
Detecting and Deterring

Data Exfiltration
Guide for Implementers
February 2014
MWR would like to acknowledge the help and
support of CPNI in researching this topic
and producing the accompanying products.
Data Exfiltration | Contents Guide for Implementers | February 2014

Contents

Introduction 4
Anatomy of a Typical Attack 5
Current Exfiltration Tactics 6
    Different Attackers, Different Tactics 6
    Identification of Data 6
    Aggregation and Preparation of Data 8
    Exfiltration Channels 8
Future Exfiltration Tactics 10
    Changes to Data Aggregation and Preparation 11
    The Future is Cloudy 11
    Exfiltration by Popular Websites 12
    Everything as a Service 13
    Mobile Devices and Remote Working 13
    Covert Channels 14
    Out-of-Band Channels 14
Increasing Organisational Resilience 15
    Business Considerations 15
    Information Classification 16
    Logging 20
    Segregation of Information 22
    Segregation of Networks 23
    Host Hardening 26
    Movement of Data Internally 28
    Movement of Data at Perimeter 30
    Honeypots 31
    Adaptive Defence 32
Summary 35
Glossary 36
Quick Wins 37
A Day in the Life of an Attacker and a Defender 38
Case Studies 39
Further Reading 40
References 41

mwrinfosecurity.com | CPNI.gov.uk 3/44



Introduction

In today’s world, an organisation’s digital resources are likely to be among its most sensitive and valuable assets. If a competitor were to obtain details of research and development, financial information, business processes, or intended developments and acquisitions, it could prove commercially disastrous. Hence foreign nations are investing huge amounts in state-supported cyber attacks to obtain these assets for use by organisations within their own countries.

The attacks are almost always successful. Modern organisations are so large, diverse and complicated that they are frequently unaware of what sensitive documents they possess, let alone how to defend them appropriately. Furthermore, an organisation’s network perimeters will be highly porous and susceptible to attack via a host of new technologies, such as remote access, cloud services, home working, partnerships, and so on. The internal networks of modern organisations are also complex and interlinked, having grown from principles of usability rather than security, which means that it can prove extremely difficult to detect attackers once they are within the network. This is partly because detection methods often focus on spotting ‘bad’ patterns of behaviour, so that attackers can avoid detection simply by restricting themselves to ‘good’ patterns – such as accessing the CEO’s email from the CEO’s own laptop.

Data can have real value to attackers, potentially in the region of millions or even billions of pounds where intellectual property and negotiation positions are concerned. Attacker motivation and resourcing, combined with modern networks that are highly complex and porous, mean that it is simply not possible to guarantee the prevention of data exfiltration. If necessary, attackers can spend years slowly mapping out an organisation, observing legitimate behaviour to avoid tripping defences and gradually working towards their objectives. If they come up against defences, the attackers can either learn to bypass the controls directly, or compromise the company that produces a control in order to bypass it [1].

However, organisations can significantly increase the number of opportunities they have to detect and repel attackers. In so doing, they can escalate the cost and complexity for the attacker, reduce the potential business impact on themselves, and even develop advanced strategies that will deter the attacker from targeting them in future.

This white paper gives a high-level overview of a typical attack (see section on ‘Anatomy of a Typical Attack’) and then covers the current tactics used by attackers to acquire and exfiltrate data (section ‘Current Exfiltration Tactics’). Current business trends and attacker trends are then extrapolated to predict the likely future developments in exfiltration strategy (section ‘Future Exfiltration Tactics’). The majority of the white paper, however, focuses on the steps that will give organisations the best chance of detecting and deterring data exfiltration (section ‘Increasing Organisational Resilience’), before concluding with a summary. The appendices contain a glossary of terms, recommended further reading, and a list of ‘quick wins’ that can increase an organisation’s resilience while a more comprehensive defence programme is being developed.

The advice given in this document is not intended to be a complete and thorough guide to all the steps needed to build a defensive programme, as each subsection of ‘Increasing Organisational Resilience’ is a broad topic in its own right. Instead, this document aims to highlight the areas that an organisation needs to consider, and some of the aspects to be aware of when tying them together into a defensive programme.




Timeline of notable events in state-sponsored hacking

1986  Russia-sponsored hacker compromises US government & military computers
1988  DARPA and Carnegie Mellon University form the first CERT
1997  ‘Eligible Receiver’ exercise shows vulnerability of US government systems
2010  Over 30 companies compromised in ‘Operation Aurora’
2011  Over 70 companies compromised in ‘Operation Shady RAT’
2011  Over 20 companies in energy sector compromised in ‘Operation Night Dragon’

Anatomy of a Typical Attack

Attacks typically break down into several phases and some attackers are known to have entirely separate teams to deal with each phase, before handing over to the next team. In a typical attack, an organisation will first be researched and investigated to identify specific individuals to target and the relevant technologies in use. Those individuals will then be targeted with client-side attacks that might be delivered by spear phishing or watering holes (where websites regularly visited by targeted individuals are compromised – and infected with malware for targets to download). Once the targeted individuals have been compromised in this way, attackers will typically set up remote access / command and control malware (C&C) from which to conduct the rest of the attack.

Now in the internal network, the attackers will move horizontally or vertically through the network to gain access to the information they seek. Once they have accessed the data, attackers will frequently collate the information within the network before, finally, they exfiltrate the full set of data.

This document covers the stages after initial compromise and the C&C has been set up. As such, it covers a highly uncomfortable but altogether too common scenario, in which the attackers have already compromised the organisation’s perimeter and are now obtaining the targeted information. In many cases, attackers will remain resident in an organisation’s network for years, continually acquiring and exfiltrating new data as it becomes available.

Figure: Phases of an attack that seeks to acquire data
Reconnaissance -> Initial compromise (phishing) -> Set up C&C -> Identify, acquire and aggregate data -> Exfiltrate data
(The final two phases are those covered by this document.)




Current Exfiltration Tactics

Different Attackers, Different Tactics

A number of groups are known to exist that will target UK industry and government bodies in an attempt to obtain sensitive data. The motivations and tactics of these groups can be varied: some are highly targeted and careful to avoid detection for fear of political fallout, while others are less wary and adopt noisy, low-skilled attacks but in a volume that makes them highly successful at acquiring terabytes of critical data. Although attributing attacks is generally difficult, the tactics can sometimes be distinctive enough to make it possible to identify the group behind the attack. On occasion, experienced analysts are able to identify not just the group, but the subgroup or even the individual perpetrating the attack [2].

The distinctive tactics will often depend on the target under attack – for example, whether it’s a specific company or an entire industry sector. Differences in tactics can be observed in the nature of the first entry into the system, the C&C channel (common RAT or custom-written) and, once in the network, the tools used to achieve the objectives. Another key distinguishing tactic is the type of data targeted: whether it is data related to a specific project or current negotiation, or whether the attacker’s net is cast wide in an attempt to gain information about the whole of an organisation’s key business.

The level of expertise and resources can vary as well. Some attackers have very little skill and low resources but are able to call on more advanced groups when necessary [1]. Other, more skilled groups are able to deploy zero-day exploits (before a patch is available) and custom payloads. Due to this variability, defenders need to be flexible in their defences and, in general, they will benefit from focusing on defending the assets rather than thwarting specific attackers. However, if an organisation is experiencing a heightened threat from a particular group, it can be beneficial to adopt a more threat-centric approach.

Identification of Data

Once a network has been compromised and the C&C infrastructure set up, attackers will need to seek out the data that is useful to them. This is rarely data that relates solely to a specific project, but will more usually be wider information relating to the organisation, its structure, network topologies, connections to the outside world – and its defences. CPNI has produced comprehensive advice under the title ‘Protecting Information About Networks, the Organisation and its Systems (PIANOS)’ [3].

To identify information of interest, some attackers will simply list the machines on the domain and then mount the file shares of machines that sound relevant from their hostname or description. Attackers then browse the file shares for folders or documents of potential interest.

More advanced attackers, or attackers who have no success with browsing files, will attempt more targeted identification of information using resources such as wikis and SharePoints. Typically, a great deal of information useful to an attacker is available with low privilege credentials, as details of individuals and organisational structure are usually available to all employees on internal portals or document management systems. Once the individuals with access to the required documents have been identified, attackers will be able to focus on horizontal and vertical movement throughout the network to obtain the remainder of the information they seek. Attackers will use a variety of techniques to move through the network, including keylogging, privilege escalation exploits and password dumping and cracking.




Figure: An attacker’s techniques will depend on the accessibility of the information and how stealthy the attacker wishes to be
1. From the compromised computer, the attacker directly accesses the files.
2. The attacker identifies a legitimate user of the files (identified: CEO – b.smith) and impersonates that user (login: b.smith).
3. The attacker compromises the computer of a legitimate user of the files (the CEO’s machine) and accesses the files from there.

Attackers often focus on the small subset of individuals that have access to the data they need. In one compromise of a large organisation with tens of thousands of employees, the attackers were found on only five computers; however, these five computers allowed access to all information of interest to the attackers, as they belonged to the head of networking, head of research, and so on.

Once key individuals have been identified, common targets for attackers will be mailboxes, shared drives, SharePoint sites, and the contents of the hard drive or individual file storage of those key individuals. There is also evidence of attackers searching such locations as the recycle bin or deleted emails in the hunt for documents of interest. Attackers will search logically (for the location of all projects, for example), but they will also search for a number of keywords, which might include such terms as ‘restricted’ or ‘sensitive’.

Attackers also tend to show considerable interest in defensive plans and hence will target the computers and mailboxes of senior security personnel, as well as attempting to identify details of logging, alerting and SIEM infrastructure. In addition, attackers are often observed attempting to identify relationships with external bodies that might be advising on defence – and to discover what advice those bodies have given.




Aggregation and Preparation of Data

A number of attacker groups also appear to share a tactic of preparing files for exfiltration. Although files will be obtained from throughout the network, they will often be aggregated on a particular host, typically either a system that is not interactively used (such as a printer server), or the host being used for the internal phase of the attack. Files will be hidden there, often in directories that are unlikely to be inspected by anyone who happens to use the host – such as the recycle bin, or Windows system, or temporary folders. More advanced attackers might also attempt to disguise the files, both during the aggregation and exfiltration stages. Tactics seen here include changing the extensions and magic numbers of files, or even packaging files within other file types, such as Microsoft Office documents or executable files.

Once the files have been collected, attackers often prepare them for transport by compressing and potentially encrypting them. The most common method of compressing the files involves built-in Windows functionality such as zip or cab files (which can be created with a tool from Microsoft). Some attackers will use other compression tools or encryption functionality, or occasionally custom-written tools. Compressing files into an archive is advantageous for the attacker for two reasons. First, it means that only a single transfer is required, rather than one for each file; and secondly, it can serve to hide the files on the network and at the perimeter, particularly if the files are also encrypted.

Exfiltration Channels

Controls currently used by most organisations do not prevent simple exfiltration channels and hence attackers are relatively unrestrained when it comes to their exfiltration method. Attackers therefore tend to use simple, reliable, overt, high-bandwidth methods, typically the protocols by which any technical user is likely to transfer a large file.

C&C Channel

During a compromise, attackers will typically install C&C malware from which to attack the internal network. The malware communicates with the attacker’s supporting infrastructure, allowing external control. Different C&C tools use different methods to communicate and attackers will often use the C&C channel to exfiltrate data, as they know the connection works and has not been prevented by the organisation’s defences. However, C&C channels tend to be used only for small volumes of files, as higher-bandwidth methods are often available for large file archives. CPNI has produced separate guidance regarding the detection of C&C channels [4].

HTTP/S

A common method for uploading files is transfer over HTTP or HTTPS [5]. This is a reliable protocol that enables large file transfers and has the added benefit that it is probably allowed through a web proxy, even if direct outbound connections are prohibited. Many C&C tools use HTTP and HTTPS as a communications channel; however, some have been observed that do not, and yet still use HTTP uploads to exfiltrate files. HTTPS has the additional benefit (for the attacker) that unless organisations are using SSL interception (and the attacker’s tool accepts the intercepting certificate), investigators will not be able to determine what was being exfiltrated from network packet captures.

FTP/SFTP

The File Transfer Protocol (FTP) is another reliable method for transferring large files to remote hosts, and one that attackers frequently use to exfiltrate files to their own infrastructure. Rather than attempting to find an FTP server owned by the organisation, and using that, they will often take advantage of a lack of firewall rules preventing outbound connections and simply connect to their own FTP server to upload files. Windows and Linux systems typically come with built-in FTP functionality and so attackers do not need to risk using their own tools, which might be detected.

Some attackers use SSH services such as SFTP (Secure FTP) and SCP (Secure Copy) to transfer files. These utilities are likely to be found on Linux servers that the target organisation might be using, or attackers can use their own tools. Such services are encrypted, meaning that investigators would not be able to tell from packet captures or network taps what was being exfiltrated.

Email

The vast majority of organisations allow email (SMTP traffic) to arbitrary addresses, even when other outbound connections are prevented, and so attackers will sometimes exfiltrate files by this method. Exfiltration by email does not typically require the attacker to supply tools, as the majority of systems that might be compromised will already have the necessary tools. However, many organisations limit the size and nature of attachments, hence attackers will often send the data, obfuscated or encrypted, in many small chunks. Tools are likely to be required to prepare the data appropriately for exfiltration. Alternatively, attackers can use third-party cloud email services (see below) to bypass restrictions put in place by the organisation’s mail servers.
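The aggregation tactics described above (archives renamed to look like something else, changed extensions and magic numbers, files parked in the recycle bin or the Windows system and temp folders) give a host-based defender something concrete to look for. The following Python script is an added example and is not part of the MWR/CPNI paper: it walks a directory tree, compares each file’s leading bytes against a small signature table, and reports two things, an extension that does not match the file’s real type, and an archive sitting in one of the staging locations the paper names. The signature table, the list of suspect directories and the sample tree are all constructed for the demonstration; Office documents are ZIP containers, so the table treats a .docx beginning with “PK” as benign.

```python
import os
import tempfile

# Leading bytes (magic numbers) and the extensions that legitimately carry them.
# Office files are ZIP containers, so a .docx that starts with "PK" is not suspicious.
SIGNATURES = {
    b"PK\x03\x04": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    b"MSCF": {".cab"},
    b"Rar!\x1a\x07": {".rar"},
    b"7z\xbc\xaf\x27\x1c": {".7z"},
    b"\xff\xd8\xff": {".jpg", ".jpeg"},
    b"\x89PNG\r\n\x1a\n": {".png"},
    b"MZ": {".exe", ".dll", ".sys"},
}
ARCHIVE_MAGICS = (b"PK\x03\x04", b"MSCF", b"Rar!\x1a\x07", b"7z\xbc\xaf\x27\x1c")

# Staging locations the paper mentions (recycle bin, Windows system and temp folders),
# matched as lower-case fragments of the path relative to the scan root (assumed list).
SUSPECT_DIRS = ("/$recycle.bin/", "/recycler/", "/windows/temp/",
                "/windows/system32/", "/appdata/local/temp/")


def identify(head):
    """Return (magic, allowed_extensions) for the first matching signature, else (None, None)."""
    for magic, exts in SIGNATURES.items():
        if head.startswith(magic):
            return magic, exts
    return None, None


def inspect_file(rel_path, head):
    """Findings for one file, given its path relative to the scan root and its first bytes."""
    findings = []
    ext = os.path.splitext(rel_path)[1].lower()
    magic, allowed = identify(head)
    if magic is not None and ext not in allowed:
        findings.append(f"extension/magic mismatch: {rel_path} starts with {magic!r}")
    norm = "/" + rel_path.replace("\\", "/").lower() + "/"
    if magic in ARCHIVE_MAGICS and any(d in norm for d in SUSPECT_DIRS):
        findings.append(f"archive staged in unusual location: {rel_path}")
    return findings


def scan_tree(root):
    """Walk root, read the first 16 bytes of every file and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(16)
            findings.extend(inspect_file(os.path.relpath(full, root), head))
    return findings


def build_sample_tree():
    """Constructed sample tree: two benign files and two staged archives (no real data)."""
    root = tempfile.mkdtemp(prefix="exfil-demo-")
    samples = {
        "Users/b.smith/Pictures/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,  # genuine JPEG header
        "Users/b.smith/Documents/report.docx": b"PK\x03\x04" + b"\x00" * 28,       # Office file: benign ZIP
        "Windows/Temp/~tmp0001.jpg": b"PK\x03\x04" + b"\x00" * 28,                 # ZIP renamed to .jpg in Temp
        "$Recycle.Bin/S-1-5-21-demo/sys.cab": b"MSCF" + b"\x00" * 28,              # CAB parked in the recycle bin
    }
    for rel, data in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for line in scan_tree(build_sample_tree()):
        print(line)
```

Run against the sample tree this reports three findings: the renamed archive in Windows\Temp is caught twice (wrong extension and suspect location) and the CAB in the recycle bin once; the holiday photo and the Word document produce nothing. A signature check of this kind will not see files an attacker has embedded inside a genuine Office document or executable, which the paper also describes, so it complements rather than replaces the logging and segregation controls covered later.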




Cloud Services

A rapidly emerging vector for exfiltration, and one which attackers are occasionally using for C&C as well as for exfiltration, is the increasing array of cloud services. Many large and reputable companies offer free cloud storage or email with little or no verification of account owners and so threat actors are readily able to open accounts for use in exfiltration. The use of cloud storage has several benefits to an attacker:

• The traffic is often encrypted with SSL, meaning it is significantly more difficult for investigators to analyse.
• The traffic will traverse an HTTP proxy, meaning a direct outbound connection from a compromised machine is not required.
• Employees are likely to use such cloud offerings on a regular basis, making it difficult to detect a threat actor who is using the channel to exfiltrate data.
• The use of a cloud service as a third party will obscure the final destination of the exfiltrated data and make it harder to design indicators of compromise.

Attackers now often bundle tools that can upload data to cloud services, and there are increasing signs that they are using such services as exfiltration vectors.

RDP

Microsoft’s Remote Desktop Protocol (RDP) enables a user to log into a machine remotely and control it exactly as if the remote user were sitting directly in front of the machine. Some prolific attacking groups use RDP as a key mechanism for attacking a network once credentials have been obtained. As well as allowing control of a machine, the RDP protocol also enables the remote transfer of files, either by mounting drives from the attacker’s machine onto the remote machine or through copy and paste operations. RDP connections are typically encrypted and, although it is possible for investigators to decrypt the traffic, they will first need to obtain the keys from the server.

IRC

Although less common these days, Internet Relay Chat (IRC) is still used for both C&C and exfiltration. The IRC protocol was designed to allow chatting online, and it supports functionality such as file transfers. It remains popular as a C&C mechanism as it lends itself well to controlling multiple targets simultaneously: in such cases, the C&C malware of each target logs into a chat room, where the attacker can issue commands to all infected machines at the same time. Exfiltration of data can then be triggered using the Direct Client Connect (DCC) SEND subprotocol of IRC. IRC can also be tunnelled through SSL, thereby impeding investigators attempting to identify what was exfiltrated from packet captures or network taps.
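Both the HTTP/S channel above and the cloud-storage bullets make the same point from the defender’s side: SSL hides what was uploaded, but the upload still passes through the organisation’s web proxy, and the proxy log records how much went where. The script below is an added example, not taken from the paper, showing the kind of aggregation a defender can run over proxy logs. The log format (epoch, user, client IP, method, host, bytes sent, bytes received, status), the thresholds and the internal-domain allowlist are assumptions for the demonstration, and the log lines are constructed, not captured from a real network. It flags a user/host pair either when the total sent exceeds a volume threshold or when the upload-to-download ratio is far from what browsing produces.

```python
from collections import defaultdict

MIB = 1024 * 1024

# Constructed proxy log (not from any real deployment), one request per line:
# epoch_seconds user client_ip method host bytes_sent bytes_received status
SAMPLE_LOG = """\
1391990400 b.smith 10.1.2.33 GET www.example.com 512 48210 200
1391990460 b.smith 10.1.2.33 GET cdn.example.com 430 1203300 200
1391990520 j.doe 10.1.2.51 POST drive.cloud-storage.example 26214400 1150 200
1391990580 j.doe 10.1.2.51 POST drive.cloud-storage.example 26214400 1150 200
1391990640 j.doe 10.1.2.51 POST drive.cloud-storage.example 26214400 1150 200
1391990700 a.jones 10.1.2.70 POST mail.webmail.example 3145728 2048 200
1391990760 b.smith 10.1.2.33 POST intranet.corp.example 2097152 900 200
"""

# Hosts whose uploads are expected (assumed allowlist; a real one comes from asset inventory).
INTERNAL_SUFFIXES = (".corp.example",)


def parse(log_text):
    """Yield one dict per request from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, method, host, sent, recv, status = line.split()
        yield {"ts": int(ts), "user": user, "host": host, "method": method,
               "sent": int(sent), "recv": int(recv)}


def summarise(records):
    """Total bytes sent/received and request count per (user, host)."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0, "requests": 0})
    for r in records:
        t = totals[(r["user"], r["host"])]
        t["sent"] += r["sent"]
        t["recv"] += r["recv"]
        t["requests"] += 1
    return totals


def flag(totals, send_threshold=50 * MIB, ratio_threshold=100, min_sent=MIB,
         internal=INTERNAL_SUFFIXES):
    """Return (user, host, reason) for pairs that upload a lot, or upload far more than they download."""
    alerts = []
    for (user, host), t in sorted(totals.items()):
        if host.endswith(internal):
            continue                      # uploads to internal services are expected
        ratio = t["sent"] / max(t["recv"], 1)
        if t["sent"] >= send_threshold:
            alerts.append((user, host, f"{t['sent'] / MIB:.0f} MiB uploaded in {t['requests']} requests"))
        elif t["sent"] >= min_sent and ratio >= ratio_threshold:
            alerts.append((user, host, f"upload:download ratio {ratio:.0f}:1"))
    return alerts


if __name__ == "__main__":
    for user, host, reason in flag(summarise(parse(SAMPLE_LOG))):
        print(f"{user:10} {host:32} {reason}")
```

On the sample this raises two alerts: j.doe’s 75 MiB of POSTs to the storage service trips the volume rule, and a.jones’s 3 MiB to the webmail host trips the ratio rule even though the volume is modest, which is the pattern the Email section describes when data is sent in many small chunks. The internal intranet upload is deliberately skipped to show why an allowlist is needed: without it, any upload-heavy internal service would alert. Thresholds should be set from a baseline of the organisation’s own traffic rather than the constants used here.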




Future Exfiltration Tactics

Currently, attackers are not forced to use particularly advanced techniques, as few organisations beyond government departments dealing with highly classified material have controls in place that detect and deter even basic exfiltration. However, as organisations become more security-aware, attackers will need to use more sophisticated techniques to exfiltrate data.

Current trends suggest that attackers will increasingly utilise services via which organisations allow (or even require) outbound traffic. In this way, attackers will attempt to ‘hide in the noise’ by using channels that are also used legitimately, making it harder to detect at the perimeter. Such services will typically have a large bandwidth for data exfiltration. For particularly hardened targets, attackers might instead use covert or out-of-band channels, which are very difficult to detect but typically have much lower bandwidth than overt techniques. Hence they tend to be useful only for stealing documents of particular interest, rather than entire data sets.

The controls described in the ‘Increasing Organisational Resilience’ section will help an organisation to detect or deter attackers regardless of the exfiltration methods used; however, some business trends, such as increased storage of data in third-party clouds and hosted services, can reduce the effectiveness of those controls and that will need to be factored into risk decisions.

Figure: Traditional networks had defined perimeters and services contained within that perimeter. Modern networks are complex and porous, with cloud services, mobile workers, smart phones, VPN access, and so on.




Changes to Data Aggregation and Preparation

As defensive controls improve, attackers are likely to change their tactics to evade defensive measures. Organisations can expect to see greater abuse of legitimate functionality, as well as greater care taken by attackers when using a targeted account for certain behaviours, in an attempt to avoid detection due to inappropriate access. For example, an attacker dumping the CEO’s email to the CEO’s laptop will look less suspicious than if the mailbox were dumped to a normal workstation. Alternatively, attackers might attempt to recover the mailbox from the laptop itself, rather than from the mail server.

As many organisations move to service-oriented architectures (SOA), where data is exposed through web services, it may be that attackers start to use these interfaces to gather the data, rather than via traditional views such as websites or GUIs. It is important that defenders do not anticipate a specific method of accessing data, as attackers will then simply use other avenues to avoid detection.

There are indications that attackers are already starting to use forensics tools – for example, file carving utilities – to recover deleted (but not securely erased) files. These earlier versions of files can be useful to attackers, particularly if they contain data that was later redacted or classified and deleted. Advanced attackers have already been seen using forensics tools to hide data when aggregating it prior to exfiltration. Attackers are likely to use locations such as Volume Shadow Copy, unused disk space and alternate data streams (ADS), so that investigators examining a machine that appears to be aggregating do not locate the files being prepared for exfiltration [6].

Currently, attackers rarely go to great lengths to prepare files for exfiltration beyond compressing the files into manageable volumes. It is likely that, in the future, greater effort will be invested in preparing the files for exfiltration, both to obscure exfiltration and also to prevent or delay forensic analysis. Attackers are likely to make increasing use of encryption, obfuscation and encoding. This might take the form of encryption of volumes prior to transport, or more advanced techniques – such as steganography into images or videos.

The Future is Cloudy

The previous section described how attackers are using public cloud services to exfiltrate data. This is a trend that is likely to continue and develop. Cloud services make excellent exfiltration vectors as they are typically hosted by reputable companies, employees consider them a part of their daily lives, and they increasingly use SSL to protect communications, thus making interception more difficult.

Attackers can be expected to make more use of cloud storage services such as Google Drive, SkyDrive, Dropbox and Amazon S3. Blacklisting specific sites is unlikely to be an effective prevention, as there are a great many cloud storage services and new ones regularly appear. Further use of cloud services such as exfiltrating data by cloud email (Gmail, Hotmail, Yahoo, etc.) is also likely to increase. In addition, cloud collaboration tools could well be used, as they allow similar functionality in uploading documents to a ‘trusted’ third-party location that the attacker can later access.

This issue can be especially significant if cloud services are used by the organisation, as covered below (see subsection ‘Everything as a Service’).




Exfiltration by Popular Websites

There are many websites that now form a regular part of people’s lives. There is therefore significant pressure, verging on demand, to use those services at work. Many people use social networks throughout the day and, if staff are prevented from doing so, it could cause problems.

However, many popular websites allow uploads of files and text and hence provide a route to exfiltrate data. In particular, where images and videos can be uploaded, it is possible to exfiltrate far larger volumes of information – via data encoded within an image file – than as raw text. Indeed, experiments conducted on major social networks have demonstrated that it is possible to exfiltrate up to 20GB of data in a single file in this way (see box-out).

If attackers move to exfiltrating data through popular websites, it will require a change to controls at the perimeter, since it will be difficult to blacklist or even monitor volumes of traffic when there are often legitimate reasons for large data uploads (for example, an employee uploading holiday photos to a photo-sharing site). However, the remainder of the controls described in the ‘Increasing Organisational Resilience’ section provide multiple opportunities to detect and deter attackers before they can exfiltrate data using such websites.

Box-out: MWR chose a number of popular websites and assessed the potential for exfiltration by uploading and retrieving files. The only data-hiding technique used was to append a zip archive of data to the end of each file before uploading. The retrieval of the files – and the zip archives – was then attempted. This technique is not possible where websites resize or re-encode images/videos, as the extra archive is lost. However, in such circumstances, more advanced data hiding can be used; for example, artefacts can be hidden in the image itself. Where more advanced data-hiding techniques are required, this has been marked as *.

WEBSITE     HOW MUCH DATA CAN BE EXFILTRATED
YouTube     20GB as a video
Flickr      200MB as an image, up to 1TB
Vimeo       5GB of videos per week; paid subscription required to retain original file
Facebook    25MB raw file for groups, 1GB as video* if verified profile, text posts
LinkedIn    100MB Office documents
DeviantArt  60MB as an image, up to 250MB
Pinterest   10MB as an image
Tumblr      10MB as an image, 150 photo posts allowed per day, text posts
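The box-out’s technique, a zip archive appended after the end of an otherwise valid image, works because image viewers stop reading at the format’s end marker while zip readers locate the archive from the end of the file. The defensive counterpart is to parse an upload as far as its end marker and treat anything after it as a finding. The following Python is an added example, not the paper’s or MWR’s code: it walks PNG chunks to IEND and JPEG segments (including the entropy-coded scan) to EOI, classifies whatever trails the image, and, for triage, lists the members of an appended archive. The sample image and archive are constructed in the script; the JPEG is structurally valid but not a decodable picture.

```python
import io
import struct
import zipfile
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data):
    """Walk PNG chunks and return the offset just past IEND's CRC, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                      # length+type header, payload, CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def jpeg_end_offset(data):
    """Walk JPEG segments (including the scan data after SOS) and return the offset just past EOI."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill byte
            pos += 1
            continue
        if marker == 0xD9:                         # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # TEM, RSTn, SOI: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seglen = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seglen
        if marker == 0xDA:                         # SOS: entropy-coded data until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def classify_upload(data):
    """'clean', 'appended-zip', 'trailing-data' or 'unparsed' for a JPEG or PNG upload."""
    end = png_end_offset(data) if data.startswith(PNG_SIG) else jpeg_end_offset(data)
    if end is None:
        return "unparsed"
    tail = data[end:]
    if not tail:
        return "clean"
    return "appended-zip" if tail.startswith(b"PK") else "trailing-data"


def appended_archive_names(data):
    """Triage helper: zipfile finds the end-of-central-directory from the end, so prepended image bytes are ignored."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def make_jpeg():
    """Constructed minimal JPEG: SOI, APP0, SOS with a few stuffed scan bytes, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x00" * 9
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x00" * 6 + b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + b"\xff\xd9"


def make_png():
    """Constructed 1x1 RGB PNG assembled from IHDR, IDAT and IEND chunks."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")     # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_zip():
    """Constructed archive with a placeholder member, standing in for appended data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("q3-forecast.xlsx", b"constructed placeholder, not real data")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("jpeg", make_jpeg()), ("jpeg+zip", make_jpeg() + make_zip()),
                        ("png", make_png()), ("png+zip", make_png() + make_zip())):
        print(f"{label:9} {classify_upload(blob)}")
```

A check like this belongs at the point where uploads are visible in the clear, such as an intercepting proxy or a DLP gateway, which is why the table’s note about sites that re-encode images matters: re-encoding strips an appended archive, but an image with payload hidden in its pixel data (the starred cases) will parse as clean here and needs other controls.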




Everything as a Service

Many organisations are switching to using cloud services such as Software as a Service (SaaS), Email as a Service (typically known as ‘hosted email’), and even Infrastructure as a Service (IaaS). These services offer financial and flexibility benefits, including fixed costs per user and guarantees of availability. Unfortunately, the use of these services can leave organisations exposed, as their data is now outside their control. For example, in 2009 an employee of Twitter had the credentials to their corporate Gmail (and therefore Google Docs) account compromised, giving the attacker access to hundreds of Twitter’s confidential documents [7].

It is now common for large amounts of highly sensitive data, such as customer relationships, financial documents, emails, or even systems, to exist outside an organisation’s control. There is also the increasing risk that as these services become aggregators of critical data from a variety of organisations, they will become targets of nation state-sponsored attackers – if they are not already. Organisations are forced to trust that the service providers are taking all the desired precautions with their data.

Unfortunately, it is impossible for organisations themselves to apply many of the critical controls to cloud/managed services, as the service operators typically allow only limited control. For example, many of the controls recommended in the following ‘Increasing Organisational Resilience’ section, such as control of individual firewall rules, alerts on specific accesses or even extensive logs for forensics purposes, simply aren’t available for the majority of cloud and managed services. Another significant issue is that there is no perimeter to defend if the data is stored in a cloud service. Cloud services are typically accessible from everywhere, hence an attacker in a foreign nation who has compromised an employee’s credentials is likely to be able to log in and exfiltrate all data.

Best practices for cloud and managed services are outside the scope of this document. However, it is recommended that the increased risk of having valuable data in managed services is balanced against the business advantage of doing so. Should a decision then be made to use such services, it is important that the limitations of that decision are documented – so that usage of the service doesn’t ‘sprawl’ and expose the organisation to more risk than was intended during the original risk management decision.

Mobile Devices and Remote Working

The increasing use of mobile devices and remote working presents opportunities for data exfiltration. A key issue is that potentially sensitive data can legitimately be accessed remotely when, in the past, it was probably only accessed from within the corporate network [8].

Once attackers have gained access to the corporate network (for example, by spear phishing), they might well seek to understand the mobile and remote working capabilities of the organisation to provide relatively unrestricted access to an organisation’s network, and hence conduct further attacks or exfiltrate data. A further benefit to attackers is that employees might legitimately transfer large volumes of files while working remotely, making it more difficult to detect malicious activities. As with cloud services, the primary issue with mobile devices and remote working generally is the expansion or dissolving of the perimeter, and the effect that has on security controls that assume a hardened outer perimeter.

Mobile devices themselves can potentially provide additional routes for both attack and exfiltration. There are indications that attackers are compromising mobile devices in order to launch an attack once those devices are connected to corporate computers or networks. It is also plausible that attackers will seek to compromise devices with access to secure areas and segregated networks, in order to exfiltrate data onto the mobile device for recovery at a later period.

Covert Channels

Attackers targeting hardened organisations – or hardened networks within organisations – might use covert channels. There is a sizable body of literature surrounding covert channels for exfiltration, covering such topics as hiding data within common protocols (DNS, for example) and even low-level packet manipulation, such as hiding data by modifying TCP headers. Furthermore, research has been done on exfiltrating data through the timing of packets to locations, rather than the contents of the packets [9].

[Figure: Graph showing the trade-off between covert methods and those with high data throughput. Typically, the more covert a method the lower the bandwidth. Vertical axis: Covertness; horizontal axis: Bandwidth / data throughput. Methods plotted, from most covert to highest throughput: Timing-based, DNS, Steganography, Via a third party (cloud provider), Direct method (HTTP/FTP/IRC).]

Detecting exfiltration through these routes tends to be very difficult; however, attackers will be greatly limited by bandwidth, as these methods are typically highly inefficient (although a notable exception is where attackers disguise their data as allowed protocols: for example, by tunnelling over SSL). Organisations stand the best chance of detecting and deterring data exfiltration via covert channels by developing a defence-in-depth approach. For example, an attacker using such exfiltration channels will require custom tools, which might be more easily detectable.

Out-of-Band Channels

If defences are significantly increased, attackers might still find success by using out-of-band techniques to exfiltrate data, i.e. using channels other than via the traditional network. This aims to defeat controls such as segregated and air-gapped networks, or tightly controlled networks where much traffic is monitored or restricted. As with covert channels, there is a body of literature detailing both hypothetical and actual methods by which attackers could exfiltrate data without going through the network’s perimeter. Examples include the physical recovery of printed documents, faxing, the use of mobile devices, optical or audio transmission of data, and setting up new wireless networks [10] [11].

These methods are relatively low bandwidth and require a significant time investment before they can be used in the field. Hence attackers are only likely to use such techniques when attempting to compromise high-value targets that have significant defences – such as air-gapped resources – in place.
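The covert channels discussion above names DNS as a protocol in which data can be hidden and observes that such channels are bandwidth-limited and detectable only with effort. The following is an added example, not code from the guide, of the defender's side of that point: a heuristic pass over DNS request logs that looks for the shape encoded data takes in query names (many unique, long, high-entropy labels under one domain from one client) and reports how few characters those names could actually carry. The log format, the sample lines and the thresholds are all constructed for illustration; treating the last two labels of a name as the registered domain is a simplification that ignores suffixes such as .co.uk.

```python
"""Heuristic spotting of DNS used as a covert channel, run over DNS request logs.

Added example for the covert channels discussion; not taken from the guide.
Assumes a constructed log format "<timestamp> <client_ip> <qtype> <query_name>".
"""
import math
from collections import Counter, defaultdict

# Constructed sample lines, not real traffic. Client 10.0.1.40 issues many
# unique, long, high-entropy labels under one domain: the shape that data
# encoded into query names takes, whatever tool produced it.
SAMPLE_LOG = """\
2014-02-03T09:00:01 10.0.1.15 A www.example.com
2014-02-03T09:00:02 10.0.1.15 A mail.example.com
2014-02-03T09:00:05 10.0.1.15 AAAA cdn.example.net
2014-02-03T09:00:07 10.0.1.22 A intranet.corp.example
2014-02-03T09:00:09 10.0.1.22 A www.example.com
2014-02-03T09:00:11 10.0.1.40 TXT 6a7f3b9c0d1e2f4a5b6c7d8e9f0a1b2c.s1.tunnel-example.org
2014-02-03T09:00:12 10.0.1.40 TXT 3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f.s2.tunnel-example.org
2014-02-03T09:00:13 10.0.1.40 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.s3.tunnel-example.org
2014-02-03T09:00:14 10.0.1.40 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.s4.tunnel-example.org
2014-02-03T09:00:15 10.0.1.40 TXT a1b2c3d4e5f60718293a4b5c6d7e8f90.s5.tunnel-example.org
2014-02-03T09:00:16 10.0.1.40 TXT 5d4c3b2a19f8e7d6c5b4a39281706f5e.s6.tunnel-example.org
"""


def shannon_entropy(text):
    """Bits per character; hex or base32 payloads score far higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    timestamp, client, qtype, name = line.split()
    return {"ts": timestamp, "client": client, "qtype": qtype,
            "name": name.rstrip(".").lower()}


def registered_domain(name):
    # Simplification (assumption): the last two labels are the registered domain.
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def find_suspicious_clients(log_text, min_unique=5, min_label_len=20, min_entropy=3.0):
    """Return one finding per (client, domain) whose query names look like encoded data."""
    names_by_pair = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            names_by_pair[(rec["client"], registered_domain(rec["name"]))].add(rec["name"])

    findings = []
    for (client, domain), names in sorted(names_by_pair.items()):
        if len(names) < min_unique:
            continue  # ordinary browsing rarely produces many unique names per domain
        leftmost = [n.split(".")[0] for n in names]
        mean_len = sum(len(lab) for lab in leftmost) / len(leftmost)
        mean_ent = sum(shannon_entropy(lab) for lab in leftmost) / len(leftmost)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            # The characters in the leftmost labels bound how much data the names
            # can carry: even a 6-bit-per-character encoding moves under a byte per
            # character, which is why this route sits at the low-bandwidth end.
            findings.append({
                "client": client,
                "domain": domain,
                "unique_names": len(names),
                "mean_label_len": round(mean_len, 1),
                "mean_entropy": round(mean_ent, 2),
                "encoded_chars": sum(len(lab) for lab in leftmost),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_clients(SAMPLE_LOG):
        print(finding)
```

The thresholds are deliberately loose and would be tuned against a baseline of the organisation's own resolver logs; the value of the pass is that it is cheap to run over the 'DNS requests' log source listed later in this guide, and that the encoded-character count makes the throughput cost of the channel visible to the analyst.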

Increasing Organisational Resilience

To stand the best chance of detecting or deterring data exfiltration, organisations need to have a defensive programme based on defence in depth, as individual controls can be circumvented. The programme should not focus on preventing data exfiltration, as this must be considered impossible, but on making attacks more difficult while increasing the number of opportunities to detect an attacker’s activity.

A key aspect of such a defence is ensuring a coherent, organisation-wide plan that benefits from an overview of assets and risk (see section ‘Business Considerations’). This provides an environment for the defensive strategies to have the greatest chance of success. The first task the majority of organisations will then face is assessing the sensitivity of information in their possession, and how that information is used within the organisation (see ‘Information Classification’).

A control that underpins much of the defence against data exfiltration and advanced attacks in general is logging (see ‘Logging’). This allows forensic analysis of an attacker’s actions and achievements and also provides the framework for auditing and alerting, by which organisations can aim to detect attackers. Logging should be considered from a high level and then built into all further stages.

Once information has been classified and logging policies decided, organisations can begin to restrict access to that information (see section ‘Segregation of Information’) and the systems that have access to that information (see ‘Segregation of Networks’). Hosts can be hardened to both impede attackers, and to force their behaviour down routes that allow for better protective monitoring (see ‘Host Hardening’). Communications on the internal network can be monitored to identify the data acquisition and aggregation phases of an attack (see ‘Movement of Data Internally’), and data monitored at the perimeter as a final attempt – where all previous controls have failed – to prevent the active exfiltration of data from the network (see ‘Movement of Data at Perimeter’).

Honeypots, i.e. assets intended to be compromised, are a highly effective tool to lure attackers into revealing their presence (see ‘Honeypots’) and, finally, more advanced defensive strategies can be considered, to detect and possibly deter advanced attackers (see ‘Adaptive Defence’).

Critical Security Controls

At the start of each of the following subsections, reference is made to the relevant Critical Security Controls that can guide organisations in implementing both ‘quick wins’ and deeper protective measures. For full details of these 20 controls, see: http://www.cpni.gov.uk/advice/cyber/Critical-controls/ and http://www.counciloncybersecurity.org/practice-areas/technology

Business Considerations

CRITICAL SECURITY CONTROLS 9, 18

Introduction

Detecting advanced attackers who are locating and exfiltrating data is a difficult challenge. To have a realistic chance of responding, organisations will typically need to implement many controls and changes to current processes. Only a well thought-out and robustly implemented defence-in-depth approach will offer a chance of detecting advanced attackers, and there are several high-level areas that organisations will want to consider when designing such an approach.

Driven From the Top

The nature of the controls and the changes to everyday business will be wide-ranging and potentially disruptive, and staff therefore need to know that the defensive programme is a core organisational strategy driven from the highest levels. The importance of the defensive programme and the efforts to detect and deter advanced attackers need to be communicated as critical to the organisation’s continued position and growth. It is advisable to align security objectives closely to business objectives, a level of vision that has to come from the top of the business.

Furthermore, a top-level coordinator for defence and threats is recommended since, in a complex organisation, issues can go unresolved due to ‘buck passing’ and complicated organisational territories. By having a single person who owns all defence and incidents, there will always be someone able to delegate an issue to the correct team in the event of confusion.

Where Should Information Security Sit?

Often, the IS team will have emerged as a side function of the IT team and hence will be organisationally within its remit. While this has benefits – as the staff will be intermingled with the IT staff, helping to expedite some security functions – there are several additional challenges from having IS as a subdivision of IT:

• Budgetary: IS department budget will come from within the main IT budget, hence there will be occasions where IT has to choose, for example, between new equipment and security expenditure. Staff might well prefer new tablets to the segregation of a network.

• Authorisation: if IS is a subdivision of IT, it might lack the authority to force change when it’s needed.

• Vision: although insider knowledge can be useful, being immersed in an environment can also prevent one from spotting its weaknesses.

It is recommended that IS is placed organisationally (and potentially geographically) with departments that have an overarching remit and are primarily tasked with protecting the organisation as a whole. Examples of such departments are Legal, Risk, or Regulatory Compliance. The IS department will need a functional relationship with IT, hence seconded officers in both directions should be considered and necessary steps taken to ensure that the relationship between the departments is positive and constructive.

Funding

Many of the organisational changes necessary to detect and deter advanced attackers will prove costly. In many cases, the expenditure might be on-going and significant; for example, the need for more staff. Organisations therefore need to ensure that this budget is understood and available, and signed off at the highest levels, and it is not advisable to take the expenditure directly from IT budgets. This is because IT and IS have quite distinct roles: whereas IT drives the organisation’s efficiency and enables new business behaviours, IS is fundamentally protective. Organisations frequently find it hard to justify IS expenditure, which is seen to be offsetting a potential risk, until the organisation has itself suffered an attack.

The following considerations can help to justify the expenditure:

• The cost of projects collapsing, where those projects are likely to be of interest to foreign nations; for example, projects in foreign nations or in competition with large organisations of a foreign nation.

• Potential fines or regulatory action as a result of data loss. A robustly implemented defensive programme can limit fines, as demonstrating the true extent of a breach will avoid the need to pay maximum fines based on hypothetical loss.

• The contractual requirements of clients or partners.

• The reputational and potential sales benefits of being able to demonstrate that security is a core part of the business.

Culture

To detect or deter advanced attackers from compromising data requires a level of understanding and investment from all staff, especially those who deal with sensitive data. The necessary controls can be restrictive, and can change how aspects of the organisation function, so it is important for staff to grasp the reasons for the changes.

It is recommended that organisations make security awareness a part of their culture, by introducing specific security sessions as part of the induction process – as well as for existing staff – and by potentially factoring security awareness into career paths.

Security training can be seen as dull and uninvolving by staff if not done correctly. This can serve to ‘switch off’ staff to security issues, so organisations are encouraged to ensure that security training is engaging and interesting. Some organisations report successes with ‘gamification’ of security, such as introducing levels of award (e.g. a ‘black belt in security’ [12]), while experience shows that staff often respond well to live demonstrations of the threats and attacker capability. As part of this, stories of successful and unsuccessful attacks against the organisation can help to make the threats real to employees. Organisations may benefit by bringing in external partners, such as design agencies, where the skillset does not exist within the organisation to communicate security training appropriately.

Information Classification

CRITICAL SECURITY CONTROL 15

Introduction

Modern networks are highly complex and often porous, meaning security departments are forced to accept that they will not be able to prevent all data exfiltration attempts. Instead, organisations should focus on protecting the information that is critical to them and direct the majority of their efforts to ensuring that such data does not fall into the hands of motivated adversaries. However, an important issue is that many organisations do not fully know what critical data exists across their organisation.

The first step is for an organisation to identify what is critical to them. Once the data has been classified in this way, the process of identifying the instances and locations of critical information can begin.

Experience shows that the majority of private organisations, even the more security-aware, classify little of their data and have either no protective markings or merely a ‘restricted’ or ‘confidential’ marking for data such as medical records or payment information. Furthermore, some organisations base their classifications solely on the premise that the data might be leaked or otherwise made publicly available, and do not account for the scenario whereby the data is acquired covertly by a knowledgeable adversary, such as a competitor or nation state. By contrast, government organisations have a well-developed classification system that is embedded in the mindsets of employees who work with highly sensitive data. In these cases, the controls required to protect the information are typically well understood by those who work with the data [13].

Government Classifications

Although previously complex – with a range of five classifications, each with different protective measures required – the revised classification system as of April 2014 has just three markings: OFFICIAL, SECRET and TOP SECRET. This is intended to allow the majority of work to take place with ‘OFFICIAL’ information and hence fewer protective controls, while focusing effort and time-sensitive or expensive controls on the 5% of information that is either SECRET or TOP SECRET.

How to Implement

Information classification across a large, complex organisation can be daunting and difficult owing to the complexity of functions, people and information. It is therefore recommended that individuals experienced in such assessments guide the classification. Classification is usually accomplished by means of a business impact analysis (BIA), derived from business continuity studies, which seeks to identify critical functions.

A typical analysis will look at many types of risk facing the organisation and, while it might be thought desirable to conduct a full BIA, for the purposes of managing loss through data exfiltration the focus is likely to be on the confidentiality of assets. The analysis will identify the information relating to critical functions and assign impact levels by creating an impact table. This gives details of each impact level, and defines what qualifies information to be assigned to that level. Although often done by individuals, there are tools and products available to support the assessment. Crucially, however, no single impact table or framework will be appropriate for every business. It needs to be a custom exercise that is supported by the very highest levels of management.

Break down the problem

The first step is to break the problem down into manageable pieces. The nature of the pieces will depend on the organisation. It might, for example, be appropriate to break an organisation down by business unit, or perhaps by country and then business unit – while large groups might find it necessary to replicate the process across their various companies.

Workshop(s) to identify critical information

Once the organisation has been broken down into units, workshops can be held to identify the critical information. The organisation might wish to hold a single, large workshop with all involved, or might prefer to hold separate workshops for the various units. However, workshops should be attended by key staff at different levels within the unit. The presence of senior staff is important, as is the involvement of ‘ground-level’ representatives. During the workshop, the participants will work through the business-critical functions and identify the information assets that – if compromised – would have severe impact. It is advisable for this process to be driven by balance sheets / profit and loss, to identify the areas that generate revenue. Staff should be encouraged to consider specific scenarios, such as competing organisations acquiring that information during negotiations or regulatory impacts. The output should be a list of critical assets, as seen by the unit, with comments as to the threats and criticality.

Creation of an impact table

An impact table can either be created prior to a workshop, and be used to guide the workshop, or it could instead follow on from the workshop once critical information has been identified. Either way, the exercise is best conducted by board-level staff who have an overview of the business. Experience has found that departments often incorrectly value their assets and overall importance to the organisation’s success and so a top-down view is essential in appraising assets correctly. The assets that have been identified during the workshop(s) can be studied and compared, in order to sort the information according to a high-level view of the organisation’s critical data.

The exercise should aim to decide on the number of impact levels and corresponding protective markings that works for the organisation. For some this will be a very small number, while others will benefit from more granular impact levels. There is no ‘right number’ of levels, as it depends on the organisation’s appetite for complexity. Too many levels could confuse staff, increasing protective efforts but gaining little against motivated and skilled attackers, while too few might not allow effective classification in a complex organisation.

It is recommended, however, that impact tables include a category at least as high as ‘ORG SECRET’ (where the organisation’s name replaces ORG), as all organisations are expected to have information that could prove crippling if it ended up in the hands of a motivated adversary.

The exercise should seek to identify what characteristics would cause information to be classified at a particular level. Some characteristics might be based on financial loss, or loss of market share. Full BIA impact tables will include other characteristics, such as the impact on employee motivation. An example table is given below. Once again, the involvement of board-level staff is critical as, in many instances, they are personally liable and should therefore have significant input to the risk tables.

An example impact table

Risk area: Legal impact
  ORG RESTRICTED: Fines up to £500k
  ORG SECRET: Fines over £500k
  ORG TOP SECRET: Criminal case

Risk area: Media coverage
  ORG RESTRICTED: Local complaints
  ORG SECRET: Negative national media coverage
  ORG TOP SECRET: Negative international media coverage

Risk area: Effect on research projects key to future growth
  ORG RESTRICTED: Project delayed by up to 6 months
  ORG SECRET: Project delayed by up to 1 year
  ORG TOP SECRET: Beaten to market by competitor

Risk area: Loss of revenues from collapsed negotiation
  ORG RESTRICTED: Up to £1 million
  ORG SECRET: Between £1m and £10m
  ORG TOP SECRET: Over £10m

Assign impact levels / label information assets

Once impact levels and corresponding protective markings have been decided, assets should be compared with the table and protective markings assigned. This can be a difficult process. An initial challenge is to decide what is being labelled – whether it is a document, or the information itself. The labelling process will need to be integrated into business processes or it will not be effective. Newly generated information can be easier to classify, as impact tables and instructions can be distributed to the individuals who will be involved in the creation of sensitive data, enabling them to classify information correctly as it is created. However, the classification scheme should be rolled out through the organisation at the earliest opportunity.

Classifying historical data can be more difficult, as it’s likely to exist across the entire organisation and it will be necessary to calculate whether the information remains sensitive. In some cases, older information will no longer be critical; for example, bids for projects that were completed several months previously are probably of little use. However, if a bid contains information detailing the organisation’s unique approach, or supporting R&D work, it might remain sensitive in relation to future projects.

Considerations

• Top-down support from the highest levels of an organisation is critical for several reasons: the changes introduced are likely to impact people’s workflows, so staff need to recognise that the changes have high-level support; top-level staff are frequently personally responsible for an organisation’s activities and therefore need to be able to control the risk; and only top-level staff are likely to have the overview necessary to ensure that classification is appropriate to the organisation’s assets and needs.

• Organisations are advised to adopt an information-focused approach. Details of where the information is stored or how it is used should not be considered during this phase; instead, attention is more usefully focused on the data itself.

• There can be a period of increased risk to assets once they have been classified but before protective controls have been applied. This is because attackers can simply search for ‘ORG SECRET’ or other highly classified documents. Hence the details of the classification process and the documents identified as being highly sensitive should be thoroughly protected (i.e. kept on a dedicated computer that is not on the network) until the controls can be put in place to protect the documents correctly. Organisations might even wish to work on paper, rather than digitally, for particularly sensitive parts of the process.

• Organisations should ensure that staff know how to apply classifications correctly. Over-classified information becomes harder to use and will require costly and time-consuming controls. Under-classified information will not be adequately protected and hence the confidentiality of that data could be at risk.

• Companies that deal (or are ever likely to deal) with government-protected documents are advised to ensure that their markings are easily distinguishable from government markings. For example, using ‘ORG SECRET’ (where ORG is replaced by the name of the organisation) is recommended over ‘SECRET’.

• Large, multinational organisations might require more complex classifications to take local laws into account, for example when it comes to the movement of personal information outside the country. In such cases, instead of simply an ‘ORG SECRET’ marking, it might be necessary to implement an ‘ORG GB SECRET’ classification, for example. Similar issues can exist where individual companies within a group need to be firewalled from each other.

Logging

CRITICAL SECURITY CONTROLS 5, 14, 16

Introduction

A large number of organisations become aware of a breach not through their own defensive efforts but by third-party breach notifications. Once aware of an attack, an organisation can begin to hunt for signs of what was done, and whether the attacker still has a foothold in the network. However, this requires detailed historical logs that allow investigators to track an attacker’s activity. These logs must capture the correct pieces of information, avoid having their integrity compromised by an attacker, and be retained so that past attacks can be analysed. Many organisations lack such measures, and so a key aspect of a defensive programme is to ensure that reliable and effective logging is implemented.

Once a suitable logging programme is in place, organisations can look to building on that programme proactively. By having analysts periodically reviewing the logs, it might be possible to identify recent attacks and then to set up systems to monitor for particular events – and generate alerts when they take place – thereby detecting current attacks. However, an effective logging scheme is the foundation for these more advanced activities [14].

Logging should be considered from a high-level, asset- and threat-centric approach – and then built on, to increase an organisation’s resilience strategically.

How to Implement

Commencing a logging programme

Organisations will need to design a tiered, organisation-wide logging policy, which includes the degree to which different classes of system will be logged. This process should involve both network and risk staff. Where organisations do not already have one, a centralised logging system or systems will need to be built and configured to handle both current and expected logging load; plus tools will be required to enable analysts to perform both monitoring and investigation functions. Logging can then be developed to achieve specific goals, e.g. to ‘log all successful and failed domain logins’.

The budget for an extensive logging programme can be significant – and can grow as further log sources are added – and will therefore need to be agreed for the programme, phased over a number of years as the scheme builds. An effective logging programme is likely to require people to implement and analyse, hardware for storage, and analysis and SIEM software to aid in analysis and alerting.

What to log

In complex environments, there will be a multitude of data sources that can be logged. Organisations are encouraged to log as many events as possible, for as long as possible, but complete coverage is rarely realistic. Logging should therefore be threat- and impact-driven, or asset-driven.

For example, organisations are advised to identify sensitive information and segregate it. The segregated networks should then be heavily monitored, ideally with full packet capture, and that data stored for as long as possible. Hosts that store sensitive information should also be thoroughly monitored. Major network ingresses, egresses and branch points (such as domain controllers, as they will contact the majority of hosts on the network) are also worth logging as thoroughly as possible. Logs that contain fewer events but are of greater use to investigators should similarly be prioritised: for example, alerts generated by host-based antivirus. A list of recommended log sources is given in the accompanying box-out.

Commonly Useful Log Sources:
· Firewall
· HTTP proxy
· DHCP leases
· DNS requests
· Domain authentications
· Antivirus alerts
· Internal NetFlow data
· File access
· Binaries not typically used (net.exe, ipconfig, route, etc.)

Tiered storage policies are strongly recommended. For example, while full packet captures should be kept for as long as practically possible, packet header data can perhaps be kept for far longer, to give investigators as much of a history and timeline as possible [15].

How to log request to the DHCP server. This pattern Considerations


would represent a user plugging in a machine
An important aspect of logging is to ensure • 
The validity of network monitoring
and, if one of those events were to happen in
that a centralised time source is used by all logs can be difficult to prove in
isolation, it might be a cause for suspicion. It
systems that provide logs, so that events can court16. Best efforts should be taken
will be necessary for analysts to communicate
be correlated. Where possible, the time source to preserve the evidence potential
with system owners to identify ‘normal’
should be verified and protected so that an of log information and hence it’s
patterns of behaviour and hence what
attacker cannot trick or influence it. recommended that an organisation’s
deviates from the norm. Also, it is desirable
legal counsel is involved in the
Advanced attackers will sometimes attempt for analysts to hunt proactively for potential
process of designing the corporate
to delete or modify logs to hide their activities compromise, rather than just review logs, as
logging strategy.
and to frustrate investigators. Hence logs for looking at the same logs every day can often
important systems or important compromise cause analysts to become blind to what is • 
Defenders need to assume that
indicators such as antivirus are best stored occurring. Automated review should be used attackers will be attempting to
centrally, i.e. on a separate hardened host. where possible in these situations. identify or disrupt defensive plans;
For less critical systems, it can be acceptable hence alert thresholds are best
It is recommended that organisations ensure
to store logs on the system itself; however, stored and calculated on hardened
organisations should select specific low-volume events for which to export logs (such as successful or failed logins). Access to log aggregation systems should be restricted to a subset of employees, and organisations should consider managing the systems separately from the domain and network. This will both preserve the evidence value of the logs and prevent attackers from frustrating investigatory efforts.

Where cost and other resources allow, it is advisable to back up and archive logs offline on a regular basis, so that historical data is preserved where possible.

What to do with logs

The primary purpose of logs is to aid investigations. However, once the data is collected, organisations can turn the raw log data into information and then into insight. This can be used to drive auditing or 'hunting' for signs of past compromise, or for setting up alerts for current compromise. Analysts will need to identify the characteristic signs of an attack and then set up views of logs to help draw out that information.

An example might be failed logins across domain administrator accounts indicating online brute-forcing. Meanwhile, tying logs together to identify patterns can prove extremely useful; for example, a 'switchport up' event from a switch would normally be followed by an 802.1X authorisation from the RADIUS server and then a DHCP lease

that investigatory teams are not overwhelmed by a great number of alerts. An effective way to manage this is to have ratings, so that a 'critical' alert will be responded to very rapidly, while a lower-rated alert will be addressed within a longer agreed time frame.

Organisations are likely to find that some events generate a large number of alerts that are almost entirely false positives. In this case, it is recommended that such events are simply logged and not raised as alerts, while regular reviews of alert ratings should be conducted in collaboration with analysts who might be able to suggest new events that should trigger an alert. Organisations might also consider generating, for example, a 'medium' alert if a significantly increased number of low-rated alerts is seen to occur.

aggregation hosts, rather than the hosts themselves, so that attackers can't establish what will generate an alert. Defenders can also assume that attackers are likely to attempt to compromise the log aggregation and monitoring servers.

• Experience shows that different log collection and monitoring tools can produce different results. Therefore, where it is possible and feasible, organisations should not be averse to having multiple tools that do similar jobs.

• Where time and resources allow, organisations can benefit from periodically having their forensic team or third-party provider 'wargame'. Hosts can be picked that are 'compromised' and investigators then check whether the correct logging is in place that would have let them identify that host from a third-party breach notification. Furthermore, all real investigations should conclude with an 'After Action Review' to determine any new logging that should be implemented to better aid a similar investigation in future.

mwrinfosecurity.com | CPNI.gov.uk 21/44


Data Exfiltration | Increasing Organisational Resilience Guide for Implementers | February 2014

Segregation of Information

CRITICAL SECURITY CONTROLS 12, 15, 16

Introduction

Once critical information has been identified and classified, it can be segregated based on the principle of 'need to know'. This process is also known as compartmentalisation. Compartmentalising information is traditionally seen as a way to mitigate insider threat, as few individuals can see all the information and hence a compromised individual is limited in the information they can expose. However, compartmentalisation also has significant benefits when considering remote attackers as, should an attacker compromise an individual's access to data, they will be limited in the scope of information they can access. If the attacker seeks more than compartmentalised fragments of information they will either need to compromise the access of multiple, lower-level employees, or compromise someone with a higher level of access. Both activities present opportunities for the defensive team to detect the attacker. Furthermore, segregating information has benefits when segregating network resources, as clusters of information and access requirements will already have been identified.

How to Implement

Hardening access control

When protecting information, organisations will often focus on preventing access to that information. However, sensitive information will be needed in the course of business and so attackers will typically compromise someone who has legitimate access to documents and then abuse this access.

Access control throughout the organisation should therefore be locked down as tightly as possible to reduce the number of people with access, and this applies to multiple technologies. An important stage is to harden the domain or other organisation-wide authentication and authorisation systems, as much access to individual systems or information will come from domain permissions [17]. Access to individual documents and information stores such as wikis, file shares and SharePoints [18] (that will have been identified as part of the information classification phase) should also be controlled. Many of these technologies are able to offer robust and granular access control, which can be used to restrict the files that individual users are able to access, although this might require recent versions of the product.

A common problem is administrative access as, by their very nature, administrators will have access to everything. Organisations are therefore advised to reduce the number of actions that require an administrative account, by creating accounts with permission to perform specific activities. Administrative accounts can then be subjected to very high levels of auditing and alerting.

Organisations might also choose to have separate information stores or domains for logically different units – for example, separate domains and file stores for each country operation or even business unit. This helps to segregate information and access more fully as, for example, in a global organisation, an administrative account in country A will not have access to sensitive files in country B.

By restricting access, organisations can focus their logging on the accounts that have access to sensitive documents, whether as administrators or users. Logging can also focus on attempts to gain access to those accounts, such as failed logins, or logins outside normal business hours.

Segregation of understanding

Organisations might consider segregating understanding, as well as information itself. This means that lower-level employees will only have visibility of things that fall under their professional purview. To implement this approach, an organisation will need to take the critical and sensitive information that has been identified, and understand the different members of staff who are involved in the production and consumption of that data. Some members of staff might only require access to subsets of the data, or indeed views or extrapolations of the data.

A 'View of the Data'

This is where a presentation of sensitive information is prepared that allows the user to obtain the information they need, without revealing the entire data set. One example might be an executive who needs to see sales trends, rather than details of the sales themselves.

Take the example of an analyst, who is working on a set of figures but doesn't need to know what project those figures relate to. In this case, an attacker would need to compromise more than just the analyst's access in order to have a contextual view of the data.


Considerations

• If information and understanding have been segregated, forensic events will need to be supported by staff that can identify the relevance of any compromised data – as it might not be obvious to investigators.

• Where sensitive information is purged from systems where it doesn't need to exist, secure erasure software should be used to ensure attackers can't simply recover the 'deleted' files forensically.

• Organisations will want to ensure that segregation of understanding doesn't negatively affect how employees treat the data. There can be a risk that if employees do not understand the context of what they are working on, they will not treat it with the required sensitivity.

• Where views of data are created, organisations should be aware that the views might still be highly sensitive, as information that is of use to their own analysts will be of similar – or greater – use to competitor or nation state analysts.

• Highly sensitive data often needs to be shared with external entities, such as auditors or companies as part of a merger. Such sharing will require extreme care, as these third parties are unlikely to protect the data to the organisation's own standards. Cases exist where attackers have compromised law firms and other supporting third parties to gain access to their targeted data. It is recommended that where possible, less sensitive views of the data are prepared and shared and, where it is necessary to share the sensitive data itself, the third party should be provided with a hardened laptop containing the data – with measures to prevent data being removed. A technical member of staff will be required to facilitate any necessary sharing.

Segregation of Networks

CRITICAL SECURITY CONTROLS 10, 11, 13, 19

Introduction

Once information has been classified and the critical information identified, organisations will want to ensure that they are preventing inappropriate access to that information. A common issue with many organisations is a lack of effective segregation of networks. This means that once an attacker has a toehold in the organisation, their movements are likely to be poorly restrained (see section 'A Day in the Life of an Attacker and a Defender').

In fact, many organisations have an entirely flat network where even business units in different countries have full network access to the full resources of a UK business. As well as a lack of effective network segregation, it is rare to find organisations with effective information segregation, as organisations will typically have large repositories of information (such as file shares, SharePoint or wikis) with few access restrictions. The outcome is that attackers have few boundaries to overcome in locating, accessing and aggregating information that will be of use to them.

The core issue here is that networks were often initially designed for convenience, based on the premise that the internal network is trusted – as are the staff. Much of an organisation's security efforts will therefore have been focused on keeping attackers from breaching the network perimeter. This approach, however, is insufficient in dealing with advanced threats, such as from nation states. In a complex organisation, it is highly likely that an advanced attacker will be able to gain access to the internal network via client-side exploits, phishing campaigns or by exploiting a weak service. Organisations are now forced to assume that a sufficiently funded and motivated adversary will be able to gain access to the internal network.

To increase the difficulty for the attacker, and also increase the number of opportunities to detect malicious activities, internal networks need to be segregated and hardened. Access to both networks and information is best based on the principle of 'need to know' and 'least privilege', whereby users are only allowed access to information (and indeed the servers where the information is stored) if they need that access for their job. This philosophy will help to prevent a trusted user's compromised credentials being used to access widespread information and can also help combat insider threats (which are not directly dealt with in this document).

Organisations will want to decide on an appropriate level of segregation, along with controls that prevent trivial access to inappropriate data but still allow the business to function effectively. This can be guided by the results of the information classification phase, with sensitive documents protected by hardened networks and resources, while less restrictive protections are placed on the main business network.


How to Implement

General network segregation

Ideally, the business network should be divided up into VLANs or physically separate networks. Although this is a significant project to implement fully, quick wins can be obtained by segregating the significant units. For example, in many organisations the majority of desktops only require access to a small number of services: Active Directory, file shares, proxies, etc. Once requirements are understood, these can be placed into VLANs. It is therefore advisable for organisations to start by understanding what needs to communicate with what, and this can potentially be achieved by parsing log data or NetFlow data as well as by talking to the people involved.

Once broad VLANs have been applied, organisations can progressively tighten the restrictions and granularity of ACLs, implementing firewalls at key junctions to support these ACLs. The aim is to reach a point where, for example, a desktop machine can only talk to the relevant ports on the required servers it needs, and nothing else. Individual servers should also be locked down, so that they can only communicate with the hosts and ports they require.

Network segregation will make the attacker's work significantly more difficult, as it will impede movement around the network. Unless the attacker is willing to restrict their movement to the allowed routes, they will be forced either to compromise the switching and routing equipment or to seek another means for movement, such as via USB drives. For example, instead of being able to move directly from a compromised helpdesk user's desktop to the CEO's desktop, they will need to move through the domain controller that is able to talk to both. If this action is limited by ports, the attacker will only be able to use RPC and SMB services and will not be able to access the domain controller via RDP. This increases the effort for the attacker and also increases the number of detection opportunities for the defensive team. To gain the most benefit from network segregation, the junction points between VLANs and networks, i.e. hosts that can be used to communicate with other hosts, should be identified and monitored thoroughly for signs of compromise or abuse.

Figure: Example segregation of logical resources into VLANs and a high-value network. The diagram shows a Server VLAN, an Active Directory VLAN, a User VLAN, an Admin VLAN and a Defence VLAN alongside a High-Value Segregated Network.


High-value resources and networks

An output from the classification phase will be information identified as highly sensitive and even critical to the organisation's successful functioning. The information thus identified is expected to be significant to the point where loss of confidentiality could destroy deals critical to the company's future plans, or it might constitute key elements of the company's major products, hence it is worth putting substantial effort into protecting these assets. The process is likely to incur significant cost and effort to implement and maintain; however, only if done correctly will the organisation have a chance of protecting its most valuable information from nation state actors.

It is recommended that such assets are placed on entirely separate, air-gapped networks and resources. This is to prevent attackers from compromising critical assets even in cases where they have completely compromised the primary network.

For the highest level of assets, entirely separate laptops and even network infrastructure are recommended. VLAN segregation will not suffice, as a remote attacker might compromise switches, and then remap the ports to gain access to the desired VLAN. For the purpose of transferring information (such as software updates) to the secure network, organisations can look to using either read-only media, or data diodes, which allow updates into a network but do not allow data to leave. The complexity of the secure network will depend on the number of staff who require access. A separate domain might be needed or, if only a small number of individuals will have access to the information, local administration may suffice. Network and host controls (which are covered in more detail in a later section) should be based on assured products, such as those found on the CESG CPA [19]. Where remote access is essential, it is strongly recommended that this should only be provided by assured VPN solutions. However, organisations are advised to avoid arbitrary VPN connectivity if at all possible, and instead use only dedicated site-to-site VPNs.

Considerations

• Foreign intelligence organisations have highly advanced tools and methodologies that can defeat many controls, and their capabilities should not be underestimated when building secure networks. For example, there is evidence of malware that can cross air gaps using USB keys, and there are informal reports of malware that can steal data from the secure network by using audio exfiltration. All that is needed is for an infected 'secure' laptop to be in the same room as an infected 'normal' laptop. Social attacks should also be considered, such as using a compromised senior staff member's corporate email account to contact a user of the secure network, demanding to be emailed a file from the secure network.

• To be effective, the secure network(s) will require many behavioural changes by users, who will therefore need to be inducted into the controls, the risks and the value of the assets with which they are working. Giving employees real-world examples of attacks by nation states can be useful in helping employees to understand the capability and level of risk, confronting the all-too-common "but who would actually do that?" attitude.

• Users of the secure network are likely to discover that controls occasionally prevent them from undertaking activities that are important for their jobs. If their issues are not quickly resolved, they might be unable to perform appropriately – or they might attempt to bypass the controls themselves. Hence a dedicated helpline or contact could be required – one that is quickly able to address such issues in a secure manner.

• Some organisations find that their network cannot readily be segregated. This is often the case where a network has simply grown with the organisation and there is no longer oversight of the whole network. Where this is the case, preliminary work on the network might be necessary. The NSA's 'Manageable Network Plan' can aid organisations in these preliminary steps [20].


Host Hardening

CRITICAL SECURITY CONTROLS 2, 3, 17

Introduction

Modern, advanced threat actors are highly capable when it comes to gaining access to machines through activities such as spear phishing and obtaining valid credentials. Despite the fact that organisations need to assume an attacker with sufficient skill and motivation will be able to succeed in these endeavours, host hardening is nevertheless a useful tactic, as it will make it far more difficult for the attacker to locate critical data or to penetrate further into the network.

A number of hardening measures can be applied to standard desktops and servers that will impede attackers without a negative effect on normal business activities. Meanwhile, more restrictive measures are recommended for machines that will be used for the storage of highly sensitive data.

How to Implement

Verified build

Security teams are advised to design a standard build of the major operating systems used in the organisation. These should be locked down and hardened to the highest level that permits core business to function. Various guides exist for advice on the configuration, such as Microsoft's Security Compliance Manager (SCM) and the NSA's operating system hardening guides [21], and it is recommended that the areas detailed below should be considered for the build. Separate high-security builds can then be created from the baseline by further hardening and restricting non-essential functionality.

Once a build has been created and the software typically used in the organisation installed, it will need to be assessed by an attacking team. The team will seek to identify areas that could be exploited by advanced attackers, along with further hardening opportunities.

Following approval of the build, it can be rolled out through the organisation in phases. New systems should be based on the highest security build possible for normal business activity and older systems gradually hardened or replaced. Any decision to 'weaken' the build to allow a specific function should be carefully considered and documented.

Antivirus

Builds should include antivirus / endpoint protection software to guard against common malware and tools that could be used post-exploitation. Many threat actors are known to use common hacking tools, which are often detectable using AV. Organisations might wish to consider using a range of anti-malware products in their business, to increase the diversity of detection and ensure that attackers can't simply learn to bypass a single AV. Where possible, AV is best configured to the maximum level of heuristic detection. Although this will produce more alerts, each of which will need responding to, it provides greater information for reactive incident analysis. AV should also be configured to log remotely, in order to prevent attackers from modifying logs on local machines following compromise.

OS kernel hardening

To make software exploitation more difficult and to prevent certain post-exploitation behaviours, it is recommended that kernel hardening is included in standard builds of operating systems. This is possible in Linux with enhancements such as SELinux and grsecurity [22]. In Windows, this can be achieved with the Enhanced Mitigation Experience Toolkit (EMET) [23]. Strictly, EMET applies user-mode exploit mitigations (DEP, ASLR enforcement and ROP checks) to selected applications rather than hardening the kernel itself, but it serves the same purpose of raising the cost of exploitation; Microsoft has since retired EMET and carried its mitigations into the Exploit Protection feature of Windows 10.

Kernel hardening can mean increased deployment efforts, as some software packages require configuration of the hardening to work properly.

Authorised software and application whitelisting

Organisations are advised to decide on a list of authorised software and permitted configurations (such as disabling features that increase the attack surface) for that software. Software known to be commonly exploited, such as Java, is best omitted from the approved software list.

Software that is typically overlooked as part of the standard build is secure erasure software. As attackers are known to be using forensic tools to recover 'deleted' files, providing the workforce with the ability to securely delete files can help prevent data being exposed to attackers. Organisations might wish to consider software that ensures that any deletion activity triggers a secure erasure; however, it's worth bearing in mind that this can prove problematic for internal forensics investigations – and might even be used by the attackers themselves.

Once software has been approved, application whitelisting can help protect against malware and post-compromise activities by allowing only specific programs to run. Although this will not protect against exploitation of software vulnerabilities, it can prevent users and attackers from running applications not on the approved list, forcing other behaviours. Effective whitelisting is possible in recent versions of Windows by using AppLocker [24], and less effectively in older versions with Software Restriction Policies.

DLP

Data loss prevention tools can help prevent data exfiltration. However, organisations should be aware that they are not single solutions to the problem, as it is typically possible to bypass or otherwise evade DLP solutions given enough time and effort. They are nevertheless useful in preventing accidental leakage of data, which is beneficial in that it will help to avoid accidental movement of data from a secure compartment to a less secure compartment, thereby exposing it to the attacker. It will also increase the effort needed by the attacker to extract information.


To be effective, DLP solutions can require a significant investment of effort in tagging and tracking data. However, much of this effort will already have been expended in the earlier stages of data classification. DLP solutions can be found as third-party products, some of which integrate into other endpoint protections, or are included as features in modern versions of Windows and related packages.

Logging

Logging is covered in a separate section; however, it is important that minimum levels of logging are established and that standard builds are configured to log correctly. Logging should allow investigators to have the necessary data at their disposal to investigate an incident, with the logging data aggregated on a separate host to prevent attackers from locally destroying or modifying logs.

High-security builds will require a significantly higher level of logging, with the logging data securely stored for a longer period of time.

Encryption

Organisations are advised to decide on a level of encryption for mobile devices, such as laptops, to help prevent data loss from a stolen device. This should include robustly implemented full disk encryption. Organisations might also wish to investigate controls to ensure that any data transferred to devices such as USBs or CDs is suitably encrypted. This is to prevent an attacker who transfers data to such devices from recovering the data once the storage device has left the secured area.

High-security machines can benefit from having encrypted software containers as well as full disk encryption. Sensitive data can then be stored in the encrypted container, which can be unlocked when the data is required. Ideally, the container would be decrypted using a smart card or similar token-based system to prevent simple capture of the password. This will impede an attacker who has gained remote access to a secure machine, by increasing the effort needed to access the files within the container.

Media restriction

It is recommended that organisations restrict the devices that can be connected to hosts. This is to prevent movement of malware and documents within an organisation, thereby breaking compartmentalisation. Devices that are unlikely to be required at all should be restricted at the OS and BIOS levels, including FireWire, ExpressCard, and Bluetooth connections. Wi-Fi should be locked down to prevent connection to arbitrary networks, and the ability to host wireless or ad-hoc networks is best prevented entirely. Organisations might wish to restrict USB devices and the movement of data by CD/DVD using either group policy or third-party products.

High-security machines should have all connectivity disabled unless explicitly required. It is unlikely that such machines will need Wi-Fi or Bluetooth and hence it should be disabled at the OS and BIOS levels. It will probably be desirable to prevent USB drives entirely, or to allow only certain devices, and it is recommended that – where possible – those devices are accessed through a write blocker. This will prevent malware from writing data to the USB drive, which an attacker might use to exfiltrate the data from a secure to a less secure environment. CDs can be used where it is necessary to transfer data out of the secure environment, although this process should be monitored and recorded.

Figure callouts:
• Bluetooth: attacker can exfiltrate data to nearby devices under their control.
• Wi-Fi: attacker can cause connection to, or creation of, networks to exfiltrate data, bypassing any firewalls or proxies.
• 3G (built-in or dongle): attacker can make connections that will bypass internal security controls.
• Speaker / microphone: highly advanced attackers can exfiltrate data to nearby devices.


Two-factor authentication

A common strategy used by attackers for horizontal and vertical movement is to obtain credentials. This can be achieved by dumping and cracking hashes, extracting them from memory when users are logged in, or via keyloggers. Organisations can increase the difficulty level by requiring two-factor authentication wherever possible. The second factor should not be simply a PIN or secondary password, but something separate from password authentication. Examples include token generators, smart cards, USB dongles or services using secondary devices, such as mobile phones.

Considerations

• Host-based restrictions can occasionally prevent certain legitimate functions. Hence there needs to be a team nominated to handle issues where restrictions are preventing such functionality. Staff should be made aware of the team and the escalation process so that they don't engage in dangerous practices to bypass restrictions. If hardening prevents legitimate use, and issues are not responded to rapidly, the scheme will quickly lose buy-in.

• Organisations will occasionally need to update builds as vendors release new security features. It is recommended that named staff members are given ownership of the project to ensure builds are maintained.

Movement of Data Internally

CRITICAL SECURITY CONTROL 17

Introduction

When attempting to detect data exfiltration by network monitoring, many organisations will focus on the external perimeter. However, monitoring at this stage is often too late and, owing to the nature of a modern business, it can be hard to detect the actual exfiltration events. Instead, dedicating effort to monitoring the internal network can be a useful way to detect the information acquisition and aggregation stages of an advanced attack. Furthermore, the internal network can often lend itself better to monitoring.

How to Implement

Volumes of data

A useful indicator to monitor is the volume of data transfer between network compartments or even hosts. An internal network is likely to have certain patterns of network traffic, despite fluctuating with changing projects, etc. For example, data transferred from a file share will fluctuate as people require different documents, but a large data exfiltration from a file share is perhaps less common – and hence noteworthy, regardless of the destination.

Organisations are advised to consider monitoring volumes of data transfers from either sensitive hosts (such as mail stores or file shares) or sensitive VLANs. It might also be worth monitoring data transfer from other groups of hosts, such as desktop to desktop, as transfer volumes here are expected to be low.

NetFlow or IP flow data can be useful in obtaining metrics on data volumes [25]. An alert generated by excessive data transfer can then be investigated as a mid-level alert.

Endpoints

Organisations might also want to monitor the nature of hosts that are communicating with each other. Once the network has been fully understood, it should be possible to derive assumptions and rules for network behaviour. For example, 'a desktop should not need to connect to a desktop' or 'only the domain controller need initiate a connection to senior management laptops'. These rules should be enforced with firewall rules and router ACLs.

Figure: Examples of normal and potentially malicious traffic. The diagram shows a print server, an email server, a domain controller, a Sales desktop and the CEO's laptop; the key distinguishes normal traffic from potentially malicious traffic.
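The following added example ties together the flow-based discovery recommended under 'General network segregation' (working out what needs to communicate with what from NetFlow data) with the 'Volumes of data' and 'Endpoints' checks above: it builds a role-to-role talker matrix from flow summaries, flags flows that break the behavioural rules, and raises a mid-level alert when one host exchanges far more data with a file server than the agreed baseline. It is not code from this guide or from MWR. The address plan, the role names, the allowed port sets, the byte baseline, the alert ratings and the flow records are all assumptions constructed for the illustration; real NetFlow export would be read from a collector rather than from an inline string.

```python
"""Internal traffic rules derived from flow data.

Added example for this guide, not code from the MWR/CPNI document. The
address plan, role names, allowed port sets, byte baseline and alert
ratings are assumptions chosen to illustrate the technique.
"""
import ipaddress
from collections import defaultdict

# Assumed address plan, most specific entry first.
ROLES = [
    ("domain_controller", ipaddress.ip_network("10.0.1.10/32")),
    ("file_server", ipaddress.ip_network("10.0.1.20/32")),
    ("server", ipaddress.ip_network("10.0.1.0/24")),
    ("exec_laptop", ipaddress.ip_network("10.0.7.0/24")),
    ("desktop", ipaddress.ip_network("10.0.5.0/24")),
]

# Rules the segregation design is meant to enforce (assumed). A role pair
# missing from ALLOWED, or an unexpected port, is a mid-level alert. Pairs
# in FIREWALLED should be blocked outright, so seeing one in flow data
# suggests the firewall has been reconfigured: a high-level alert.
ALLOWED = {
    ("desktop", "domain_controller"): {88, 135, 389, 445},
    ("desktop", "file_server"): {445},
    ("desktop", "server"): {80, 443},
    ("domain_controller", "exec_laptop"): {135, 445},   # RPC and SMB only
    ("server", "domain_controller"): {88, 389},
}
FIREWALLED = {("desktop", "exec_laptop"), ("server", "exec_laptop")}

# Constructed flow summaries: hour, src, dst, dst_port, bytes exchanged.
SAMPLE_FLOWS = """\
09 10.0.5.11 10.0.1.10 389 12000
09 10.0.5.11 10.0.1.20 445 850000
09 10.0.5.12 10.0.1.20 445 640000
09 10.0.5.23 10.0.5.40 445 73000
09 10.0.1.10 10.0.7.5 135 4000
10 10.0.5.23 10.0.1.20 445 4100000000
10 10.0.5.23 10.0.7.5 3389 52000
10 10.0.5.12 10.0.1.30 443 20000
"""


def role_of(ip):
    """Map an address to its role; first (most specific) match wins."""
    addr = ipaddress.ip_address(ip)
    for role, net in ROLES:
        if addr in net:
            return role
    return "unknown"


def parse_flows(text):
    flows = []
    for line in text.splitlines():
        hour, src, dst, port, nbytes = line.split()
        flows.append({"hour": int(hour), "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def talker_matrix(flows):
    """Discovery step: which roles talk to which, and on which ports."""
    matrix = defaultdict(set)
    for f in flows:
        matrix[(role_of(f["src"]), role_of(f["dst"]))].add(f["port"])
    return dict(matrix)


def check_rules(flows):
    """Flag flows that break the behavioural rules, rated by severity."""
    alerts = []
    for f in flows:
        pair = (role_of(f["src"]), role_of(f["dst"]))
        if pair in FIREWALLED:
            rating = "high"
        elif pair not in ALLOWED or f["port"] not in ALLOWED[pair]:
            rating = "mid"
        else:
            continue
        alerts.append({"rating": rating, "pair": pair, "src": f["src"],
                       "dst": f["dst"], "port": f["port"]})
    return alerts


def volume_alerts(flows, watched_role="file_server", baseline_bytes=1_000_000_000):
    """Mid-level alert when one host exchanges more data with a sensitive
    host in an hour than the agreed baseline."""
    totals = defaultdict(int)
    for f in flows:
        if role_of(f["dst"]) == watched_role:
            totals[(f["src"], f["hour"])] += f["bytes"]
    return [{"rating": "mid", "src": src, "hour": hour, "bytes": n}
            for (src, hour), n in sorted(totals.items()) if n > baseline_bytes]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for pair, ports in sorted(talker_matrix(flows).items()):
        print(pair, sorted(ports))
    for alert in check_rules(flows) + volume_alerts(flows):
        print(alert)
```

On the constructed flows, the desktop-to-desktop SMB connection is a mid-level rule violation, the desktop reaching the executive laptop over RDP is a high-level alert because that path is supposed to be firewalled, and the 4.1 GB pulled from the file server by the same desktop in one hour is a mid-level volume alert; the three together describe the aggregation stage of an attack that perimeter monitoring alone would miss. The talker matrix is the artefact to review with system owners before the ALLOWED rules are turned into ACLs.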


Other rules will emerge that are more variable, such as ‘servers will rarely need to contact servers’ or ‘desktops in one business unit will rarely need to contact servers in another unit’. It might be decided to implement firewall rules in such cases or, instead, NetFlow and IP flow could be used to alert on events where these rules are broken. Such alerts can then be investigated as low- or mid-level alerts.

Organisations are also advised to use network monitoring to trigger alerts for any instances where rules that are protected by firewall rules are broken. This is in case attackers have reconfigured the firewall rules – and alerts of this sort should be categorised as high-level alerts.

Traffic types

Organisations are likely to find that certain types of traffic are common on the internal network, while others are either uncommon or unseen. For example, files might regularly be zipped using the Windows zip utility, whereas other zipping algorithms, such as gzip, are perhaps seen only rarely. Data that is encrypted – or encrypted using particular systems – might be uncommon except through particular protocols.

Deep packet inspection tools can be used to identify the encryption/compression types used and hence to alert on any deviance from the organisation’s normal pattern of behaviour (these alerts would be categorised as medium- or low-level alerts). However, deep packet inspection can be difficult and costly, so organisations are advised to focus efforts on key systems or networks.

DLP / AV

Network-level DLP and AV solutions can be used to identify either accidental transfer of sensitive data or less advanced attackers. In lieu of a DLP solution, a degree of success can be had with a network-level AV system that has been given the organisation’s protective markings as virus definitions. For example, an alert might be generated if a document containing ‘ORG SECRET’ is detected on the network. These should be viewed as mid-level alerts.

IDS

Network IDS can be used to detect attacker activity on the internal network. However, for an IDS to be useful, it needs a well-updated and maintained rule set. Furthermore, it is likely to detect only lower-skilled attackers, as more advanced threat actors will be well versed at IDS avoidance and will ensure their behaviour appears as normal activity. Hence an organisation should not rely on an IDS, but might wish to consider one as part of its defences. IDS-generated alerts should be considered as mid- to low-level alerts.

Considerations

• Organisations need to be aware that attackers are likely to attempt to understand the defensive monitoring in place. Hence organisations should protect the alert-generating servers to ensure that attackers are not able to identify the criteria that trigger an alert. This can be achieved by exporting raw data from endpoints to a dedicated monitoring host, and then having alerts generated on that host, which can be hardened and monitored.
• Defensive hosts, particularly AV and DLP, can themselves become sensitive if rule bases are specific. For example, if organisations are monitoring for certain words or phrases in documents, the nature of those words or phrases could be highly sensitive. Hosts therefore need to be adequately protected and monitored.
• Internal monitoring can produce information overload. Organisations are advised to aim for generating as many alerts as they are reasonably able to investigate, and simply store details of other events for either periodic review, or after-the-fact investigation.
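As an added example (not from the guide or from MWR/CPNI), the Python below checks NetFlow-style records against ‘rarely’ rules of the kind described above, and against a rule the firewall is meant to enforce, whose appearance in flow data suggests the firewall has been reconfigured. The host inventory, addresses and port numbers are constructed; the alert levels follow the categories the text gives.

```python
from collections import namedtuple

Host = namedtuple("Host", "role unit")

# Constructed host inventory (hypothetical addresses, not from the guide).
INVENTORY = {
    "10.0.0.5":  Host("server", "Core"),      # domain controller
    "10.0.1.10": Host("server", "Sales"),     # Sales file server
    "10.0.1.20": Host("desktop", "Sales"),
    "10.0.2.10": Host("server", "Finance"),   # Finance file server
    "10.0.2.20": Host("desktop", "Finance"),
}

# Flows the firewall is configured to block. If one is still observed in
# the flow data, the firewall may have been reconfigured by an attacker,
# so the guide categorises such alerts as high-level.
FIREWALL_PROTECTED = [
    {"src_role": "desktop", "dst": "10.0.0.5", "dst_port": 3389},  # no desktop RDP to the DC
]

ALERT_ORDER = {"low": 1, "mid": 2, "high": 3}


def classify_flow(src, dst, dst_port):
    """Return (level, reason) for one flow, or None if it looks normal."""
    s = INVENTORY.get(src)
    d = INVENTORY.get(dst)
    if s is None or d is None:
        # Unknown hosts are out of scope for these rules; an inventory gap
        # is worth fixing but is not itself an exfiltration signal.
        return None
    for rule in FIREWALL_PROTECTED:
        if (s.role == rule["src_role"] and dst == rule["dst"]
                and dst_port == rule["dst_port"]):
            return ("high", "firewall-protected rule broken: %s -> %s:%d"
                    % (src, dst, dst_port))
    if s.role == "server" and d.role == "server":
        # 'servers will rarely need to contact servers'
        return ("low", "server-to-server traffic: %s -> %s" % (src, dst))
    if (s.role == "desktop" and d.role == "server"
            and s.unit != d.unit and d.unit != "Core"):
        # 'desktops in one unit will rarely need to contact servers in another'
        return ("mid", "cross-unit access: %s (%s) -> %s (%s)"
                % (src, s.unit, dst, d.unit))
    return None


def monitor(flows):
    """Apply classify_flow to (src, dst, dst_port, bytes) records and return
    the alerts with the highest level first."""
    alerts = []
    for src, dst, dst_port, nbytes in flows:
        result = classify_flow(src, dst, dst_port)
        if result:
            level, reason = result
            alerts.append({"level": level, "reason": reason, "bytes": nbytes})
    return sorted(alerts, key=lambda a: ALERT_ORDER[a["level"]], reverse=True)


# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.1.10", 445, 120_000),      # Sales desktop to Sales server: normal
    ("10.0.1.20", "10.0.0.5", 389, 4_000),         # LDAP to the domain controller: normal
    ("10.0.1.10", "10.0.2.10", 445, 9_000_000),    # server to server: low
    ("10.0.2.20", "10.0.1.10", 445, 30_000_000),   # Finance desktop to Sales server: mid
    ("10.0.1.20", "10.0.0.5", 3389, 2_000),        # desktop RDP to the DC: should be blocked
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_FLOWS):
        print("%-4s %s" % (alert["level"].upper(), alert["reason"]))
```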


Movement of Data at Perimeter

CRITICAL SECURITY CONTROL 17

Introduction

The final opportunity to detect or prevent an exfiltration event is at the perimeter, as the data is leaving. This can be difficult as modern organisations will have a large number of communications with the internet and a significant proportion of it will be encrypted (HTTPS). A key defence in detecting and deterring data exfiltration is to ensure that hosts are not able to connect to the internet directly, but only through a proxy.

How to Implement

Restrict traffic

By configuring perimeter and internal firewalls to ensure all outbound traffic must go through a proxy, it is possible to restrict traffic to those protocols that are business-critical. This will force attackers to use protocols of the defender’s choice and prevent simple exfiltration. It also becomes possible to log and analyse all outbound traffic. Companies are likely to find that a very small number of protocols are genuinely required, such as HTTP/S and SMTP. Hosts that require additional protocols can be identified and the proxy or firewall configured to allow just those hosts to communicate on the necessary protocols.

SSL / encrypted traffic

A common issue with enforced proxies is how to handle encrypted traffic. If encrypted traffic such as HTTPS is allowed without interception, attackers can simply use that to exfiltrate data. However, intercepting comes with significant cost, bandwidth and privacy implications, as well as technical challenges. To intercept all HTTPS connections is possible, but will require expensive proxies owing to the computational power that is needed. Unless budgets are significant, proxies are likely to be overwhelmed by even a reasonable number of connections (see ‘Fail open or fail closed’, below). Importantly, staff will also have an expectation of privacy when using HTTPS. In addition, there are technical challenges when considering how to respond to invalid certificates.

If organisations choose to intercept encrypted traffic, they are advised to ensure that staff are made fully aware of this fact. It might be desirable to consult staff beforehand, and have signed agreements in place, or to consider injecting a banner or consent screen. Responses should be prepared: for example, if the certificate of the target site is invalid, how will users be informed?

Meanwhile, if an organisation chooses to intercept SSL connections selectively, it is advised to compile a whitelist of sites that are not intercepted – although many sites that users will hope to access without interception could potentially be used as exfiltration vectors. However, a whitelist is greatly preferable to a blacklist (of sites that are intercepted), since in this latter instance an attacker could simply create their own site.

Fail open or fail closed?

An important decision to consider when intercepting any traffic is under what conditions the proxy will fail open, and under what conditions it will fail closed. Failing open will allow an attacker to cause the proxy to hit that condition (for example, by overwhelming it with requests), and then exfiltrate their data while the proxy is inoperable. Conversely, while failing closed will prevent exfiltration of this sort, it could also prevent legitimate business function – something that could prove highly costly and damaging.

A potential compromise is to configure systems to fail open, yet ensure that such an event generates a high- or critical-level alert that is immediately investigated by response staff. Such an event is likely to be caused by a current exfiltration or an overload of resources, both of which will require an immediate response.

Monitor traffic

After traffic has been directed through a proxy, it is possible to analyse it for signs of compromise. This can include an analysis of the volume of data to identify large exfiltration events regardless of the destination address: a useful indicator that does not require SSL interception. Organisations can also monitor for communications with suspicious endpoints, such as those identified in private and public lists of known attacker hosts and, again, this does not require SSL interception. If there is to be SSL interception, however, organisations can consider deep packet inspection, analysing the content of data leaving the network for indicators of exfiltration. Examples of such indicators include the use of non-interceptable encryption, non-standard compression algorithms, or even plaintext sensitive documents.

Considerations

• Organisations are advised to see outbound restrictions merely as a measure to increase the effort required from an attacker, forcing them down routes that can be more easily monitored.
• Care should be taken with the configuration of proxy servers. Experience with exfiltration has shown that even subtle misconfigurations of proxy servers can allow easy exfiltration. Meanwhile, assumptions regarding supposedly ‘safe’ protocols should be avoided, as even protocols such as DNS can be abused to exfiltrate data.
• Compiling a whitelist of approved destination IP addresses can prevent trivial exfiltration, but even many whitelisted sites can still be used for this purpose.
• Advanced threat actors might directly attack either firewalls or the proxy to allow their communications. Organisations are advised to ensure that such devices are suitably hardened and monitored.
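An added example, not the guide’s own material: Python that analyses constructed proxy log records for the indicators this section and the earlier ‘Traffic types’ and ‘DLP / AV’ passages describe, namely outbound volume regardless of destination, contact with listed hosts, and, where content is available from interception, gzip rather than the PKZIP format the Windows zip utility produces, opaque high-entropy data, and plaintext protective markings. The host list, volume threshold, entropy cut-off and the levels given to the volume and endpoint alerts are assumptions; the levels for markings and inspection deviations follow the text.

```python
import hashlib
import math
from collections import defaultdict

# Constructed list of suspicious endpoints (placeholders, not real indicators).
KNOWN_ATTACKER_HOSTS = {"updates.example-bad.invalid", "203.0.113.77"}

# Outbound bytes from one source host within the analysed window above which
# a large-transfer alert is raised, whatever the destination (assumed figure).
VOLUME_THRESHOLD = 50 * 1024 * 1024

# The guide's example protective marking, loaded as a 'virus definition'.
PROTECTIVE_MARKINGS = ("ORG SECRET",)


def shannon_entropy(data):
    """Bits per byte of the sample; random or encrypted data approaches 8."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify_payload(sample):
    """Classify the first bytes of an intercepted upload body.

    Returns 'zip' (PKZIP: the common baseline), 'gzip' (a compression type
    the guide expects to see rarely), 'marked' (plaintext carrying a
    protective marking), 'encrypted' (opaque high-entropy data with no
    known header) or 'plain'.
    """
    if sample.startswith(b"PK\x03\x04"):
        return "zip"
    if sample.startswith(b"\x1f\x8b"):
        return "gzip"
    text = sample.decode("utf-8", errors="ignore")
    if any(marking in text for marking in PROTECTIVE_MARKINGS):
        return "marked"
    # A short sample cannot reach high entropy, so only judge 64+ bytes, and
    # scale the cut-off to the largest entropy a sample of that size can have.
    if len(sample) >= 64:
        limit = 0.9 * math.log2(min(256, len(sample)))
        if shannon_entropy(sample) > limit:
            return "encrypted"
    return "plain"


def analyse_proxy_log(records):
    """records are (src, dst_host, bytes_out, sample) tuples; sample is the
    start of the request body when SSL was intercepted, else None.
    Returns a list of (level, reason) alerts."""
    alerts = []
    volume = defaultdict(int)
    for src, dst, bytes_out, sample in records:
        volume[src] += bytes_out
        if dst in KNOWN_ATTACKER_HOSTS:          # needs no interception
            alerts.append(("high", "%s contacted listed host %s" % (src, dst)))
        if sample is not None:                   # only when intercepted
            kind = classify_payload(sample)
            if kind == "marked":
                alerts.append(("mid", "protective marking in plaintext upload %s -> %s" % (src, dst)))
            elif kind == "gzip":
                alerts.append(("low", "non-standard compression (gzip) %s -> %s" % (src, dst)))
            elif kind == "encrypted":
                alerts.append(("mid", "opaque encrypted payload inside session %s -> %s" % (src, dst)))
    for src, total in volume.items():            # needs no interception
        if total > VOLUME_THRESHOLD:
            alerts.append(("mid", "%s sent %d bytes outbound in window" % (src, total)))
    return alerts


def constructed_opaque_blob(n):
    """Deterministic high-entropy bytes standing in for an encrypted upload."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(b"constructed" + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


# Constructed proxy log records: (src, dst_host, bytes_out, intercepted sample).
SAMPLE_LOG = [
    ("10.0.1.20", "www.example.com", 4_000, b"name=alice&q=quarterly+report"),
    ("10.0.1.20", "files.example.com", 2_000_000, b"PK\x03\x04" + b"\x00" * 60),
    ("10.0.2.20", "203.0.113.77", 80_000_000, None),
    ("10.0.1.30", "paste.example.net", 30_000, b"\x1f\x8b\x08\x00" + b"\x00" * 60),
    ("10.0.1.30", "cdn.example.org", 600_000, constructed_opaque_blob(1024)),
    ("10.0.2.40", "mail.example.com", 50_000, b"ORG SECRET - Project Atlas bid figures"),
]

if __name__ == "__main__":
    for level, reason in analyse_proxy_log(SAMPLE_LOG):
        print("%-4s %s" % (level.upper(), reason))
```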


Honeypots

Introduction

Monitoring the access or use of sensitive resources can prove difficult, because of the legitimate use of the same resources throughout the working day. Hence staff involved in monitoring can find themselves spending large amounts of time sorting legitimate from illegitimate access. This often results in attempts to identify specific patterns representing ‘bad access’, as opposed to ‘good access’, and alerting on the former. However, an attacker then needs only to remain within a ‘good’ pattern to escape detection.

Honeypots avoid this problem by creating resources that appear to be sensitive but in fact have no legitimate use. This addresses the problem of monitoring, as any attempt to access the resource is highly likely to be an indicator of compromise.

Different definitions of ‘honeypot’ exist, including a full computer, or a file on a computer, but for the purposes of this document it will be assumed that honeypots can be created within any resource that an organisation might wish to monitor. However, some resources lend themselves particularly well to honeypotting.

How to Implement

Emails

The mailboxes of senior members of staff are common targets for attackers, since they will typically contain highly actionable information, from attachments incorporating sensitive data to informal reports of project status or defensive plans. Organisations might therefore wish to consider creating an email account for a fictional high-level employee.

Considerations will include the extent to which the fictional employee is publicised; for example, adding them to public webpages might cause legal difficulties, particularly in the case of executives, and yet their absence could alert attackers to the honeypot.

The mailbox can initially be populated with real emails, or it could simply be a clone of a similar high-level employee’s mailbox. The address can then be added to related groups, so that new emails flow into the account and an attacker identifying individuals through their membership of groups will find the honeypotted account. Organisations might wish to develop the project by ensuring the fake individual appears in locations such as SharePoint, the organisational chart, and other places an attacker might look to identify a suitable individual.

Mail servers or networking equipment can be set up to trigger an alert at any attempt to access the honeypotted mailbox. This should then be treated as an active breach, as other executive mailboxes are likely to be attacked at the same time.

Files

Once file stores and other repositories of sensitive information have been identified, organisations might choose to place files within them that would appear tempting to an attacker. These files could contain terms related to projects, organisational plans, defensive strategies or other keywords likely to be sought by an attacker. A range of honeypot files can be created to cover differing ranges of words that attackers might seek.

Files should be placed in locations where attackers are likely to find them. An example is where project updates for executives are stored; a ‘strategic project plan’ or similarly enticing file can be added to the same store. The same principle can be applied to database records, with records that need not be accessed during normal business functions placed within sensitive data sets.

The hosting file system or server can then be configured, potentially at the OS level, to alert when the file is accessed. An alert should likewise be triggered by an attacker who copies the entire data set.

Credentials

There are likely to be many administrators or privileged accounts within an organisation. Attackers will often seek to compromise one of these accounts to allow easy access to aggregated information such as file shares. It is by compromising highly privileged accounts that attackers aim to defeat compartmentalisation.

Organisations could therefore decide to create privileged credentials and monitor domain controllers for any attempted use of those credentials. They might even wish to go further by making the password for some such accounts deliberately vulnerable to offline cracking, so that attackers compromise the intended credentials before other accounts. This defensive activity can be supported by attempts within the organisation to crack its own passwords, helping to ensure there are no valid accounts with weaker passwords.

Machines / network resources

Honeypotted machines, networks and network resources are other options open to the defending organisation. For example, a machine named ‘backup file share’ could be tempting to an attacker, and could contain apparently useful data, while the approach can be reinforced by including the machine in network diagrams, as well as in the Active Directory and similar plausible locations.

The machines themselves, and potentially even the network infrastructure (such as switches/routers), should be configured to trigger an alert if there are any attempts to connect to them.

Another approach is that of monitoring for connections to non-existent IP addresses in the range of legitimate target machines. For example, if file-sharing servers are within a particular subnet, attempts to scan that subnet would ideally trigger an alert, as they could represent an attacker attempting to find more targets.
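The alerting described under ‘Files’, ‘Credentials’ and ‘Machines / network resources’, as an added Python example that is not from the guide: any touch of a honeypot file, account or host is raised at the highest level, while bulk reads of a store and connections to unallocated addresses in the file-server subnet, which only become visible across many events, are counted and raised once a threshold is reached. The honeypot paths, account names, addresses, thresholds and the audit event records are all constructed rather than taken from any real product’s log format.

```python
import ipaddress
from collections import defaultdict

# Constructed honeypot inventory (hypothetical names, not from the guide).
HONEYPOT_FILES = {
    r"\\fileserver\exec\strategic project plan.docx",
    r"\\fileserver\exec\defensive strategy 2014.xlsx",
}
HONEYPOT_ACCOUNTS = {"svc_backup_admin"}     # privileged-looking, never used legitimately
HONEYPOT_HOSTS = {"10.0.3.250"}              # the 'backup file share' machine
FILE_SERVER_SUBNET = ipaddress.ip_network("10.0.3.0/24")
ALLOCATED_IN_SUBNET = {"10.0.3.10", "10.0.3.11", "10.0.3.250"}  # real hosts plus the honeypot
SCAN_THRESHOLD = 3    # distinct unallocated addresses contacted by one source (assumed)
COPY_THRESHOLD = 50   # distinct files read from one store by one user (assumed)


def check_event(event, scan_state, copy_state):
    """Evaluate one audit event and return (level, reason) or None.

    scan_state and copy_state are dicts of sets carried between calls, so
    that subnet scanning and whole-data-set copying can be recognised.
    """
    kind = event["kind"]
    if kind == "file_read":
        path = event["path"]
        if path in HONEYPOT_FILES:
            return ("critical", "honeypot file read by %s: %s" % (event["user"], path))
        store = path.rsplit("\\", 1)[0]
        seen = copy_state[(event["user"], store)]
        seen.add(path)
        if len(seen) == COPY_THRESHOLD:      # raise once, at the threshold
            return ("high", "%s has read %d distinct files from %s" % (event["user"], len(seen), store))
        return None
    if kind == "logon":
        # The guide asks for an alert on any attempted use, so success
        # and failure are treated alike.
        if event["account"] in HONEYPOT_ACCOUNTS:
            return ("critical", "honeypot credential %s used from %s (%s)"
                    % (event["account"], event["src"], event["result"]))
        return None
    if kind == "connect":
        dst = event["dst"]
        if dst in HONEYPOT_HOSTS:
            return ("critical", "connection to honeypot host %s from %s" % (dst, event["src"]))
        if ipaddress.ip_address(dst) in FILE_SERVER_SUBNET and dst not in ALLOCATED_IN_SUBNET:
            targets = scan_state[event["src"]]
            targets.add(dst)
            if len(targets) == SCAN_THRESHOLD:
                return ("high", "%s contacted %d unallocated addresses in %s: likely scan"
                        % (event["src"], len(targets), FILE_SERVER_SUBNET))
        return None
    return None


def process(events):
    """Run every event through check_event and return the alerts in order."""
    scan_state = defaultdict(set)
    copy_state = defaultdict(set)
    alerts = []
    for event in events:
        result = check_event(event, scan_state, copy_state)
        if result:
            alerts.append(result)
    return alerts


# Constructed audit events, in the order a log would record them.
SAMPLE_EVENTS = [
    {"kind": "file_read", "user": "alice", "path": r"\\fileserver\exec\board minutes.docx"},
    {"kind": "file_read", "user": "alice", "path": r"\\fileserver\exec\strategic project plan.docx"},
    {"kind": "logon", "account": "alice", "src": "10.0.1.20", "result": "success"},
    {"kind": "logon", "account": "svc_backup_admin", "src": "10.0.1.20", "result": "failure"},
    {"kind": "connect", "src": "10.0.1.20", "dst": "10.0.3.10", "dst_port": 445},
    {"kind": "connect", "src": "10.0.1.20", "dst": "10.0.3.250", "dst_port": 445},
] + [
    {"kind": "connect", "src": "10.0.1.20", "dst": "10.0.3.%d" % n, "dst_port": 445}
    for n in (20, 21, 22)
] + [
    {"kind": "file_read", "user": "bob", "path": r"\\fileserver\finance\record_%03d.csv" % i}
    for i in range(COPY_THRESHOLD)
]

if __name__ == "__main__":
    for level, reason in process(SAMPLE_EVENTS):
        print("%-8s %s" % (level.upper(), reason))
```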


Considerations

• For the defence to be successful, an attacker needs to be lured into accessing or interacting with the honeypot. As such, it needs to be well implemented, i.e. tempting and locatable. This can be achieved by identifying where a legitimate document or machine is referenced within the organisation – and referencing the honeypot there as well. Knowledge of common attacker targets (see section ‘Adaptive Defence’) can aid in determining suitable resources.
• Advanced attackers are known to study the defensive tactics of an organisation, hence the nature and even mere existence of honeypots must be treated with the highest possible level of secrecy. Organisations might even choose to keep all related discussions and documentation off computer resources entirely.
• Organisations should not be averse to using real information for the honeypot, even though the information might therefore be at a higher risk. Attackers are highly likely to gain access to the confidential information regardless of its location, and so learning of the attack via a triggered honeypot will at least allow the organisation to be aware of, and to respond to, the attack.
• An alert from a honeypot needs to be treated as a highly critical alert. To be effective, particularly where honeypotted credentials or files are used, staff will need to respond rapidly and a mechanism should be designed to allow this to happen. If curious staff are triggering too many alerts, the honeypot might need to be redesigned, or staff in appropriate roles verbally instructed as to the exercise.

Adaptive Defence

CRITICAL SECURITY CONTROL 20

Introduction

There are many defensive strategies that can be adopted to provide general defence and raise the bar for attackers. However, once an effective defence-in-depth programme has been implemented, defence that is aware of specific threats can provide an enhanced level of protection.

To ensure that defences are appropriately threat-driven requires an understanding of the specific threats that face the organisation. Once threats and the associated tactics are understood, organisations can seek strategies that offer significant defensive successes for minimal cost and risk.

How to Implement

Threat actors

Different threat actors will have subtly or even wildly different techniques and goals, the nature of which will depend on the target organisation – and which will probably change over time. Many organisations are targeted by nation states as a result of becoming involved in that country, or competing with one of the foreign nation’s own organisations. In such cases, the attacker’s primary objective is often to acquire information relating to the current situation (e.g. negotiations, projects, acquisitions, etc.). This idea can guide defensive plans by ensuring that defenders are aware of the currently sensitive projects, or those most likely to attract hostile attention, and focusing greater resources on the key information while the projects are at a critical stage. This could be achieved by classifying information relating to those projects at a higher level than would otherwise be the case, until the critical period has passed, after which it can be reclassified to a lower marking.

Once the key information has been obtained, some nation state-sponsored attackers tend to remove themselves from the network to reduce the risk of discovery and the associated adverse political and media coverage. Other attacking groups will instead penetrate further into the organisation and obtain information periodically over a number of years. The latter group can be better countered by the defences described in this paper, as the longer they are in the network, the greater the chance of detection.

Finally, some organisations will be concerned about the threat of non-nation-sponsored attacks, such as by hacktivists or cybercriminals. It is important that organisations with these concerns understand the tactics used by such groups, and ensure their defences would prevent the better-known tactics. For example, cybercrime actors will often attempt to extract financial records from the database to obtain data such as credit card numbers. Attacks of this sort frequently make use of vulnerabilities in the public websites that connect to the databases. This tactic of exploiting a web app vulnerability to extract credit card data is rarely something that would be attempted by a nation state actor, hence the data set might be classified at too low a level if the specific threats are not considered.

Covert defence

Many advanced and nation state level attackers are observed attempting to identify the defensive plans of an organisation, as part of their initial information-gathering activity after penetrating a network. This often includes identifying the logging and alerting in place; any relevant third parties who might be aiding the organisation; rule sets for firewalls, proxies, etc.; and key defensive individuals whose mailboxes can then be targeted. Organisations are therefore advised to ensure that any attempt to identify defensive information alerts the defensive team.

It is also recommended that organisations ensure their defensive plans and, where possible, resources are ‘off the grid’, so that a network-based attacker can’t compromise them. This might require paper and verbal communication for the most crucial aspects of plans, or machines that are managed from entirely air-gapped networks and are not on the corporate domain.


Organisations would also be wise to ensure that the majority of their defensive thresholds and capabilities are hidden from attackers. For example, in his talk ‘Attack-Driven Defense’, Zane Lackey of Etsy explored the idea of both defensive rootkits (i.e. hidden host agents) and network devices that do not alert, but rather send mass data reports to logging systems (see Further Reading). The actual alerting can then be done by aggregation systems, so that attackers are unable to identify alert thresholds by compromising network devices. To understand the behaviours that would generate an alert, an attacker would need to compromise the log aggregation system, which would offer an extra chance for the defence team to detect the attack.

Wargaming and learning lessons

Experience in dealing with advanced attackers is an extremely useful asset for an organisation. It can take the form of either experienced staff, who can be hired, consulted or contracted, or organisational experience – which must be learnt. All investigations of breaches should include a period of ‘After Action Review’, where the defensive teams try to identify the lessons to be learnt [26]. These should include the controls that would have prevented the attack, alerting that would have detected the attacker, and logging that could have made investigation easier. It is recommended that organisations have a defined process for rolling these lessons back into the security plan.

If there are no on-going breach investigations, defensive staff can ‘wargame’. This can be a hypothetical exercise, whereby an attacker is imagined and the teams see whether defences would thwart them, or allow for their detection after the fact. Alternatively, security staff or external providers can conduct real-world attacks, either from an external perspective or by setting up an internal C&C and then compromising documents – while seeing how long it takes defenders to locate them once they are told of the attack. This process can also be used to generate understanding of the routes currently open to an attacker, and hence allow these routes to be closed or honeypotted.

Delaying or deterring further attacks

If an organisation has managed to locate an attack, it is important not to remove the attacker immediately (by changing passwords, for example) unless there are significant business reasons for doing so. By taking time to understand the true extent of the breach, and how the attacker has gained entry and persistence, a more effective response can be prepared.

Organisations are advised to push an attacker as far back along the intrusion as they can. As an example, if an attacker is caught accessing a file and the organisation blocks access to that file, then the attacker is still acting on objectives. If, however, the command and control infrastructure and initial points of entry can be identified and successfully remedied, the attacker might be pushed back to the initial reconnaissance phase and forced to identify a new route in. This will increase the time and cost to the attacker and, although it might not necessarily prevent a future attack, it could buy the defensive team time to conduct further analysis and to better understand their weaknesses – as well as the attacker’s likely future tactics.

[Figure: By carefully planning the response to an attack, the threat actor can be pushed further back along the attack path. Attack path: Reconnaissance → Initial compromise (phishing) → Set up C&C → Identify, acquire and aggregate data → Exfiltrate data. Responses shown against the later stages: stop exfiltration by blacklisting IPs; change passwords of compromised accounts; identify and remove C&C.]

One of the few tactics that can successfully deter future attacks is misinformation. If attackers invest time and resources in compromising an organisation, only to obtain information that later proves to be useless or misleading, they are less likely to attack again.

There are two distinct approaches to take with misinformation. Tactical misinformation is where organisations have data, typically related to a current bid or project, that they believe will be exfiltrated, hence they plant misinformation to prevent threat actors from benefiting from the attack. Examples could include multiple versions of a negotiating position that the organisation suspects will be stolen, with only one containing the correct figures. Actors stealing the data will not know which is the correct set of figures and so cannot rely on the information they have acquired.

Meanwhile, strategic misinformation is more complex and involves planting false information over a longer term, causing the adversary to pursue a false line of thinking if the data is stolen and acted upon. If that line of thinking causes the adversary to expend time and effort before discovering the data is false, they might be dissuaded from stealing further information as there is a risk they will again waste effort. A successful misinformation campaign can be difficult to achieve, however, as it requires an understanding of the attacker’s objectives to be successful. Some organisations combine misinformation with honeypots (see section ‘Honeypots’) in an attempt to thwart attackers.

Considerations

• While there can be great benefit in ensuring defences are designed for specific threats, organisations need to be careful to ensure both a good general level of defence and that their understanding of specific threats is accurate. If threat assessment is inaccurate, it can lead to excellent defences against one specific threat, while leaving the organisation vulnerable to another, equally real, threat.
• Although it is sometimes highly effective, misinformation can be a risky strategy. A key risk is that staff and partners believe the misinformation is real and make strategic decisions accordingly. The time and cost to implement and maintain a successful misinformation scheme can also be significant, if not well managed, and there is an additional challenge in that an analyst working for a competitor might be able to determine which of the planted data sets is most likely to be accurate.
• Organisations should consider partnerships with other organisations that face advanced persistent attacks. These partnerships can help organisations to share threat intelligence, experience, solutions, tools and indicators of compromise. The Cyber Security Information Sharing Partnership (www.cisp.org.uk) is an organisation that allows government and industry to share such information.


Summary

Modern organisations are highly complex and have valuable
digital assets that they need to use in day-to-day business rather
than simply store securely. Modern attackers are motivated and
well resourced by groups that understand the value of the assets
they hope to compromise. This combination means that complete
prevention of data compromise and exfiltration by advanced
attackers simply isn’t possible. Instead, organisations must
focus on detecting and deterring such attacks, which is still
a significant challenge.
With no ‘magic bullets’ available, an organisation’s best option for
detecting and deterring data exfiltration by advanced attackers is
a comprehensive defence-in-depth strategy. The strategy will not
only need to be implemented but also maintained, and must be able
to adapt to new business behaviours and changing threats. Such a
strategy will require significant resource and is likely to touch much
of an organisation’s functioning. It therefore needs to be driven from
the highest levels of the business.
A defensive programme can be expensive and, in order to justify
the cost, an organisation needs to understand what might be
lost without it. It also does no harm for senior personnel to remind
themselves of this threat occasionally – if only to ensure that
on-going defensive measures are not the first thing to be cut
when the squeeze comes.
However, if well implemented, such a strategy will be able to push
up the cost to the attacker while simultaneously decreasing the
business impact on the organisation. A coherent strategy can work
to flip the defender’s dilemma (the idea that an attacker only needs
to be successful once) into the attacker’s dilemma (where a single
detection can alert the defender to their presence) [27].


Glossary

ACL – Access Control List
AV – Antivirus
BIA – Business Impact Analysis
BIOS – Basic Input / Output System – The software that directly interfaces with hardware in a computer
CERT – Computer Emergency Response Team – Developed by Carnegie Mellon University
CESG – The Information Security arm of GCHQ
CPA – Commercial Product Assurance – A certification scheme by CESG
DHCP – Dynamic Host Configuration Protocol – A protocol used by servers to allocate IP addresses to computers
DLP – Data Loss Prevention – Software to detect data loss at either computer or network level
DNS – Domain Name Service – System by which human-readable URLs (www.site.com) are linked to IP addresses
EMET – Exploit Mitigation Experience Toolkit – Advanced exploit preventions for Windows
FTP – File Transfer Protocol – An older but regularly used system for transferring files. Typically unencrypted
GUI – Graphical User Interface – The visual interface of a program as opposed to the command line interface
gzip – A tool for compressing data
HTTP/S – Hypertext Transfer Protocol / Secure – The underlying protocol by which web pages are delivered
IDS – Intrusion Detection System – Software working at either computer or network level to detect signs of compromise. Typically compares activity to a list of known ‘bad’ activities
IP flow – A system to show packet flows between hosts and not the actual content of packets
IRC – Internet Relay Chat – A system to allow a number of people to chat online in a virtual chat room
IS – Information Security
OS – Operating System
RAT – Remote Access Tool – Malware to allow remote control of a computer
RDP – Remote Desktop Protocol – Microsoft’s system for allowing remote usage of a Windows machine
RPC – Remote Procedure Call – System for allowing programs to trigger actions on remote computers
SCP – Secure Copy – Allows encrypted transfer of files
SELinux – A version of Linux with additional functionality to prevent exploitation
SFTP – Secure FTP
SIEM – Security Incident and Event Management – Software to allow correlation and investigation of alerts
SMB – Server Message Block – System for accessing resources on remote computers, including files and RPC
SMTP – Simple Mail Transfer Protocol – Protocol underpinning email
SSH – Secure Shell – Remote and encrypted command line access to systems
SSL – Secure Sockets Layer – Unencrypted protocols can be tunnelled through SSL to provide encryption
TCP – Transmission Control Protocol – A protocol used in sending data in the form of message units
VLAN – Virtual Local Area Network – Allows logically distinct networks to share the same physical hardware
VPN – Virtual Private Network – Allows physically distinct networks to communicate securely, as if physically connected


Quick Wins

A comprehensive defensive programme such as that described in this paper is time-consuming to define and agree, let alone to implement. However, while this process is being undertaken, there are several steps that IS staff can take to achieve a rapid improvement in resilience against data exfiltration.

The ‘quick wins’ described below are designed to help increase an organisation’s overall defence against data exfiltration. In most cases, they assume the attackers are already in the network or soon will be, and hence they are generally designed to aid investigation following a third-party breach notification. The quick wins should be considered as temporary measures, while a full programme is in its early stages. All are likely to be circumventable by an advanced attacker, yet they could prove effective if the organisation is compromised by a less advanced attacker.

• Ensure the network is manageable
A defensive programme or incident response will require accurate and updated network maps, and details of hosts and devices on the networks. IS and IT staff should ensure such maps are available. The Manageable Network Plan can be used to guide this process20. CPNI advice on Protecting Information About Networks, the Organisation and Staff (PIANOS) can be consulted to help protect the information adequately.

• Logging throughout the organisation
To aid an investigation, IS staff are advised to ensure that as much log file data as possible is available for investigators. A cheap – but easily compromised – option is to have devices log data locally, monitoring such activities as the use of programs that are potentially useful to attackers: net.exe and ipconfig, for example. Where budget or surplus equipment is available, key devices should be set up to log data centrally, even if the logs aren’t used for alerting.

• Audit domain accounts
IS staff are advised to conduct audits for suspicious behaviour of domain accounts. This can include multiple failed logins or the creation of new administrative accounts. IS staff could also audit for weaknesses, such as active accounts for departed staff, or accounts not used for one month. The password strength of accounts can be audited by attempting to crack the passwords – and informing users if their password proved to be susceptible.

• Separate network into VLANs
In some networks, broad VLAN segregation can be achieved without impacting services or requiring new hardware. As time and budget allow, segregation can become more granular and restrictive. Adding network segregation can provide critical new opportunities to log an attacker’s horizontal and vertical network movements.

• Use network-based AV or IDS as crude DLP
Many organisations have network-level antivirus or a computer that can be used as such. By adding sensitive keywords as virus definitions, the AV will generate alerts that help the IS team to see and understand the flow of sensitive documents in their organisation. Bear in mind, however, that if attackers compromise the AV host, they will gain access to the words and the alerts – which could prove useful to them.

• Basic host hardening
Quick wins can often be achieved by hardening hosts through group policy, hence requiring no additional software. Staff are advised to investigate technologies such as EMET, and application whitelisting through AppLocker. An example of a quick win is that AppLocker can be configured to allow only software signed by specific companies to run (although the use of some third-party software can then prove problematic). By allowing only Microsoft and the manufacturers of approved software, attackers can be deterred from using their own tools. The hardening of operating systems, and third-party software, can be introduced gradually, as time and resources allow.

• Make the most of current tools
Experience shows that many organisations have a number of security and usability tools that they are not fully utilising. By auditing the tools in place, an organisation can begin to gain maximum value from them.

• Honeypots
Implementing honeypots (see section ‘Honeypots’) can be an effective quick win, and many types of honeypot do not require significant time or resources to implement. For example, intentionally weak domain credentials or sensitive-sounding documents can be quick to create without impacting the rest of the business – and hence might not require top-level authorisation.
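Several of the quick wins above (local logging of net.exe and ipconfig use, the failed-logon and new-administrator audits, and the one-month idle-account check) can be scripted over exported Windows Security log events. The following Python is an added example, not the paper’s or MWR’s own tooling; the event and account records are constructed, and the tool list, group list and failed-logon threshold are assumptions to be tuned per environment.

```python
from collections import Counter
from datetime import datetime, timedelta

# Executables the paper names as useful to attackers, plus net1.exe, which net.exe
# delegates to (assumption: a starter list; extend it for the environment).
ATTACKER_TOOLS = {"net.exe", "net1.exe", "ipconfig.exe"}
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
AUDIT_DATE = datetime(2014, 2, 14)  # constructed "now" for the idle-account check

# Constructed Windows Security log records (not from any real system). Field names
# follow the event XML: 4688 process creation, 4625 failed logon, 4728/4732 member
# added to a security-enabled group (the group name is carried in TargetUserName).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\net.exe"},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\ipconfig.exe"},
    {"EventID": 4688, "Computer": "WS02", "SubjectUserName": "bob",
     "NewProcessName": r"C:\Program Files\Office\winword.exe"},
    *[{"EventID": 4625, "Computer": "DC01", "TargetUserName": "svc_backup"}
      for _ in range(6)],
    {"EventID": 4625, "Computer": "DC01", "TargetUserName": "carol"},
    {"EventID": 4728, "Computer": "DC01", "SubjectUserName": "alice",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=newadmin,CN=Users,DC=corp,DC=example"},
]

# Constructed directory export for the idle-account check (not real data).
SAMPLE_ACCOUNTS = [
    {"sam": "alice", "enabled": True, "lastLogon": datetime(2014, 2, 10)},
    {"sam": "dave", "enabled": True, "lastLogon": datetime(2013, 11, 1)},
    {"sam": "erin", "enabled": False, "lastLogon": datetime(2013, 6, 1)},
]


def triage(events, failed_threshold=5):
    """Return (category, host, account, detail) tuples for the audits above."""
    alerts, failed = [], Counter()
    for e in events:
        eid = e["EventID"]
        if eid == 4688:
            exe = e["NewProcessName"].rsplit("\\", 1)[-1].lower()
            if exe in ATTACKER_TOOLS:  # attacker-useful tooling run on a host
                alerts.append(("tool_use", e["Computer"], e["SubjectUserName"], exe))
        elif eid == 4625:  # count failed logons per (host, target account)
            failed[(e["Computer"], e["TargetUserName"])] += 1
        elif eid in (4728, 4732) and e["TargetUserName"] in ADMIN_GROUPS:
            alerts.append(("admin_group_add", e["Computer"],
                           e["SubjectUserName"], e["MemberName"]))
    for (host, acct), n in failed.items():
        if n >= failed_threshold:  # assumption: threshold tuned per environment
            alerts.append(("failed_logon_burst", host, acct, n))
    return alerts


def stale_accounts(accounts, now=AUDIT_DATE, max_idle_days=30):
    """Enabled accounts with no logon in max_idle_days (the paper's one-month test)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(a["sam"] for a in accounts
                  if a["enabled"] and a["lastLogon"] < cutoff)
```

Feeding the same functions a real export (for example, events pulled from the local logs the paper suggests keeping) needs only a converter from the event XML into the dictionaries shown.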


A Day in the Life of an Attacker and a Defender

MWR conducts penetration testing for clients to validate defences and identify routes that attackers might use. The following is hybridised from interviews with MWR consultants and client defence staff, describing two network penetrations. In the individual cases, only particular controls needed to be overcome, and by combining the tactics used it is believed the majority of organisations would be susceptible. Consultants were careful to avoid any logging and alerting in place, although it was later established that neither organisation had effective alerting – hence steps have been left out for succinctness. Despite being security-aware organisations, neither target had an effective defence strategy for more advanced attackers, meaning no zero-day exploits were required and no covert actions were detected by the targets.

Attacker: We got into the network through phishing emails with a link to a malicious webpage. We were targeting staff at a specific location, as we believed that proxy filtering was in place, so the malicious payload caused the infected laptops to connect to a Wi-Fi network that had been set up outside the building. We considered using DNS tunnelling for the initial payload as we then wouldn’t need to be near the building, but decided it would be slow – and we only had limited time. We probed one of the systems connecting to us and used an unpatched Windows vulnerability to escalate privileges to local administrator. We then packed all our tools using a custom encryptor to avoid AV, but used built-in Windows tools where we could.

Defender: We have a number of alerts on a typical day, rarely anything serious and normally the standard drive-by, download-style attacks. We are alerted to phishing emails by staff, although the AV catches a lot of them first. No alerts came in that morning.

Attacker: We used the browser of the machines to download benign files that were designed to be detected by the antivirus, and we waited until a domain administrator remotely logged into the machine to inspect the source of the alerts. At that point, we used the domain administrator’s security token to add ourselves to the domain as administrators. Evidence of the C&C was then cleaned up with a script, so that the investigating administrator would only see that the browser had accessed some odd files.

Defender: We had a number of malware alerts from a particular host and so one of our team logged in to check it. He looked at the AV logs and running executables and didn’t find anything suspicious. The files weren’t malicious, but things like EICAR to test AVs with. He started a deep AV scan just to be safe and logged off.

Attacker: We then accessed one of the other machines that had connected to the Wi-Fi network as a result of the spear phishing.
Settings were inspected to determine details of the web proxy, and the domain administrator credentials were used to
log into the proxy and view the rule set. We found a mistake in a rule that meant outbound traffic would be allowed to any
address as long as it contained a particular string. We registered the relevant domain, and reconfigured the compromised
hosts to communicate back to us using the new domain, meaning we could leave the vicinity of the building.

Defender: We are replacing one of the firewalls at the moment, as it has reached end of life, and so much
of the morning was taken up with testing the build and making sure the old options will map
over to the new OS – as there have been some changes between versions.

Attacker: We used the local user’s credentials to access the central SharePoint and identify the individuals who would have access
to the targets specified by the clients. Security staff were also identified, and we used domain admin credentials to
connect directly to the security staff’s laptops and browse documents to establish the alerting and monitoring in place
in the organisation. Domain admin credentials were then used to log into workstations of the individuals who were
believed to have access to the target documents. In many cases, the target files required by the clients were found in the
local hard drives of the targeted individuals’ computers. However, for some documents this was not the case, and so we
extracted plaintext passwords from the machines of the individuals. These passwords were then used to log into email
accounts to search for evidence of the documents required.

Defender: We review logs daily, based on what our filters have pulled out. One of our web apps had hit the
threshold of 5xx error codes so we had a look at its logs – but it didn’t seem to be malicious.

Attacker: Access to a specific system was required as evidence, so we installed screen-capturing software on a user of the system, and watched their
access to determine how to use the system and navigate it appropriately. Once convinced that the system could safely be used without
tripping any alerts, we connected using the compromised credentials and extracted the information. Data was collated on the C&C host
and then zipped into an archive. The archive was then exfiltrated using HTTPS through the proxy to the domain that had been set up.
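The proxy mistake in the account above was a rule that allowed outbound traffic to any address as long as the URL contained a particular string. As an added example, not from the interviews or from MWR’s tooling, the following Python places such a rule beside a corrected one that matches only the request’s host (and, as an added restriction, the scheme), and checks both against the decisions the policy intends; the partner domain and the test URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "partner.example"  # hypothetical destination the rule was meant to permit


def weak_allow(url):
    """Mis-written rule of the kind described: the request is allowed if the
    string appears anywhere in the URL, whatever host it actually goes to."""
    return ALLOWED_DOMAIN in url


def strict_allow(url):
    """Corrected rule: only the request's host is matched, and it must be the
    allowed domain itself or a subdomain of it; the scheme is pinned as well."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host == ALLOWED_DOMAIN or host.endswith("." + ALLOWED_DOMAIN))


# Constructed URLs with the decision the policy intends (no real hosts). The last
# three carry the string in a host suffix, a path and a query parameter, none of
# which is the partner's infrastructure, so the policy intends them to be denied.
POLICY_CASES = {
    "https://partner.example/upload": True,
    "https://files.partner.example/report": True,
    "https://partner.example.unrelated.test/": False,
    "https://unrelated.test/partner.example": False,
    "https://unrelated.test/?ref=partner.example": False,
}


def policy_mismatches(rule, cases=POLICY_CASES):
    """URLs where a rule's decision differs from the intended policy; an empty
    list means the rule enforces the policy on these cases."""
    return [url for url, intended in cases.items() if rule(url) != intended]
```

Running every allow rule through a table like POLICY_CASES before it reaches the proxy is a cheap regression check that would have caught the rule the attackers found.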


Case Studies

Misunderstanding the Threat

An organisation in the corporate services sector managed its risk based on the perceived primary threat of competitors hoping to gain an advantage, or other insight into their client relationships. As such, the organisation believed its primary assets were its financial data and client contacts. An investigation found that it had been compromised by at least one attacker thought to be funded by a nation state – and that the attacker was compromising not the organisation’s own data but its clients’ data. In other words, by holding intimate details of its clients’ businesses, the organisation had become a target itself.

No Magic Bullets

Many products exist that claim to prevent advanced attacks and hence organisations can place too much reliance on a particular product, rather than implementing a robust defence-in-depth approach. An example is the ‘Hidden Lynx’ hacking campaign reported by Symantec. A military contractor in the U.S. was using an application whitelisting tool by Bit9. This was preventing attackers from running their own tools, so the attackers simply shifted their focus to Bit9 itself – stealing the Bit9 code-signing certificates, which enabled the attackers to sign their tools with Bit9’s certificate. Hence they were readily able to run their own tools on systems protected by Bit9.

Exfiltration Can be Easy

Attackers do not always need to exfiltrate data through advanced methods. One organisation was compromised by attackers who were primarily after email content. An investigation found that attackers had compromised credentials for the email accounts of senior members of staff, and then set up email forwarding rules so that a copy of every email received was sent to an account at a cloud provider. This traversed the outbound proxy and was found to have been active for several months.

Exfiltration Can be Advanced

Attackers tend to take the easiest routes available to them, to avoid exposing their more advanced capabilities. However, should it be required, attacker groups have shown that they can call on advanced methods. Examples of this include attackers that have assessed segregated environments for protocols that are permitted to cross the network boundary – and then rewritten their tools to use those protocols. There are also examples where attackers have successfully crossed air gaps, using such techniques as compromising the USB media that the organisation’s staff were using to transfer data into an environment. Researchers have also demonstrated proof of concepts that use ultrasound via a device’s built-in speakers and microphone to cross an air gap28.


Further Reading

Hidden Lynx – Professional Hackers for Hire (Symantec) and Global Energy Cyberattacks: ‘Night Dragon’ (McAfee)
Two detailed reports of attacks that are believed to be nation state-sponsored
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
http://www.mcafee.com/uk/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf

CESG’s Good Practice Guides (GPGs)
A number of guides to relevant aspects of security, available from CESG
GPG No.13 – Protective Monitoring for HMG ICT Systems
GPG No.18 – Forensic Readiness
GPG No.24 – Security Incident Management
GPG No.35 – Protecting an Internal ICT Network

Digital Evidence, Digital Investigations and E-Disclosure (IAAC)
A guide for organisations on ensuring forensic readiness
http://www.iaac.org.uk/itemfiles/DigitalInvestigations2013.pdf

Sexy Defense: Maximizing the home-field advantage (Iftach Ian Amit)
Guidance on effective defence
http://www.iamit.org/docs/sexydefense.pdf

Wirewatcher Blog – Blog on network security
http://wirewatcher.wordpress.com/

Attack-Driven Defense (Zane Lackey)
A recommended talk by Zane Lackey of Etsy on defending like an attacker
http://www.youtube.com/watch?v=_4vSurKPl6I
or
http://mwr.to/zane

Burn it Down! Rebuilding an INFOSEC Program
A talk by Dave Kennedy of TrustedSec that gives a good overview of why a robust defensive programme is needed to beat advanced attackers
http://www.youtube.com/watch?v=bojVsGlda50
http://mwr.to/kennedy

Lockheed Martin’s Cyber Kill Chain®
A defence process that maps cyber attacks onto a military ‘Kill Chain’ model
http://www.lockheedmartin.co.uk/us/what-we-do/information-technology/cyber-security/cyber-kill-chain.html

HMG IA Standard No. 1 (CESG)
Government guidance on technical risk assessment
www.cesg.gov.uk/publications/Documents/is1_risk_assessment.pdf

Information Hiding Techniques: A Tutorial Review (Sabu M Thampi)
An overview of some information-hiding techniques by Sabu M Thampi of the LBS College of Engineering, Kasaragod
http://arxiv.org/ftp/arxiv/papers/0802/0802.3746.pdf


References

1. ‘Meet Hidden Lynx: The most elite hacker crew you’ve never heard of’ by Dan Goodin on arstechnica. http://arstechnica.com/security/2013/09/meet-hidden-lynx-the-most-elite-hacker-crew-youve-never-heard-of/

2. Mandiant Intelligence Center Report ‘APT1: Exposing One of China’s Cyber Espionage Units’. http://intelreport.mandiant.com/

3. Guidance on Protecting Information About Networks, the Organisation and its Systems (CPNI). http://mwr.to/pianos

4. Guidance on C&C channels (CPNI). http://mwr.to/c2

5. ‘Exfiltration techniques: an examination and emulation’ by Ryan Van Antwerp. http://udspace.udel.edu/handle/19716/10145

6. ‘Anti-Forensics: Techniques, Detection and Countermeasures’ by Simson Garfinkel. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.109.5063&rep=rep1&type=pdf

7. ‘Twitter calls lawyer over hacking’ – BBC News 16 July 2009. http://news.bbc.co.uk/1/hi/8153122.stm

8. Guidance on Mobile Devices (CPNI). http://www.cpni.gov.uk/advice/cyber/mobile-devices/

9. ‘IP Covert Channel Detection’ by Cabuk, Brodley and Shields. http://www.cs.tufts.edu/research/ml/docs/cabuk-covert-channels-tissec.pdf

10. ‘Advanced Data Exfiltration’ by Iftach Ian Amit. http://www.iamit.org/blog/2012/01/advanced-data-exfiltration/

11. ‘Hacking Exposed Wireless’ by Cache, Wright and Liu. Book on wireless security secrets and solutions.

12. ‘Gamifying Security Awareness’ blog by Ispitzner on SANS Securing the Human website. http://www.securingthehuman.org/blog/2012/01/17/gamifying-security-awareness

13. Extract from HMG IA Standard No.1 – Business Impact Level Tables. www.cesg.gov.uk/publications/Documents/business_impact_tables.pdf
HMG Security Policy Framework. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200552/HMG_Security_Policy_Framework_v10_0_Apr-2013.pdf
Government Security Classifications April 2014. https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf

14. ‘I love it when a plan comes together’ by Alec Waters on Wirewatcher. http://wirewatcher.wordpress.com/2014/01/09/i-love-it-when-a-plancomes-together/

15. ‘When it comes to troubleshooting and threat detection, NetFlow AND packet capture trump all’ by Jay Botelho for Network World. http://www.networkworld.com/news/tech/2013/102813-packet-capture-complements-netflow-275434.html?page=1

16. ‘Si(EM)lent Witness’ by Alec Waters on Wirewatcher. https://wirewatcher.wordpress.com/2010/06/23/siemlent-witness/

17. ‘Best Practices for Securing Active Directory’ – Microsoft. http://www.microsoft.com/en-gb/download/details.aspx?id=38785

18. SharePoint – Microsoft. http://office.microsoft.com/en-us/sharepoint-server-help/introduction-control-user-access-with-permissions-HA101794487.aspx

19. ‘CPA certified products’ by CESG. http://www.cesg.gov.uk/servicecatalogue/CPA/Pages/CPA-certified-products.aspx

20. ‘Manageable Network Plan’ from NSA. http://www.nsa.gov/ia/_files/vtechrep/ManageableNetworkPlan.pdf

21. ‘Operating Systems’ by NSA. http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml

22. ‘SELinux and grsecurity: A Side-by-Side Comparison of Mandatory Access Control and Access Control List Implementations’ by Fox, Giordano, Stotler, Thomas. http://www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf

23. The Enhanced Mitigation Experience Toolkit (EMET). http://support.microsoft.com/kb/2458544

24. Windows AppLocker. http://technet.microsoft.com/en-us/library/dd759117.aspx

25. ‘Log anomaly detection tools’ blog by Antti Ajanki on Futurice. http://blog.futurice.com/tech-pick-of-the-week-log-anomaly-detection-tools

26. ‘Private Investigations’ by Alec Waters on Wirewatcher. http://wirewatcher.wordpress.com/2010/05/25/private-investigations/

27. ‘Defender’s Dilemma vs. Intruder’s Dilemma’ blog by Richard Bejtlich on TaoSecurity. http://taosecurity.blogspot.co.uk/2009/05/defenders-dilemma-and-intruders-dilemma.html

28. ‘Ultrasound data transmission via a laptop’ on Anfractuosity. http://www.anfractuosity.com/projects/ultrasound-via-a-laptop/


Contributors:
David Chismon

Martyn Ruks

Matteo Michelini

Alec Waters - Dataline Software



MWR InfoSecurity (Head Office)
Matrix House, Basing View
Basingstoke RG21 4DZ
T: +44 (0)1256 300920
F: +44 (0)1256 323575

MWR InfoSecurity (London)


77 Weston Street
London SE1 3RS

MWR InfoSecurity (Manchester)


113-115 Portland Street
Manchester M1 6DW

MWR InfoSecurity (South Africa)


11 Autumn Street, Rivonia
Gauteng, 2128, South Africa
T: +27 (0)10 100 3157
F: +27 (0)10 100 3160

www.mwrinfosecurity.com
labs.mwrinfosecurity.com
Follow us on Twitter:
@mwrinfosecurity
@mwrlabs

© MWR InfoSecurity Ltd 2014. All Rights Reserved.

This Briefing Paper is provided for general information purposes only and
should not be interpreted as consultancy or professional advice about any
of the areas discussed within it.
