Thought Leadership

May 18, 2016

In Plain Sight: The Perfect Exfiltration

Next week, on May 27, 2016, from 2 – 3 pm, Itzik Kotler, our CTO and co-founder and I will be presenting “In Plain Sight: The Perfect Exfiltration” at Hack In The Box in Amsterdam, Netherlands. Here’s a link to the media alert.

If you’ve not heard of Hack In The Box, it’s a “must-attend” security conference featuring two days of technical trainings and a two-day multi-track conference featuring technical security talks (by some of the best names in security), a Capture the Flag competition, technology exhibition and a Haxpo Hackerspaces village.

If you are an avid viewer of the U.S. FBI Profiler show Criminal Minds, you might have caught a Hack In The Box mention in one of the episodes in season 10. A character of the show, Supervisory Special Agent David Rossi, references Hugo Teso’s Aircraft Hacking Talk from #HITB2013AMS, citing how he demonstrated the ability to hack and take control of an aircraft.

So, how did we end up working on this exfiltration project?

Better Exfiltration Methods

It’s Itzik’s fault really. In mid-2015 he began challenging me to find better and better exfiltration methods. Exfiltration is the act of sending data from within an enterprise network to an external party (think, the opposite of infiltration). This gets interesting when the exfiltration is intentional and the data is sensitive.

Why are we looking at exfiltration methods you ask? Being able to understand exfiltration breach methods is important, because this is typically the last step in the cyber kill chain before an attacker gets away with the important data; and at SafeBreach, we believe that in order to properly understand your risks, validate your security controls and better prioritize your efforts, you must play the role of an attacker. By putting yourselves in the mindset of an attacker, you can better anticipate and validate how you can be attacked, allowing you to quickly take corrective action on the things that matter.

Our platform continuously executes hacker breach methods to find holes in the environment before an attacker does. We not only break down common attacks into breach methods that can be executed on our continuous security validation platform, but we also come up with new techniques. In other words, we don’t simply rely on what’s known, but “play the hacker” and think one step ahead. We want to anticipate the hacker’s next move rather than simply respond to it.

As part of our exfiltration research activities , Itzik and I engaged in a month-long dialogue going back and forth with ideas, concepts and counter attacks. One day this discussion led us to the concept of “perfect exfiltration”.

At the time, we didn’t quite know what it would encompass, but we were determined to find out. Now, when considering exfiltration data from an enterprise, it makes sense to look for covert channels that can be used by internal entities to send data to external entities outside of those channels managed and authorized by the enterprise. If exfiltration is conducted over authorized channels, security policy (implemented through security products) is likely to detect and prevent the act.

We determined we needed an approach that:

  • Should be able to resist normal network monitoring detection by the enterprise
  • Should not trigger any behavioral alerts or anomalies, under the assumption that the enterprise will have an understanding of normal Internet usage (IP addresses, reputation) and its corporate users (profiles, typical network “habits”, etc)
  • Should not require special software (beyond a popular browser), and can be implemented manually.

Altogether, we came up with a list of ten requirements, what we’re calling the “ten commandments” that our perfect exfiltration technique had to meet.

Eventually, we found a technique (or rather, a family of techniques) based on regular (HTTP) browsing, some of them with caching involved, that fulfills all “ten commandments”. This approach uses very low throughput, in a manner indistinguishable from genuine traffic and unlikely to raise suspicions that data is being leaked, even with analysis of enterprise network traffic.

Sounds too good to be true? Join us at Hack In the Box and find out. Our talk will discuss all of the “Ten Commandments” we defined as requirements to achieve the “perfect exfiltration”. We then deep dive into our family of techniques and demo how this can be achieved within the typical organization.

Our objective is not only to demonstrate an innovative breach technique but hopefully shine a light on the importance of always pushing the envelope when it comes to security. The only way to properly battle relentless and highly-motivated attackers is by continuously validating your security risks, challenging your security controls and innovating how you secure your environment.

Get the latest
research and news