Talk: Data Exfiltration – not just for Hollywood

René Pfeiffer/ June 18, 2011/ Security

Iftach Ian Amit discusses infiltration of networks and exfiltration of data. Imagine you have completed the infiltration, data targeting and acquisition phase. You have secured the data you were looking for. Now what? How do you get to „your“ data out of highly secured environments? You need to

  • avoid data loss protection (DLP) tools,
  • avoid IPS/IDS,
  • avoid updating your payload frequently,
  • need to design a control channel that can handle disconnected operation.

The data itself needs to be protected from filters or pattern matching sensors. SSL/TLS comes to mind, but some infrastructures terminate SSL at proxies and inspect content. End-to-end encryption is a better method if combined with content obfuscation (there are patter matches for GPG/PGP and other ways, too).

Transport needs to use a covert or back channel. This can be a talk page of a wiki (which is „hidden“ on first sight), Facebook, storage services or similar ways. What do you do if the target is not networked? Where’s the covert/back channel then?

  • Prints – looks like a print error, but it isn’t. Print errors usually aren’t shredded, but to recycling instead. So you end up with dumpster diving.
  • VoIP – phone home; look or set up for a PBX, configure a voice mailbox, encode your data into something that sounds like sound, put it into the mailbox and call to retrieve (some mailboxes allow downloading recorded calls which makes things easier). There are tools that can even pack your data in tones that may traverse re-encoding and public telephone lines.
  • Faxes – multi-functional printers can store documents and send/receive faxes, plus these devices have document conversion tools built in. You can save a tree while exfiltrating data.

Now how can you prevent this? There’s no single tool out there that solves all problems magically. Not one. Start with analysis, processes and a complete view of all your data and all persons, departments, machines and entities touching it.

  • Talk to your employees, learn about and map out processes.
  • Know yourself – how does your company work? Talk to everyone! Examine all angles!
  • Talk to developers! Make sure you learn how they work and where they leave their data.
  • Hack, modify, improve, test, hack again.
  • Map your assets based on what you see! If you have 400 servers, show them! Where are they? On what networks are there? How many laptops, phones, computers, … do you have? Tag it, monitor it, track it! Keep the data in your sights!
  • Test everything – down to employees, vendors, everything connected, all processes! Get an external penetration testing team, learn from their report, use the results as homework, improve, hack, test again.
Share this Post

About René Pfeiffer

System administrator, lecturer, hacker, security consultant, technical writer and DeepSec organisation team member. Has done some particle physics, too. Prefers encrypted messages for the sake of admiring the mathematical algorithms at work.