Protecting sensitive data: an approach to prevent data exfiltration

Pierluigi Paganini March 15, 2015

Data exfiltration is mechanism to data breach that occurs when an individual’s or organization’s data is illegally copied from its systems.

It’s not a matter of “if” you will be attacked, but “when”. Preventing attackers from breaching our system is a necessity and stopping them before they can complete their mission is a requirement. Analyzing our data inflow, outflow productively to find data exfiltration, will help reducing the cost of a data breach.

Data exfiltration is mechanism of a data breach that occurs when an individual’s or organization’s data is illegally copied. They are generally a targeted attack where the hacker copies sensitive data from victim’s machines. The hackers gain access to the target machine through a remote application or by directly installing a malware through portable media.

A medium sized organization will have 20,000 devices connected to the network. It includes mobile phones, laptops, printers, servers and other devices that communicate through the Internet. There are myriads of channels used for data transmission: cloud-based apps like Salesforce and Amazon Web Services, email messaging services, various internet/web portals and social media. The amount of data the company’s network connected devices generate is around 20TB or more in a single day. Exfiltration within normal traffic patterns and sizes is already hard to detect and that’s compounded by the use of increasingly stealthy encryption when sensitive credentials are compromised.

With the introduction of new technologies and devices like drones, IoT, BYOD policies into organizations, we are increasing the risk rate that each individual is forced to face during their online activities.

False positives in DLP and SIEM

An advanced DLP solution and SIEM are used to monitor for risky events, but due to the sheer size of an organization and the amount of data accessed on a daily basis, those solutions on their own are not enough and are generating false positives in high numbers. Many data exfiltration were left unnoticed during the early stages due to the false positive findings of SIEM tools. Shifting to productive monitoring and SIEM intelligence coupled with behavioral analysis will help in early detections of data breaches.

data exfiltration

Incorporating behavioral analysis in DLP tools will reduce false positives up to 99% as analyzed by a case study. Breaches are inevitable, but sensitive data loss isn’t. A traditional perimeter defense will not necessary the attackers from stealing sensitive data. Organizations will need to start with the assumption that some adversary might be successful in their attempt to bypass the defenses. One of the most vital stages in an APT type attack is the data exfiltration step. Companies must invest in preparing a model for understanding the threat vectors and creating a threat model. This will definitely help in identifying adversaries and their approaches.

Organizations must think differently

Companies should adopt a mentality of ‘Think like a hacker’. The motives of hackers are varied but their goals are all same. They intend to steal, leak or expose data from a victim. The victim can be an individual, an organization or even a nation. Instead of companies simply claiming that they cannot be breached, they can put in efforts and time to build a better approach. The traditional risk based approach will not single handedly help in mitigating or tackling a data breach. It should be coupled with proper incident response plans and data loss prevention mechanisms.

Plan for a better plan

Companies planning to invest in cyber security must also focus on different approaches to tackle cyber events. Cyber threats are increasing rapidly throughout the year. Few of the steps that companies can concentrate to build a custom defense strategy can include:

  • Defining a model to differential insider threat and outsider threat
  • Identifying the communication channels like HTTP, SFTP, SSH, RDP etc.
  • Analyzing a content type: Sensitive information ranges from personal identifiable information (social security numbers, credit card numbers) to intellectual property. This information could be contained in a static file (image, software program, and spreadsheet) or a multimedia session (VOIP conversation and video conference). Sensitive information may be leaked to an outsider in its original, modified, or hidden format. Content in its original format has not been modified in any way. Modified content includes data that may be compressed, padded, encoded into a new file type, or encrypted. Hidden content includes content that has been embedded into other content or the communication protocol using steganography techniques.
  • Increasing focus on Cyber Threat intelligence -It can enable defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt. Security managers need accurate, timely and detailed information to continually monitor new and evolving attacks, and methods to exploit this information in furtherance of an improved defensive posture.

Cyber defense strategy and measures like multi-layered security approach that includes network defenses, strong passwords, intrusion detection, and multi-factor authentication to protect sensitive data can help companies to tackle breaches efficiently. The biggest challenge is in the detection because identifying these types of data exfiltration events is tedious because of the amount of data generated.

About the Author Ashiq JA (@AshiqJA)
Ashiq JA (Mohamed Ashik) is a Cyber Security Researcher and Writer passionate about Web Application Security, Security research using Machine Learning and Big Data, Deep web, Security technologies and Threat Analysis. He is currently working as a Security Consultant for a financial firm. He believes in knowledge sharing as the best source for information security  awareness.To catch up with the latest news on InfoSec trends, Follow Ashiq JA on Twitter @AshiqJA.

Edited by Pierluigi Paganini

(Security Affairs –  Hackers, cyber security)

you might also like

leave a comment