A point of access must first be established; this is what is traditionally referred to as the security breach. It commonly occurs via a client-side exploit, weak system credentials, or SQL injection. According to recent reports, the technique most commonly used today by human attackers is your own remote access applications: RDP, or even your own VPN.
Once that point of access is obtained, the attacker then goes looking for interesting data in the environment. Data at rest is often gathered via built-in Windows shares or FTP, and data in transit is gathered with a variety of techniques, the most common of which is now parsing memory, where data is unencrypted and available for the taking.
Attackers are also likely to use your own remote access tools to exfiltrate data. Because these tools are typically encrypted and traditionally hard to inspect, they offer an easy way for the attacker to pull data out of the environment without detection. One of the best things you can do to protect yourself is to monitor usage of these channels and watch for anomalies.
Today’s malware is also using common internet protocols to send your data out. Partly because of the complexity of automating remote access solutions, and partly because HTTPS, FTP and SMTP libraries are readily available, these protocols are often used by malware to send data out of the environment.
Using a technique called “tunneling,” data can be encrypted in archives or in transit, limiting the ability to inspect it at a proxying firewall: it just looks like traffic over HTTP/S, DNS, or ICMP, among others. These are commonly referred to as “covert channels.” With covert channels, attackers can hide what they are saying or passing by writing a message inside a message, much as steganography can hide a picture inside a picture.
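Monitoring a channel for anomalies, as recommended above, is concrete enough to script. The following added example (not code from the original post) scans a constructed DNS query log for the shape of a DNS covert channel: one client sending many distinct, long, high-entropy labels under a single domain. The log format, thresholds and the two-label approximation of the registered domain are assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the original post); assumed
# line format: "<timestamp> <client_ip> <queried_name>".
SAMPLE_LOG = """\
2024-01-10T10:00:01 10.0.0.5 www.example.com
2024-01-10T10:00:02 10.0.0.5 mail.example.com
2024-01-10T10:00:03 10.0.0.7 kq7xw2mz9ab3cd4ef5gh6jl8np0rs1tu.t.example.net
2024-01-10T10:00:04 10.0.0.7 ut1sr0pn8lj6hg5fe4dc3ba9zm2wx7qk.t.example.net
2024-01-10T10:00:05 10.0.0.7 a1b2c3d4e5f6g7h8i9j0klmnopqrstuv.t.example.net
2024-01-10T10:00:06 10.0.0.7 vutsrqponmlk0j9i8h7g6f5e4d3c2b1a.t.example.net
2024-01-10T10:00:07 10.0.0.7 www.example.com
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far above real words."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def split_name(name):
    """(leftmost label, registered domain). The registered domain is
    approximated as the last two labels; use the Public Suffix List in practice."""
    labels = name.strip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])

def detect_dns_tunneling(log_text, min_queries=4, min_entropy=3.5, min_len=20):
    """Flag (client, domain) groups whose leftmost labels are numerous, unique,
    long and high-entropy: the shape of data leaving one query at a time."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # tolerate malformed lines
        label, domain = split_name(parts[2])
        groups[(parts[1], domain)].append(label)
    flagged = []
    for (client, domain), labels in sorted(groups.items()):
        if len(labels) < min_queries or len(set(labels)) < min_queries:
            continue
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        mean_len = sum(map(len, labels)) / len(labels)
        if mean_ent >= min_entropy and mean_len >= min_len:
            flagged.append((client, domain, round(mean_ent, 2), round(mean_len, 1)))
    return flagged
```

Run against real resolver logs, tune the thresholds per environment and whitelist known high-entropy domains (CDNs, anti-spam lookups) before alerting.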