At the recent ShmooCon security conference, hackers from all over gathered to learn from one another during the "snowmageddon" snowstorm affecting the northeastern U.S. The topics included hardware hacking, Bluetooth sniffing, and exploiting multifunction print devices. One theme that surfaced in several presentations was data exfiltration -- and techniques used by attackers and penetration testers.
The first presentation touching on data exfiltration was "Gone in 60 Minutes: Stealing Sensitive Data from Thousands of Systems Simultaneously with OpenDLP" (video) by Andrew Gavin. He looked at finding and gathering data from a penetration tester's viewpoint. Gavin uses OpenDLP, a tool he wrote himself, in pen-testing engagements after he gains Active Directory domain administrator credentials.
With OpenDLP, an agent gets deployed to all the Windows systems. It scavenges their hard drives looking for data matching certain patterns, like credit cards and SSNs, then pulls the data back to the OpenDLP controller. With this tool, Gavin can walk out with the controller and the data is his.
The OpenDLP approach is powerful and effective, but noisy. An astute network or systems administrator might catch the traffic or agent installation if they're monitoring their systems diligently. A network behavioral anomaly detection system like Lancope's StealthWatch could detect the sudden uptick in traffic from the hosts sending data to the controller. Controls that monitor for new Windows services and software installations may sound an alarm when the agent is pushed to the victim's workstations.
Detection is unlikely, though, according to Sean Coyne's presentation and whitepaper, "The Getaway: Methods and Defenses for Data Exfiltration." Coyne, a consultant for Mandiant, wrote, "Not nearly enough emphasis is placed on internal network traffic monitoring -- especially lateral movement from workstations to workstations, and workstations to servers." Most security pros know how true this statement is.
Another interesting exfiltration technique was covered in the "Printers Gone Wild" presentation at Shmoocon. Ben Smith explored using printers for temporary storage of data that could later be transferred to an attacker's or pen tester's system. He has created a soon-to-be-released tool called printFS that uses printers for covert storage. Since printer security is often overlooked, exploiting the storage on a printer could easily go unnoticed. Good thing your printers are locked down, right?
The presentation, "The Getaway," held some interesting and inventive techniques for advanced data exfiltration. The case studies presented were from actual investigations performed by Mandiant consultants. The first case involved a compromised system where data was transferred via copy/paste in a Windows Remote Desktop (RDP) session. The files were saved as .EML files in Outlook Express and then copied over the RDP session.
How does one monitor for traffic across an RDP session? There may be an increase in traffic, but it's likely to be indistinguishable from normal RDP traffic. Instead, RDP connections to unusual hosts can indicate an issue or host-based monitoring for abnormal behavior.
In the preceding case study, Outlook Express had never been run until the attack. A system like El Jefe, a free, centralized process logging system from Immunity Inc., could have flagged the first run of an application, as well as something unlikely to be run on a server (i.e., Outlook Express).
The last case study presented in "The Getaway" involved a client who experienced an intrusion following the cleanup from a previous compromise. The attackers took advantage of an unused installation of a Microsoft Internet Information Services (IIS) Web server to host the data to be exfiltrated. Using a network tunnel back to a system controlled by the attacker, the data was transferred from the IIS Web server through the tunnel to the attacker's system.
The latter case provides a good example of why unused services should be removed, but it also gives a look into just how far an attacker will go to get data out. Instead of attempting to transfer data via the usual FTP or HTTP methods, the attacker attempted to download 144 GB of data via tunneled HTTP using malware on the compromised system -- most likely to get around firewall rules preventing inbound connections to the IIS server.
Attackers looking to get data out of your organization will go to great lengths, but every action on the network and systems leaves a trail. The key is to be monitoring the network, servers, and workstations so that the trail can be picked up before it is too late.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.