Identifying and Defending Against Data Exfiltration Attempts

Game Changer: Identifying and Defending Against Data Exfiltration Attempts
SANS Cyber Defense Summit 2015 – Nashville, TN
Ismael Valenzuela, Lead IR/Forensics Technical Practice Manager
(Foundstone Professional Services)
Intel Security Public - @aboutsecurity
‘The greatest art heist in American history’
March 18, 1990
• At 1:24 am, while people were still celebrating St. Patrick’s Day, two men wearing police uniforms walked up to a side entrance of the Museum
• They pressed the buzzer near the door and ordered: "Police! Let us in. We heard about a disturbance in the courtyard." They gained entry without question…
• Thieves were inside for a total of 81 minutes and stole 13 works of art
• Local alarms were smashed and rendered useless
• 25 years later, there is still no sign of the artwork, today valued at over $500 million
• Who pulled it off is still a mystery
UK’s greatest jewellery robbery of all time
Hatton Garden safe deposit heist ~ total stolen had a value of over ~$300m
• On April 7, police reported that the Hatton Garden underground safe deposit had been broken into
• There was no sign of forced entry: thieves drilled through the 20 inch thick vault walls
• CCTV revealed that the attack commenced on April 2nd
• A major underground fire nearby may have been started to create a diversion as part of the theft
Is data exfiltration any different?
Not really…
• An insider assisted the intruders
• The thieves circumvented the typical path to the assets and took some unexpected routes
• Some monitoring was in place, but it was not comprehensive or used in a real-time / proactive manner
• Personnel were inadequate in size and training
• Thieves were in the secure zone for hours to days, causing damage, without being noticed (!!)
• Victims spent most of their security resources preventing a break-in, but little on detecting one and minimizing the impact
http://www.techtimes.com/articles/33043/20150216/hackers-steal-1billion-from-up-to-100-banks-how-did-cyber-criminals-did-it.htm
About me
Twitter: @aboutsecurity
• 15+ years of experience in InfoSec
• Leading the Incident Response and Forensics team at Intel Security
• Community SANS Instructor
• Author of security articles for Hakin9, INSECURE, SANS Forensic Blog & OpenSecurityResearch
• http://blog.ismaelvalenzuela.com
• With a bunch of SANS certificates…
• Love eating packets for breakfast (especially non-RFC compliant ones – yummy!!)
Is this a lost battle?
Let’s start by admitting that we have a problem
• We are spending more $$$$$$ on security than ever!
• Studies* reveal that attackers maintained access for an average of 7 months prior to discovery of the exfiltration
• Initial discovery of the compromise is usually accomplished by a third party (~70% of the cases)
• The organization’s NIDS, HIDS and log review combined accounted for ONLY 3% of detections
• MSSPs discovered less than 1% of the breaches
• Is this EVER going to change?
* Mandiant M-Trends, Verizon DBIR, Ponemon data breach reports
It’s time to REDEFINE the game
If they don’t win, YOU WIN!
• Adversaries are dominant, and this will not change
• And they are already IN, in case you didn’t notice
• Therefore, winning requires a ‘new definition’, a new security paradigm, focused on preventing the attacker’s success
• Yes, YOU WIN every time you prevent the attacker from achieving their goal, and that usually involves data exfiltration
• New game RULES:
1. Detecting attacker activity toward data exfiltration ASAP
2. Preventing the exfiltration
SANS SEC 511: Continuous Monitoring and Security Operations
Shameless Plug!
• Approaching security with these goals in mind is the primary concern of this new SANS course
• Written by SANS Instructors and GSEs Eric Conrad and Seth Misenar
• Mapped to the Critical Security Controls
• Focus on:
  • Defensible Security Architecture
  • Network Security Monitoring (data in motion)
  • Continuous Security Monitoring (data at rest)
How did they get in?
In case you didn’t know, they are ALREADY in
• With the help of an insider! (of course)
• Yes, that PDF / JavaScript / email / Flash file…
• Bypassing your mostly preventive, perimeter-focused security devices
  • IPS, firewalls, AV and other block & forget technology
• What mechanisms will enable you to detect, stop or at least disrupt data leakage from your network following such a compromise?
• Let’s analyze the sequence of events following the compromise while focusing on 10 practical, actionable steps we can take
Finding the crown jewels
Once past the initial breach…
Lateral Movement
• Their goal:
  • Locating the servers storing the crown jewels (payment data, IP, source code, etc.)
  • Gaining access to those servers (pivot / lateral move) using valid credentials
• How they do it:
  • Attackers commonly leverage the credentials of service accounts and authorized individuals that they have obtained through pass-the-hash techniques or password extraction tools such as Mimikatz or Windows Credential Editor
  • With valid credentials on the network, the attacker appears to be a legitimate user, making them very difficult to detect past the initial breach
  • On certain servers attackers might install additional malware for specific purposes, e.g. memory scraping malware on POS terminals
  • Since locating the data might take weeks or months, some kind of persistence is typically required
What are they looking for?
Threat Actors and Motivations
• APT / Nation State
  – General motives: Espionage, Influence
  – Example data types: Trade secrets, insider information, source code, emails, internal documents
  – Amount of data pursued: Small – Large
  – Sophistication of exfiltration techniques: High
  – Location on the network: Unknown / often scattered
• Organized Crime
  – General motives: Financial
  – Example data types: Bank accounts, credit card data, PII (SSNs, names, etc.), ePHI
  – Amount of data pursued: Large
  – Sophistication of exfiltration techniques: Medium – Low
  – Location on the network: Known
• Hacktivists
  – General motives: Reputational, Social
  – Example data types: Emails, employee information, any sensitive internal data
  – Amount of data pursued: Small – Large
  – Sophistication of exfiltration techniques: Medium – Low
  – Location on the network: Both known and unknown / often scattered
Action 1: Create a list of defensible assets
KISS principle: start small, then expand
• Where is my data located?
  • If you don’t know where the data is, how are you going to protect it?
• Create a prioritized list of defended assets, for example:
  • Domain controllers, Exchange servers, network infrastructure devices
  • Internal databases and web servers
  • External-facing data-providing services
• Then associate pre-approved IR actions with them: blocking ports, blackholing traffic, disabling accounts, isolating the system, scanning for vulnerabilities, etc.
• Start applying all the following actions to a small subset of assets, then expand
Action 2: Segment, Segment, Segment
Or how to turn your mostly preventive firewall into your best IDS!
• Will you leave attackers free to move around internally?
  • In many environments, internal users have access to all or most critical assets
  • Most networks are architected to defend against external attackers
  • But now the attacker owns a trusted internal system!
• Quickwin:
  • Determine who should access your prioritized list of defensible assets, and how
  • Segment the network based on the trust levels of the information stored on those servers
    – Locate them on separate VLANs with firewall filtering
  • Default deny outbound across all INTERNAL segments
    – Layer 3: blacklist oriented (competitors, GeoIP, reputation based)
    – Layer 4: whitelist oriented (default deny all TCP/UDP)
  • Every denied outbound connection is a potential pivot, C&C or exfil attempt!
Action 3: Mitigate Pass-the-Hash attacks
• Attackers will pivot from the initial victim, in most cases using local credentials
• Pass-the-Hash is a popular technique in Windows environments where NTLM is supported
  • Attackers use the HASH of an authorized user
  • Lack of ‘salts’ and synchronized accounts HELP attackers tremendously
• Microsoft fixed part of it in 2014: most local accounts are not vulnerable now
  • But the local administrator (RID 500) and all domain accounts are still vulnerable!!
• Quickwins*:
  • Restrict local accounts to local authentication (no non-domain network logons!)
  • Leverage Windows 8.1 and Server 2012 built-in defenses
* NSA guide – Reducing the Effectiveness of Pass-the-Hash (2013)
Action 4: Fighting Mimikatz & other animaltz
Pass the Password!
• Attackers are using recompiled versions of Mimikatz extensively to steal plain text passwords from memory and evade AV
  • Try it yourself: just grab the source code from https://github.com/gentilkiwi/mimikatz , change mimikatz to mimidogtz, compile and upload to VirusTotal…
• Mitigation is possible…
  • Again, Windows 8.1 and Server 2012 provide better protection (removing MOST plaintext passwords from RAM)
  • Application whitelisting
  • Restricted Admin Mode RDP – no delegation tokens left behind with RDP
  • Require two-factor authentication where possible, at least for admins (not a panacea though)
Action 5: Detecting ‘pivoting’ with Honeytokens
Or how to deceive the attacker
• Honeytokens, or non-computer based honeypots
  • Also: honeyhashes, credential canaries, password phonies, fake SATs, etc.
• They can be extremely useful to increase your capability to detect and react faster to credential theft and lateral movement
  • echo "superpassword" | runas /user:mydomain.com\superadmin /netonly ipconfig
  • Create a scheduled task that checks for Event ID 4625 (logon failed) in the Security event log and a script that sends an alert whenever the ‘superadmin’ account is found in that log
  • Also add the HASH of "superpassword" to a rule in your IDS and alert any time it’s seen on the internal network
https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/
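An added example, not code from the slides or the ISC diary, of the scheduled-task check described above: it parses Security events in the XML shape that wevtutil exports and alerts when a 4625 names the canary account. The sample events, account, workstation and host names are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CANARY_ACCOUNTS = {"superadmin"}  # the honeytoken account(s) seeded with runas /netonly

# Constructed export in the shape of `wevtutil qe Security /f:xml`, wrapped in a
# root element so it parses as one document. Two 4625 (logon failed) events:
# one against the canary, one from a normal user mistyping a password.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <TimeCreated SystemTime="2015-09-10T09:14:02.000Z"/><Computer>DC01.mydomain.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">superadmin</Data><Data Name="TargetDomainName">MYDOMAIN</Data>
    <Data Name="Status">0xc000006d</Data><Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">WS-ACCT-07</Data><Data Name="IpAddress">10.1.4.31</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID>
    <TimeCreated SystemTime="2015-09-10T09:15:40.000Z"/><Computer>DC01.mydomain.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data><Data Name="TargetDomainName">MYDOMAIN</Data>
    <Data Name="Status">0xc000006a</Data><Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">WS-HR-02</Data><Data Name="IpAddress">10.1.5.12</Data>
  </EventData>
</Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into a dict: System fields plus every EventData/Data by Name."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "event_id": int(system.findtext("e:EventID", namespaces=NS)),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.findtext("e:Computer", namespaces=NS),
        }
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        yield rec


def canary_alerts(xml_text, canaries=CANARY_ACCOUNTS):
    """One alert per failed logon (4625) against a honeytoken account.

    The source workstation and IP are the interesting fields: nobody should
    ever use this account, so whoever tried is the pivot point to investigate.
    """
    alerts = []
    for ev in parse_events(xml_text):
        if ev["event_id"] == 4625 and ev.get("TargetUserName", "").lower() in canaries:
            alerts.append({k: ev.get(k) for k in
                           ("time", "computer", "TargetUserName", "WorkstationName",
                            "IpAddress", "LogonType", "Status")})
    return alerts


if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_EVENTS):
        print("HONEYTOKEN HIT:", alert)
```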
Calling back home!
Action 6: Spotting the abnormal – C&C
Bad guys want to be resilient too
• Usually your best opportunity to detect exfil attempts for compromises that have already evaded initial prevention and detection
• Spotting the abnormal requires knowing what normal is!
• Quickwins:
  • Configure your firewalls to track unusually long (more than ~10 min) TCP sessions and investigate them
  • Review firewall and proxy logs to identify an IP connecting outbound every X minutes over a long period of time
    • You will probably find unauthorized VPNs, ‘LogMeIn’ and similar… but also malware!
  • Look for abnormal ICMP, HTTP and HTTPS traffic
    – Target breach and ICMP: embedded status updates transferred to the internal dump server
    – Unusual User-Agents in HTTP
    – X.509 certificates with weird or empty fields
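An added example, not from the original slides, of the first two quick wins above in Python: it reads a constructed firewall connection log (the log format, hosts and the 10 minute / 5 hit thresholds are assumptions) and reports flows that reconnect at a near-constant interval plus sessions that run unusually long.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed firewall connection log (simplified; not any vendor's real format):
# timestamp src dst dst_port session_seconds
FW_LOG = """\
2015-09-10T09:00:05 10.1.4.22 203.0.113.9 443 2
2015-09-10T09:05:04 10.1.4.22 203.0.113.9 443 1
2015-09-10T09:10:06 10.1.4.22 203.0.113.9 443 2
2015-09-10T09:15:05 10.1.4.22 203.0.113.9 443 1
2015-09-10T09:20:05 10.1.4.22 203.0.113.9 443 2
2015-09-10T09:25:04 10.1.4.22 203.0.113.9 443 1
2015-09-10T09:01:10 10.1.4.31 198.51.100.7 443 12
2015-09-10T09:33:41 10.1.4.31 198.51.100.7 443 5
2015-09-10T10:12:03 10.1.4.31 198.51.100.7 443 9
2015-09-10T09:02:00 10.1.4.40 192.0.2.55 8443 5400
"""


def parse_log(text):
    """Return (timestamp, src, dst, dport, seconds) tuples, one per connection."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port, secs = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, int(port), int(secs)))
    return events


def find_beacons(events, min_hits=5, max_cv=0.1):
    """Flag (src, dst, dport) flows that reconnect at a near-constant interval.

    A low coefficient of variation (stdev / mean) of the gaps between
    connections is the 'every X minutes' pattern that C&C implants produce
    and humans rarely do. Returns {flow: mean_interval_seconds}.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in events:
        by_flow[(src, dst, port)].append(ts)
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            beacons[flow] = round(mean)
    return beacons


def find_long_sessions(events, threshold_seconds=600):
    """Sessions longer than ~10 minutes, the other quick win on this slide."""
    return [(src, dst, port, secs)
            for _, src, dst, port, secs in events if secs > threshold_seconds]


if __name__ == "__main__":
    ev = parse_log(FW_LOG)
    for flow, interval in find_beacons(ev).items():
        print("beacon candidate:", flow, "every", interval, "s")
    for session in find_long_sessions(ev):
        print("long session:", session)
```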
Ask BRO!!
Well, maybe this bro too…
Ask BRO! (now for real)
Another shameless plug…
• Blog post at OpenSecurityResearch, now also included in SEC503 material
• http://blog.opensecurityresearch.com/2014/03/identifying-malware-traffic-with-bro.html
DNS logs FTW!
• Outbound DNS traffic is generally ignored
  • Debugging tools? Seriously? Thanks Microsoft!
• Quickwin:
  • Log and monitor:
    – Large DNS queries with high entropy
    – Large TXT record responses
    – High volume of NXDOMAIN responses (typically a sign of compromise)
  • BRO, Wireshark/tshark are your friends!
  • e.g. tshark -r sample.pcap -T fields -e dns.qry.name -e ip.dst -R "dns.flags.rcode==3" | sort | uniq -c
DGAs and How to Detect Entropy
Mark Baggett’s way!
• Zeus Gameover, Skybot, Styx Exploit Kit and many others leverage Domain Generation Algorithms to create random-looking hostnames for their C&C servers
• They are challenging to ‘detect’ in an automated fashion
• Quickwin:
  • Extract all DNS queries with BRO or from the DNS server’s logs
  • Use the Linux command "ent" to score the degree of entropy
    – $ head -c 1000000 /dev/urandom | ent
      Entropy = 7.999982 bits per byte
    – $ python -c "print 'A' * 1000000" | ent
      Entropy = 0.000021 bits per byte
• ISC Handler Mark Baggett has provided a Python script to measure badness using ‘ent’ and frequency tables: https://github.com/MarkBaggett/MarkBaggett/tree/master/freq
https://isc.sans.edu/diary/Detecting+Random+-+Finding+Algorithmically+chosen+DNS+names+(DGA)/19893
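An added example (neither Mark Baggett’s freq script nor code from the slides) that applies the DNS quick wins of this slide and the previous one to a constructed, simplified query log: per-character Shannon entropy in the spirit of ent, NXDOMAIN bursts per source host, and large TXT answers. The log format, hosts and thresholds are assumptions.

```python
import math
from collections import Counter

# Constructed, simplified DNS query log: ts src query qtype rcode answer_bytes
# (not real Bro or tshark output). 10.1.4.31 behaves like a DGA-infected host.
DNS_LOG = """\
1441875600 10.1.4.22 www.google.com A NOERROR 16
1441875601 10.1.4.22 mail.example.com A NOERROR 16
1441875602 10.1.4.31 qwrtypsdfghjklzx.com A NXDOMAIN 0
1441875603 10.1.4.31 zxcvbnmasdfghjklq.net A NXDOMAIN 0
1441875604 10.1.4.31 plmoknijbuhvygctf.org A NXDOMAIN 0
1441875605 10.1.4.31 mnbvcxzlkjhgfdsap.com A NOERROR 16
1441875606 10.1.4.40 cdn.intelsecurity.com A NOERROR 16
1441875607 10.1.4.40 t1.tunnel-demo.example TXT NOERROR 900
"""


def entropy_bits(s):
    """Shannon entropy in bits per character, the figure `ent` prints per byte."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def host_part(query):
    """Keep only the attacker-chosen labels: drop the TLD and the dots."""
    labels = query.lower().rstrip(".").split(".")
    return "".join(labels[:-1]) if len(labels) > 1 else labels[0]


def parse_dns_log(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            _, src, query, qtype, rcode, answer = line.split()
            records.append({"src": src, "query": query, "qtype": qtype,
                            "rcode": rcode, "answer_bytes": int(answer)})
    return records


def analyze(records, entropy_min=3.5, min_len=12, nx_min=3, txt_min=512):
    """(kind, src, detail) findings; thresholds are assumed starting points to tune."""
    findings, nx_by_src = [], Counter()
    for r in records:
        label = host_part(r["query"])
        if len(label) >= min_len and entropy_bits(label) >= entropy_min:
            findings.append(("high-entropy-name", r["src"], r["query"]))
        if r["rcode"] == "NXDOMAIN":
            nx_by_src[r["src"]] += 1
        if r["qtype"] == "TXT" and r["answer_bytes"] >= txt_min:
            findings.append(("large-txt-answer", r["src"], r["query"]))
    for src, count in nx_by_src.items():
        if count >= nx_min:
            findings.append(("nxdomain-burst", src, str(count)))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyze(parse_dns_log(DNS_LOG)):
        print(f"{kind:18} {src:10} {detail}")
```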
Bring in the heavy artillery!
Stage 2 malware
Easy to catch if you have a defensible network
• After successfully connecting to the C&C servers, malware typically downloads a Stage 2 binary:
  • Used for collecting, encrypting and sending out the data
  • Can create additional services, autorun entries, etc.
  • And connects to a C&C infrastructure again to receive further requests
• Quickwin:
  • Identify where your binaries come from:
    – C:\> dir /R /s | find "Zone.Identifier"
Action 7: Define a clear & secure flow for EXEs
Do all your users need to download EXEs? Really?
• Do desktops download their own patches? Do servers download binaries directly?
  • Hopefully not!
  • Beware of the ‘Cowboy’ domain admin!
• Then why do you allow any desktop to download any arbitrary binary from the Internet?
• Quickwin:
  • Get your proxy logs and examine what binaries users are downloading
  • Identify downloads from ‘naked IP addresses’
  • Can you implement an ‘Enterprise App Store’ using SCCM or similar?
  • Alert on EXE transfers from workstation to workstation
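An added Python example (not code from the slides) that covers both the Zone.Identifier quick win on the Stage 2 slide and the ‘naked IP address’ check here: it parses the [ZoneTransfer] stream Windows writes for downloaded files and flags Internet-zone binaries whose HostUrl is a bare IP rather than a hostname. The sample stream contents and zone labels are constructed; reading the stream from a file only works on NTFS.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Zone IDs Windows writes into the Zone.Identifier alternate data stream (ADS).
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}

# Constructed stream contents in the [ZoneTransfer] INI shape Windows uses.
SAMPLE_NAKED_IP = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=http://203.0.113.9/update.exe\r\n"
SAMPLE_VENDOR = ("[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://www.example.com/\r\n"
                 "HostUrl=https://downloads.example.com/setup.exe\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"


def read_zone_identifier(path):
    """Read a file's Zone.Identifier ADS on NTFS (Windows only); None if absent."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def parse_zone_identifier(stream_text):
    """Return zone name, HostUrl and ReferrerUrl from the stream, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        return None
    section = cp["ZoneTransfer"]
    zone = int(section.get("ZoneId", "-1"))
    return {"zone": ZONE_NAMES.get(zone, "Unknown"),
            "host_url": section.get("HostUrl", ""),
            "referrer": section.get("ReferrerUrl", "")}


def is_naked_ip_url(url):
    """True when the URL host is a bare IPv4/IPv6 address instead of a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(stream_text):
    """Triage label for one binary based on where Windows says it came from."""
    info = parse_zone_identifier(stream_text)
    if info is None:
        return "no-zone-info"
    if info["zone"] in ("Internet", "Restricted"):
        if is_naked_ip_url(info["host_url"]):
            return "internet-download-from-naked-ip"
        return "internet-download"
    return "local-or-intranet"


if __name__ == "__main__":
    for name, text in (("naked-ip", SAMPLE_NAKED_IP), ("vendor", SAMPLE_VENDOR), ("intranet", SAMPLE_INTRANET)):
        print(name, "->", classify(text))
```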
Action 8: Implement Whitelisting with AppLocker
Not a panacea (nothing is) but a must-have to increase the attacker’s cost
• Old paradigm: blacklisting vs whitelisting
  • Typically painful to implement (especially with old Software Restriction Policies)
• There is no reason why you should not implement whitelisting with the new AppLocker (integrated since Windows 7)
  • Free!!
  • Doesn’t require additional infrastructure
  • Can initially be deployed in Audit Only mode
    • Anything that could have been blocked will generate an event
    • Use it to tune your ruleset before going to blocking mode
  • A must-have for critical servers (including DCs) and POS
• Great tips in SEC505 from @JasonFossen
Grab the data and run!
They know you are not looking
And they have fireworks too!
• Remember, 7 months on average to detect an intrusion
  • With 70% of incidents detected by a third party
• In most cases, this is all caused by the ‘shiny object syndrome’
  • Sending logs to the SIEM just for the sake of it
  • Adding more consoles to ignore
  • Throwing in more noise with ‘glorified blacklists’ (threat feeds)
• And attackers love noise!
• DDoS attacks are being used as a smokescreen for data exfiltration attempts too:
  • Designed to leave enough bandwidth for attackers only
  • Consuming logs, resources… and the attention of the SOC guys too!
Overt Channels
The simple approach is usually the most effective
• Exfiltration via outbound FTP or HTTP/HTTPS connections is most common
  • More than 50% of recent data breaches
  • Especially where speed is prioritized over stealth
• It blends in with normal network traffic and is hard to distinguish from the legitimate activity of users
• Usually using the same channels as C&C (in-band exfiltration)
• Internal staging servers where the collected data is aggregated are used
  • TARGET: Nov. 27 – Dec. 15, 2013 – POS malware began transmitting card data from POS devices back to an exfil server. The exfil server FTP’d the collected card data to external drop servers off the network in various locations (Miami, Brazil, etc…)
  • Malware was coded to exfiltrate card data between the hours of 10 AM and 6 PM
http://www.dafthack.com/blog/targetabreakdownofwhathappened
Covert Channels
Less bandwidth, more covertness
• Attackers will try to evade monitoring using:
  • Encryption (HTTPS, SCP, SFTP, or even asymmetric encryption)
  • Steganography
  • Timing channels
  • Wireless networks
• Protocol tunneling is probably one of the most effective ones
  • Highly effective at evading blocked ports and allowing untrusted applications to evade outbound filtering
  • DNS tunneling is a well-known attacker technique (110 KB/s)
    • ‘A’, AAAA, KEY, TXT, CNAME records could be used to hold covert data
  • BernhardPOS malware used this technique in a massive credit card exfil (July 2015)
http://morphick.com/blog/2015/7/14/bernhardpos-new-pos-malware-discovered-by-morphick
Meet DNSCAT2
Because attackers like ‘cats’, right?
• Ron Bowes’ tool: https://github.com/iagox86
• Great write-up by SANS Instructor Lenny Zeltser: https://zeltser.com/c2-dns-tunneling/
• All the attacker needs is a controlled system running the dnscat2 server piece
• The attacker can:
  • execute arbitrary commands on a victim running the ‘client’ piece
  • also download/upload any additional files to the victim
  • the client can be invoked via PowerShell too
Action 9: Leveraging Proxies and Flow data
You can hide, but you can’t run!
• However, the theft of data can never be completely invisible
• The best strategy consists of monitoring ALL inbound and outbound traffic for context, content and data
• Proxies are awesome devices! – a single point to assess, detect and inspect traffic data
• What about flow data?
  • Useful for metrics or statistics on network usage
  • Chances are your network team already collects it
  • But are you using it for security monitoring purposes?
• Quickwin:
  • Identify the top hosts in your network by volume of outgoing traffic
  • Set alerts on abnormal volumes of data leaving the organization
  • Use full packet captures to complement flow information
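An added example, not from the slides, implementing the two flow quick wins above in Python over a constructed daily flow summary: top talkers by bytes leaving the organization, and per-host volume anomalies measured against each host’s own median of earlier days. The summary format, the internal range 10.0.0.0/8 and the 5x factor are assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address space

# Constructed daily flow summary (day src dst bytes_from_src_to_dst); not real NetFlow.
# 10.1.4.31 suddenly pushes ~480 MB out on 09-10; 10.1.4.40 -> 10.1.9.5 stays internal.
FLOWS = """\
2015-09-07 10.1.4.22 203.0.113.9 12000000
2015-09-07 10.1.4.31 198.51.100.7 3000000
2015-09-08 10.1.4.22 203.0.113.9 11000000
2015-09-08 10.1.4.31 198.51.100.7 2500000
2015-09-09 10.1.4.22 203.0.113.9 13000000
2015-09-09 10.1.4.31 198.51.100.7 3200000
2015-09-10 10.1.4.22 203.0.113.9 12500000
2015-09-10 10.1.4.31 198.51.100.7 2900000
2015-09-10 10.1.4.31 192.0.2.55 480000000
2015-09-10 10.1.4.40 10.1.9.5 900000000
"""


def daily_outbound(flows_text):
    """src -> {day: bytes}, counting only traffic that leaves the internal range."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        day, src, dst, nbytes = line.split()
        if ipaddress.ip_address(src) in INTERNAL and ipaddress.ip_address(dst) not in INTERNAL:
            totals[src][day] += int(nbytes)
    return totals


def top_talkers(totals, day, n=10):
    """Hosts ranked by bytes sent out of the organization on `day`."""
    ranked = [(src, per_day[day]) for src, per_day in totals.items() if day in per_day]
    return sorted(ranked, key=lambda item: item[1], reverse=True)[:n]


def volume_anomalies(totals, day, factor=5.0, min_history=3):
    """(src, bytes_today, baseline) where today exceeds `factor` x the host's own
    median of earlier days. Per-host baselines avoid flagging a busy mail server
    that is merely being itself."""
    alerts = []
    for src, per_day in totals.items():
        history = [b for d, b in per_day.items() if d < day]
        if len(history) < min_history:
            continue
        baseline = statistics.median(history)
        today = per_day.get(day, 0)
        if baseline > 0 and today > factor * baseline:
            alerts.append((src, today, baseline))
    return alerts


if __name__ == "__main__":
    totals = daily_outbound(FLOWS)
    print("top talkers:", top_talkers(totals, "2015-09-10"))
    print("anomalies:", volume_anomalies(totals, "2015-09-10"))
```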
Action 10: The Ultimate CCTV - Full Packet Captures
PCAPs or it didn’t happen!
• Storing netflow data is not enough
• Detecting most attacks requires verifying the contents of the packets
• They are extremely valuable for:
  • IDS verification
  • Post-exploitation analysis
  • Exfiltration analysis
  • Network forensics
• Disk storage is cheap!
• Security Onion can automate this process for you: http://blog.securityonion.net/
http://www.netresec.com/?page=Blog&month=201405&post=PCAP-or-it-didn%27t-happen
Unleashing the dogs! (or how to Hunt with ‘gusto’)
Rastrea2r on GitHub
Hunting for IOCs with ‘gusto’ and style
• Rastrea2r (pronounced rastreador):
  • https://github.com/aboutsecurity/rastrea2r
  • Multiplatform (win32/64, Linux and OS X)
  • Uses a RESTful API to report YARA scans
  • Can run Sysinternals, system commands and other 3rd party tools remotely on endpoints
  • Easy to integrate with McAfee ePO
  • Built in Python (compiled binaries available) and open source!
• Current functionality in v0.5:
  • yara-disk: YARA scan for file/directory objects on disk
  • yara-mem: YARA scan for running processes in memory
  • memdump: acquires a memory dump from the endpoint ** Win only
  • triage: collects triage information from the endpoint ** Win only
Remember…
It’s all about people
• We are not fighting binaries, we are fighting people
• EFFECTIVE cyber defense requires highly trained, multi-disciplinary skills
• Pentesters get training, forensic analysts get training, but what about cyber defenders?
• Defending is more difficult than attacking
  • You always have to be RIGHT, no mistakes
• I’ve heard there is a great curriculum at SANS… ;)
Further References
Links, links, links!
• A Thief’s Perspective: the five attack methods that made up the majority of the almost 55 million attacks in Q1 2015
  • http://www.mcafee.com/us/resources/reports/rp-dissecting-top-5-network-methods-thiefsperspective.pdf
• 10 Biggest Mistakes in Implementing Continuous Monitoring
  • https://files.sans.org/summit/SOC_Summit_2015/PDFs/10-Biggest-Mistakes-in-ImplementingContinuous-Monitoring-Ismael-Valenzuela.pdf
• On Network Security Monitoring and Malware detection techniques
  • https://digital-forensics.sans.org/summitarchives/Prague_Summit/Catching_Bayas_on_the_wire_Ismael_Valenzuela.pdf
Gracias!
@aboutsecurity
http://blog.ismaelvalenzuela.com
[email protected]
Learn More at:
http://www.intelsecurity.com
http://www.foundstone.com
http://blog.opensecurityresearch.com
Connect with us:
@intelsecurity - @foundstone
Thought Leadership
Contributing authors to all
editions of Hacking Exposed
Competition Judges/Mentors
Professors and Lecturers
blog.opensecurityresearch.com
Foundstone.com
Free Tools and Whitepapers!