In part five of a series on understanding the processes and tools behind an APT-based incident, CSO examines the exfiltration phase. At this point, all of the other phases are complete, and if the campaign hasn't been halted before now, it's likely that data will be removed from the network.
Exfiltration is the endgame for an attacker. If the attack -- and it doesn't matter if the attack is passive or targeted -- has made it to this point, your day is about head up a famous creek and you're missing a paddle.
Once the targeted data has been located, it will be copied and moved directly across the established C2 connection in bulk, or it may be copied to another area on the network, and moved across the established C2 channel in smaller, easily managed chunks. From this description, it should be easy to spot the passive, opportunistic attack, and the targeted one.
As mentioned previously, passive attacks are noisy, and they are easily detected by layered defenses because of this noise. However, since passive attacks work on volume first, noise isn't an issue to the person running such a campaign. Targeted attacks on the other hand, are the exact opposite.
The person(s) running targeted campaigns have taken care to keep a low profile while they work, so a massive data dump isn't likely. Instead, the targeted attack will see data leave the network via a C2 channel that is just as innocent looking as the traffic carrying the compromised data.
In the previous article covering the C2 phase, we explained that an opportunistic attack will often use a communications channel with a poor reputation. The attacker(s) in this scenario will use the same easily identified channel for each compromised host, with no variation.
Opportunistic attacks such as this exfiltrate data to bullet proof servers, located in datacenters within countries that are often out of reach for local law enforcement, or where local laws do not prohibit their intended use. In cases such as these, there is no help to be expected from the ISP (or webhost). So if you didn't stop the data from leaving, as it was happening; even if you discover where it went, such knowledge may be of little use legally.
Targeted attacks however, will use a C2 channel that is clean, often by compromising a legitimate server to store data on in the short term. In many cases, the compromised server's administrators have no clue that they're hosting data that isn't their own, and by the time they realize something's amiss, the criminal(s) behind the incident are long gone.
During the exfiltration phase, the best defense is awareness. You'll need to know what data is moving in and out of your network at all times. This is why monitoring outbound traffic is just as important as monitoring incoming traffic.
DLP solutions are often touted as an answer to the exfiltration phase, but they're not foolproof. However, if tuned properly, DLP offerings can help monitor network traffic, and control it. They can spot unauthorized encryption, something that passive and targeted attacks will use to hide communications with the outside. And likewise spot abnormal traffic patterns, and raise red flags.
In addition, monitoring user account activity is also worth a mention as a defense, particularly legit accounts that are taking actions that are abnormal, either abnormal activities, abnormal volume, or actions at abnormal times.
"Most attackers will have worked to secure legitimate credentials to access your data, so your best bet is trying stop spot abnormal user activity. Of course to do this you will have had to establish a set of baselines to measure against. This is critical," Rik Ferguson, the VP Security Research at Trend Micro, told CSO.
The same measures used to guard against C2 channels can also work for exfiltration, including policies that block access to domains by IP address only (ACL rules), IPS and IDS systems (which can be used with proper tuning to monitor all phases of a campaign), and application-based firewall rules that control what programs are allowed to send traffic to the outside. These rules can also be applied to workstations or network segments, depending on your organization's infrastructure.
Assuming you catch the exfiltration process as it is taking place, logs will be a key resource in the incident response, because they can help determine what happened, how it happened, and what was taken. Answering the question of "Who" is possible, but realistically it's unlikely. Often, during either a passive or a targeted campaign, attribution is fueled by assumptions rather than fact.
No matter what the mitigation however, the fact remains that the best bet is to prevent an incident before it can happen. This is what the Australian Signals Directorate (ASD) has focused their energies on, after their networks were constantly being targeted by "adversaries seeking access to sensitive information."
In a rather extensive workup on mitigations that deal with targeted intrusions, the ASD singled out four absolute essentials, designating them as mandatory requirements for their networks.
In order, the top four mandatory mitigations are as follows:
Patch management for third-party software (e.g., Adobe or Java)
Patch management for operating systems
Privilege management (limit the number of users with domain or local admin rights)
In a note to CSO, Ferguson said that patch management is a bit of a red herring.
"It's really about vulnerability management, sometimes patching is not an option, and almost always, for an enterprise, patching immediately is definitely impossible."
At the beginning of this series, it was explained that the difference between a targeted attack (or APT-based incident) and a passive attack is intent, and the overall objectives of the actors behind it. The TTPs (tools, tactics, and procedures) don't matter. Your organization is far more likely to be a victim of opportunity than a targeted mark by a nation state or organized syndicate.
Given that reality, layered defenses will work to address both situations. Awareness and visibility is the key to reacting quicker, and limiting loss. Nothing is perfect, and a persistent campaign will succeed eventually, but it is possible to make things harder for the attacker(s), and to lessen the damage. The trick is to weigh the risks, and develop a security plan that fits the needs of the organization first, and not the generic fears associated with APTs.