Data Exfiltration
Guide for Implementers
February 2014
MWR would like to acknowledge the help and
support of CPNI in researching this topic
and producing the accompanying products.
Data Exfiltration | Contents Guide for Implementers | February 2014
Contents
Case Studies 39
Further Reading 40
References 41
Introduction
In today’s world, an organisation’s digital resources are likely
to be among its most sensitive and valuable assets. If a competitor
were to obtain details of research and development, financial
information, business processes, or intended developments and
acquisitions, it could prove commercially disastrous. Hence foreign
nations are investing huge amounts in state-supported cyber
attacks to obtain these assets for use by organisations within
their own countries.
The attacks are almost always successful. Modern organisations
are so large, diverse and complicated that they are frequently
unaware of what sensitive documents they possess, let alone how to
defend them appropriately. Furthermore, an organisation’s network
perimeters will be highly porous and susceptible to attack via a host
of new technologies, such as remote access, cloud services, home
working, partnerships, and so on. The internal networks of modern
organisations are also complex and interlinked, having grown from
principles of usability rather than security, which means that it can
prove extremely difficult to detect attackers once they are within
the network. This is partly because detection methods often focus
on spotting ‘bad’ patterns of behaviour, so that attackers can avoid
detection simply by restricting themselves to ‘good’ patterns –
such as accessing the CEO’s email from the CEO’s own laptop.
Data can have real value to attackers, potentially in the region of millions or even billions of pounds where intellectual property and negotiation positions are concerned. Attacker motivation and resourcing, combined with modern networks that are highly complex and porous, mean that it is simply not possible to guarantee the prevention of data exfiltration. If necessary, attackers can spend years slowly mapping out an organisation, observing legitimate behaviour to avoid tripping defences and gradually working towards their objectives. If they come up against defences, the attackers can either learn to bypass the controls directly, or compromise the company that produces a control in order to bypass it [1].

However, organisations can significantly increase the number of opportunities they have to detect and repel attackers. In so doing, they can escalate the cost and complexity for the attacker, reduce the potential business impact on themselves, and even develop advanced strategies that will deter the attacker from targeting them in future.

This white paper gives a high-level overview of a typical attack (see section on ‘Anatomy of a Typical Attack’) and then covers the current tactics used by attackers to acquire and exfiltrate data (section ‘Current Exfiltration Tactics’). Current business trends and attacker trends are then extrapolated to predict the likely future developments in exfiltration strategy (section ‘Future Exfiltration Tactics’). The majority of the white paper, however, focuses on the steps that will give organisations the best chance of detecting and deterring data exfiltration (section ‘Increasing Organisational Resilience’), before concluding with a summary. The appendices contain a glossary of terms, recommended further reading, and a list of ‘quick wins’ that can increase an organisation’s resilience while a more comprehensive defence programme is being developed.

The advice given in this document is not intended to be a complete and thorough guide to all the steps needed to build a defensive programme, as each subsection of ‘Increasing Organisational Resilience’ is a broad topic in its own right. Instead, this document aims to highlight the areas that an organisation needs to consider, and some of the aspects to be aware of when tying them together into a defensive programme.
Timeline (figure):
2010
1997: ‘Eligible Receiver’ exercise shows vulnerability of US government systems
1988: DARPA and Carnegie Mellon University form the first CERT
1986: Russia-sponsored hacker compromises US government & military computers
Anatomy of a Typical Attack

Attacks typically break down into several phases and some attackers are known to have entirely separate teams to deal with each phase, before handing over to the next team. In a typical attack, an organisation will first be researched and investigated to identify specific individuals to target and the relevant technologies in use. Those individuals will then be targeted with client-side attacks that might be delivered by spear phishing or watering holes (where websites regularly visited by targeted individuals are compromised – and infected with malware for targets to download). Once the targeted individuals have been compromised in this way, attackers will typically set up remote access / command and control malware (C&C) from which to conduct the rest of the attack.

Now in the internal network, the attackers will move horizontally or vertically through the network to gain access to the information they seek. Once they have accessed the data, attackers will frequently collate the information within the network before, finally, they exfiltrate the full set of data.

This document covers the stages after initial compromise and the C&C has been set up. As such, it covers a highly uncomfortable but altogether too common scenario, in which the attackers have already compromised the organisation’s perimeter and are now obtaining the targeted information. In many cases, attackers will remain resident in an organisation’s network for years, continually acquiring and exfiltrating new data as it becomes available.
A number of groups are known to exist that will target UK industry and government bodies in an attempt to obtain sensitive data. The motivations and tactics of these groups can be varied: some are highly targeted and careful to avoid detection for fear of political fallout, while others are less wary and adopt noisy, low-skilled attacks but in a volume that makes them highly successful at acquiring terabytes of critical data. Although attributing attacks is generally difficult, the tactics can sometimes be distinctive enough to make it possible to identify the group behind the attack. On occasion, experienced analysts are able to identify not just the group, but the subgroup or even the individual perpetrating the attack [2].

The distinctive tactics will often depend on the target under attack – for example, whether it’s a specific company or an entire industry sector. Differences in tactics can be observed in the nature of the first entry into the system, the C&C channel (common RAT or custom-written) and, once in the network, the tools used to achieve the objectives. Another key distinguishing tactic is the type of data targeted: whether it is data related to a specific project or current negotiation, or whether the attacker’s net is cast wide in an attempt to gain information about the whole of an organisation’s key business.

The level of expertise and resources can vary as well. Some attackers have very little skill and low resources but are able to call on more advanced groups when necessary [1]. Other, more skilled groups are able to deploy zero-day exploits (before a patch is available) and custom payloads. Due to this variability, defenders need to be flexible in their defences and, in general, they will benefit from focusing on defending the assets rather than thwarting specific attackers. However, if an organisation is experiencing a heightened threat from a particular group, it can be beneficial to adopt a more threat-centric approach.

Once a network has been compromised and the C&C infrastructure set up, attackers will need to seek out the data that is useful to them. This is rarely data that relates solely to a specific project, but will more usually be wider information relating to the organisation, its structure, network topologies, connections to the outside world – and its defences. CPNI has produced comprehensive advice under the title ‘Protecting Information About Networks, the Organisation and its Systems (PIANOS)’ [3].

To identify information of interest, some attackers will simply list the machines on the domain and then mount the file shares of machines that sound relevant from their hostname or description. Attackers then browse the file shares for folders or documents of potential interest.

More advanced attackers, or attackers who have no success with browsing files, will attempt more targeted identification of information using resources such as wikis and SharePoints. Typically, a great deal of information useful to an attacker is available with low privilege credentials, as details of individuals and organisational structure are usually available to all employees on internal portals or document management systems. Once the individuals with access to the required documents have been identified, attackers will be able to focus on horizontal and vertical movement throughout the network to obtain the remainder of the information they seek. Attackers will use a variety of techniques to move through the network, including keylogging, privilege escalation exploits and password dumping and cracking.
Figure: An attacker’s techniques will depend on the accessibility of the information and how stealthy the attacker wishes to be. (Diagram labels: ‘Compromised Computer’; steps 1 to 3; ‘IDENTIFIED: CEO - b.smith’; ‘Attacker compromises the computer of a legitimate user of files’; ‘Login: b. smith’.)
Attackers often focus on the small subset of individuals that have access to the data they need. In one compromise of a large organisation with tens of thousands of employees, the attackers were found on only five computers; however, these five computers allowed access to all information of interest to the attackers, as they belonged to the head of networking, head of research, and so on.

Once key individuals have been identified, common targets for attackers will be mailboxes, shared drives, SharePoint sites, and the contents of the hard drive or individual file storage of those key individuals. There is also evidence of attackers searching such locations as the recycle bin or deleted emails in the hunt for documents of interest. Attackers will search logically (for the location of all projects, for example), but they will also search for a number of keywords, which might include such terms as ‘restricted’ or ‘sensitive’.

Attackers also tend to show considerable interest in defensive plans and hence will target the computers and mailboxes of senior security personnel, as well as attempting to identify details of logging, alerting and SIEM infrastructure. In addition, attackers are often observed attempting to identify relationships with external bodies that might be advising on defence – and to discover what advice those bodies have given.
Current Exfiltration Tactics

Currently, attackers are not forced to use particularly advanced techniques, as few organisations beyond government departments dealing with highly classified material have controls in place that detect and deter even basic exfiltration. However, as organisations become more security-aware, attackers will need to use more sophisticated techniques to exfiltrate data.

Current trends suggest that attackers will increasingly utilise services via which organisations allow (or even require) outbound traffic. In this way, attackers will attempt to ‘hide in the noise’ by using channels that are also used legitimately, making it harder to detect at the perimeter. Such services will typically have a large bandwidth for data exfiltration. For particularly hardened targets, attackers might instead use covert or out-of-band channels, which are very difficult to detect but typically have much lower bandwidth than overt techniques. Hence they tend to be useful only for stealing documents of particular interest, rather than entire data sets.

The controls described in the ‘Increasing Organisational Resilience’ section will help an organisation to detect or deter attackers regardless of the exfiltration methods used; however, some business trends, such as increased storage of data in third-party clouds and hosted services, can reduce the effectiveness of those controls and that will need to be factored into risk decisions.
Figure: Traditional networks had defined perimeters and services contained within that perimeter. Modern networks are complex and porous, with cloud services, mobile workers, smart phones, and so on. (Diagram label: VPN.)

Covert Channels

Attackers targeting hardened organisations – or hardened networks within organisations – might use covert channels. There is a sizable body of literature surrounding covert channels for exfiltration, covering such topics as hiding data within common protocols (DNS, for example) and even low-level packet manipulation, such as hiding data by modifying TCP headers. Furthermore, research has been done on exfiltrating data through the timing of packets to locations,

Figure: Graph showing the trade-off between covert methods and those with high data throughput. Typically, the more covert a method the lower the bandwidth. (Axis: Covertness; plotted methods include Timing-based and DNS.)
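The DNS channel mentioned above is the one covert method a defender can usually look for in data they already collect, namely resolver query logs. The following Python script is an added defender-side example, not code from the paper, MWR or CPNI: it scores each (client, registered domain) pair on the volume of unique, long, high-entropy leftmost labels, which is the signature of data being carried in query names. It assumes the resolver log has already been reduced to "<client_ip> <query_name>" lines and approximates the registered domain as the last two labels (a production version would consult a public suffix list); the log, addresses and thresholds are constructed for illustration.

```python
"""
Heuristic scoring of resolver query logs for DNS-based covert channels.

Added defender-side example, not from the paper. It assumes the resolver log
has already been reduced to "<client_ip> <query_name>" lines, and it
approximates the registered domain as the last two labels (a production
version would use a public suffix list). The log below is constructed.
"""
import math
from collections import defaultdict

# Constructed sample: two clients browsing normally, one client emitting
# many unique, long, random-looking labels under a single domain.
SAMPLE_LOG = """\
10.1.10.21 www.example.com
10.1.10.21 mail.example.com
10.1.10.22 www.example.com
10.1.10.22 www.example.com
10.1.10.22 www.example.com
10.1.10.22 www.example.com
10.1.10.22 mail.example.com
10.1.10.22 cdn.example.net
10.1.10.23 3a9f1c0b7e4d2a1f.tun.example.org
10.1.10.23 9c8e7f6a5b4d3c2e.tun.example.org
10.1.10.23 1f2e3d4c5b6a7988.tun.example.org
10.1.10.23 aa11bb22cc33dd44.tun.example.org
10.1.10.23 e5d4c3b2a1908f7e.tun.example.org
10.1.10.23 www.example.com
"""


def parse_log(text):
    """Turn '<client> <qname>' lines into (client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        client, qname = parts
        records.append((client, qname.lower().rstrip(".")))
    return records


def shannon_entropy(label):
    """Bits of entropy per character; random hex or base32 scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (prefix, registered_domain); assumption: domain = last two labels."""
    labels = qname.split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_domains(records, min_queries=5, min_unique_ratio=0.8,
                  min_label_len=12, min_entropy=3.0):
    """Per (client, domain), flag many unique, long, random-looking labels."""
    stats = defaultdict(lambda: {"queries": 0, "prefixes": set()})
    for client, qname in records:
        prefix, domain = split_name(qname)
        entry = stats[(client, domain)]
        entry["queries"] += 1
        if prefix:
            entry["prefixes"].add(prefix)

    alerts = []
    for (client, domain), entry in stats.items():
        if entry["queries"] < min_queries or not entry["prefixes"]:
            continue
        # A tunnel carries its payload in the leftmost label, so score that one.
        payload_labels = [p.split(".")[0] for p in entry["prefixes"]]
        unique_ratio = len(entry["prefixes"]) / entry["queries"]
        mean_len = sum(len(lab) for lab in payload_labels) / len(payload_labels)
        mean_entropy = (sum(shannon_entropy(lab) for lab in payload_labels)
                        / len(payload_labels))
        if (unique_ratio >= min_unique_ratio and mean_len >= min_label_len
                and mean_entropy >= min_entropy):
            alerts.append({
                "client": client, "domain": domain,
                "queries": entry["queries"], "unique_ratio": unique_ratio,
                "mean_label_len": mean_len, "mean_entropy": mean_entropy,
            })
    return alerts


if __name__ == "__main__":
    for alert in score_domains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The three thresholds are deliberately combined: ordinary content-delivery and anti-spam lookups produce long labels too, but they repeat, and short random labels (load-balancer hostnames) are long-lived and few. Only a domain that receives a stream of labels that are simultaneously unique, long and high-entropy from one client is worth an analyst's time, and the remaining false positives are usually resolvable by whitelisting known SaaS domains in the role of the public suffix list.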
Increasing Organisational Resilience

To stand the best chance of detecting or deterring data exfiltration, organisations need to have a defensive programme based on defence in depth, as individual controls can be circumvented. The programme should not focus on preventing data exfiltration, as this must be considered impossible, but on making attacks more difficult while increasing the number of opportunities to detect an attacker’s activity.

A key aspect of such a defence is ensuring a coherent, organisation-wide plan that benefits from an overview of assets and risk (see section ‘Business Considerations’). This provides an environment for the defensive strategies to have the greatest chance of success. The first task the majority of organisations will then face is assessing the sensitivity of information in their possession, and how that information is used within the organisation (see ‘Information Classification’).

A control that underpins much of the defence against data exfiltration and advanced attacks in general is logging (see ‘Logging’). This allows forensic analysis of an attacker’s actions and achievements and also provides the framework for auditing and alerting, by which organisations can aim to detect attackers. Logging should be considered from a high level and then built into all further stages.

Once information has been classified and logging policies decided, organisations can begin to restrict access to that information (see section ‘Segregation of Information’) and the systems that have access to that information (see ‘Segregation of Networks’). Hosts can be hardened to both impede attackers, and to force their behaviour down routes that allow for better protective monitoring (see ‘Host Hardening’). Communications on the internal network can be monitored to identify the data acquisition and aggregation phases of an attack (see ‘Movement of Data Internally’), and data monitored at the perimeter as a final attempt – where all previous controls have failed – to prevent the active exfiltration of data from the network (see ‘Movement of Data at Perimeter’). Honeypots, i.e. assets intended to be compromised, are a highly effective tool to lure attackers into revealing their presence (see ‘Honeypots’) and, finally, more advanced defensive strategies can be considered, to detect and possibly deter advanced attackers (see ‘Adaptive Defence’).

Critical Security Controls

At the start of each of the following subsections, reference is made to the relevant Critical Security Controls that can guide organisations in implementing both ‘quick wins’ and deeper protective measures. For full details of these 20 controls, see: http://www.cpni.gov.uk/advice/cyber/Critical-controls/ and http://www.counciloncybersecurity.org/practice-areas/technology

Business Considerations

CRITICAL SECURITY CONTROLS 9, 18

Introduction

Detecting advanced attackers who are locating and exfiltrating data is a difficult challenge. To have a realistic chance of responding, organisations will typically need to implement many controls and changes to current processes. Only a well thought-out and robustly implemented defence-in-depth approach will offer a chance of detecting advanced attackers, and there are several high-level areas that organisations will want to consider when designing such an approach.

Driven From the Top

The nature of the controls and the changes to everyday business will be wide-ranging and potentially disruptive, and staff therefore need to know that the defensive programme is a core organisational strategy driven from the highest levels. The importance of the defensive programme and the efforts to detect and deter advanced attackers need to be communicated as critical to the organisation’s continued position and growth. It is advisable to align security objectives closely to business objectives, a level of vision that has to come from the top of the business.

Furthermore, a top-level coordinator for defence and threats is recommended since, in a complex organisation, issues can go unresolved due to ‘buck passing’ and complicated organisational territories. By having a single person who owns all defence and incidents, there will always be someone able to delegate an issue to the correct team in the event of confusion.

Where Should Information Security Sit?

Often, the IS team will have emerged as a side function of the IT team and hence will be organisationally within its remit. While this has benefits – as the staff will be intermingled with the IT staff, helping to expedite some security functions – there are several additional challenges from having IS as a subdivision of IT:

• Budgetary: IS department budget will come from within the main IT budget, hence there will be occasions where IT has to choose, for example, between new equipment and security expenditure. Staff might well prefer new tablets to the segregation of a network.

• Authorisation: if IS is a subdivision of IT, it might lack the authority to force change when it’s needed.

• Vision: although insider knowledge can be useful, being immersed in an environment can also prevent one from spotting its weaknesses.

It is recommended that IS is placed organisationally (and potentially geographically) with departments that have an overarching remit and are primarily tasked with protecting the organisation as a whole. Examples of such departments are Legal, Risk, or Regulatory Compliance. The IS department will need a functional relationship with IT, hence seconded officers in both directions should be considered and necessary steps taken to ensure that the relationship between the departments is positive and constructive.
Funding

Many of the organisational changes necessary to detect and deter advanced attackers will prove costly. In many cases, the expenditure might be on-going and significant; for example, the need for more staff. Organisations therefore need to ensure that this budget is understood and available, and signed off at the highest levels, and it is not advisable to take the expenditure directly from IT budgets. This is because IT and IS have quite distinct roles: whereas IT drives the organisation’s efficiency and enables new business behaviours, IS is fundamentally protective. Organisations frequently find it hard to justify IS expenditure, which is seen to be offsetting a potential risk, until the organisation has itself suffered an attack.

The following considerations can help to justify the expenditure:

• The cost of projects collapsing, where those projects are likely to be of interest to foreign nations; for example, projects in foreign nations or in competition with large organisations of a foreign nation.

• Potential fines or regulatory action as a result of data loss. A robustly implemented defensive programme can limit fines, as demonstrating the true extent of a breach will avoid the need to pay maximum fines based on hypothetical loss.

• The contractual requirements of clients or partners.

• The reputational and potential sales benefits of being able to demonstrate that security is a core part of the business.

Culture

To detect or deter advanced attackers from compromising data requires a level of understanding and investment from all staff, especially those who deal with sensitive data. The necessary controls can be restrictive, and can change how aspects of the organisation function, so it is important for staff to grasp the reasons for the changes.

It is recommended that organisations make security awareness a part of their culture, by introducing specific security sessions as part of the induction process – as well as for existing staff – and by potentially factoring security awareness into career paths.

Security training can be seen as dull and uninvolving by staff if not done correctly. This can serve to ‘switch off’ staff to security issues, so organisations are encouraged to ensure that security training is engaging and interesting. Some organisations report successes with ‘gamification’ of security, such as introducing levels of award (e.g. a ‘black belt in security’ [12]), while experience shows that staff often respond well to live demonstrations of the threats and attacker capability. As part of this, stories of successful and unsuccessful attacks against the organisation can help to make the threats real to employees. Organisations may benefit by bringing in external partners, such as design agencies, where the skillset does not exist within the organisation to communicate security training appropriately.

Information Classification

CRITICAL SECURITY CONTROL 15

Introduction

Modern networks are highly complex and often porous, meaning security departments are forced to accept that they will not be able to prevent all data exfiltration attempts. Instead, organisations should focus on protecting the information that is critical to them and direct the majority of their efforts to ensuring that such data does not fall into the hands of motivated adversaries. However, an important issue is that many organisations do not fully know what critical data exists across their organisation.

The first step is for an organisation to identify what is critical to them. Once the data has been classified in this way, the process of identifying the instances and locations of critical information can begin.

Experience shows that the majority of private organisations, even the more security-aware, classify little of their data and have either no protective markings or merely a ‘restricted’ or ‘confidential’ marking for data such as medical records or payment information. Furthermore, some organisations base their classifications solely on the premise that the data might be leaked or otherwise made publicly available, and do not account for the scenario whereby the data is acquired covertly by a knowledgeable adversary, such as a competitor or nation state. By contrast, government organisations have a well-developed classification system that is embedded in the mindsets of employees who work with highly sensitive data. In these cases, the controls required to protect the information are typically well understood by those who work with the data [13].

Government Classifications

Although previously complex – with a range of five classifications, each with different protective measures required – the revised classification system as of April 2014 has just three markings: OFFICIAL, SECRET and TOP SECRET. This is intended to allow the majority of work to take place with ‘OFFICIAL’ information and hence fewer protective controls, while focusing effort and time-sensitive or expensive controls on the 5% of information that is either SECRET or TOP SECRET.
Creation of an impact table

An impact table can either be created prior to a workshop, and be used to guide the workshop, or it could instead follow on from the workshop once critical information has been identified. Either way, the exercise is best conducted by board-level staff who have an overview of the business. Experience has found that departments often incorrectly value their assets and overall importance to the organisation’s success and so a top-down view is essential in appraising assets correctly.

The assets that have been identified during the workshop(s) can be studied and compared, in order to sort the information according to a high-level view of the organisation’s critical data.

The exercise should aim to decide on the number of impact levels and corresponding protective markings that works for the organisation. For some this will be a very small number, while others will benefit from more granular impact levels. There is no ‘right number’ of levels, as it depends on the organisation’s appetite for complexity. Too many levels could confuse staff, increasing protective efforts but gaining little against motivated and skilled attackers, while too few might not allow effective classification in a complex organisation.

It is recommended, however, that impact tables include a category at least as high as ‘ORG SECRET’ (where the organisation’s name replaces ORG), as all organisations are expected to have information that could prove crippling if it ended up in the hands of a motivated adversary.

The exercise should seek to identify what characteristics would cause information to be classified at a particular level. Some characteristics might be based on financial loss, or loss of market share. Full BIA impact tables will include other characteristics, such as the impact on employee motivation. An example table is given below. Once again, the involvement of board-level staff is critical as, in many instances, they are personally liable and should therefore have significant input to the risk tables.

Example impact table (only one row survives on this page):
Loss of revenues from collapsed negotiation | Up to £1 million | Between £1m and £10m | Over £10m
Considerations

• If information and understanding have been segregated, forensic events will need to be supported by staff that can identify the relevance of any compromised data – as it might not be obvious to investigators.

• Where sensitive information is purged from systems where it doesn’t need to exist, secure erasure software should be used to ensure attackers can’t simply recover the ‘deleted’ files forensically.

• Organisations will want to ensure that segregation of understanding doesn’t negatively affect how employees treat the data. There can be a risk that if employees do not understand the context of what they are working on, they will not treat it with the required sensitivity.

• Where views of data are created, organisations should be aware that the views might still be highly sensitive, as information that is of use to their own analysts will be of similar – or greater – use to competitor or nation state analysts.

• Highly sensitive data often needs to be shared with external entities, such as auditors or companies as part of a merger. Such sharing will require extreme care, as these third parties are unlikely to protect the data to the organisation’s own standards. Cases exist where attackers have compromised law firms and other supporting third parties to gain access to their targeted data. It is recommended that where possible, less sensitive views of the data are prepared and shared and, where it is necessary to share the sensitive data itself, the third party should be provided with a hardened laptop containing the data – with measures to prevent data being removed. A technical member of staff will be required to facilitate any necessary sharing.

Segregation of Networks

CRITICAL SECURITY CONTROLS 10, 11, 13, 19

Introduction

Once information has been classified and the critical information identified, organisations will want to ensure that they are preventing inappropriate access to that information. A common issue with many organisations is a lack of effective segregation of networks. This means that once an attacker has a toehold in the organisation, their movements are likely to be poorly restrained (see section ‘A Day in the Life of an Attacker and a Defender’). In fact, many organisations have an entirely flat network where even business units in different countries have full network access to the full resources of a UK business. As well as a lack of effective network segregation, it is rare to find organisations with effective information segregation, as organisations will typically have large repositories of information (such as file shares, SharePoint or wikis) with few access restrictions. The outcome is that attackers have few boundaries to overcome in locating, accessing and aggregating information that will be of use to them.

The core issue here is that networks were often initially designed for convenience, based on the premise that the internal network is trusted – as are the staff. Much of an organisation’s security efforts will therefore have been focused on keeping attackers from breaching the network perimeter. This approach, however, is insufficient in dealing with advanced threats, such as from nation states. In a complex organisation, it is highly likely that an advanced attacker will be able to gain access to the internal network via client-side exploits, phishing campaigns or by exploiting a weak service. Organisations are now forced to assume that a sufficiently funded and motivated adversary will be able to gain access to the internal network.

To increase the difficulty for the attacker, and also increase the number of opportunities to detect malicious activities, internal networks need to be segregated and hardened. Access to both networks and information is best based on the principle of ‘need to know’ and ‘least privilege’, whereby users are only allowed access to information (and indeed the servers where the information is stored) if they need that access for their job. This philosophy will help to prevent a trusted user’s compromised credentials being used to access widespread information and can also help combat insider threats (which are not directly dealt with in this document).

Organisations will want to decide on an appropriate level of segregation, along with controls that prevent trivial access to inappropriate data but still allow the business to function effectively. This can be guided by the results of the information classification phase, with sensitive documents protected by hardened networks and resources, while less restrictive protections are placed on the main business network.
How to Implement

General network segregation

Ideally, the business network should be divided up into VLANs or physically separate networks. Although this is a significant project to implement fully, quick wins can be obtained by segregating the significant units. For example, in many organisations the majority of desktops only require access to a small number of services: Active Directory, file shares, proxies, etc. Once requirements are understood, these can be placed into VLANs. It is therefore advisable for organisations to start by understanding what needs to communicate with what, and this can potentially be achieved by parsing log data or NetFlow data as well as by talking to the people involved.

Once broad VLANs have been applied, organisations can progressively tighten the restrictions and granularity of ACLs, implementing firewalls at key junctions to support these ACLs. The aim is to reach a point where, for example, a desktop machine can only talk to the relevant ports on the required servers it needs, and nothing else. Individual servers should also be locked down, so that they can only communicate with the hosts and ports they require.

Network segregation will make the attacker’s work significantly more difficult, as it will impede movement around the network. Unless the attacker is willing to restrict their movement to the allowed routes, they will be forced either to compromise the switching and routing equipment or to seek another means for movement, such as via USB drives. For example, instead of being able to move directly from a compromised helpdesk user’s desktop to the CEO’s desktop, they will need to move through the domain controller that is able to talk to both. If this action is limited by ports, the attacker will only be able to use RPC and SMB services and will not be able to access the domain controller via RDP. This increases the effort for the attacker and also increases the number of detection opportunities for the defensive team. To gain the most benefit from network segregation, the junction points between VLANs and networks, i.e. hosts that can be used to communicate with other hosts, should be identified and monitored thoroughly for signs of compromise or abuse.
Host Hardening

CRITICAL SECURITY CONTROLS 2, 3, 17

Introduction

Modern, advanced threat actors are highly capable when it comes to gaining access to machines through activities such as spear phishing and obtaining valid credentials. Despite the fact that organisations need to assume an attacker with sufficient skill and motivation will be able to succeed in these endeavours, host hardening is nevertheless a useful tactic, as it will make it far more difficult for the attacker to locate critical data or to penetrate further into the network.

A number of hardening measures can be applied to standard desktops and servers that will impede attackers without a negative effect on normal business activities. Meanwhile, more restrictive measures are recommended for machines that will be used for the storage of highly sensitive data.

How to Implement

Verified build

Security teams are advised to design a standard build of the major operating systems used in the organisation. These should be locked down and hardened to the highest level that permits core business to function. Various guides exist for advice on the configuration, such as Microsoft’s Security Compliance Manager (SCM) and the NSA’s operating system hardening guides [21], and it is recommended that the areas detailed below should be considered for the build. Separate high-security builds can then be created from the baseline by further hardening and restricting non-essential functionality.

Once a build has been created and the software typically used in the organisation installed, it will need to be assessed by an attacking team. The team will seek to identify areas that could be exploited by advanced attackers, along with further hardening opportunities.

Following approval of the build, it can be rolled out through the organisation in phases. New systems should be based on the highest security build possible for normal business activity and older systems gradually hardened or replaced. Any decision to ‘weaken’ the build to allow a specific function should be carefully considered and documented.

Antivirus

Builds should include antivirus / endpoint protection software to guard against common malware and tools that could be used post-exploitation. Many threat actors are known to use common hacking tools, which are often detectable using AV. Organisations might wish to consider using a range of anti-malware products in their business, to increase the diversity of detection and ensure that attackers can’t simply learn to bypass a single AV. Where possible, AV is best configured to the maximum level of heuristic detection. Although this will produce more alerts, each of which will need responding to, it provides greater information for reactive incident analysis. AV should also be configured to log remotely, in order to prevent attackers from modifying logs on local machines following compromise.

OS kernel hardening

To make software exploitation more difficult and to prevent certain post-exploitation behaviours, it is recommended that kernel hardening is included in standard builds of operating systems. This is possible in Linux with enhancements such as SELinux and grsecurity [22]. In Windows, this can be achieved with the Enhanced Mitigation Experience Toolkit (EMET) [23].

Kernel hardening can mean increased deployment efforts, as some software packages require configuration of the hardening to work properly.

Authorised software and application whitelisting

Organisations are advised to decide on a list of authorised software and permitted configurations (such as disabling features that increase the attack surface) for that software. Software known to be commonly exploited, such as Java, is best omitted from the approved software list.

Software that is typically overlooked as part of the standard build is secure erasure software. As attackers are known to be using forensic tools to recover ‘deleted’ files, providing the workforce with the ability to securely delete files can help prevent data being exposed to attackers. Organisations might wish to consider software that ensures that any deletion activity triggers a secure erasure; however, it’s worth bearing in mind that this can prove problematic for internal forensics investigations – and might even be used by the attackers themselves.

Once software has been approved, application whitelisting can help protect against malware and post-compromise activities by allowing only specific programs to run. Although this will not protect against exploitations of software vulnerabilities, it can prevent users and attackers from running applications not on the approved list, forcing other behaviours. Effective whitelisting is possible in recent versions of Windows by using AppLocker [24], and less effectively in older versions with Software Restriction Policies.

DLP

Data loss prevention tools can help prevent data exfiltration. However, organisations should be aware that they are not single solutions to the problem, as it is typically possible to bypass or otherwise evade DLP solutions given enough time and effort. They are nevertheless useful in preventing accidental leakage of data, which is beneficial in that it will help to avoid accidental movement of data from a secure compartment to a less secure compartment, thereby exposing it to the attacker. It will also increase the effort needed by the attacker to extract information.
To be effective, DLP solutions can require a significant investment of effort in tagging and tracking data. However, much of this effort will already have been expended in the earlier stages of data classification. DLP solutions can be found as third-party products, some of which integrate into other endpoint protections, or are included as features in modern versions of Windows and related packages.

Logging

Logging is covered in a separate section; however, it is important that minimum levels of logging are established and that standard builds are configured to log correctly. Logging should allow investigators to have the necessary data at their disposal to investigate an incident, with the logging data aggregated on a separate host to prevent attackers from locally destroying or modifying logs.

High-security builds will require a significantly higher level of logging, with the logging data securely stored for a longer period of time.

Encryption

Organisations are advised to decide on a level of encryption for mobile devices, such as laptops, to help prevent data loss from a stolen device. This should include robustly implemented full disk encryption. Organisations might also wish to investigate controls to ensure that any data transferred to devices such as USBs or CDs is suitably encrypted. This is to prevent an attacker who transfers data to such devices from recovering the data once the storage device has left the secured area.

High-security machines can benefit from having encrypted software containers as well as full disk encryption. Sensitive data can then be stored in the encrypted container, which can be unlocked when the data is required. Ideally, the container would be decrypted using a smart card or similar token-based system to prevent simple capture of the password. This will impede an attacker who has gained remote access to a secure machine, by increasing the effort needed to access the files within the container.

Media restriction

It is recommended that organisations restrict the devices that can be connected to hosts. This is to prevent movement of malware and documents within an organisation, thereby breaking compartmentalisation. Devices that are unlikely to be required at all should be restricted at the OS and BIOS levels, including FireWire, ExpressCard, and Bluetooth connections. Wi-Fi should be locked down to prevent connection to arbitrary networks, and the ability to host wireless or ad-hoc networks is best prevented entirely. Organisations might wish to restrict USB devices and the movement of data by CD/DVD using either group policy or third-party products.

High-security machines should have all connectivity disabled unless explicitly required. It is unlikely that such machines will need Wi-Fi or Bluetooth and hence it should be disabled at the OS and BIOS levels. It will probably be desirable to prevent USB drives entirely, or to allow only certain devices, and it is recommended that – where possible – those devices are accessed through a write blocker. This will prevent malware from writing data to the USB drive, which an attacker might use to exfiltrate the data from a secure to a less secure environment. CDs can be used where it is necessary to transfer data out of the secure environment, although this process should be monitored and recorded.
Two-factor authentication

A common strategy used by attackers for horizontal and vertical movement is to obtain credentials. This can be achieved by dumping and cracking hashes, extracting them from memory when users are logged in, or via keyloggers. Organisations can increase the difficulty level by requiring two-factor authentication wherever possible. The second factor should not be simply a PIN or secondary password, but something separate from password authentication. Examples include token generators, smart cards, USB dongles or services using secondary devices, such as mobile phones.

Considerations

• Host-based restrictions can occasionally prevent certain legitimate functions. Hence there needs to be a team nominated to handle issues where restrictions are preventing such functionality. Staff should be made aware of the team and the escalation process so that they don’t engage in dangerous practices to bypass restrictions. If hardening prevents legitimate use, and issues are not responded to rapidly, the scheme will quickly lose buy-in.

• Organisations will occasionally need to update builds as vendors release new security features. It is recommended that named staff members are given ownership of the project to ensure builds are maintained.

Movement of Data Internally

CRITICAL SECURITY CONTROL 17

Introduction

When attempting to detect data exfiltration by network monitoring, many organisations will focus on the external perimeter. However, monitoring at this stage is often too late and, owing to the nature of a modern business, it can be hard to detect the actual exfiltration events. Instead, dedicating effort to monitoring the internal network can be a useful way to detect the information acquisition and aggregation stages of an advanced attack. Furthermore, the internal network can often lend itself better to monitoring.

How to Implement

Volumes of data

A useful indicator to monitor is the volume of data transfer between network compartments or even hosts. An internal network is likely to have certain patterns of network traffic, despite fluctuating with changing projects, etc. For example, data transferred from a file share will fluctuate as people require different documents, but a large data exfiltration from a file share is perhaps less common – and hence noteworthy, regardless of the destination.

Organisations are advised to consider monitoring volumes of data transfers from either sensitive hosts (such as mail stores or file shares) or sensitive VLANs. It might also be worth monitoring data transfer from other groups of hosts, such as desktop to desktop, as transfer volumes here are expected to be low.

NetFlow or IP flow data can be useful in obtaining metrics on data volumes [25]. An alert generated by excessive data transfer can then be investigated as a mid-level alert.

Endpoints

Organisations might also want to monitor the nature of hosts that are communicating with each other. Once the network has been fully understood, it should be possible to derive assumptions and rules for network behaviour. For example, ‘a desktop should not need to connect to a desktop’ or ‘only the domain controller need initiate a connection to senior management laptops’. These rules should be enforced with firewall rules and router ACLs.

[Figure: Examples of normal and potentially malicious traffic. Diagram of hosts including a print server, an email server and a domain controller, with a key distinguishing normal from potentially malicious connections.]
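The three activities described in this section and under ‘General network segregation’ above (deriving who needs to talk to whom from flow data, checking observed flows against the resulting rules, and alerting on unusual transfer volumes from sensitive hosts) can be prototyped from a NetFlow export before any dedicated tooling is bought. The following is an added example written for this guide, not MWR or CPNI code: the bidirectional record format, the VLAN ranges, the rules and the 100 MB threshold are constructed for illustration and would be replaced by an organisation’s own data.

```python
"""Internal flow monitoring over NetFlow-style records.  Added example, not
MWR/CPNI code: the bidirectional record format, the VLAN map, the rules and
the thresholds are all constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed VLAN map: address ranges and the role of hosts within them.
VLANS = {
    "desktop": ip_network("10.1.0.0/16"),
    "server": ip_network("10.2.0.0/24"),      # file shares, mail store
    "dc": ip_network("10.2.1.0/24"),          # domain controllers
    "management": ip_network("10.3.0.0/24"),  # senior management laptops
}
SENSITIVE = {"server", "dc"}

# Constructed segregation rules: (initiator role, responder role) -> ports.
# A pairing with no entry is not expected at all, e.g. desktop -> desktop.
ALLOWED = {
    ("desktop", "server"): {445, 139},        # SMB to file shares
    ("desktop", "dc"): {88, 389, 445, 135},   # Kerberos, LDAP, SMB, RPC
    ("dc", "management"): {135, 445},         # only the DC initiates to management
    ("management", "dc"): {88, 389, 445, 135},
    ("management", "server"): {445},
}

# Constructed flow export, one bidirectional flow per line:
# initiator, responder, responder port, bytes initiator sent, bytes responder sent.
FLOWS = """\
10.1.0.15,10.2.0.5,445,20480,40960
10.1.0.15,10.2.1.2,88,1200,2400
10.1.0.22,10.1.0.15,445,3072,1024
10.1.0.15,10.2.1.2,3389,900,0
10.2.1.2,10.3.0.7,445,4096,8192
10.3.0.7,10.2.1.2,3389,500,0
10.1.0.15,10.2.0.5,445,10240,524288000
10.3.0.7,10.2.0.5,445,2048,81920
"""


def role_of(addr):
    """Map an address to its VLAN role, or 'unknown' if outside the map."""
    ip = ip_address(addr)
    for role, net in VLANS.items():
        if ip in net:
            return role
    return "unknown"


def parse_flows(text):
    """Parse the constructed export into (init, resp, port, out_bytes, in_bytes)."""
    records = []
    for line in text.strip().splitlines():
        init, resp, port, out_b, in_b = line.split(",")
        records.append((init, resp, int(port), int(out_b), int(in_b)))
    return records


def communication_matrix(records):
    """Which roles talk to which, on which ports: the starting point for
    deciding VLAN membership and ACLs (the 'what needs to communicate with
    what' question answered from flow data rather than by interview)."""
    matrix = defaultdict(set)
    for init, resp, port, _, _ in records:
        matrix[(role_of(init), role_of(resp))].add(port)
    return dict(matrix)


def rule_violations(records):
    """Flows that no rule permits: an unexpected pairing or a port outside
    the allowed set, e.g. a desktop reaching a domain controller on RDP."""
    return [(init, resp, port) for init, resp, port, _, _ in records
            if port not in ALLOWED.get((role_of(init), role_of(resp)), set())]


def volume_alerts(records, threshold_bytes):
    """Bytes each host has pulled from (or been pushed by) sensitive hosts,
    flagged over the threshold.  The destination is ignored on purpose: a
    large transfer out of a file share is noteworthy wherever it goes."""
    received = defaultdict(int)
    for init, resp, _, out_b, in_b in records:
        if role_of(resp) in SENSITIVE:
            received[init] += in_b   # served by the sensitive responder
        if role_of(init) in SENSITIVE:
            received[resp] += out_b  # pushed by the sensitive initiator
    return {h: n for h, n in received.items() if n > threshold_bytes}


if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for pair, ports in sorted(communication_matrix(flows).items()):
        print(f"{pair[0]:>10} -> {pair[1]:<10} ports {sorted(ports)}")
    print("rule violations:", rule_violations(flows))
    print("volume alerts (>100 MB):", volume_alerts(flows, 100 * 1024 * 1024))
```

Run as a script it prints the role-to-role communication matrix, the three flows that break the constructed rules (a desktop-to-desktop connection and two RDP attempts against a domain controller) and the one desktop that pulled more than 100 MB from a file share. The matrix is the useful output in the early stage described above, before any rules exist; once rules are enforced at the junction points, the violation and volume checks become the mid-level alerts the section refers to.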
Movement of Data at Perimeter

CRITICAL SECURITY CONTROL 17

Introduction

The final opportunity to detect or prevent an exfiltration event is at the perimeter, as the data is leaving. This can be difficult as modern organisations will have a large number of communications with the internet and a significant proportion of it will be encrypted (HTTPS). A key defence in detecting and deterring data exfiltration is to ensure that hosts are not able to connect to the internet directly, but only through a proxy.

How to Implement

Restrict traffic

By configuring perimeter and internal firewalls to ensure all outbound traffic must go through a proxy, it is possible to restrict traffic to those protocols that are business-critical. This will force attackers to use protocols of the defender’s choice and prevent simple exfiltration. It also becomes possible to log and analyse all outbound traffic. Companies are likely to find that a very small number of protocols are genuinely required, such as HTTP/S and SMTP. Hosts that require additional protocols can be identified and the proxy or firewall configured to allow just those hosts to communicate on the necessary protocols.

SSL / encrypted traffic

A common issue with enforced proxies is how to handle encrypted traffic. If encrypted traffic such as HTTPS is allowed without interception, attackers can simply use that to exfiltrate data. However, intercepting comes with significant cost, bandwidth and privacy implications, as well as technical challenges. To intercept all HTTPS connections is possible, but will require expensive proxies owing to the computational power that is needed. Unless budgets are significant, proxies are likely to be overwhelmed by even a reasonable number of connections (see ‘Fail open or fail closed’, below). Importantly, staff will also have an expectation of privacy when using HTTPS. In addition, there are technical challenges when considering how to respond to invalid certificates.

If organisations choose to intercept encrypted traffic, they are advised to ensure that staff are made fully aware of this fact. It might be desirable to consult staff beforehand, and have signed agreements in place, or to consider injecting a banner or consent screen. Responses should be prepared: for example, if the certificate of the target site is invalid, how will users be informed?

Meanwhile, if an organisation chooses to intercept SSL connections selectively, it is advised to compile a whitelist of sites that are not intercepted – although many sites that users will hope to access without interception could potentially be used as exfiltration vectors. However, a whitelist is greatly preferable to a blacklist (of sites that are intercepted), since in this latter instance an attacker could simply create their own site.

Fail open or fail closed?

An important decision to consider when intercepting any traffic is under what conditions the proxy will fail open, and under what conditions it will fail closed. Failing open will allow an attacker to cause the proxy to hit that condition (for example, by overwhelming it with requests), and then exfiltrate their data while the proxy is inoperable. Conversely, while failing closed will prevent exfiltration of this sort, it could also prevent legitimate business function – something that could prove highly costly and damaging.

A potential compromise is to configure systems to fail open, yet ensure that such an event generates a high- or critical-level alert that is immediately investigated by response staff. Such an event is likely to be caused by a current exfiltration or an overload of resources, both of which will require an immediate response.

Monitor traffic

After traffic has been directed through a proxy, it is possible to analyse it for signs of compromise. This can include an analysis of the volume of data to identify large exfiltration events regardless of the destination address: a useful indicator that does not require SSL interception. Organisations can also monitor for communications with suspicious endpoints, such as those identified in private and public lists of known attacker hosts and, again, this does not require SSL interception. If there is to be SSL interception, however, organisations can consider deep packet inspection, analysing the content of data leaving the network for indicators of exfiltration. Examples of such indicators include the use of non-interceptable encryption, non-standard compression algorithms, or even plaintext sensitive documents.

Considerations

• Organisations are advised to see outbound restrictions merely as a measure to increase the effort required from an attacker, forcing them down routes that can be more easily monitored.

• Care should be taken with the configuration of proxy servers. Experience with exfiltration has shown that even subtle misconfigurations of proxy servers can allow easy exfiltration. Meanwhile, assumptions regarding supposedly ‘safe’ protocols should be avoided, as even protocols such as DNS can be abused to exfiltrate data.

• Compiling a whitelist of approved destination IP addresses can prevent trivial exfiltration, but even many whitelisted sites can still be used for this purpose.

• Advanced threat actors might directly attack either firewalls or the proxy to allow their communications. Organisations are advised to ensure that such devices are suitably hardened and monitored.
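As an added example (not code from the guide or from MWR/CPNI), the following runs the perimeter checks above that do not depend on SSL interception over a constructed proxy access log: outbound volume per client regardless of destination, contact with hosts on a threat list, requests that reached a non-approved port without being denied (the kind of subtle proxy misconfiguration the Considerations warn about), and fail-open events escalated to a critical alert. The log format, host names, threat list and thresholds are all constructed for illustration; a real deployment would read the proxy’s own access log format.

```python
"""Perimeter proxy log review.  Added example, not MWR/CPNI code: the log
format, the host names, the threat list and the thresholds are constructed."""
from collections import defaultdict

# Constructed proxy log: time, client, method, destination host, port,
# bytes sent by the client, proxy decision (ALLOW, DENY or BYPASS).
# BYPASS records a request the proxy passed uninspected, i.e. a fail-open.
PROXY_LOG = """\
2014-02-03T09:00:01 10.1.0.15 CONNECT mail.example.net 443 2048 ALLOW
2014-02-03T09:00:05 10.1.0.22 GET intranet.example.net 80 512 ALLOW
2014-02-03T09:01:10 10.1.0.15 CONNECT cdn.example.org 443 1024 ALLOW
2014-02-03T09:02:30 10.1.0.15 POST upload.example.org 443 157286400 ALLOW
2014-02-03T09:03:00 10.1.0.40 CONNECT bad.example.invalid 443 4096 ALLOW
2014-02-03T09:04:12 10.1.0.22 CONNECT ftp.example.net 21 256 DENY
2014-02-03T09:05:00 10.1.0.40 CONNECT other.example.invalid 443 8192 BYPASS
2014-02-03T09:06:00 10.1.0.22 CONNECT updates.example.net 8443 300 ALLOW
"""

# Constructed threat list standing in for private/public attacker host lists.
KNOWN_BAD_HOSTS = {"bad.example.invalid"}

# Constructed policy: only HTTP/S and SMTP are business-critical.
ALLOWED_PORTS = {80, 443, 25}


def parse_proxy_log(text):
    """Parse the constructed log into one dict per request."""
    records = []
    for line in text.strip().splitlines():
        ts, client, method, host, port, nbytes, action = line.split()
        records.append({"ts": ts, "client": client, "method": method,
                        "host": host, "port": int(port),
                        "bytes": int(nbytes), "action": action})
    return records


def large_uploads(records, threshold_bytes):
    """Clients whose outbound volume exceeds the threshold.  Destinations are
    ignored on purpose: an attacker can use any site, including a whitelisted
    one, so the volume is the indicator."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] != "DENY":
            totals[r["client"]] += r["bytes"]
    return {c: b for c, b in totals.items() if b > threshold_bytes}


def known_bad_contacts(records, bad_hosts):
    """Requests to hosts on the threat list, denied or not."""
    return [(r["client"], r["host"]) for r in records if r["host"] in bad_hosts]


def policy_gaps(records, allowed_ports):
    """Requests to a non-approved port that were nevertheless let through:
    evidence that the proxy rules do not match the intended protocol policy."""
    return [(r["client"], r["host"], r["port"]) for r in records
            if r["port"] not in allowed_ports and r["action"] != "DENY"]


def fail_open_events(records):
    """Fail-open events raised at critical severity for immediate response,
    as the 'Fail open or fail closed?' compromise above requires."""
    return [{"severity": "critical", "ts": r["ts"], "client": r["client"],
             "host": r["host"]} for r in records if r["action"] == "BYPASS"]


def review(records, threshold_bytes=100 * 1024 * 1024):
    """Run all four checks and return their findings together."""
    return {
        "large_uploads": large_uploads(records, threshold_bytes),
        "known_bad": known_bad_contacts(records, KNOWN_BAD_HOSTS),
        "policy_gaps": policy_gaps(records, ALLOWED_PORTS),
        "fail_open": fail_open_events(records),
    }


if __name__ == "__main__":
    for name, findings in review(parse_proxy_log(PROXY_LOG)).items():
        print(f"{name}: {findings}")
```

On the constructed log the review flags one client that sent roughly 150 MB outbound in a few minutes, one contact with a listed host, one request to port 8443 that the ruleset let through although the policy only approves HTTP/S and SMTP, and one fail-open event. Only the last two need the proxy’s own decision field; the volume and threat-list checks work on any outbound log, which is why the section recommends them first.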
Organisations would also be wise to ensure that the majority of their defensive thresholds and capabilities are hidden from attackers. For example, in his talk ‘Attack-Driven Defense’, Zane Lackey of Etsy explored the idea of both defensive rootkits (i.e. hidden host agents) and network devices that do not alert, but rather send mass data reports to logging systems (see Further Reading). The actual alerting can then be done by aggregation systems, so that attackers are unable to identify alert thresholds by compromising network devices. To understand the behaviours that would generate an alert, an attacker would need to compromise the log aggregation system, which would offer an extra chance for the defence team to detect the attack.

Wargaming and learning lessons

Experience in dealing with advanced attackers is an extremely useful asset for an organisation. It can take the form of either experienced staff, who can be hired, consulted or contracted, or organisational experience – which must be learnt. All investigations of breaches should include a period of ‘After Action Review’, where the defensive teams try to identify the lessons to be learnt [26]. These should include the controls that would have prevented the attack, alerting that would have detected the attacker, and logging that could have made investigation easier. It is recommended that organisations have a defined process for rolling these lessons back into the security plan.

If there are no on-going breach investigations, defensive staff can ‘wargame’. This can be a hypothetical exercise, whereby an attacker is imagined and the teams see whether defences would thwart them, or allow for their detection after the fact. Alternatively, security staff or external providers can conduct real-world attacks, either from an external perspective or by setting up an internal C&C and then compromising documents – while seeing how long it takes defenders to locate them once they are told of the attack. This process can also be used to generate understanding of the routes currently open to an attacker, and hence allow these routes to be closed or honeypotted.

Delaying or deterring further attacks

If an organisation has managed to locate an attack, it is important not to remove the attacker immediately (by changing passwords, for example) unless there are significant business reasons for doing so. By taking time to understand the true extent of the breach, and how the attacker has gained entry and persistence, a more effective response can be prepared.

Organisations are advised to push an attacker as far back along the intrusion as they can. As an example, if an attacker is caught accessing a file and the organisation blocks access to that file, then the attacker is still acting on objectives. If, however, the command and control infrastructure and initial points of entry can be identified and successfully remedied, the attacker might be pushed back to the initial reconnaissance phase and forced to identify a new route in. This will increase the time and cost to the attacker and, although it might not necessarily prevent a future attack, it could buy the defensive team time to conduct further analysis and to better understand their weaknesses – as well as the attacker’s likely future tactics.

[Figure: By carefully planning the response to an attack, the threat actor can be pushed further back along the attack path. Response stages shown, from least to most effective: stop exfiltration by blacklisting IPs; change passwords of compromised accounts; identify and remove C&C.]
Summary
Glossary

DNS – Domain Name Service – System by which human-readable URLs (www.site.com) are linked to IP addresses

EMET – Exploit Mitigation Experience Toolkit – Advanced exploit preventions for Windows

FTP – File Transfer Protocol – An older but regularly used system for transferring files. Typically unencrypted

GUI – Graphical User Interface – The visual interface of a program as opposed to the command line interface

gzip – A tool for compressing data

HTTP/S – Hypertext Transfer Protocol / Secure – The underlying protocol by which web pages are delivered

IDS – Intrusion Detection System – Software working at either computer or network level to detect signs of compromise. Typically compares activity to a list of known ‘bad’ activities

IP flow – A system to show packet flows between hosts and not the actual content of packets

SIEM – Security Incident and Event Management – Software to allow correlation and investigation of alerts

SMB – Server Message Block – System for accessing resources on remote computers, including files and RPC

SMTP – Simple Mail Transfer Protocol – Protocol underpinning email

SSH – Secure Shell – Remote and encrypted command line access to systems

SSL – Secure Sockets Layer – Unencrypted protocols can be tunnelled through SSL to provide encryption

TCP – Transmission Control Protocol – A protocol used in sending data in the form of message units

VLAN – Virtual Local Area Network – Allows logically distinct networks to share the same physical hardware

VPN – Virtual Private Network – Allows physically distinct networks to communicate securely, as if physically connected
Quick Wins

A comprehensive defensive programme such as that described in this paper is time-consuming to define and agree, let alone to implement. However, while this process is being undertaken, there are several steps that IS staff can take to achieve a rapid improvement in resilience against data exfiltration.

The ‘quick wins’ described below are designed to help increase an organisation’s overall defence against data exfiltration. In most cases, they assume the attackers are already in the network or soon will be, and hence they are generally designed to aid investigation following a third-party breach notification. The quick wins should be considered as temporary measures, while a full programme is in its early stages. All are likely to be circumventable by an advanced attacker, yet they could prove effective if the organisation is compromised by a less advanced attacker.

• Ensure the network is manageable
A defensive programme or incident response will require accurate and updated network maps, and details of hosts and devices on the networks. IS and IT staff should ensure such maps are available. The Manageable Network Plan can be used to guide this process [20]. CPNI advice on Protecting Information About Networks, the Organisation and Staff (PIANOS) can be consulted to help protect the information adequately.

• Logging throughout the organisation
To aid an investigation, IS staff are advised to ensure that as much log file data as possible is available for investigators. A cheap – but easily compromised – option is to have devices log data locally, monitoring such activities as the use of programs that are potentially useful to attackers: net.exe and ipconfig, for example. Where budget or surplus equipment is available, key devices should be set up to log data centrally, even if the logs aren’t used for alerting.

• Audit domain accounts
IS staff are advised to conduct audits for suspicious behaviour of domain accounts. This can include multiple failed logins or the creation of new administrative accounts. IS staff could also audit for weaknesses, such as active accounts for departed staff, or accounts not used for one month. The password strength of accounts can be audited by attempting to crack the passwords – and informing users if their password proved to be susceptible.

• Separate network into VLANs
In some networks, broad VLAN segregation can be achieved without impacting services or requiring new hardware. As time and budget allow, segregation can become more granular and restrictive. Adding network segregation can provide critical new opportunities to log an attacker’s horizontal and vertical network movements.

• Use network-based AV or IDS as crude DLP
Many organisations have network-level antivirus or a computer that can be used as such. By adding sensitive keywords as virus definitions, the AV will generate alerts that help the IS team to see and understand the flow of sensitive documents in their organisation. Bear in mind, however, that if attackers compromise the AV host, they will gain access to the words and the alerts – which could prove useful to them.

• Basic host hardening
Quick wins can often be achieved by hardening hosts through group policy, hence requiring no additional software. Staff are advised to investigate technologies such as EMET, and application whitelisting through AppLocker. An example of a quick win is that AppLocker can be configured to allow only software signed by specific companies to run (although the use of some third-party software can then prove problematic). By allowing only Microsoft and the manufacturers of approved software, attackers can be deterred from using their own tools. The hardening of operating systems, and third-party software, can be introduced gradually, as time and resources allow.

• Make the most of current tools
Experience shows that many organisations have a number of security and usability tools that they are not fully utilising. By auditing the tools in place, an organisation can begin to gain maximum value from them.

• Honeypots
Implementing honeypots (see section ‘Honeypots’) can be an effective quick win, and many types of honeypot do not require significant time or resources to implement. For example, intentionally weak domain credentials or sensitive-sounding documents can be quick to create without impacting the rest of the business – and hence might not require top-level authorisation.
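The ‘Audit domain accounts’ quick win above can be started with nothing more than an export of the domain controllers’ security log and the account inventory. The following is an added example, not MWR/CPNI code: the event export and inventory formats are constructed, as are the account names and timestamps; Windows event IDs 4625 (failed logon), 4720 (user account created) and 4728 (member added to a security-enabled global group) are the real identifiers such an audit would key on. The password-strength check the quick win mentions is a separate exercise and is not part of this example.

```python
"""Domain account audit over constructed security-log events and a constructed
account inventory.  Added example, not MWR/CPNI code.  Event IDs 4625, 4720
and 4728 are the standard Windows identifiers; everything else is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed security-log export: time, event ID, target account, detail.
EVENTS = """\
2014-02-03T08:00:00,4625,jsmith,bad password
2014-02-03T08:00:05,4625,jsmith,bad password
2014-02-03T08:00:09,4625,jsmith,bad password
2014-02-03T08:00:14,4625,jsmith,bad password
2014-02-03T08:00:20,4625,jsmith,bad password
2014-02-03T08:30:00,4625,abrown,bad password
2014-02-03T09:15:00,4720,svc_backup2,created by helpdesk01
2014-02-03T09:16:00,4728,svc_backup2,added to Domain Admins
2014-02-03T09:20:00,4728,abrown,added to Sales
"""

# Constructed account inventory: account, state, last logon, employment status.
ACCOUNTS = """\
jsmith,enabled,2014-02-01T17:00:00,current
abrown,enabled,2014-02-03T09:00:00,current
cjones,enabled,2013-11-20T10:00:00,left
dwhite,enabled,2013-12-15T12:00:00,current
svc_backup2,enabled,2014-02-03T09:16:00,current
"""

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_events(text):
    out = []
    for line in text.strip().splitlines():
        ts, eid, account, detail = line.split(",", 3)
        out.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                    "account": account, "detail": detail})
    return out


def parse_accounts(text):
    out = {}
    for line in text.strip().splitlines():
        name, state, last, status = line.split(",")
        out[name] = {"enabled": state == "enabled",
                     "last_logon": datetime.fromisoformat(last), "status": status}
    return out


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with `threshold` or more failed logons inside any `window`
    (the 'multiple failed logins' indicator)."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_account[e["account"]].append(e["ts"])
    flagged = []
    for account, times in by_account.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(account)
                break
    return flagged


def new_admin_accounts(events):
    """Accounts that were created and then added to an administrative group."""
    created = {e["account"] for e in events if e["id"] == 4720}
    return [e["account"] for e in events
            if e["id"] == 4728 and e["account"] in created
            and any(g in e["detail"] for g in ADMIN_GROUPS)]


def weak_accounts(accounts, audit_date, stale_after=timedelta(days=30)):
    """Enabled accounts of departed staff, and accounts unused for a month."""
    departed = [n for n, a in accounts.items()
                if a["enabled"] and a["status"] == "left"]
    stale = [n for n, a in accounts.items()
             if a["enabled"] and audit_date - a["last_logon"] > stale_after]
    return {"departed": departed, "stale": stale}


def run_audit(events_text, accounts_text, audit_date_iso):
    """Run the three checks and return their findings together."""
    events = parse_events(events_text)
    accounts = parse_accounts(accounts_text)
    report = {"failed_logon_bursts": failed_logon_bursts(events),
              "new_admin_accounts": new_admin_accounts(events)}
    report.update(weak_accounts(accounts, datetime.fromisoformat(audit_date_iso)))
    return report


if __name__ == "__main__":
    for check, findings in run_audit(EVENTS, ACCOUNTS, "2014-02-03T12:00:00").items():
        print(f"{check}: {findings}")
```

On the constructed data the audit reports one account with a burst of failed logons, one freshly created account that was immediately placed in Domain Admins, one enabled account belonging to someone who has left, and two accounts unused for over a month. Each finding is a starting point for a person to look at, not an automatic action: the created-then-promoted pattern in particular is exactly what the helpdesk does legitimately, so the value is in asking why, quickly, rather than in blocking.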
A Day in the Life of an Attacker and a Defender

MWR conducts penetration testing for clients to validate defences and identify routes that attackers might use. The following is hybridised from interviews with MWR consultants and client defence staff, describing two network penetrations. In the individual cases, only particular controls needed to be overcome and by combining the tactics used, it is believed the majority of organisations would be susceptible. Consultants were careful to avoid any logging and alerting in place, although it was later established that neither organisation had effective alerting – hence steps have been left out for succinctness. Despite being security-aware organisations, neither target had an effective defence strategy for more advanced attackers, meaning no zero-day exploits were required and no covert actions were detected by the targets.

Attacker: We got into the network through phishing emails with a link to a malicious webpage. We were targeting staff at a specific location, as we believed that proxy filtering was in place, so the malicious payload caused the infected laptops to connect to a Wi-Fi network that had been set up outside the building. We considered using DNS tunnelling for the initial payload as we then wouldn’t need to be near the building, but decided it would be slow – and we only had limited time. We probed one of the systems connecting to us and used an unpatched Windows vulnerability to escalate privileges to local administrator. We then packed all our tools using a custom encryptor to avoid AV, but used built-in Windows tools where we could.

Defender: We have a number of alerts on a typical day, rarely anything serious and normally the standard drive-by, download-style attacks. We are alerted to phishing emails by staff, although the AV catches a lot of them first. No alerts came in that morning.

Attacker: We used the browser of the machines to download benign files that were designed to be detected by the antivirus, and we waited until a domain administrator remotely logged into the machine to inspect the source of the alerts. At that point, we used the domain administrator’s security token to add ourselves to the domain as administrators. Evidence of the C&C was then cleaned up with a script, so that the investigating administrator would only see that the browser had accessed some odd files.

Defender: We had a number of malware alerts from a particular host and so one of our team logged in to check it. He looked at the AV logs and running executables and didn’t find anything suspicious. The files weren’t malicious, but things like EICAR to test AVs with. He started a deep AV scan just to be safe and logged off.

Attacker: We then accessed one of the other machines that had connected to the Wi-Fi network as a result of the spear phishing. Settings were inspected to determine details of the web proxy, and the domain administrator credentials were used to log into the proxy and view the rule set. We found a mistake in a rule that meant outbound traffic would be allowed to any address as long as it contained a particular string. We registered the relevant domain, and reconfigured the compromised hosts to communicate back to us using the new domain, meaning we could leave the vicinity of the building.

Defender: We are replacing one of the firewalls at the moment, as it has reached end of life, and so much of the morning was taken up with testing the build and making sure the old options will map over to the new OS – as there have been some changes between versions.

Attacker: We used the local user’s credentials to access the central SharePoint and identify the individuals who would have access to the targets specified by the clients. Security staff were also identified, and we used domain admin credentials to connect directly to the security staff’s laptops and browse documents to establish the alerting and monitoring in place in the organisation. Domain admin credentials were then used to log into workstations of the individuals who were believed to have access to the target documents. In many cases, the target files required by the clients were found in the local hard drives of the targeted individuals’ computers. However, for some documents this was not the case, and so we extracted plaintext passwords from the machines of the individuals. These passwords were then used to log into email accounts to search for evidence of the documents required.

Defender: We review logs daily, based on what our filters have pulled out. One of our web apps had hit the threshold of 5xx error codes so we had a look at its logs – but it didn’t seem to be malicious.

Attacker: Access to a specific system was required as evidence, so we installed screen-capturing software on a user of the system, and watched their access to determine how to use the system and navigate it appropriately. Once convinced that the system could safely be used without tripping any alerts, we connected using the compromised credentials and extracted the information. Data was collated on the C&C host and then zipped into an archive. The archive was then exfiltrated using HTTPS through the proxy to the domain that had been set up.
Case Studies
An organisation in the corporate services sector managed its risk based on the perceived primary threat of competitors hoping to gain an advantage, or other insight into their client relationships. As such, the organisation believed its primary assets were its financial data and client contacts. An investigation found that it had been compromised by at least one attacker thought to be funded by a nation state – and that the attacker was compromising not the organisation’s own data but its clients’ data. In other words, by holding intimate details of its clients’ businesses, the organisation had become a target itself.
Many products exist that claim to prevent advanced attacks and hence organisations can place too much reliance on a particular product, rather than implementing a robust defence-in-depth approach. An example is the ‘Hidden Lynx’ hacking campaign reported by Symantec. A military contractor in the U.S. was using an application whitelisting tool by Bit9. This was preventing attackers from running their own tools, so the attackers simply shifted their focus to Bit9 itself – stealing the Bit9 code-signing certificates, which enabled the attackers to sign their tools with Bit9’s certificate. Hence they were readily able to run their own tools on systems protected by Bit9.
Further Reading
Hidden Lynx – Professional Hackers for Hire (Symantec) and Global Energy
Cyberattacks: ‘Night Dragon’ (McAfee)
Two detailed reports of attacks that are believed to be nation state-sponsored
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
http://www.mcafee.com/uk/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf
Contributors:
David Chismon
Martyn Ruks
Matteo Michelini
www.mwrinfosecurity.com
labs.mwrinfosecurity.com
Follow us on Twitter:
@mwrinfosecurity
@mwrlabs
This Briefing Paper is provided for general information purposes only and
should not be interpreted as consultancy or professional advice about any
of the areas discussed within it.