The processes and tools behind a true APT campaign: Exfiltration

This article is part of a series about APT campaigns. The topics covered in this series are reconnaissance, weaponization and delivery, command and control, and exfiltration.

In part five of a series on understanding the processes and tools behind an APT-based incident, CSO examines the exfiltration phase. At this point, all of the other phases are complete, and if the campaign hasn't been halted before now, it's likely that data will be removed from the network.

Exfiltration is the endgame for an attacker. If the attack -- and it doesn't matter if the attack is passive or targeted -- has made it to this point, your day is about to head up a famous creek, and you're missing a paddle.

Once the targeted data has been located, it will either be copied and moved directly across the established C2 connection in bulk, or it may be copied to a staging area elsewhere on the network and moved across the C2 channel in smaller, easily managed chunks. The first pattern is the signature of a passive, opportunistic attack; the staged, chunked pattern is the signature of a targeted one.

As mentioned previously, passive attacks are noisy, and they are easily detected by layered defenses because of this noise. However, since passive attacks work on volume first, noise isn't an issue to the person running such a campaign. Targeted attacks on the other hand, are the exact opposite.

The person(s) running targeted campaigns have taken care to keep a low profile while they work, so a massive data dump isn't likely. Instead, the targeted attack will see data leave the network via a C2 channel that is just as innocent looking as the traffic carrying the compromised data.

In the previous article covering the C2 phase, we explained that an opportunistic attack will often use a communications channel with a poor reputation. The attacker(s) in this scenario will use the same easily identified channel for each compromised host, with no variation.

Opportunistic attacks such as this exfiltrate data to bulletproof hosting servers, located in datacenters within countries that are often out of reach for local law enforcement, or where local laws do not prohibit their intended use. In cases such as these, there is no help to be expected from the ISP (or webhost). So if you didn't stop the data from leaving as it was happening, then even if you discover where it went, such knowledge may be of little use legally.

Targeted attacks however, will use a C2 channel that is clean, often by compromising a legitimate server to store data on in the short term. In many cases, the compromised server's administrators have no clue that they're hosting data that isn't their own, and by the time they realize something's amiss, the criminal(s) behind the incident are long gone.

During the exfiltration phase, the best defense is awareness. You'll need to know what data is moving in and out of your network at all times. This is why monitoring outbound traffic is just as important as monitoring incoming traffic.

DLP solutions are often touted as an answer to the exfiltration phase, but they're not foolproof. If tuned properly, however, DLP offerings can help monitor network traffic and control it. They can spot unauthorized encryption, something that both passive and targeted attacks will use to hide communications with the outside, and they can likewise spot abnormal traffic patterns and raise red flags.

In addition, monitoring user account activity is also worth a mention as a defense, particularly legitimate accounts that are behaving abnormally: performing abnormal activities, moving an abnormal volume of data, or acting at abnormal times.

"Most attackers will have worked to secure legitimate credentials to access your data, so your best bet is trying to spot abnormal user activity. Of course, to do this you will have had to establish a set of baselines to measure against. This is critical," Rik Ferguson, the VP Security Research at Trend Micro, told CSO.
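The baselining that Ferguson describes, and the outbound-traffic checks the preceding paragraphs call for (abnormal volume, activity at abnormal times, unauthorized encryption), can be expressed as a small detector run over flow records. The following is an added example, not code from the article, CSO, or Trend Micro; the flow record layout, the user names, the hosts, and the thresholds are all constructed for illustration, and the sixth-day traffic is invented to show each rule firing. It also flags connections made directly to a bare IP address, the pattern that the ACL rules mentioned further below are meant to block.

```python
# Added example: outbound-traffic baselining over constructed flow records.
import math
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address
from typing import NamedTuple


class Flow(NamedTuple):
    # Constructed flow record; not any product's log format.
    ts: datetime
    user: str
    dst: str          # hostname the client resolved, or a bare IP if it did not
    port: int
    bytes_out: int
    payload: bytes = b""   # leading bytes of the outbound body, if captured


def is_bare_ip(dst: str) -> bool:
    """True when the client connected by IP address with no hostname involved."""
    try:
        ip_address(dst)
        return True
    except ValueError:
        return False


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits near 8, text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_baseline(history):
    """Per-user baseline from a training window: median daily outbound bytes
    and the (earliest, latest) hour of day in which the user generates traffic."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> date -> bytes
    hours = defaultdict(set)                         # user -> {hour of day}
    for f in history:
        daily[f.user][f.ts.date()] += f.bytes_out
        hours[f.user].add(f.ts.hour)
    median = {u: statistics.median(d.values()) for u, d in daily.items()}
    window = {u: (min(h), max(h)) for u, h in hours.items()}
    return median, window


def detect(flows, baseline, volume_factor=5.0, min_bytes=50_000_000,
           entropy_threshold=7.0, cleartext_ports=(80, 8080)):
    """Return (user, reason) tuples for one day's flows measured against the
    baseline. The thresholds are assumptions; tune them to the environment."""
    median, window = baseline
    alerts = []
    today = defaultdict(int)
    for f in flows:
        today[f.user] += f.bytes_out
        if f.user in window:
            first, last = window[f.user]
            if not first <= f.ts.hour <= last:
                alerts.append((f.user, f"activity at {f.ts:%H:%M} outside baseline hours {first:02d}-{last:02d}"))
        if is_bare_ip(f.dst):
            alerts.append((f.user, f"direct-to-IP connection to {f.dst}:{f.port}"))
        if f.port in cleartext_ports and f.payload:
            h = shannon_entropy(f.payload)
            if h > entropy_threshold:
                alerts.append((f.user, f"high-entropy payload ({h:.2f} bits/byte) on cleartext port {f.port}"))
    # Volume is judged per user per day against the median, with an absolute
    # floor so a low-traffic account is not flagged for a few extra megabytes.
    for user, total in today.items():
        base = median.get(user)
        if base is None:
            alerts.append((user, "no baseline for this account"))
        elif total > max(base * volume_factor, min_bytes):
            alerts.append((user, f"outbound volume {total} bytes vs daily median {int(base)}"))
    return alerts


def sample_alerts():
    """Constructed data: five days of routine traffic, then a sixth day on
    which 'alice' pushes 600 MB to a bare IP at 02:30 over plain HTTP."""
    history = []
    for day in range(1, 6):
        for hour in (9, 11, 14, 16):
            history.append(Flow(datetime(2024, 3, day, hour, 0), "alice", "intranet.example.com", 443, 500_000))
        history.append(Flow(datetime(2024, 3, day, 10, 0), "bob", "www.example.com", 80, 500_000))
    today = [
        Flow(datetime(2024, 3, 6, 10, 0), "alice", "intranet.example.com", 443, 1_000_000),
        Flow(datetime(2024, 3, 6, 2, 30), "alice", "203.0.113.10", 80, 600_000_000, bytes(range(256))),  # stand-in for ciphertext
        Flow(datetime(2024, 3, 6, 10, 15), "bob", "www.example.com", 80, 400_000, b"user=bob&action=view&id=17" * 4),  # ordinary form data
    ]
    return detect(today, build_baseline(history))


if __name__ == "__main__":
    for user, reason in sample_alerts():
        print(f"{user}: {reason}")
```

Running the sample yields four alerts, all for alice: off-hours activity, a direct-to-IP destination, an 8.00 bits/byte payload on port 80, and a daily volume three hundred times her median. Bob's ordinary form post on port 80 passes every rule, which is the point of the entropy check: it separates cleartext that merely uses a cleartext port from ciphertext smuggled over one. The volume floor and the hour window are the kind of baselines Ferguson is talking about; without the training window, the detector can only report that it has nothing to compare against.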

The same measures used to guard against C2 channels can also work for exfiltration, including ACL rules that block outbound connections made directly to an IP address rather than to a resolved domain name, IPS and IDS systems (which, with proper tuning, can be used to monitor all phases of a campaign), and application-based firewall rules that control which programs are allowed to send traffic to the outside. These rules can be applied to workstations or to network segments, depending on your organization's infrastructure.

Assuming you catch the exfiltration process as it is taking place, logs will be a key resource in the incident response, because they can help determine what happened, how it happened, and what was taken. Answering the question of "Who" is possible, but realistically it's unlikely. Often, during either a passive or a targeted campaign, attribution is fueled by assumptions rather than fact.

No matter what the mitigation however, the fact remains that the best bet is to prevent an incident before it can happen. This is what the Australian Signals Directorate (ASD) has focused their energies on, after their networks were constantly being targeted by "adversaries seeking access to sensitive information."

In a rather extensive workup on mitigations that deal with targeted intrusions, the ASD singled out four absolute essentials, designating them as mandatory requirements for their networks.

In order, the top four mandatory mitigations are as follows:

Application Whitelisting

Patch management for third-party software (e.g., Adobe or Java)

Patch management for operating systems

Privilege management (limit the number of users with domain or local admin rights)

In a note to CSO, Ferguson said that patch management is a bit of a red herring.

"It's really about vulnerability management, sometimes patching is not an option, and almost always, for an enterprise, patching immediately is definitely impossible."

At the beginning of this series, it was explained that the difference between a targeted attack (or APT-based incident) and a passive attack is intent, and the overall objectives of the actors behind it. The TTPs (tactics, techniques, and procedures) don't matter. Your organization is far more likely to be a victim of opportunity than a targeted mark for a nation state or organized syndicate.

Given that reality, layered defenses will work to address both situations. Awareness and visibility are the key to reacting more quickly and limiting loss. Nothing is perfect, and a persistent campaign will succeed eventually, but it is possible to make things harder for the attacker(s) and to lessen the damage. The trick is to weigh the risks and develop a security plan that fits the needs of the organization first, rather than the generic fears associated with APTs.

Stories by Steve Ragan