June 1, 2016 By Larry Loeb 2 min read

Israel-based security firm SafeBreach conducted an extensive analysis of covert data exfiltration to come up with what they believe is the perfect technique.

In 2015, the researchers began to focus on getting small amounts of sensitive data such as cryptographic keys or passwords from highly secure organizations. They recently presented the results in Amsterdam at the Hack in the Box Conference.

The researchers had a few preconditions to their attack, like the assumption that an external attacker has already managed to insert malware on a device within the targeted organization. They also consider the case of a malicious insider wanting to send out sensitive data without getting caught.

The 10 Commandments of Exfiltration

Following the experiment, the researchers came up with a technique of exfiltration based on their newly established 10 commandments. According to the SafeBreach presentation, these commandments are:

  1. No security through obscurity should be used.
  2. Only Web browsing and derived traffic is allowed.
  3. Anything that may theoretically be perceived as passing information is forbidden.
  4. Scrutinize every packet during comprehensive network monitoring.
  5. Assume TLS/SSL termination at the enterprise level.
  6. Assume the receiving party has no restrictions.
  7. Assume no nation-state or third-party site monitoring.
  8. Enable time synchronization between the communicating parties.
  9. There’s bonus points for methods that can be implemented manually from the sender side.
  10. Active disruption by the enterprise is always possible.

These assumptions imply certain exfiltration techniques, such as using regular browsing, modifying an application and being able to observe the change remotely.

The Ideal Data Exfiltration Method

The researchers came up with an attack that meets all their commandments. According to SecurityWeek, it involves the sender and receiver both agreeing on a popular Web page in a victim’s zone of access and a given time. If the sender doesn’t access the specified page at the specified time, a 0 bit of data is sent. If the sender does make an HTTP request at the specified time, a 1 bit is sent.

The receiver can determine if the sender accessed the page by checking the cache. Did the sender access it to send a 1 bit or was it cached by the receiver’s own visit (the sender did not access it to send a 0 bit)?

Basically, this method allows the attacker and the receiver to send digital Morse code to each other. It is admittedly low-bandwidth and unidirectional, so it’s only useful for small amounts of data.

A proof of concept tool was released by the researchers just to automate the method and show they weren’t fooling around. They have come up with a unique method of exfiltrating data that needs to be appreciated for the principles it demonstrates — and then dealt with on a practical level.

More from

Cybersecurity dominates concerns among the C-suite, small businesses and the nation

4 min read - Once relegated to the fringes of business operations, cybersecurity has evolved into a front-and-center concern for organizations worldwide. What was once considered a technical issue managed by IT departments has become a boardroom topic of utmost importance. With the rise of sophisticated cyberattacks, the growing use of generative AI by threat actors and massive data breach costs, it is no longer a question of whether cybersecurity matters but how deeply it affects every facet of modern operations.The 2024 Allianz Risk…

Autonomous security for cloud in AWS: Harnessing the power of AI for a secure future

3 min read - As the digital world evolves, businesses increasingly rely on cloud solutions to store data, run operations and manage applications. However, with this growth comes the challenge of ensuring that cloud environments remain secure and compliant with ever-changing regulations. This is where the idea of autonomous security for cloud (ASC) comes into play.Security and compliance aren't just technical buzzwords; they are crucial for businesses of all sizes. With data breaches and cyber threats on the rise, having systems that ensure your…

Adversarial advantage: Using nation-state threat analysis to strengthen U.S. cybersecurity

4 min read - Nation-state adversaries are changing their approach, pivoting from data destruction to prioritizing stealth and espionage. According to the Microsoft 2023 Digital Defense Report, "nation-state attackers are increasing their investments and launching more sophisticated cyberattacks to evade detection and achieve strategic priorities."These actors pose a critical threat to United States infrastructure and protected data, and compromising either resource could put citizens at risk.Thankfully, there's an upside to these malicious efforts: information. By analyzing nation-state tactics, government agencies and private enterprises are…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today