Abstract
Whether the actor is an insider or an Advanced Persistent Threat (APT), sensitive data is being stolen. This year's annual report of the German Federal Office for Information Security (BSI) on the state of IT security in Germany (https://www.bsi.bund.de/EN/Service-Navi/Publikationen/Lagebericht/lagebericht_node.html) points to a worsening situation. A key finding of the BSI is that cyber extortion has become the number-one threat, because the leading attacker collectives have expanded their strategy: they exfiltrate data to offsite storage before encrypting it. This year, organizations were additionally extorted for hush money under the threat that the stolen sensitive data would be disclosed. Data exfiltration has become a standard step in almost all ransomware attacks. In our work, we take up this currently most dangerous threat. First, we provide a universal definition of the operation of data exfiltration. Next, we evaluate three frequently used methods for cyber threat intelligence: the Microsoft Threat Modeling Tool, the Malware Information Sharing Platform (MISP), and the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework. Our evaluation goal is to find out whether these methods allow data exfiltration to be investigated and described appropriately. In particular, we look for a suitable categorization structure and semantics with which data exfiltration approaches can be classified. On this basis, we carry out a systematic review of recent peer-reviewed publications from the Digital Threats: Research and Practice (DTRAP) forum in the context of data exfiltration and categorize the data exfiltration techniques they describe. This gives a clear indication of the focus and distribution of current work and allows us to address deficiencies and further research needs for specific categories of data exfiltration.
Finally, we identify and select one relevant category of data exfiltration as an example and show its interactions with detection and protection measures. Our work provides an assessment of the subject matter, the frequently used tools, and current research priorities in the context of the threat of adversarial data exfiltration.
References
Ahmed, M., et al.: MITRE ATT&CK-driven cyber risk assessment (2022). https://doi.org/10.1145/3538969.3544420
Alrehaili, M., Alshamrani, A., Eshmawi, A.: A hybrid deep learning approach for advanced persistent threat attack detection. In: The 5th International Conference on Future Networks & Distributed Systems, ICFNDS 2021, pp. 78–86. Association for Computing Machinery, New York (2022). ISBN: 9781450387347. https://doi.org/10.1145/3508072.3508085
Ayinala, S., Murimi, R.: On a territorial notion of a smart home. In: Proceedings of the 1st Workshop on Cybersecurity and Social Sciences, CySSS 2022, pp. 33–37. Association for Computing Machinery, New York (2022). ISBN: 9781450391771. https://doi.org/10.1145/3494108.3522766
Bhattarai, B., Huang, H.: SteinerLog: prize collecting the audit logs for threat hunting on enterprise network. In: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2022, pp. 97–108. Association for Computing Machinery, New York (2022). ISBN: 9781450391405. https://doi.org/10.1145/3488932.3523261
Birnbach, S., Eberz, S., Martinovic, I.: Haunted house: physical smart home event verification in the presence of compromised sensors. ACM Trans. Internet Things 3(3) (2022). ISSN: 2691-1914. https://doi.org/10.1145/3506859
Botacin, M., et al.: Terminator: a secure coprocessor to accelerate real-time antiviruses using inspection breakpoints. ACM Trans. Priv. Secur. 25(2) (2022). ISSN: 2471-2566. https://doi.org/10.1145/3494535
Carter, J., Mancoridis, S., Galinkin, E.: Fast, lightweight IoT anomaly detection using feature pruning and PCA. In: Proceedings of the 37th ACM/SIGAPP Symposium on Applied Computing, SAC 2022, pp. 133–138. Association for Computing Machinery, New York (2022). ISBN: 9781450387132. https://doi.org/10.1145/3477314.3508377
Chen, Z., et al.: Machine learning-enabled IoT security: open issues and challenges under advanced persistent threats. ACM Comput. Surv. 55(5) (2022). ISSN: 0360-0300. https://doi.org/10.1145/3530812
Chignell, M., et al.: The evolution of HCI and human factors: integrating human and artificial intelligence. ACM Trans. Comput.-Hum. Interact. (2022). ISSN: 1073-0516. https://doi.org/10.1145/3557891
Clausen, H., Flood, R., Aspinall, D.: Traffic generation using containerization for machine learning. In: Proceedings of the 2019 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, DYNAMICS 2019. Association for Computing Machinery, New York (2022). ISBN: 9781450384902. https://doi.org/10.1145/3464458.3464460
MISP Community. Malware Information Sharing Platform (MISP) User Guide: A Threat Sharing Platform (2022). https://www.circl.lu/doc/misp/book.pdf
MITRE Corporation. Cyber Threat Intelligence Repository Expressed in STIX 2.0 (2022). https://github.com/mitre/cti
MITRE Corporation. MITRE ATT&CK (2022). https://attack.mitre.org/
MITRE Corporation. MITRE ATT&CK Navigator: Web app that provides basic navigation and annotation of ATT&CK matrices (2022). https://github.com/mitre-attack/attack-navigator
MITRE Corporation et al.: Finding Cyber Threats with ATT&CK Based Analytics (2017). https://www.mitre.org/sites/default/files/2021-11/16-3713-finding-cyber-threats-with-attack-based-analytics.pdf
MITRE Corporation et al.: MITRE ATT&CK - Design and Philosophy (2020). https://attack.mitre.org/docs/ATTACK_Design_and_Philosophy_March_2020.pdf
MITRE Corporation et al.: MITRE ATT&CK for Industrial Control Systems: Design and Philosophy (2020). https://attack.mitre.org/docs/ATTACK_for_ICS_Philosophy_March_2020.pdf
Deochake, S., Channapattan, V.: Identity and access management framework for multi-tenant resources in hybrid cloud computing. In: Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022. Association for Computing Machinery, New York (2022). ISBN: 9781450396707. https://doi.org/10.1145/3538969.3544896
European Parliament. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). European Parliament, Brussel (2016)
ExtraHop. How to Monitor Sensitive Data & Stop Exfiltration via the Network (2022). https://www.extrahop.com/company/blog/2020/monitor-sensitive-data-and-stop-exfiltration-via-the-network/
Faulkenberry, A., et al.: View from above: exploring the malware ecosystem from the upper DNS hierarchy. In: Proceedings of the 38th Annual Computer Security Applications Conference, ACSAC 2022, pp. 240–250. Association for Computing Machinery, New York (2022). ISBN: 9781450397599. https://doi.org/10.1145/3564625.3564646
Giani, A., Berk, V.H., Cybenko, G.V.: Data exfiltration and covert channels (2006). https://www.spiedigitallibrary.org/conference-proceedings-of-spie/6201/620103/Data-exfiltration-and-covert-channels/10.1117/12.670123.short
Gorbett, M., Shirazi, H., Ray, I.: WiP: the intrinsic dimensionality of IoT networks. In: Proceedings of the 27th ACM on Symposium on Access Control Models and Technologies, SACMAT 2022, pp. 245–250. Association for Computing Machinery, New York (2022). ISBN: 9781450393577. https://doi.org/10.1145/3532105.3535038
de Gortari Briseno, J., Singh, A.D., Srivastava, M.: InkFiltration: using inkjet printers for acoustic data exfiltration from air-gapped networks. ACM Trans. Priv. Secur. 25(2) (2022). ISSN: 2471-2566. https://doi.org/10.1145/3510583
Guan, Y., Li, Z., Xiong, G.: Research on novel TLS protocol network traffic management and monitoring method. In: Proceedings of the 7th International Conference on Cyber Security and Information Engineering, ICCSIE 2022, pp. 89–94. Association for Computing Machinery, New York (2022). ISBN: 9781450397414. https://doi.org/10.1145/3558819.3558835
Guarascio, M., et al.: Revealing MageCart-like threats in favicons via artificial intelligence. In: Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022. Association for Computing Machinery, New York (2022). ISBN: 9781450396707. https://doi.org/10.1145/3538969.3544437
Hantke, F., Stock, B.: HTML violations and where to find them: a longitudinal analysis of specification violations in HTML. In: Proceedings of the 22nd ACM Internet Measurement Conference, IMC 2022, pp. 358–373. Association for Computing Machinery, New York (2022). ISBN: 9781450392594. https://doi.org/10.1145/3517745.3561437
Hernan, S., et al.: Uncover Security Design Flaws Using the STRIDE Approach (2019). https://learn.microsoft.com/en-us/archive/msdn-magazine/2006/november/uncover-security-design-flaws-using-the-stride-approach
Hittmeir, M., Mayer, R., Ekelhart, A.: Distance-based techniques for personal microbiome identification. In: Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022. Association for Computing Machinery, New York (2022). ISBN: 9781450396707. https://doi.org/10.1145/3538969.3538985
Illumio. Zero Trust Segmentation delivers Cyber Resilience (2022). https://www.illumio.com/solutions/cyber-resilience
Inam, M.A., et al.: FAuSt: striking a bargain between forensic auditing’s security and throughput. In: Proceedings of the 38th Annual Computer Security Applications Conference, ACSAC 2022, pp. 813–826. Association for Computing Machinery, New York (2022). ISBN: 9781450397599. https://doi.org/10.1145/3564625.3567990
MISP Standard - Collaborative Intelligence. Malware Information Sharing Platform (MISP) Program (2022). https://www.misp-project.org/
MISP Standard - Collaborative Intelligence. Python library using the MISP Rest API (2023). https://github.com/MISP/PyMISP
International Organization for Standardization. ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection—Information security management systems—Requirements (2022). https://www.iso.org/standard/82875.html
Joback, E., et al.: A statistical approach to detecting low-throughput exfiltration through the domain name system protocol. In: Proceedings of the 2020 Workshop on DYnamic and Novel Advances in Machine Learning and Intelligent Cyber Security, DYNAMICS 2020. Association for Computing Machinery, New York (2022). ISBN: 9781450387149. https://doi.org/10.1145/3477997.3478007
Kalderemidis, I., et al.: GTM: game theoretic methodology for optimal cybersecurity defending strategies and investments. In: Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022. Association for Computing Machinery, New York (2022). ISBN: 9781450396707. https://doi.org/10.1145/3538969.3544431
Kapoor, M., et al.: Flurry: a fast framework for provenance graph generation for representation learning. In: Proceedings of the 31st ACM International Conference on Information & Knowledge Management, CIKM 2022, pp. 4887–4891. Association for Computing Machinery, New York (2022). ISBN: 9781450392365. https://doi.org/10.1145/3511808.3557200
Karagiannis, S., et al.: A-DEMO: ATT&CK documentation, emulation and mitigation operations: deploying and documenting realistic cyberattack scenarios - a rootkit case study. In: 25th Pan-Hellenic Conference on Informatics, PCI 2021, pp. 328–333. Association for Computing Machinery, New York (2022). ISBN: 9781450395557. https://doi.org/10.1145/3503823.3503884
Kumar, N., Handa, A., Shukla, S.K.: RBMon: real time system behavior monitoring tool. In: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security, ASIA CCS 2022, pp. 1228–1230. Association for Computing Machinery, New York (2022). ISBN: 9781450391405. https://doi.org/10.1145/3488932.3527289
Ladisa, P., et al.: Towards the detection of malicious Java packages. In: Proceedings of the 2022 ACM Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, SCORED 2022, pp. 63–72. Association for Computing Machinery, New York (2022). ISBN: 9781450398855. https://doi.org/10.1145/3560835.3564548
Lamshöft, K., Dittmann, J.: Covert channels in network time security. In: Proceedings of the 2022 ACM Workshop on Information Hiding and Multimedia Security, IH & MMSec 2022, pp. 69–79. Association for Computing Machinery, New York (2022). ISBN: 9781450393553. https://doi.org/10.1145/3531536.3532947
Landauer, M., et al.: A framework for automatic labeling of log datasets from model-driven testbeds for HIDS evaluation. In: Proceedings of the 2022 ACM Workshop on Secure and Trustworthy Cyber-Physical Systems, Sat-CPS 2022, pp. 77–86. Association for Computing Machinery, New York (2022). ISBN: 9781450392297. https://doi.org/10.1145/3510547.3517924
Lang, M., et al.: The evolving menace of ransomware: a comparative analysis of pre-pandemic and mid-pandemic attacks. Digit. Threats (2022). ISSN: 2692-1626. https://doi.org/10.1145/3558006
Liu, Y., et al.: RAPID: real-time alert investigation with context-aware prioritization for efficient threat discovery. In: Proceedings of the 38th Annual Computer Security Applications Conference, ACSAC 2022, pp. 827–840. Association for Computing Machinery, New York (2022). ISBN: 9781450397599. https://doi.org/10.1145/3564625.3567997
Lyu, M., Gharakheili, H.H., Sivaraman, V.: A survey on DNS encryption: current development, malware misuse, and inference techniques. ACM Comput. Surv. 55(8) (2022). ISSN: 0360-0300. https://doi.org/10.1145/3547331
Mahdavifar, S., et al.: Lightweight hybrid detection of data exfiltration using DNS based on machine learning. In: 2021 the 11th International Conference on Communication and Network Security, ICCNS 2021, pp. 80–86. Association for Computing Machinery, New York (2022). ISBN: 9781450386425. https://doi.org/10.1145/3507509.3507520
Mahmod, J., Hicks, M.: SRAM has no chill: exploiting power domain separation to steal on-chip secrets. In: Proceedings of the 27th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, ASPLOS 2022, pp. 1043–1055. Association for Computing Machinery, New York (2022). ISBN: 9781450392051. https://doi.org/10.1145/3503222.3507710
Martins, C., Medeiros, I.: Generating quality threat intelligence leveraging OSINT and a cyber threat unified taxonomy. ACM Trans. Priv. Secur. 25(3) (2022). ISSN: 2471-2566. https://doi.org/10.1145/3530977
Mundt, M., Baier, H.: Towards Mitigation of Data Exfiltration Techniques using the MITRE ATT&CK Framework (2022). https://www.unibw.de/digfor/publikationen/pdf/2021-12-icdf2c-mundt-baier.pdf
Microsoft. Microsoft Threat Modeling Tool (2022). https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool
Microsoft. Microsoft Threat Modeling Tool threats (2022). https://learn.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-threats
MITRE. MITRE ATT&CK framework (2021). https://attack.mitre.org/
Mohammed, A.S., et al.: Cybersecurity challenges in the offshore oil and gas industry: an industrial cyber-physical systems (ICPS) perspective. ACM Trans. Cyber-Phys. Syst. 6(3) (2022). ISSN: 2378-962X. https://doi.org/10.1145/3548691
Moiz, A., Alalfi, M.H.: A survey of security vulnerabilities in Android automotive apps. In: Proceedings of the 3rd International Workshop on Engineering and Cybersecurity of Critical Systems, EnCyCriS 2022, pp. 17–24. Association for Computing Machinery, New York (2022). ISBN: 9781450392907. https://doi.org/10.1145/3524489.3527300
Moure-Garrido, M., Campo, C., Garcia-Rubio, C.: Detecting malicious use of DOH tunnels using statistical traffic analysis. In: Proceedings of the 19th ACM International Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, & Ubiquitous Networks, PE-WASUN 2022, pp. 25–32. Association for Computing Machinery, New York (2022). ISBN: 9781450394833. https://doi.org/10.1145/3551663.3558605
Mundt, M., Baier, H.: Threat-based simulation of data exfiltration towards mitigating multiple ransomware extortion. Digit. Threats Res. Pract. 23, 1–23 (2022)
Mundt, M., Baier, H.: Threat-based simulation of data exfiltration towards mitigating multiple ransomware extortions. Digit. Threats (2022). ISSN: 2692-1626. https://doi.org/10.1145/3568993
Oz, H., et al.: A survey on ransomware: evolution, taxonomy, and defense solutions. ACM Comput. Surv. 54(11s) (2022). ISSN: 0360-0300. https://doi.org/10.1145/3514229
Payne, B., Mienie, E.: Multiple-extortion ransomware: the case for active cyber threat intelligence. In: ECCWS 2021 20th European Conference on Cyber Warfare and Security, vol. 6, pp. 331–336 (2021)
Pöhn, D., Hommel, W.: TaxidMA: towards a taxonomy for attacks related to identities. In: Proceedings of the 17th International Conference on Availability, Reliability and Security, ARES 2022. Association for Computing Machinery, New York (2022). ISBN: 9781450396707. https://doi.org/10.1145/3538969.3544430
Pradeep, A., et al.: A comparative analysis of certificate pinning in Android & iOS. In: Proceedings of the 22nd ACM Internet Measurement Conference, IMC 2022, pp. 605–618. Association for Computing Machinery, New York (2022). ISBN: 9781450392594. https://doi.org/10.1145/3517745.3561439
Sahu, I.K., Nene, M.J.: Model for IaaS Security Model: MISP Framework (2021). https://ieeexplore.ieee.org/abstract/document/9498375
Scandariato, R., Wuyts, K., Joosen, W.: A descriptive study of Microsoft’s threat modeling technique (2013). https://link.springer.com/article/10.1007/s00766-013-0195-2
Shen, J., et al.: Gringotts: fast and accurate internal denial-of-wallet detection for serverless computing. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, pp. 2627–2641. Association for Computing Machinery, New York (2022). ISBN: 9781450394505. https://doi.org/10.1145/3548606.3560629
Shreeve, B., et al.: Making sense of the unknown: how managers make cyber security decisions. ACM Trans. Softw. Eng. Methodol. (2022). ISSN: 1049-331X. https://doi.org/10.1145/3548682
Stoleriu, R., Puncioiu, A., Bica, I.: Cyber attacks detection using open source ELK stack (2021). https://ieeexplore.ieee.org/abstract/document/9515120
Sun, Z., et al.: Recent advances in LoRa: a comprehensive survey. ACM Trans. Sen. Netw. 18(4) (2022). ISSN: 1550-4859. https://doi.org/10.1145/3543856
Ullah, F., et al.: Data exfiltration: a review of external attack vectors and countermeasures. Univ. Bristol Bristol Res. 57, 1–57 (2018)
Vaccari, I., et al.: Exploiting Internet of Things protocols for malicious data exfiltration activities (2021). https://ieeexplore.ieee.org/abstract/document/9493887
Vandeplas, C., Iklody, A.: Malware information sharing platform core software - open source threat intelligence and sharing platform (2022). https://github.com/MISP/MISP
Wala, F.B., Cotton, C.: “off-label” use of DNS. Digit. Threats 3(3) (2022). ISSN: 2692-1626. https://doi.org/10.1145/3491261
Zeng, J., Zhang, C., Liang, Z.: Palantír: optimizing attack provenance with hardware-enhanced system observability. In: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, CCS 2022, pp. 3135–3149. Association for Computing Machinery, New York (2022). ISBN: 9781450394505. https://doi.org/10.1145/3548606.3560570
Zeng, Z., Chung, C.-J., Xie, L.: Security challenges for modern data centers with IoT: a preliminary study. In: Companion Proceedings of the Web Conference 2022, WWW 2022, pp. 555–562. Association for Computing Machinery, New York (2022). ISBN: 9781450391306. https://doi.org/10.1145/3487553.3524857
Zipperle, M., et al.: Provenance-based intrusion detection systems: a survey. ACM Comput. Surv. 55(7) (2022). ISSN: 0360-0300. https://doi.org/10.1145/3539605
Copyright information
© 2024 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Mundt, M., Baier, H. (2024). Enhancing Incident Management by an Improved Understanding of Data Exfiltration: Definition, Evaluation, Review. In: Goel, S., Nunes de Souza, P.R. (eds) Digital Forensics and Cyber Crime. ICDF2C 2023. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-031-56580-9_3
DOI: https://doi.org/10.1007/978-3-031-56580-9_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-56579-3
Online ISBN: 978-3-031-56580-9
eBook Packages: Computer Science (R0)