Data Exfiltration Techniques and Countermeasures (Pentester’s Perspective)

Presented at null Dubai Meet 27 October 2017 Monthly Meet

Pralhad Chaskar

October 27, 2017

Transcript

  1. Data Exfiltration Techniques and Countermeasures (Pentester’s Perspective)
     By: Pralhad Chaskar (@c0d3xpl0it)
  2. Data Exfiltration
     Exfiltration refers to techniques and attributes that result in, or aid, the adversary removing files and information from a target network.
     Ref: https://attack.mitre.org/wiki/Exfiltration
  3. What are the crown jewels of any business?
     • Personal Identifying Information (PII)
     • PCI data
     • Patient Health Information (HIPAA)
     • Intellectual property
     • Etc.
  4. Why do pentesters need to know about exfiltration?
     • A regular pentest revolves around finding and exploiting a particular vulnerability in a system, or testing the security controls in place at that point in time, or achieving Domain Admin ;)
     • Attackers are exfiltrating data from victims, so why can't we test the same thing and help customers before an outsider exploits it?
  5. Ways of Exfiltration
     • Automated Exfiltration
     • Data Compressed
     • Data Encrypted
     • Data Transfer Size Limits
     • Exfiltration Over Alternative Protocol
     • Exfiltration Over Command and Control Channel
     • Exfiltration Over Other Network Medium
     • Exfiltration Over Physical Medium
     • Scheduled Transfer
     Ref: https://attack.mitre.org/wiki/Exfiltration
  6. Tricks of the trade
     • After you have a foothold in the network:
     • Step 1: Find out which ports are allowed from inside to outside
       • nmap -sS -Pn open.zorinaq.com
       • nmap -sS -Pn portquiz.net
     • Step 2: Choose the protocol over which you want to exfiltrate the data
     • Step 3: Choose the data you want to exfiltrate
     • Step 4: Start the exfiltration
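The Step 1 scan is only useful once its result is read against the egress policy the firewall is supposed to enforce. As an added example, not part of the talk and not Egress-Assess code, the Python below parses nmap's grepable output (`-oG`) from a scan of portquiz.net, which listens on every TCP port, so any port reported open is one the egress filter let through, and lists the ports that the assumed allow-list does not permit. The scan text, the address 203.0.113.10 and the allow-list of 80/443 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -sS -Pn -oG - portquiz.net` output (not a real scan;
# the address 203.0.113.10 is from the documentation range).
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Fri Oct 27 10:00:00 2017 as: nmap -sS -Pn -oG - portquiz.net
Host: 203.0.113.10 (portquiz.net)\tStatus: Up
Host: 203.0.113.10 (portquiz.net)\tPorts: 22/filtered/tcp//ssh///, 53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (995)
# Nmap done at Fri Oct 27 10:01:00 2017 -- 1 IP address (1 host up) scanned in 60.00 seconds
"""

# Assumed egress policy for the example: only web traffic may leave directly.
ALLOWED_EGRESS = {(80, "tcp"), (443, "tcp")}

# Each port entry in -oG output looks like port/state/protocol/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_open_ports(gnmap_text):
    """Return {host_ip: {(port, proto), ...}} for every port nmap reported as open."""
    result = defaultdict(set)
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:  # the "Status: Up" line carries no ports
            continue
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                result[host].add((int(port), proto))
    return dict(result)


def egress_violations(open_ports, allowed):
    """Ports that reached the all-ports test host but are not in the allow-list.

    Because portquiz.net answers on every TCP port, "open" here means the
    egress filter let the connection through, not that a service happened
    to be listening.
    """
    violations = []
    for host, ports in open_ports.items():
        for port, proto in sorted(ports):
            if (port, proto) not in allowed:
                violations.append((host, port, proto))
    return violations


if __name__ == "__main__":
    reachable = parse_open_ports(SAMPLE_GNMAP)
    for host, port, proto in egress_violations(reachable, ALLOWED_EGRESS):
        print(f"egress policy gap: {port}/{proto} reachable via {host}")
```

Run from the inside of the network whose egress filter is being tested, the same parser works on `nmap -sS -Pn -oG scan.gnmap portquiz.net` output; every line the script prints is a port the firewall team believed was blocked, which is exactly the gap the countermeasure slides later tell you not to trust blindly.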
  7. (image-only slide, no transcript text)
  8. Tool of the Trade: Egress-Assess
  9. What does this tool do?
     • It works on a standard client/server model
     • Simulates data exfiltration
     • Exfiltrates data over multiple protocols:
       • HTTP / HTTPS
       • FTP / SFTP
       • ICMP
       • SMB
       • DNS / DNS_Resolved
     • Simulates malware or APT traffic
     • Easy to go ;)
  10. (image-only slide, no transcript text)
  11. Countermeasures (…some of them)
     • Firewall egress filters
     • Don't blindly trust perimeter security tools, test them!!
     • Monitor the volume and frequency of data transmission by your users over email and other organizational messaging tools.
     • Block unauthorized communication channels
     • Prevent phishing attacks and credential theft
     • Security-aware employees
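The "monitor the volume and frequency" countermeasure is simple to state but needs concrete logic to be useful. As an added example that is not part of the talk, the Python below aggregates outbound bytes and request counts per user per hour from proxy log records and flags hour windows that exceed either a volume threshold (a few large uploads, as an Egress-Assess run over HTTP or FTP would produce) or a frequency threshold (many small posts, as a chunked transfer over a low-bandwidth channel would). The log format, the user names and destinations, and the two thresholds are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real traffic): one record per outbound request.
# bob uploads two large files within one hour; carol makes 250 small POSTs in one hour.
SAMPLE_LOG_LINES = [
    "2017-10-27T09:05:12Z user=alice dst=mail.example.com method=POST bytes_out=2048",
    "2017-10-27T09:07:40Z user=alice dst=wiki.example.com method=GET bytes_out=310",
    "2017-10-27T09:09:03Z user=bob dst=files.example.net method=PUT bytes_out=734003200",
    "2017-10-27T09:15:27Z user=bob dst=files.example.net method=PUT bytes_out=812000000",
    "this line is not a proxy record and must be skipped",
] + [
    f"2017-10-27T10:{i // 5:02d}:{(i % 5) * 10:02d}Z user=carol dst=paste.example.org method=POST bytes_out=5120"
    for i in range(250)
]

# Record layout assumed for the example; a real proxy has its own format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) method=(?P<method>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one record of the constructed format; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "dst": m["dst"],
        "method": m["method"],
        "bytes": int(m["bytes"]),
    }


def aggregate_by_user_hour(lines):
    """Total bytes out, request count and distinct destinations per (user, hour window)."""
    stats = defaultdict(lambda: {"bytes": 0, "count": 0, "dsts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        window = rec["ts"].replace(minute=0, second=0)
        entry = stats[(rec["user"], window)]
        entry["bytes"] += rec["bytes"]
        entry["count"] += 1
        entry["dsts"].add(rec["dst"])
    return stats


def find_anomalies(lines, bytes_threshold=500_000_000, count_threshold=200):
    """Flag (user, window) pairs that exceed the volume or the frequency threshold.

    The thresholds are assumed values for the example; in practice they are
    tuned against each user's or department's baseline rather than fixed globally.
    """
    flagged = []
    for (user, window), s in sorted(aggregate_by_user_hour(lines).items()):
        reasons = []
        if s["bytes"] > bytes_threshold:
            reasons.append("volume")
        if s["count"] > count_threshold:
            reasons.append("frequency")
        if reasons:
            flagged.append((user, window.isoformat(), s["bytes"], s["count"], reasons))
    return flagged


if __name__ == "__main__":
    for user, window, total, count, reasons in find_anomalies(SAMPLE_LOG_LINES):
        print(f"{window} {user}: {total} bytes in {count} requests -> {', '.join(reasons)}")
```

The two rules catch the two shapes of transfer the talk's tool can generate: bob trips the volume rule with two uploads and carol trips the frequency rule with many tiny ones that never add up to much data. Unparsable lines are skipped rather than failing the run, which matters when the same logic is pointed at a real proxy log with mixed record types.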
  12. (image-only slide, no transcript text)