Word of the Day: Exfiltrate

ClearPath Forward | 5 minute read | Jan 24th, 2013

Multiple choice: Exfiltrate is . . .

  1. What’s left over after your filter removes harmful substances. “Harry, I think you better change the water filter. The exfiltrate looks cloudy.”
  2. Removal of a layer of carbon atoms. “Professor, was it hard for those Nobel Prize winners to exfiltrate the graphite to get graphene?”
  3. To leave a locale to escape prosecution. “Rocky, me and the boys gotta exfiltrate ’cause things are heating up here.”
  4. Someone wanted for crimes in another country. “Canadian officials arrested three exfiltrates and returned them to the United States.”
  5. To observe from the outside. “We couldn’t infiltrate the organization, but with modern surveillance equipment we can exfiltrate them.”
  6. To obscure classified information. “We finally got a letter from Johnny, but it was so heavily exfiltrated that there weren’t any complete sentences.”

If you selected (1) through (6), you’re just guessing. Although there are other definitions of exfiltrate—some similar to the foils above—the one we’re interested in today is “(7) to take sensitive data out of a victim’s environment.”

Here’s the way Symantec describes it in their white paper, Anatomy of a Data Breach: Why Breaches Happen and What to Do About It:

“Exfiltration. Confidential data is sent back to the hacker team either in the clear (by Web mail, for example), wrapped in encrypted packets or zipped files with password protection.”

Exfiltration can be done at the hands of an insider—perhaps a dishonest employee or a well-meaning but poorly trained worker tricked into sending data that should remain confidential—but for this blog I’d like to concentrate on exfiltration resulting from outside attacks.

Well-organized criminal enterprises stage large amounts of captured data on exfiltration servers, where it is picked up later by retrieval agents. These servers could be systems outside the targeted enterprise, accumulating data that was sent out in smaller pieces, or they could be compromised servers within the victim’s own network. The data could be escaping disguised as email, PDF files, .doc, .xls, CAD, graphics files or other common file types carrying hidden payloads.

How does this happen?

It starts with attackers getting into a company’s systems. Stolen login credentials and spyware such as keystroke loggers are two of the most common incursion methods.

The attacker, or malware operating on his behalf, next sniffs around electronically to locate valuable confidential data. The typical next step is copying the information to exfiltration servers, and the final step is retrieval of the information by the attackers, who are then poised to sell it to the highest bidder or use it themselves.

What can you do about it?

Start by taking steps to prevent the initial incursion. For example,

  • Establish and enforce policies for secure storage and handling of confidential data.
  • Train your staff on basic security procedures.
  • Use ClearPath OS 2200’s hacker frustration features and other techniques that make it harder for an attacker to gain system access.
  • Deploy malware prevention software on your Internet-facing systems.

Also make sure your important data is protected. For example,

  • Use Guard Files (ClearPath MCP) and ACRs (ClearPath OS 2200) to restrict access to the data.
  • Encrypt the data so that if it is exfiltrated without the encryption keys, the attackers will not be able to read it.

Then monitor for suspicious activity and be prepared to take quick action. For example,

  • Monitor outbound traffic. You don’t have any clients in the Far East, but you see data periodically going there from your networks? Hmm.
  • Identify suspicious data on your servers. What about those RAR files (an archive format developed in Russia and popular there) that appeared a couple of weeks ago and seem to be growing in size? Hmm, again.
  • Identify suspicious system behavior. Network traffic peaked at 3:00 a.m., when nothing significant is running on the system? Hmm, once again.
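The three monitoring checks above can be reduced to simple rules run over outbound-flow records and periodic file inventories. The script below is an added example written for this post, not code from the original post or from Unisys; the flow records, the file-size snapshots, the set of countries the business deals with, the business-hours window and the byte thresholds are all constructed assumptions that a real deployment would replace with its own NetFlow export, file-integrity inventory and tuning.

```python
"""Flag the three exfiltration signals discussed above over constructed sample data.

Checks:
  1. outbound bytes to countries where the business has no clients
  2. the same external host receiving data on several different days (periodic)
  3. large transfers outside business hours
  4. archive files on a server that keep growing between inventory snapshots
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not real traffic):
# (timestamp, source host, destination host, destination country, bytes out)
FLOWS = [
    ("2013-01-20 10:15:00", "10.1.2.30", "203.0.113.10", "US", 120_000),
    ("2013-01-20 03:02:00", "10.1.2.44", "198.51.100.7", "CN", 850_000_000),
    ("2013-01-21 03:05:00", "10.1.2.44", "198.51.100.7", "CN", 910_000_000),
    ("2013-01-21 14:30:00", "10.1.2.30", "203.0.113.22", "DE", 4_000_000),
    ("2013-01-22 03:01:00", "10.1.2.44", "198.51.100.7", "CN", 880_000_000),
]

# Assumptions a real deployment would tune: where the business actually has
# clients, what counts as business hours, and how big an off-hours flow must
# be before it is worth a look.
ALLOWED_COUNTRIES = {"US", "DE", "CA"}
BUSINESS_HOURS = range(7, 20)          # 07:00 to 19:59 local time
OFF_HOURS_BYTES = 100_000_000          # 100 MB in one off-hours flow


def unexpected_destinations(flows, allowed=ALLOWED_COUNTRIES):
    """Total bytes sent to each country the business has no dealings with."""
    totals = defaultdict(int)
    for _ts, _src, _dst, country, nbytes in flows:
        if country not in allowed:
            totals[country] += nbytes
    return dict(totals)


def periodic_destinations(flows, min_days=3):
    """External hosts that received data on at least min_days distinct days."""
    days_seen = defaultdict(set)
    for ts, _src, dst, _country, _nbytes in flows:
        days_seen[dst].add(ts[:10])
    return {dst for dst, days in days_seen.items() if len(days) >= min_days}


def off_hours_bulk_transfers(flows, hours=BUSINESS_HOURS, threshold=OFF_HOURS_BYTES):
    """Flows outside business hours that moved at least `threshold` bytes."""
    hits = []
    for ts, src, dst, _country, nbytes in flows:
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        if hour not in hours and nbytes >= threshold:
            hits.append((ts, src, dst, nbytes))
    return hits


# Constructed daily inventory snapshots of one file share: path -> size in bytes.
SNAPSHOTS = [
    {"/srv/share/tmp/backup.rar": 50_000_000, "/srv/share/q4.xls": 300_000},
    {"/srv/share/tmp/backup.rar": 320_000_000, "/srv/share/q4.xls": 300_000},
    {"/srv/share/tmp/backup.rar": 910_000_000, "/srv/share/q4.xls": 300_000},
]
ARCHIVE_SUFFIXES = (".rar", ".zip", ".7z")


def growing_archives(snapshots, suffixes=ARCHIVE_SUFFIXES):
    """Archive files whose size increased in every successive snapshot."""
    found = []
    for path in snapshots[-1]:
        if not path.lower().endswith(suffixes):
            continue
        sizes = [snap.get(path) for snap in snapshots]
        if None in sizes:
            continue  # file did not exist in every snapshot
        if all(a < b for a, b in zip(sizes, sizes[1:])):
            found.append((path, sizes[0], sizes[-1]))
    return found


if __name__ == "__main__":
    print("bytes to unexpected countries:", unexpected_destinations(FLOWS))
    print("hosts receiving data on several days:", periodic_destinations(FLOWS))
    print("off-hours bulk transfers:", off_hours_bulk_transfers(FLOWS))
    print("growing archives:", growing_archives(SNAPSHOTS))
```

Each rule on its own produces false positives (a legitimate overnight backup job, a CDN node in an unexpected country), so the point of running them together is correlation: in the sample data the same internal host pushes hundreds of megabytes to the same unexpected host at about 3:00 a.m. on three consecutive nights while an archive on a share grows at a similar rate, and that combination is what deserves an investigation rather than any single hit.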

Of course, if the attackers have gotten into your servers, you might figure that the game is up and you’ve lost all your proprietary information. But that’s not always the case. Sometimes attackers don’t immediately find and exfiltrate the data they want. Verizon’s 2012 Data Breach Investigations Report includes this somewhat encouraging statistic:

“In over 40% of incidents we investigated, it took attackers a day or more to locate and exfiltrate data. This gives some hope that reasonable time exists for more than one shot at detecting/stopping the incident before data is completely removed from a victim’s control.”

Furthermore, the class of attacks known as Advanced Persistent Threats involves malware agents that remain on your servers and continue to steal your data over a period of weeks, months, or longer. (See my September 14, 2012, blog post, Advanced Persistent Threat, for more on this topic.)

So even though competitors halfway around the world might be looking over your plans for the Model One Outboard Turfenfoil today, you still can thwart their attempts to learn about the Model Two if you apply diligent security measures that prevent further exfiltration.