Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
Camp BGen Rafael T Crame, Quezon City
ACG-CYBER SECURITY BULLETIN NR 249: UNDERSTANDING THE THREATS BEHIND DATA EXFILTRATION
Reference Number ACG-CSB 052422249
The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG) and classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.
Data exfiltration, also known as “data extrusion”, is a technique used by malicious actors to carry out an unauthorized transfer of data from a computer. The transfer can be done manually by someone with physical access to the computer, or automatically and remotely by malware over a network, in which case it can be difficult to distinguish from normal network traffic.
A common definition of data exfiltration is the theft or unauthorized removal or movement of any data from a device. Data exfiltration typically involves a cybercriminal stealing data from personal or corporate devices, such as computers and mobile phones, through various cyberattack methods. It is also referred to as data exportation, data extrusion, data leakage, or data theft, any of which can pose serious problems for organizations. Failing to control information security can lead to data loss that causes reputational and financial damage to an organization.
Some strains of malware are designed to spread across an organization’s network and infiltrate other devices, searching for sensitive corporate data to exfiltrate. Other types of malware will lie dormant on a network to avoid detection by the organization’s security systems until data is exfiltrated covertly, or information is gradually collected over a period of time.
Attacks can result from malicious insiders stealing their own organization’s data and sending documents to their personal email address or cloud storage services, potentially to sell to cyber criminals. They can also be caused by careless employee behavior that lets corporate data fall into the hands of bad actors.
The techniques cyber criminals use to exfiltrate data from organizations’ networks and systems are becoming increasingly sophisticated, which helps them avoid detection. These include anonymizing connections to servers; Domain Name System (DNS), Hypertext Transfer Protocol (HTTP), and Hypertext Transfer Protocol Secure (HTTPS) tunneling; direct Internet Protocol (IP) addresses; fileless attacks; and remote code execution.
The type of data most sought after is credentials of all kinds, most often passwords, cryptographic keys, and certificates. The main reason is that obtaining credentials is a well-established practice in almost every area of offensive security: it is often the preferred way to gain access to resources, because it saves time and effort and is frequently the most direct route to other data.
Cyberattacks using techniques that are more difficult to detect can be mistaken for regular network traffic. This means they can lurk in networks unnoticed for months or even years, and the data exfiltration is often only discovered after the damage to the organization has already been done. When cyber criminals successfully carry out data exfiltration, they may use the newly obtained data to damage the company’s reputation, for financial gain, or for sabotage.
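DNS tunneling, one of the channels listed above, leaves a recognizable trace in resolver logs: many distinct, long, random-looking subdomain labels queried under a single domain. The following detection script is an added example written for this bulletin, not code from the PNP ACG; the log format, the sample lines, the domain names and the thresholds are all constructed assumptions, and a production version would use a Public Suffix List rather than the last-two-labels rule used here.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample resolver log (not real traffic): "<timestamp> <client> <qname> <qtype>".
# Client 10.0.0.7 sends long, random-looking labels under one domain, the shape of a DNS tunnel.
SAMPLE_LOG = """\
2022-05-24T10:00:01 10.0.0.5 www.example.com A
2022-05-24T10:00:02 10.0.0.5 mail.example.com A
2022-05-24T10:00:03 10.0.0.7 kq7x2mwdh9bvtzn4pl8ce3rjfa6y.tunnel-example.net TXT
2022-05-24T10:00:04 10.0.0.7 w3nz8rtq5hbjk2vyc7pd9mxf4lae.tunnel-example.net TXT
2022-05-24T10:00:05 10.0.0.7 p9dxf6wrkc2tyjq3nmb7zvh5la8e.tunnel-example.net TXT
2022-05-24T10:00:06 10.0.0.7 z4mqt7fhxw9bjkv2rpc3dnl8yea6.tunnel-example.net TXT
2022-05-24T10:00:07 10.0.0.5 a1b2.cdn.example.com A
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits per character of the string; encoded payloads score higher than plain words."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_qname(qname):
    """Assumption: the last two labels form the registrable domain (no Public Suffix List lookup)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def score_dns_log(log_text, min_unique=3, min_avg_len=20, min_entropy=3.0):
    """Return {domain: stats} for domains whose subdomain labels look like encoded data."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        domain, sub = split_qname(m.group(3))
        if sub:
            per_domain[domain].add(sub)
    suspicious = {}
    for domain, subs in per_domain.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        # Many distinct, long, high-entropy labels under one domain is the tunnelling signature.
        if len(subs) >= min_unique and avg_len >= min_avg_len and avg_ent >= min_entropy:
            suspicious[domain] = {"unique_subdomains": len(subs), "avg_label_len": round(avg_len, 1), "avg_entropy": round(avg_ent, 2)}
    return suspicious
```

Running `score_dns_log(SAMPLE_LOG)` flags only `tunnel-example.net`; the ordinary `example.com` names stay below the length and entropy thresholds, which should be tuned against a baseline of the organization's own legitimate traffic (CDNs and some security products also generate long labels).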
Data exfiltration is a serious and ongoing issue in the field of information security. The number and capabilities of data exfiltration vectors are growing at an alarming rate. The existence and emergence of such attack vectors make the data exfiltration countermeasures critical for an organization’s security. These countermeasures are designed to prevent, detect, and investigate data exfiltration attempts.
All PNP personnel as well as the public are advised to follow these tips to understand the threats behind data exfiltration and avoid being a victim of it:
- Block unauthorized communication channels;
- Scan emails sent from systems with access to sensitive data to ensure they do not contain unauthorized content;
- Wrap files with Digital Rights Management (DRM) tools;
- Implement data encryption and a backup process;
- Systematically revoke data access for former employees; and
- Prevent the installation of insecure third-party software, such as social media apps or unauthorized browser plugins, on devices with access to sensitive data.
For additional information, please refer to the following websites:
POINT OF CONTACT