Network traffic analysis for IR: Data exfiltration

Introduction

Understanding network behavior is a prerequisite for developing effective incident detection and response capabilities. ESG research has found that 87 percent of companies use Network Traffic Analysis (NTA) tools for threat detection and response capabilities, and 43 percent say that NTA is their first line of defense for that purpose.

Network communication is one of the channels that cybercriminals use for data exfiltration. They can send files over HTTP or FTP so that the traffic looks legitimate to the incident response (IR) teams analyzing it. Alternatively, attackers can route their traffic through Tor to mask both their location and the traffic itself.

The IR teams working in a Security Operations Center (SOC) are always ready to counter data exfiltration using NTA tools and other prevention techniques. In this article, we will learn what data exfiltration is, how hackers steal your data, how dangerous data exfiltration is, which distribution techniques exfiltration uses, which malicious tactics are used to increase sophistication, and which remedies can thwart data exfiltration.

What is data exfiltration?

Data exfiltration is the illegal transfer of critical data and/or information from a targeted network to attacker-controlled systems. Detecting it is a daunting task, because data routinely moves in and out of networks and exfiltration traffic closely resembles normal network traffic.

How do attackers steal your data using network traffic?

To infiltrate a network and perpetrate data exfiltration, threat actors mostly rely on Advanced Persistent Threats (APTs) and botnets, both high-risk threats. Before the actual exfiltration, attackers locate their targeted information using various data collection and monitoring tools. Usually, threat actors use a mix of malicious and legitimate tools and methods to extract vital data from the victim’s machine(s), for example by using various internet protocols to send large volumes of traffic to the targeted machines.
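Because exfiltration over HTTP or FTP blends into ordinary traffic, one signal an IR team can extract from flow records is direction and volume: client hosts normally download far more than they upload. The following is an added example, not code from the original post; the flow records are constructed, and the watched ports and thresholds are assumptions a team would tune to its own baseline.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records for the example: (src, dst, dst_port, bytes_out, bytes_in).
# Ordinary browsing downloads far more than it uploads; one host is reversed.
FLOWS = [
    ("10.0.0.11", "198.51.100.20", 80,        4_200, 180_000),
    ("10.0.0.11", "198.51.100.20", 443,       3_900, 250_000),
    ("10.0.0.12", "198.51.100.21", 80,        5_100, 160_000),
    ("10.0.0.13", "203.0.113.7",   21,        2_600,  40_000),
    ("10.0.0.14", "203.0.113.9",   80,  612_000_000,   9_000),
    ("10.0.0.15", "198.51.100.5",  21,        1_700,  30_000),
]
WATCHED_PORTS = {80, 443, 21}  # HTTP, HTTPS, FTP control channel (assumed watch list)

def per_host_totals(flows, ports=WATCHED_PORTS):
    """Sum outbound and inbound bytes per internal source host on the watched ports."""
    totals = defaultdict(lambda: [0, 0])
    for src, _dst, port, out_b, in_b in flows:
        if port in ports:
            totals[src][0] += out_b
            totals[src][1] += in_b
    return {host: tuple(v) for host, v in totals.items()}

def flag_exfil_candidates(flows, ratio_limit=5.0, mad_k=10.0):
    """Return {host: [reasons]} for hosts whose upload pattern is anomalous.

    Two signals: (1) outbound bytes far above the peer baseline (median + k*MAD),
    and (2) an upload/download ratio far beyond what client traffic produces."""
    totals = per_host_totals(flows)
    outs = [out_b for out_b, _ in totals.values()]
    med = median(outs)
    mad = median(abs(o - med) for o in outs) or 1.0  # guard: all hosts identical
    findings = {}
    for host, (out_b, in_b) in totals.items():
        reasons = []
        if out_b > med + mad_k * mad:
            reasons.append(f"outbound {out_b} B vs peer median {med:.0f} B")
        ratio = out_b / max(in_b, 1)
        if ratio > ratio_limit:
            reasons.append(f"upload/download ratio {ratio:.1f}")
        if reasons:
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, reasons in flag_exfil_candidates(FLOWS).items():
        print(host, "->", "; ".join(reasons))
```

On the constructed data only 10.0.0.14 is reported, on both signals; a real deployment would compute the baseline per host role and time window rather than across all peers at once.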

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Fakhar Imam. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/d9THJG5Fkg4/