Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity
    • IT Management
    • Networking

    How Attackers Get Away With Data

    By
    Brian Prince
    -
    January 13, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Just as breaking into a bank is pointless without a getaway plan, so too is breaking into a network without the ability to sneak away with data.

      The exfiltration stage of data theft often garners less attention than the methods used to infect computers, but is no less important. At Black Hat DC, Sean Coyne, a security consultant at Mandiant, is offering attendees a look at some of the more advanced ways attackers sneak data out of the digital doors of enterprises.

      “We’ll be covering the basics of data exfiltration along with a few examples of more advanced methods and tricks we’ve seen in recent incident investigations that we have performed for clients,” Coyne told eWEEK. “Specifically, we’ll be talking about archiving and compression, selection of file-staging locations, encrypted tunnels, and malware that uses public Web mail or chat programs to transmit data. We’ll also highlight how many of the common data-theft techniques are simple, use common tools and protocols, yet are widely utilized because they still work.”

      Like an autoimmune disease, sophisticated attackers sometimes turn a target’s IT infrastructure against the target itself. For example, Coyne explained, most organizations maintain a relatively “flat” internal Windows network with little-to-no network-layer access controls restricting workstation-to-workstation and workstation-to-server communication.

      “The same environments tend to reuse local administrator passwords and allow most of their domain users to log in to their own systems with elevated privileges,” he said. “This makes it trivial for an attacker to start out with a small number of victim users, compromised via something like a spear-phishing e-mail, and leverage administrator privileges for lateral movement and access to servers and other systems housing critical data.”

      As a compromise evolves, the attacker may also leverage existing remote access tools such as VPNs after they have obtained the requisite credentials, he added.

      Attackers temporarily compile the data they steal in a staging area on the victim’s network before moving it out to their own systems, the researcher said. The staging point is usually a workstation, but could also be a server or other system on the network with outbound access to the Internet.

      “Attackers typically choose an existing system directory on the host, such as the parent RECYCLER or System Volume Information (Restore Point) folders, and set attributes so that [victims] won’t come across the files during normal usage,” he said. “Once the data has been sent out of the network from the staging point, the attacker can clean the area by removing the files and any other traces of activity.”

      “Host-based detection of in-progress data-theft activity is extremely rare; attackers tend to use and reuse the same staging systems and directories to facilitate consistent processes, minimize their footprint and clean up their tracks,” he continued. “For both victims and investigators, it’s important to be aware of these methods and quickly recognize an attacker’s habits so that they know what to look for throughout a compromised environment.”

      Attackers also look to dodge DLP (data-loss-prevention) tools. Most organizations, Coyne said, have not implemented true end-to-end DLP tools to cover both endpoints and the network. Many of these products appear to be designed to detect unsophisticated or unintentional disclosure of protected data by users rather than protecting against a targeted attack, he added.

      “A more significant problem is that most organizations still give all of their users Local Administrator privileges to their own systems…Specific to DLP solutions that rely on network traffic inspection-our talk covers a myriad of techniques for compressing, encrypting and otherwise obfuscating stolen data in ways that easily bypass this type of monitoring,” he said.

      The best strategies to contain and limit attacks include enforcing strict network-segmentation, privilege-management and fundamental Windows security architecture best practices, he added.

      Coyne’s talk is scheduled for Jan. 18. The conference itself will run from Jan. 16-19 at the Hyatt Regency Crystal City hotel in Arlington, Va.

      Brian Prince

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×