced methods and tricks we've seen in recent incident investigations that we have performed for clients," Coyne told eWEEK. "Specifically, we'll be talking about archiving and compression, selection of file-staging locations, encrypted tunnels, and malware that uses public Web mail or chat programs to transmit data. We'll also highlight how many of the common data-theft techniques are simple, use common tools and protocols, yet are widely utilized because they still work."

Like an autoimmune disease, sophisticated attackers sometimes turn a target's IT infrastructure against the target itself. For example, Coyne explained, most organizations maintain a relatively "flat" internal Windows network with little-to-no network-layer access controls restricting workstation-to-workstation and workstation-to-server communication.

"The same environments tend to reuse local administrator passwords and allow most of their domain users to log in to their own systems with elevated privileges," he said. "This makes it trivial for an attacker to start out with a small number of victim users, compromised via something like a spear-phishing e-mail, and leverage administrator privileges for lateral movement and access to servers and other systems housing critical data."

As a compromise evolves, the attacker may also leverage existing remote access tools such as VPNs after they have obtained the requisite credentials, he added.

Attackers temporarily compile the data they steal in a staging area on the victim's network before moving it out to their own systems, the researcher said. The staging point is usually a workstation, but could also be a server or other system on the network with outbound access to the Internet.

"Attackers typically choose an existing system directory on the host, such as the parent RECYCLER or System Volume Information (Restore Point) folders, and set attributes so that [victims] won't come across the files during normal usage," he said. "Once the data has been sent out of the network from the staging point, the attacker can clean the area by removing the files and any other traces of activity."

"Host-based detection of in-progress data-theft activity is extremely rare; attackers tend to use and reuse the same staging systems and directories to facilitate consistent processes, minimize their footprint and clean up their tracks," he continued. "For both victims and investigators, it's important to be aware of these methods and quickly recognize an attacker's habits so that they know what to look for throughout a compromised environment."

Attackers also look to dodge DLP (data-loss-prevention) tools. Most organizations, Coyne said, have not implemented true end-to-end DLP tools to cover both endpoints and the network. Many of these products appear to be designed to detect unsophisticated or unintentional disclosure of protected data by users rather than protecting against a targeted attack, he added.

"A more significant problem is that most organizations still give all of their users Local Administrator privileges to their own systems...Specific to DLP solutions that rely on network traffic inspection-our talk covers a myriad of techniques for compressing, encrypting and otherwise obfuscating stolen data in ways that easily bypass this type of monitoring," he said.

The best strategies to contain and limit attacks include enforcing strict network-segmentation, privilege-management and fundamental Windows security architecture best practices, he added.

Coyne's talk is scheduled for Jan. 18. The conference itself will run from Jan. 16-19 at the Hyatt Regency Crystal City hotel in Arlington, Va.