Israel-based security firm SafeBreach conducted an extensive analysis of covert data exfiltration to come up with what they believe is the perfect technique.
In 2015, the researchers began to focus on getting small amounts of sensitive data such as cryptographic keys or passwords from highly secure organizations. They recently presented the results in Amsterdam at the Hack in the Box Conference.
The researchers had a few preconditions to their attack, like the assumption that an external attacker has already managed to insert malware on a device within the targeted organization. They also consider the case of a malicious insider wanting to send out sensitive data without getting caught.
The 10 Commandments of Exfiltration
Following the experiment, the researchers came up with a technique of exfiltration based on their newly established 10 commandments. According to the SafeBreach presentation, these commandments are:
- No security through obscurity should be used.
- Only Web browsing and derived traffic is allowed.
- Anything that may theoretically be perceived as passing information is forbidden.
- Scrutinize every packet during comprehensive network monitoring.
- Assume TLS/SSL termination at the enterprise level.
- Assume the receiving party has no restrictions.
- Assume no nation-state or third-party site monitoring.
- Enable time synchronization between the communicating parties.
- There’s bonus points for methods that can be implemented manually from the sender side.
- Active disruption by the enterprise is always possible.
These assumptions imply certain exfiltration techniques, such as using regular browsing, modifying an application and being able to observe the change remotely.
The Ideal Data Exfiltration Method
The researchers came up with an attack that meets all their commandments. According to SecurityWeek, it involves the sender and receiver both agreeing on a popular Web page in a victim’s zone of access and a given time. If the sender doesn’t access the specified page at the specified time, a 0 bit of data is sent. If the sender does make an HTTP request at the specified time, a 1 bit is sent.
The receiver can determine if the sender accessed the page by checking the cache. Did the sender access it to send a 1 bit or was it cached by the receiver’s own visit (the sender did not access it to send a 0 bit)?
Basically, this method allows the attacker and the receiver to send digital Morse code to each other. It is admittedly low-bandwidth and unidirectional, so it’s only useful for small amounts of data.
A proof of concept tool was released by the researchers just to automate the method and show they weren’t fooling around. They have come up with a unique method of exfiltrating data that needs to be appreciated for the principles it demonstrates — and then dealt with on a practical level.