How Attackers Siphon Data In Targeted, APT Attacks
Researchers provide rare inside peek at the exfiltration methods used in targeted attacks
January 18, 2011
ARLINGTON, VA -- Black Hat DC -- Incident-response experts specializing in targeted, advanced persistent threats (APTs) here today revealed some common exfiltration techniques by these typically nation-state sponsored attacks.
It's difficult to know for sure just how many APT attacks actually occur -- mainly because victim organizations aren't required to report them as long as customer data isn't breached, and many prefer to keep it under wraps. "A large percentage of organizations don't report it to law enforcement. They want to remediate, keep it quiet, and move on," says Sean Coyne, a consultant with Mandiant. "We have seen attackers that have been there [inside organizations] for months and years," for example, he says.
Since the goal of these types of attacks is to maintain access over a period of time undetected, these attackers typically begin with a spear-phishing email attack that infects a workstation, or several workstations, in the targeted organization. "Once he has a shell, he has access. From there, he can move laterally and get other accounts," Coyne says.
After the attacker zeroes in on the data he wants, he sets up a staging area -- typically an end-user workstation. That's where the data transfer occurs, according to Coyne, and the data gets packaged as an RAR, ZIP, or CAB file, for instance. "One large data transfer is tougher to detect and hard to stop ... by the time you notice it, it's too late to stop it," Coyne says.
Workstations make better staging areas than servers because they have plenty of available storage, and the typical end user isn't likely to notice a 25- to 50-gigabyte transfer of data from his machine over a long period of time. Servers, on the other hand, are obviously monitored by administrators and thus not the ideal staging platforms, he says.
Most attackers camouflage their data getaway by transmitting the stolen data or files via an outbound FTP connection or HTTP-S. "Attackers are going to do everything they can to blend in," he says. And their command and control server is rarely the same as the drop site where they send the stolen files, he notes.
Even when an organization or its hired security guns discover an attacker's drop-site, that's only a fraction of the stolen goods, he says. "Don't think for a second that it's the end of it. You're [likely] only seeing a small piece of it," Coyne says.
And interestingly, most attackers pick up their data at set, rather than random, times. "They will come back and get their data on a schedule," like a job, says Ryan Kazanciyan, principal with Mandiant.
In one case Mandiant worked on, a defense contractor had more than 120 gigabytes worth of documents siphoned from its network over several months. The attackers used six different staging workstations to store, prepare, and transmit the stolen data back home.
Coyne and Kazansicyan shared case studies of three of Mandiant's nonclassified clients hit by APT attacks, each of which didn't learn of their breaches until after law enforcement alerted them. Each attack began with a phishing email, and had been underway for several months or years before being discovered.
A midsize enterprise had 50 of its hosts compromised by attackers looking for the organization's email addresses. "They had a command line interface tool that established an HTTP-S connection to Hotmail" to ferry the stolen data, Kazanciyan says, which blended in as legitimate traffic.
In another attack that Mandiant investigated, a small firm of 2,000 host machines was hit by a Poison Ivy-based backdoor that infected more than 150 hosts. This enterprise ended up getting attacked all over again after it cleaned up from the first attack. "They got spear-phished again. And the attackers took a completely different approach to the attack" the second time, Kazanciyan says.
"Most of these breaches are not to get operational control or to disrupt operations. The attackers usually gain continued access to data," Kazansicyan says. "It's not a big whiz-bang event, but a lot more covert and continuous."
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.
About the Author
You May Also Like