Blog
How To Monitor Sensitive Data & Stop Exfiltration via The Network
Chase Snyder
August 28, 2020
The act of data exfiltration—moving sensitive data like intellectual property or payment card information out of a target environment and into a separate location under the control of the adversary—is the ultimate goal of many cyber attacks.
Despite the wide array of technologies that promise to detect and prevent data theft, many breaches are reported in the news every year. The financial impact, regulatory fines, and overall scope of these breaches are enormous.
This blog post will explore why current, status quo mechanisms for monitoring sensitive data movement and stopping breaches aren't working, and offer a way to improve the efficacy of sensitive data monitoring using network detection and response.
When and How Do Attackers Move Sensitive Data?
To catch sensitive data movement at critical junctures during an attack, you need to understand what an attacker is trying to do with the data. Attackers will:
- Gain access to an individual machine on their target network.
- Attempt to escalate their privileges and gain root/admin access on that machine.
- Conduct internal reconnaissance to find other machines to compromise to assure that if one access point is lost, they still have a toehold in the environment.
That toehold is only useful if they can eventually expand it and use it to steal data. Monitoring sensitive data movement offers a key opportunity to catch an adversary during the late stages of an attack, but before they exfiltrate data.
With admin privileges in hand and persistence established, the attacker will conduct more intensive internal reconnaissance. This can result in several clear signals that sensitive data is at risk. Some signs of this attack stage are:
- Login failures or "access denied" events on sensitive storage or databases.
- Unusual behavior patterns among privileged accounts—like logging in at unusual times or from unusual locations.
Once an attacker has located sensitive data and attained the credentials needed to access it, they probably aren't going to move it off all at once. They also probably can't just dump it directly from its (hopefully more secure) primary location to their own server somewhere else on the internet.
They'll need to gradually move the data to a machine they control, and then trickle it out through some obscure channel. That might be the same channel by which they established a command and control link when they first compromised the network. This phase of the attack can generate several strong signals of an attack in progress, but only if you're watching for them.
Why The Status Quo For Sensitive Data Monitoring Doesn't Work
Like we said before, there are many technologies that promise to monitor sensitive data and prevent breaches. So why do breaches keep happening? You could argue that hackers are always developing new, sophisticated ways to steal data, but the truth is that most data breaches don't make use of some fancy, brand new zero day.
Attackers use tried and true mechanisms like brute force attacks to access privileged accounts, network scanning to map out the territory, and standard protocols like HTTP/S, DNS, or even FTP to exfiltrate the data. The breach of a major U.S. bank, in which over 30Gb of customer financial records were stolen, used well-known and detectable mechanisms to find and exfiltrate the highly sensitive data. How did that happen, and how can you prevent it from happening to you?
Ask yourself, how would you detect sensitive data being moved in small pieces to a less sensitive location within your own network? Common answers might be:
- Internal firewall deployments preventing certain data from crossing between network segments.
- Zero-trust architecture requiring all data access and movement to require verification and authentication before being allowed.
- Data Loss Prevention technologies that examine the contents of data being moved, check whether the data contains sensitive information, and if the data movement itself is in violation of pre-existing policies.
These approaches, while valid, share a few challenges, including:
- Internal firewall deployments can be costly and require a lot of effort to deploy and maintain. Zero-trust architecture may require a complete rebuild of the network environment because it is an entirely different paradigm from the existing network architecture. These obstacles may prevent you from deploying the technology enterprise-wide, leaving blind spots.
- Data Loss Prevention technology similarly requires buy-in from many teams and may require the deployment of agents on every device to be monitored, leading to management burdens that reduce the likelihood of being deployed widely enough to really work.
- These approaches and many others affect overall endpoint and network performance. If data has to be actively inspected before transferring, that uses compute cycles and network bandwidth.
Why Network Detection & Response Is Better for Sensitive Data Monitoring
Network detection and response platforms like ExtraHop Reveal(x) passively observe and analyze network traffic in real time to detect risky or unauthorized data movement. This approach offers certain benefits:
- It's covert and cannot be tampered with. Attackers don't know you're watching. They can turn off or alter activity logging on any endpoints they control, and even delete existing logs, but they can't hide from the network.
- It's passive. NDR platforms receive traffic from a TAP or port mirror, so they sit out of band and don't impact network throughput or endpoint performance at all.
- It sees everything. Because NDR sees all of the traffic that crosses the wire, it doesn't rely on pre-written rules or policies to decide what to analyze.
In today's large dynamic environments, this kind of always-on visibility that covertly watches every transaction, and can even capture packets for forensics, is the only way to assure complete visibility with 100% coverage of sensitive data in a network.
Watch the short video at the top of this blog post to see how Reveal(x) monitors sensitive data better than other methods, or try out a demo of Reveal(x) for yourself!
Discover more