Data exfiltration: Do you know where your data is?

Published in English by CIO Watercooler

Intellectual and industrial property, personal data, bank data, providers and client directories, personal communications..

Nowadays, data is one of the most important assets in our organizations and even in our private lives.

2017 ended with important data leaks that are still fresh in our memory.

Just to name a few: Uber tried to cover up a leak spilling data on some 57 million; Equifax suffered a leak revealing data on an astounding 145.5 million users; and here in Spain, Anonymous exposed databases from a police-related forum and the Madrid regional government.

These leaks come about due to failures in the infrastructure we use, like what happened in the case of the Western Digital ‘My Cloud” service, noted by my colleague Claudio in Internautas.org or the the NSA Amazon buckets…

In other cases, an intrusion targets the heart of the organization, driven by concrete and often evident interests.

For example, in recent times there have been “Ransomware” cases that contact the target entity and inform them that their data was stolen, encrypted and published on the Internet.

What happens if they don’t pay what they ask for? They simply publish the keys to decrypt, and now it’s a question of the will of $deity.

We have to be aware that we are in a world where it is more than probable that at some point you will be compromised, in one way or another, and the more complex or bigger the organization, the worse the problem will be.

I would say that in the event you are pwned: be resilient, have a fast and efficient response to incidents, and be sure to add this experience to our know-how and share it with other defensive security actors.

And of course, use the experience to think about how to make it harder for the “bad guys” to steal our data!

Data exfiltration is more than merely burning a CD, copying files to a pendrive or printing off a ton of documents onto paper…

Some “classic” methods of this data hack include:

• Sending data through an HTTPS connection to the attacker’s server
• Using cloud services like Pastebin
• Using SMTP or FTP
• Using TCP or ICMP packet forgery.

I shall also cite some of the more curious and obscure methods I’ve seen in my experience:

• Encrypted tweets using stolen data.
• Upload stolen data into a Youtube video, Flickr Image or Linkedin document, using stenographic methods
• DNS queries to subdomains from a domain under the attacker’s control when, in reality, these queries are stolen and encrypted data.
• Using Skype and other chat protocols (e.g. IRC)
• Creating wireless networks with different ESSIDs, whose names in actuality are the stolen data

This brief and simple list is intended to be an example to bring these issues to the attention of the reader.

In the end, DLP (Data Loss Prevention) technology should not be used for merely inspecting SSL traffic, but rather for creating a complex data management and defense strategy.

“Data is the new oil”