Network traffic analysis for IR: data exfiltration

Introduction

Understanding network behavior is a prerequisite for developing effective incident detection and response capabilities. ESG research found that 87% of organizations use network traffic analysis (NTA) tools for threat detection and response, and 43% say NTA is their first line of defense for this purpose.

Network communication is one of the channels cybercriminals use for data exfiltration. They can send files over HTTP or FTP so that incident response (IR) teams analyzing network traffic believe the communication is legitimate. Hackers can also use the Tor browser to hide their location and traffic.

IR teams working in a Security Operations Center (SOC) are always ready to counter data exfiltration using NTA tools and other prevention techniques. In this article, we will learn about data exfiltration, how hackers steal your data, how dangerous data exfiltration is, exfiltration distribution techniques, malicious tactics used to increase sophistication and potential remedies to thwart data exfiltration.

What is data exfiltration?

Data exfiltration is the act of illegally transferring critical data and/or information from a targeted network to locations controlled by cybercriminals. Detecting data exfiltration is a daunting task: data enters and leaves networks regularly, and exfiltration traffic closely resembles normal network traffic.
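
One way to look for exfiltration that blends into normal HTTP or FTP traffic is to compare each host's outbound volume against its own history. The sketch below is an added example, not code from the original article; the flow records, the 10.0.0.0/8 internal range, the watched ports and the three-sigma threshold are all constructed assumptions.

```python
import ipaddress
import statistics
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range
WATCHED_PORTS = {21, 80}                       # FTP control and HTTP
SIGMA = 3                                      # assumed alert threshold

# Constructed flow records: day,src,dst,dst_port,bytes_out,bytes_in
FLOWS = """\
1,10.0.0.5,203.0.113.10,80,20000,900000
2,10.0.0.5,203.0.113.10,80,24000,950000
3,10.0.0.5,203.0.113.10,80,18000,870000
4,10.0.0.5,198.51.100.7,80,48000000,150000
1,10.0.0.9,203.0.113.10,80,30000,700000
2,10.0.0.9,203.0.113.10,80,28000,650000
3,10.0.0.9,203.0.113.10,80,33000,720000
4,10.0.0.9,203.0.113.10,80,32000,705000
4,10.0.0.9,10.0.0.20,21,90000000,4000
"""

def daily_totals(text):
    """Sum bytes per (host, day) for internal-to-external flows on watched ports."""
    totals = defaultdict(lambda: [0, 0])  # (src, day) -> [bytes_out, bytes_in]
    for line in text.strip().splitlines():
        day, src, dst, port, out_b, in_b = line.split(",")
        outbound = (ipaddress.ip_address(src) in INTERNAL
                    and ipaddress.ip_address(dst) not in INTERNAL)
        if outbound and int(port) in WATCHED_PORTS:
            totals[(src, int(day))][0] += int(out_b)
            totals[(src, int(day))][1] += int(in_b)
    return totals

def find_upload_anomalies(text, check_day):
    """Return (host, bytes_out, limit) where check_day breaks the host's baseline."""
    totals = daily_totals(text)
    alerts = []
    for src in sorted({s for s, _ in totals}):
        history = [o for (s, d), (o, _) in totals.items() if s == src and d < check_day]
        if len(history) < 2:
            continue  # too little baseline to judge this host
        out_b, in_b = totals.get((src, check_day), (0, 0))
        limit = statistics.mean(history) + SIGMA * statistics.stdev(history)
        if out_b > limit and out_b > in_b:
            alerts.append((src, out_b, round(limit)))
    return alerts

if __name__ == "__main__":
    for host, sent, limit in find_upload_anomalies(FLOWS, check_day=4):
        print(f"{host}: sent {sent} bytes, baseline limit {limit}")
```

The large internal FTP transfer from 10.0.0.9 is ignored because its destination is inside the assumed internal range, so only the host uploading to an external address is reported.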

How do attackers steal your data using network traffic?

To infiltrate a network and perpetrate data exfiltration, hackers mainly use two high-risk threats: Advanced Persistent Threats (APTs) and botnets. Prior to the actual exfiltration, attackers locate the information they are after using various data collection and monitoring tools. Usually, hackers use a combination of malicious and legitimate tools and methods to extract vital data from the victim’s machine(s), such as using various internet protocols to send large amounts of traffic to the targeted machines.

Charles J. Kaplan