If a highly-sophisticated and motivated adversary wants into your network, then they will find a way. Proactive protection and a defense-in-depth approach to cybersecurity are imperative, but we must never forget the mantra, “assume compromise.”

Pragmatically, this ideal is most often put into practice through authentication, authorization and network segmentation. However, detecting data exfiltration is one of many anomalies that can be identified when looking through the lens of assumed compromise.

There are so many vectors for cyberattacks that it would be an exercise in futility to try to list them all. That is why it is so unbelievable when a cybersecurity solution claims to be the last line of defense. Cyberattacks will always focus on the weakest link. Once an initial compromise occurs, there are a variety of tactics, techniques and procedures (TTPs) that cyberattacks use to establish persistence, elevate privileges and move laterally across the network.

There are nearly as many motives for a cyberattack as there are modes of operating, but we’re seeing more and more of them culminate in some sort of data exfiltration — techniques that adversaries may use to steal data from your network. Even ransomware attacks are now stealing away data before encrypting systems on the networks.

Once an adversary collects the data they want, they often package it to avoid detection while removing it. This includes compression and encryption. The techniques for exfiltrating data out of a compromised network include transferring it through a command and control (C2) channel to a server they control out on the internet. Sophisticated attackers know to limit the size of their transmission, so they may break it into several smaller packages.

Data exfiltration also leverages backdoors to bypass authentication and encryption controls. Backdoors have built-in upload and download functionality similar to Remote Access Trojans (RATs). They often use ports such as 80 and 443 (for HTTP or HTTPS) to obfuscate their traffic, effectively bypassing the connection restriction every time they use HTTP to transmit data.

Network Monitoring Detects Data Exfiltration

A working knowledge of the techniques described above is required to identify data exfiltration. Here is one example of how a security operations center (SOC), incident response (IR) or threat hunting team could discover data exfiltration through the use of network monitoring.

As a prerequisite to the investigation, one must first establish a network baseline to ensure that the analysis understands the context of the operational environment. This baseline should include items like IP ranges, ports, protocols and services, traffic volume, remote access permissions and any specialized software.

Network monitoring can establish this baseline by gaining visibility into every connected device, device behaviors, connections and communications patterns. Recording this typical behavior becomes the baseline. Next, set rules and policies in place that will monitor for deviations from the baseline.

Once a baseline is established, a network traffic sensor should be deployed to monitor and capture live network telemetry. That telemetry should then be ingested by a monitoring solution or SIEM to look for anomalous behavior that deviates from the baseline.

For example, a review of outbound ports could reveal the use of a port (e.g., port 8888) that was not identified as being associated with a legitimate use during baselining. Upon detection of the anomalous traffic, a rule can be created to generate an alert that more quickly identifies this type of anomalous behavior. 

Introducing automated enforcement action, such as disconnecting the system performing the exfiltration, significantly reduces the risk posed by human error or unnecessary delays in taking action. In turn, the risks associated with data exfiltration can be minimized. The following steps provide an overview of how to introduce and properly leverage automation:

• Establish baselines for normal network behavior via network monitoring.
• Define when enforcement actions (i.e., alert, isolation, remediation) are triggered.
• Implement network access control to isolate devices on demand.
• Integrate with SOAR solutions to orchestrate actions based on a condition matching or an event.
• Monitor for abnormal traffic deviations and automate mitigation actions to the greatest extent feasible.

Essentially, automation enables the creation of real-time if-then decision trees, which are logically executed to perform the requisite actions to mitigate these risks.

Automation shouldn’t be viewed as a panacea but as a critical component of the approach that achieves the larger objective — getting to the bottom of potential data exfiltration in a shorter period of time and freeing up a team’s ability to tackle the countless other assignments and areas that need evaluating to improve the enterprise’s security posture.