EXFILTRATION

WHAT

Some adversaries target sensitive information, such as blueprints, security requirements documents, or vulnerability information from a compromised system or enclave.

WHY

Many adversaries conduct attacks to gain access to information such as building plans, IP ranges, software versions, and hardware lists. By removing this data, adversaries may be able to analyze organizational information from the safety of their remote location. Even if their activity is detected by the compromised agency and their campaign is ended, the stolen data is still available to the attacker for later use.

HOW

Attackers can package and send data to various systems on the internet either over existing C2 channels or hidden within traffic flowing through common ports and protocols, such as HTTPS. APT39 has also used the legitimate web service Dropbox to conduct C2 for uploading and downloading stolen files and malicious code.

RVA Attack Analysis

Exfiltration over C2 Channel: 68.2 percent of successful exfiltration attempts by the assessment teams were conducted through C2 channels. Using the same channels previously established for remote access allowed the teams to download information without establishing additional pathways and potentially alerting network defenders.

Impact

The analysis of stolen information may lead to the recreation of blueprinted technologies, targeting of supply chain components, or public release of information to achieve other sociopolitical objectives.

Mitigation/Remediation

  • Deploy network IDS/IPS to alert or stop network traffic associated with known malware. At the network boundaries, IDS and IPS protections use signature-based analysis to determine if traffic is malicious.
  • Implement SSL decryption for web proxies and ensure all internet traffic flows through this mechanism. Monitor cleartext traffic for unusual activities.
  • Deploy data loss prevention (DLP) tools to detect and provide alerts on unauthorized data removal.
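The RVA finding above (exfiltration riding on an already-established C2 or HTTPS channel) and the monitoring recommendations in this list both come down to the same defender question: which outbound sessions are sending far more than they receive? The following is an added example, not code from the CISA page or from any RVA tooling, of the kind of check a DLP or web-proxy monitoring rule applies once traffic is decrypted. The proxy log format, hostnames, client addresses and thresholds are all constructed for illustration and are not drawn from the page.

```python
"""
Added example (not from the CISA RVA page): flag upload-heavy outbound HTTPS
sessions in web-proxy logs. Normal browsing is download-heavy; bulk removal of
data inverts that ratio, which is the signal a DLP or proxy rule can key on.
All log lines, hostnames and thresholds below are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy log lines (one session each):
# timestamp, client IP, destination host, port, bytes sent by client, bytes received.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 10.1.2.3 www.example-intranet.local 443 1200 48000
2024-03-01T09:00:05Z 10.1.2.3 content.example-cdn.net 443 900 310000
2024-03-01T09:01:10Z 10.1.2.9 files.example-storage.com 443 52000000 4100
2024-03-01T09:01:40Z 10.1.2.9 files.example-storage.com 443 61000000 3900
2024-03-01T09:02:00Z 10.1.2.3 mail.example-intranet.local 443 3000 22000
2024-03-01T09:02:30Z 10.1.2.7 updates.example-vendor.com 443 1500 95000000
"""


@dataclass
class Session:
    ts: str
    client: str
    host: str
    port: int
    bytes_out: int  # sent by the internal client (the exfiltration direction)
    bytes_in: int   # received by the internal client


def parse_log(text: str) -> list[Session]:
    """Parse the constructed whitespace-separated proxy log format."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, port, out, inn = line.split()
        sessions.append(Session(ts, client, host, int(port), int(out), int(inn)))
    return sessions


def find_upload_heavy(sessions: list[Session],
                      min_bytes_out: int = 10_000_000,
                      min_ratio: float = 5.0) -> list[dict]:
    """Aggregate per (client, destination host) and flag pairs whose outbound
    volume exceeds an absolute floor AND dwarfs what they downloaded.
    Both conditions are needed: the ratio alone would flag tiny POSTs, and the
    volume alone would flag large legitimate downloads with small uploads."""
    totals: dict[tuple[str, str], list[int]] = defaultdict(lambda: [0, 0])
    for s in sessions:
        totals[(s.client, s.host)][0] += s.bytes_out
        totals[(s.client, s.host)][1] += s.bytes_in

    alerts = []
    for (client, host), (out, inn) in totals.items():
        ratio = out / max(inn, 1)  # avoid division by zero on upload-only flows
        if out >= min_bytes_out and ratio >= min_ratio:
            alerts.append({"client": client, "host": host,
                           "bytes_out": out, "bytes_in": inn,
                           "ratio": round(ratio, 1)})
    return alerts


if __name__ == "__main__":
    for alert in find_upload_heavy(parse_log(SAMPLE_LOG)):
        print(f"ALERT upload-heavy: {alert['client']} -> {alert['host']} "
              f"sent {alert['bytes_out']} bytes, received {alert['bytes_in']} "
              f"(ratio {alert['ratio']})")
```

In the constructed sample only the 10.1.2.9 to files.example-storage.com pair trips the rule (about 113 MB out against 8 KB in); the large download from the vendor update host is ignored because its outbound volume is tiny. Tuning is the real work: the absolute floor and ratio should be set from a baseline of the organization's own proxy data, and the same aggregation can be run over a longer window to catch slow, chunked uploads that stay under the per-session threshold.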