Exfiltration and Covert Channels in Cyber Defense Magazine

Hey all, we wanted to give you a heads up on an article we put together in the new Cyber Defense Magazine. The article talks about current data exfiltration techniques, both automated and manual, and the tools commonly used in that environment. Here’s a small excerpt from the article:

A point of access must first be established; this is what is traditionally referred to as the security breach. It commonly occurs via a client-side exploit, weak system credentials, or SQL injection. According to recent reports, the most commonly used technique today by sentient attackers is via your own remote access applications, whether RDP or even your own VPN.

Once that point of access is obtained, the attacker then goes looking for interesting data in the environment. Data at rest is often gathered via built-in Windows shares or FTP, and data in transit is gathered with a variety of techniques, the most common of which is now parsing memory, where data is unencrypted and available for the taking.

Attackers are likely to use your own built-in tools to exfiltrate data too. Because these remote access tools are typically encrypted, and traditionally hard to inspect, this is an easy way for the attacker to pull data out of the environment without detection. One of the best things you can do to protect yourself is monitor usage of the channels, and watch for anomalies.

Today’s malware is also using common internet protocols to send your data out. Partly because of the complexity of automating remote access solutions, and partly because of the ready availability of HTTPS, FTP and SMTP libraries, these protocols are often used by malware to send data out of the environment.

The article goes on to talk about advanced techniques in data exfiltration, something we’ve focused on a lot here at Pwnie Express:

Using a technique called “tunneling,” data can be encrypted in archives or in transit, limiting the ability to inspect it at a proxying firewall: it just looks like traffic over HTTP/S, or DNS, or ICMP, among others. These are commonly referred to as “covert channels.” With covert channels, attackers can hide what they are saying or passing by writing a message inside a message, much like steganography can hide a picture inside a picture.
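As an added defensive illustration (not part of the article or of any Pwnie Express tooling), the heuristic below scores DNS query logs for the covert-channel pattern just described: long, random-looking subdomains queried in bulk against a single domain. The log lines, domain names and thresholds are constructed for the example, and the registered-domain split is a naive two-label approximation.

```python
# Added example: heuristic scoring of DNS query logs for tunneling-style
# covert channels. Sample lines and thresholds are constructed, not tuned.
import math
from collections import defaultdict

# Constructed sample log lines: "<time> <client-ip> <qname> <qtype>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 mail.example.com MX
10:00:03 10.0.0.7 3f9a1c7e2b8d4e6f0a1b2c3d4e5f6a7b.tunnel-example.net TXT
10:00:04 10.0.0.7 9c2d4e6f8a0b1c3d5e7f9a1b3c5d7e9f.tunnel-example.net TXT
10:00:05 10.0.0.7 b7e1d3c5a9f2e4d6c8b0a1f3e5d7c9b1.tunnel-example.net TXT
10:00:06 10.0.0.7 0a1b2c3d4e5f60718293a4b5c6d7e8f9.tunnel-example.net TXT
10:00:07 10.0.0.5 cdn.example.com A
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; encoded payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Naive last-two-labels approximation (no public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def score_dns_log(log: str, min_len: int = 24, min_entropy: float = 3.5,
                  min_unique: int = 3) -> dict:
    """Return {domain: findings} for domains whose subdomains look like
    encoded payloads: long, high-entropy, and many distinct values."""
    per_domain = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2]
        domain = registered_domain(qname)
        sub = qname[: -(len(domain) + 1)] if len(qname) > len(domain) else ""
        per_domain[domain].add(sub)
    findings = {}
    for domain, subs in per_domain.items():
        hits = [s for s in subs if len(s) >= min_len and shannon_entropy(s) >= min_entropy]
        if len(hits) >= min_unique:
            findings[domain] = {"unique_subdomains": len(subs), "suspicious": len(hits)}
    return findings
```

In practice the same scoring is applied per client and per time window, since a burst of unique high-entropy labels from one host is the stronger signal than any single query.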

We fact-checked against the recent breach reports, specifically Trustwave’s excellent ‘Global Security Report’. If you’re interested in the full article, check out Cyber Defense Magazine.
