Getting Out: Data Exfiltration Gets Sophisticated

What’s the goal of any malicious actor? While stated purposes may differ — monetary gain, activism or national defense — ultimate aims remain the same: Find a way to access and then control critical data. To combat this threat, companies build higher walls and deeper moats, but as noted by CSO Online, this focus on keeping attackers at arms’ length falls apart when they inevitably breach corporate defenses.

Instead of worrying about illegal entry, businesses need better ways to handle data exfiltration. Access means nothing if data can’t be moved.

Easy Way In for Data Exfiltration

Attackers don’t have any trouble breaking into corporate networks. According to a new McAfee Labs and Intel Security report, cybercrime has in fact become an industry unto itself, with suppliers, markets, service providers and even trading systems. What’s more, companies often lag behind when it comes to applying security updates and ensuring that users follow password security protocols. Also of interest is the increasing criminal focus on mobile and IoT-connected devices, which are prime targets for compromise not as end goals, but a way to access higher-value data assets.

In addition to mobile device compromise, malicious actors are also leveraging physical devices such as USB keys and social engineering techniques to discover the lay of the land before they launch an attack. Ultimately, however, all of this is prep work: The real aim is data exfiltration.

Quick Way Out?

So how do cybercriminals get data out of corporate systems once they’ve breached perimeter defenses? One option is compressing critical assets to allow easy mobility or slicing the data up into multiple pieces for quick transport. Another option is making critical information look like something else — something companies won’t flag as worrisome when it leaves the system. The CSO Online piece pointed to Twitter as one legitimate way to exfiltrate data: Attackers embed stolen data into images uploaded by employees, then follow the Twitter-post trail to retrieve the stolen information.

It’s also possible to use graphics processors to move stolen data since graphics processing units (GPUs) are isolated from the other components of a corporate network and aren’t monitored in the same way. This does require more effort on the part of attackers since GPUs are relatively limited in scope, but it speaks to the level of ingenuity displayed by dedicated cybercriminals.

Holding Down the Fort

To keep company data from drifting off unannounced, companies need to change the way they view network security. First is a shift in data priorities: While traditional hacking groups typically seek out financial information or payroll data, hacktivist and nation-state actors are often looking for incriminating or embarrassing information. They may target executive emails or other communications to get what they want. This leads to the second necessary shift: discovering avenues of data removal.

The goal here? Instead of making it harder for cybercriminals to get in, companies need to make leaving the difficult task. Think of it like a door that only swings one way — attackers can get in but they have trouble getting out, giving IT admins time to discover oddities in data movement and clamp down on exfiltration.

Attackers have mastered the art of getting in. Rather than fight the losing battle of open doors, enterprises are better served looking for ways to keep data at home and malicious actors trapped on the wrong side of the wall.

Contributor'photo

Douglas Bonderud

Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and...