Exfiltration techniques: an examination and emulation

Date
2011
Publisher
University of Delaware
Abstract
Data exfiltration is the process of transmitting data from an infected or attacker-controlled machine back to the attacker while attempting to minimize detection. In current attack scenarios, an attacker will attempt to break into a network, achieve control of a target machine and steal sensitive data. Current network defense mechanisms are largely implemented to prevent attackers from entering a network; however, there are typically few defenses implemented which prevent sensitive data from leaving a network. In addition, a major obstacle is the inability of researchers to know exactly how data will be exfiltrated from a machine. Currently, detection suites focus on attributes of the sensitive data being stolen, such as file names and keywords. However, simple modification by the attacker of the data or of the exfiltration channel can bypass these defense mechanisms. In order to better understand how to defend against this type of activity, the attack surface must be examined. In this research, we examine the attack surface of data exfiltration by characterizing different exfiltration methods and observing common characteristics between them. By exploring the taxonomy of exfiltration techniques, we hope to help the research community improve existing detection algorithms and identify patterns that can be used to create new detection algorithms. After examining each method, a test bench suite was designed and implemented which emulates the data exfiltration process. This plug-in based framework allows a researcher to test common exfiltration methods on any given data. The framework is also extensible, in that plug-ins can be quickly implemented using a wide array of existing libraries. The results from this research show that there is a set of common characteristics among all methods that can be used to help further research on detection algorithms. Features such as exfiltration timing, destination determination and traffic symmetry can be used to construct a stronger detection suite.
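The three features named in the closing sentence (timing, destination, traffic symmetry) can be scored per destination from ordinary flow records. The following is an added illustration, not code from the thesis or its test bench; the flow records, the baseline of known destinations, the thresholds and all function names are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (hypothetical): (time_seconds, destination, bytes_out, bytes_in).
# The first destination receives large, evenly spaced uploads; the second is ordinary browsing.
FLOWS = [
    (0, "203.0.113.9", 51200, 300), (300, "203.0.113.9", 50900, 280),
    (600, "203.0.113.9", 51500, 310), (900, "203.0.113.9", 51000, 290),
    (17, "192.0.2.10", 700, 42000), (412, "192.0.2.10", 900, 61000),
    (1330, "192.0.2.10", 650, 38000),
]
# Hypothetical baseline of destinations this host has talked to before.
KNOWN_DESTINATIONS = {"192.0.2.10"}


def score_destinations(flows, known, ratio_threshold=10.0, cv_threshold=0.2, min_flows=3):
    """Group flows by destination and flag the three features from the abstract:
    destination novelty, upload-heavy asymmetry, and regular (periodic) timing."""
    by_dst = defaultdict(list)
    for t, dst, out_b, in_b in flows:
        by_dst[dst].append((t, out_b, in_b))

    results = {}
    for dst, recs in by_dst.items():
        recs.sort()
        out_total = sum(r[1] for r in recs)
        in_total = sum(r[2] for r in recs)
        ratio = out_total / max(in_total, 1)          # traffic symmetry: bytes out vs in
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Coefficient of variation of inter-flow gaps: near 0 means clockwork timing.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None

        flags = []
        if dst not in known:
            flags.append("new_destination")
        if ratio > ratio_threshold:
            flags.append("upload_heavy")
        if cv is not None and len(recs) >= min_flows and cv < cv_threshold:
            flags.append("periodic")
        results[dst] = {"ratio": round(ratio, 2), "cv": cv, "flags": flags}
    return results


if __name__ == "__main__":
    for dst, info in score_destinations(FLOWS, KNOWN_DESTINATIONS).items():
        print(dst, info)
```

Each flag is weak on its own; the point of the abstract is that the combination across destinations is what a detection suite should score.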