Data Exfiltration Is The New Weapon Used By Cyber Criminals
Prevent data exfiltration
Data theft is not only a nuisance, but it also harbors severe risks for companies: the exfiltration of network data can have severe consequences for reputation and even business continuity.
It is essential to identify such activities as early as possible to contain or, at best, prevent damage. The specialist article explains which strategy IT managers should consider and why it is essential to think beyond one’s network boundaries.
It is essential to watch out for telltale signals in advance to prevent the illegal extraction of data.
Cybercrime has been increasing rapidly for years. This was already confirmed by a study by the Federal Association for Information Technology, Telecommunications and New Media (Bitkom) in 2020: According to this, 75 percent of all Indian companies were affected by data theft, industrial espionage, or sabotage in the previous two years, which documents an enormous increase.
For comparison: In 2015, only every second company was hit. The COVID-19 pandemic has made the problem even worse. The IT infrastructures of companies have increasingly become the target of cyberattacks, primarily due to increasing remote working.
One main reason for this: In the home office, the same IT security standards usually do not apply as at the workplace in the company. This is especially true when it comes to protecting against Internet threats.
The types of possible attacks are diverse: whether malware, ransomware, spam/phishing emails, botnets, distributed denial-of-service attacks (DDoS), or advanced persistent threats (APT) – all conceivable species can cause enormous damage.
According to the Bitkom study, one of the most common crimes is data theft, which often occurs in the form of exfiltration. In doing so, data from a computer are transferred to another medium outside the author’s sphere without permission.
This can be done manually, for example, by a company employee, or – the far more common case – through automated access by malware via the Internet or another network.
Loss of sensitive data has devastating consequences.
In “credential stuffing,” for example, hackers steal access data from users and sell them to criminals or use them themselves to gain access to third-party accounts.
Suppose sensitive data gets into the hands of unauthorized persons in this way. In that case, the consequences are usually disastrous: Possible blackmail attempts can lead to considerable financial losses and seriously jeopardize the continued operation of a company.
Those affected are denied access to critical information, which severely hinders business processes. The loss of intellectual property can also lead to serious competitive disadvantages. In addition, the reputation of the organization often suffers in the long term after such an attack. This is particularly important when
To take the horror of possible data exfiltration, predictive behavior is required. It is usually too late if such activities only appear on the radar during or after the attack.
To avert more significant damage, it is essential to identify and prevent impending exfiltration in advance. One problem is that such actions are often not noticed because they are mixed up with legitimate actions.
Combining several techniques, such as obfuscation or superimposition with other activities, can reduce the visibility of such illegal data transfers to a minimum.
Monitor network activity and uncover anomalies
A strategic approach that continuously monitors what is happening in the network and reliably detects conspicuous anomalies in general traffic patterns sheds light on the darkness.
This tactic is up-and-coming when used in combination with identifying suspicious network flows or specific behaviors. The transfer of vast amounts of data can be an indicator of exfiltration.
In particular, long-term, very data-intensive connections such as streaming or remote access in which a large part of the data leaves the network can indicate suspicious, unauthorized activities.
If abnormal, outgoing data streams are not only identified but also linked to a new, previously unobserved network infrastructure or a virtual private server instance, the detection rates of exfiltrations also increase.
However, the strategies and measures mentioned have a decisive disadvantage: You can only identify an illegal data transfer when it is already taking place.
IT managers in companies then receive information about a discrepancy and can react accordingly to limit the damage. Yet, the attack is already underway and has begun to wreak havoc. So the more effective way is to prevent exfiltration completely.
Identify intrusion paths and previous events.
This can be achieved, for example, with the so-called “Whole of Cyber Kill Chain” perspective concerning the monitoring and defense of the network. This method searches for possible intrusion paths and identifies previous events – such as first access, movements in the network, or data collections – even before the data leaves the network.
In the course of this, a critical examination takes place, which requirements must be met for a successful attack. On this basis, well-founded controls can be implemented both on the host and in the network, which identifies exfiltrations and a large number of other intrusion attempts and successfully fends them off.
The possibility of recognizing and combating data exfiltration only exists during the compromise phases marked with the danger symbol.
By recognizing such potential attack mechanisms and monitoring them seamlessly, the probability of a violent intrusion into the network can be minimized.
As part of the controls, outward-facing systems should be regularly patched, and the services available for external access should be reduced. It is also essential to limit the types of traffic entering the network and monitor sensitive activities such as remote administration or access sessions.
In addition, IT managers should design the defense strategies in several layers. This includes thinking beyond the network boundary and keeping an eye on the potential subsequent activities of an attacker.
This requires monitoring of internal network traffic flows as well as host-centric observations. It is of crucial importance to understand the behavior of attackers and understand their techniques.
A combination of solutions for Endpoint Defense and Response and Network Defense and Response is recommended for countermeasures. These ensure multi-layered detection and monitoring of the system environment and close gaps invisibility to ensure maximum protection against attacks.
A dangerous combination of ransomware, data theft, and data exfiltration
Ransomware attacks are constantly being further developed in terms of their technology and procedure and are becoming more dangerous. The latest developments are particularly alarming for cybersecurity experts, as ransomware attacks are increasingly occurring with data theft and data exfiltration.
The combination of these three approaches represents a particularly significant danger for companies and those responsible for cybersecurity.
Conventional data exfiltration is a mixture of data theft and extortion. A hacker intrudes into the security structure of a company and filters data according to their estimated value.
Financial documents, corporate intellectual property, and sensitive business information can be a part of it and confidential messages or planned market activities. After the attacker has secured the data, he determines its respective value by offering it to potential buyers on the black market.
Once this step is complete, the blackmailer contacts the attacked company and demands a ransom to prevent the data from being sold to third parties. As a result, those responsible face the problematic situation with considerable damage to their image, possible penalties from official bodies, or other adverse effects if the stolen data is published.
Over the past year, the Maze and DopplePaymer variants have added data exfiltration to traditional ransomware attacks. Suppose a victim refuses to pay the ransom during an attack.
In that case, the hacker publishes part of the captured and encrypted data, making the attack public and increasing the pressure to cooperate. In connection with the operational failure during the ransomware attack, the resulting combination of image damage and data theft is as effective as it is dangerous. The backup of data is not sole custody more against this double danger.
Conclusion
Data exfiltration is becoming a growing threat to corporate network security. To successfully ward off such attacks, IT managers should use a holistic strategy and multi-layered measures.
To do this, it is not enough to identify suspicious behavior and limit the damage. Instead, effective defense requires the identification of malicious activity at all stages of the attack. On this basis, adequate protective measures can be implemented in the network and on the host, thereby preventing attempts to intrude at an early stage.