Exfiltration: The Great Data Escape

Exfiltration is a military term for the removal of assets from within enemy territory by covert means. It now has an excellent modern usage in computing, meaning the illicit extraction of data from a system.

So once inside an enterprise, how do hackers exfiltrate all that data in so short a time? And how do they extract it without being detected?

The answer to the first question may surprise a few, because once hackers are in the system (or “own3d,” in hacker terminology), weeks and even years of exfiltration may follow. For example, in one study conducted in 2009 on a sample of 218 breaches around the world, Trustwave's SpiderLabs found that on average, 156 days lapsed between an initial breach and its detection.

This is relatively short, in comparison to the discovery by McAfee Inc. (NYSE: MFE) of the “Night Dragon” APT (advanced persistent threat) attack, which hung around for up to four years. And the exfiltration of all the US State Department data for WikiLeaks took place over several months.

Contrary to what many perceive, hackers do not always try to make a quick getaway with their booty, although for some, a quick smash-and-grab is the name of the game. They can, however, lie low to avoid detection, waiting for the best time to make their escape or even extract small bits of data over a long period of time.

Hackers may store the stolen data in temporary password-protected RAR, ZIP, or CAB compressed folders or files, which are common enough to go unnoticed, until the utilized disk space becomes dangerously close to detection levels -- often somewhere around 1 per cent -- before leaving the premises.

In only 38 cases reported by Trustwave was the same remote access application used for entry as well as for exit. Breaches by malware, such as keystroke loggers’ data exfiltration, most often used FTP and email capabilities, such a malicious SMTP server directly on the compromised system.

The most covert data extraction method is DNS (domain name server) exfiltration. This method can even be used on systems without a public network connection by resolving domain name queries outside the perimeter of trusted hosts through a series of internal and external nameservers.

While many server operations do observe and record log files from content serving, it is the database server that is often overlooked. More than any other type of query, outgoing DNS requests are permitted access to arbitrary hosts on the Internet. Even when firewalls are set up to prevent a database server from sending data straight to the Internet, hackers can send DNS requests from the internal DNS server using SQL injection.

Hackers also exploit automated time delays between transmitted packets. And they extensively use steganography, which is the exfiltration of data hidden within transmissions -- images, PDFs, or multimedia files. Additionally, spyware – and, if the hacker has physical access, surreptitiously hidden hardware devices -- is commonly used to perform data exfiltration.

Ultimately, hackers use our biggest weakness against us by monitoring “egress,” or exit traffic, which receives scant attention in most organizations. Enterprises, in general, do not know enough about the data that they own and the flow of data within their own internal systems, let alone what data is leaving those systems.

Virtually all commercial and governmental enterprises focus on incoming traffic; that is, how many visitors are arriving at a site. Analysis of egress is viewed in the context of positive reporting about downloads of reports or of various multimedia files. Perhaps site owners would pay more attention if they realized that their valuable data can be exfiltrated while hidden within these apparently innocuous downloads.

It may be time for a major change to prevent data breaches or exfiltration. A better way of protecting data would be to quantitatively analyze the outward flow of data and constantly check for anomalies, in conjunction with better outbound firewall procedures.