ARLINGTON, VA–Pulling valuable data out of corporate networks is the end goal of many, if not most, attacks these days and the tactics that attackers use to get into their targets are fairly well understood and publicized. But it’s not often that you get a look at the way that the data is actually removed from the victims’ networks.
Two security consultants from Mandiant presented a fascinating view at Black Hat DC here this week of the methods that attackers are using to exfiltrate the data that they steal from their targets. Many of the methods are what one would expect, but in the case studies that Ryan Kazanciyan and Sean Coyne discussed in their talk, there often was a simple twist that made the operation more effective.
The general scenario that the pair outlined for long-term data-stealing operations was a familiar, logical one. The attacker finds a way into the network, often through a highly targeted spear phishing email containing a PDF or Word document with an exploit in it, and gets a foothold on a client machine. He then uses another exploit to escalate his privileges and move to another machine, looking for a PC with valuable data in the form of documents, spreadsheets, financial information or whatever else is available. That data is then moved to a staging area on the network until the attacker packages it up and sends it out.
In one instance, Coyne and Kazanciyan said an attacker had removed 170 GB of data from a victim’s network, mainly in the form of documents.
Coyne and Kazanciyan said that in most cases, attackers will stage the stolen data on a workstation rather than a server in order to avoid detection. Most normal users don’t pay much attention to the amount of storage that’s being used on their machines on a daily basis, whereas the admins in charge of the servers hopefully are being somewhat more vigilant, they said. And while some attackers will pull all of the stolen data off a machine in one fell swoop, it’s more common for them to do it bit by bit, they said.
“If you take the data out from the staging area all at once, it’s harder to detect and stop, as opposed to numerous smaller ones over a period of time that might trip an alarm and get noticed,” Coyne said.
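The staging-and-trickle pattern described above, where the total leaving a workstation is large but each individual transfer is small, is what a per-transfer size alarm misses. As an added example (not code from the talk or from Mandiant), the following Python groups outbound flow records by internal source and external destination and sums them over a sliding 24-hour window, so a host whose many modest transfers add up is flagged while a single routine bulk transfer is left to an ordinary volume threshold. The flow-log format, the addresses and the thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound flow records (not from the article). The format and the
# addresses are assumptions for this example. Workstation 10.0.0.5 trickles six
# mid-sized transfers to one external host over a day; server 10.0.0.20 makes a
# single large transfer; 10.0.0.8 sends two small ones; one record is inbound.
SAMPLE_FLOWS = """\
2011-01-16T02:00:00Z src=10.0.0.5 dst=203.0.113.7 bytes=60000000
2011-01-18T01:10:00Z src=10.0.0.5 dst=203.0.113.7 bytes=45000000
2011-01-18T03:40:00Z src=10.0.0.5 dst=203.0.113.7 bytes=52000000
2011-01-18T02:15:00Z src=10.0.0.8 dst=198.51.100.9 bytes=2000000
2011-01-18T08:05:00Z src=10.0.0.5 dst=203.0.113.7 bytes=38000000
2011-01-18T12:30:00Z src=10.0.0.20 dst=198.51.100.9 bytes=5000000000
2011-01-18T14:20:00Z src=10.0.0.5 dst=203.0.113.7 bytes=41000000
2011-01-18T17:45:00Z src=198.51.100.9 dst=10.0.0.8 bytes=90000000
2011-01-18T19:00:00Z src=10.0.0.5 dst=203.0.113.7 bytes=36000000
2011-01-18T20:10:00Z src=10.0.0.8 dst=198.51.100.9 bytes=1500000
2011-01-18T22:30:00Z src=10.0.0.5 dst=203.0.113.7 bytes=48000000
"""

FLOW_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) bytes=(\d+)$")


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, bytes) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the whole batch
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        rows.append((ts, m.group(2), m.group(3), int(m.group(4))))
    rows.sort()
    return rows


def find_slow_exfil(flows, window=timedelta(hours=24), total_min=200_000_000,
                    min_transfers=3, internal_prefix="10."):
    """Return {(src, dst): (transfer_count, bytes_in_window)} for internal->external
    pairs whose outbound volume inside any sliding `window` reaches `total_min`
    across at least `min_transfers` separate transfers. A single huge transfer
    does not qualify here; that is the bulk case, which a plain per-transfer
    volume threshold already catches."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (ts, bytes) inside the window
    totals = defaultdict(int)     # (src, dst) -> sum of bytes currently in the deque
    flagged = {}
    for ts, src, dst, nbytes in flows:
        if not src.startswith(internal_prefix) or dst.startswith(internal_prefix):
            continue  # only internal -> external traffic is of interest
        key = (src, dst)
        q = recent[key]
        q.append((ts, nbytes))
        totals[key] += nbytes
        # Evict transfers older than the window so an old, unrelated transfer
        # does not inflate today's total.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            totals[key] -= old
        if len(q) >= min_transfers and totals[key] >= total_min:
            best = flagged.get(key, (0, 0))
            if totals[key] > best[1]:
                flagged[key] = (len(q), totals[key])
    return flagged


if __name__ == "__main__":
    for (src, dst), (count, total) in find_slow_exfil(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {count} transfers, {total} bytes within 24h")
```

On the constructed records only the workstation pair is reported: its six transfers sum to 260 MB inside the window (the 60 MB transfer from two days earlier is evicted), whereas the server's single 5 GB transfer and the other workstation's two tiny ones do not meet the count-and-volume test. In practice the thresholds would be tuned per host role, since the talk's point is precisely that workstation disk and traffic baselines get far less scrutiny than server ones.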
In one case study the pair discussed, the client’s network had been compromised for some time, and once the penetration was discovered, they noticed that the attackers were pulling data out in RAR archives. The company’s IT staff set up a custom DLP rule that prevented RAR files from leaving the network. Once that rule was in place, the attacker’s next couple of attempts to exfiltrate data in RARs failed; he then simply stopped naming them RAR files and proceeded with his data theft.
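The DLP rule in that case study keyed on how the files were named, which is why a rename defeated it. As an added example (not code from the talk, from Mandiant or from the client's DLP product), the following Python places the weak name-based rule beside a content-based one that classifies a file by its leading magic bytes, so a RAR archive is recognised whatever it is called. The archive signatures are the real on-disk ones; the file names and contents are constructed for the example, and the extension table and blocked-container policy are assumptions.

```python
# Archive container signatures (real magic bytes) in the order they are tested.
ARCHIVE_SIGNATURES = (
    (b"Rar!\x1a\x07\x01\x00", "rar5"),   # RAR 5.x archives
    (b"Rar!\x1a\x07\x00", "rar4"),       # RAR 1.5 - 4.x archives
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"PK\x03\x04", "zip"),
)

# Extensions that legitimately carry each container (an assumption for this
# example). Office Open XML documents are ZIP containers, so a ZIP signature on
# a .docx is expected, not a disguise; the rule must not block every ZIP.
EXPECTED_EXTENSIONS = {
    "rar4": {"rar"}, "rar5": {"rar"}, "7z": {"7z"}, "gzip": {"gz", "tgz"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk"},
}

# Containers this example policy refuses to let leave the network.
BLOCKED_KINDS = {"rar4", "rar5", "7z"}


def identify_archive(data):
    """Return the container type implied by the leading bytes, or None."""
    for signature, kind in ARCHIVE_SIGNATURES:
        if data.startswith(signature):
            return kind
    return None


def extension_rule(filename):
    """The weak rule from the case study: block anything whose name ends in .rar."""
    return filename.lower().endswith(".rar")


def content_rule(filename, data):
    """The content-aware rule: classify by magic bytes, decide on the container
    type, and record when the extension disagrees with the content."""
    kind = identify_archive(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    mismatch = kind is not None and ext not in EXPECTED_EXTENSIONS[kind]
    return {"kind": kind, "blocked": kind in BLOCKED_KINDS, "extension_mismatch": mismatch}


# Constructed sample files (not from the article): a RAR with its own name,
# the same kind of archive renamed to look like a Word document, a genuine
# ZIP-based Word document, and a plain text file.
SAMPLES = {
    "q1-financials.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 32,
    "q1-financials.docx": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 32,
    "memo.docx": b"PK\x03\x04" + b"\x14\x00" * 13,
    "notes.txt": b"Quarterly notes, plain text.",
}


def compare_rules(samples=SAMPLES):
    """Run both rules over the samples; returns {name: (extension_blocked, content_verdict)}."""
    return {name: (extension_rule(name), content_rule(name, data))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, (by_ext, by_content) in compare_rules().items():
        print(f"{name:22} ext-rule={by_ext!s:5} content={by_content}")
```

The renamed archive is the interesting row: the name rule passes it, the content rule blocks it and additionally reports an extension mismatch, which is itself worth alerting on even for containers the policy allows. Signature classification only covers the containers it knows about and looks at a file's first bytes rather than its full structure, so it complements rather than replaces the volume-based monitoring discussed earlier.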
“The impact of these data thefts is hard to quantify because the value of a lot of that data has yet to be realized,” Coyne said. “In many of the cases that we worked on, the attackers were inside for months or years. If all of your effort is on remediation after the fact, it’s too little too late.”
Coyne and Kazanciyan also said that they typically see two main types of attackers: those who are looking for one or two specific types of data and those who will steal anything they can find.
“What that tells us is that the guys who are stealing everything they can get their hands on have a lot of manpower behind them to sift through it all,” Coyne said. “Others go for specific things, take those and leave. They may not have as many resources to analyze the data.”