[BreachExchange] Why Does Data Exfiltration Remain an Almost Unsolvable Challenge?
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Mar 27 18:59:28 EDT 2018
https://www.securityweek.com/why-does-data-exfiltration-
remain-almost-unsolvable-challenge
>From hacked IoT devices to corporate infrastructures hijacked for
crypto-mining to automated ransomware, novel and sophisticated
cyber-attacks are notoriously hard to catch. It is no wonder that defending
against these silent and never-seen-before threats dominates our security
agendas. But while we grapple with the challenge of detecting the unknown,
data exfiltration - an old and very well-known risk - doesn’t command
nearly the same amount of attention. Yet data exfiltration happens, and it
happens by the gigabyte.
As attackers improve their methods of purloining the sensitive data we
trust our organizations to keep safe, one critical question remains: why
does data exfiltration present the security community with such a
formidable challenge?
Gigawatts and Flux Capacitors. Let’s go Back in Time.
All data exfiltration attacks share one common trait: the early warning
signs of anomalous activity on the network were present but traditional
security failed to catch them. Regardless of level of subtlety, or the
number of devices involved, perimeter tools missed the window of
opportunity between impact and unauthorized data transfer – allowing for
hundreds of gigabytes of data to be exfiltrated from the organization.
The Sony hack of 2014 brought the world to a startling halt when it was
revealed that attackers had spent over a year leaking 100 terabytes of data
from the network. The next year brought us the Panama Papers, where
allegedly 2.6 terabytes of data were leaked, causing reputational damage to
some of the world’s most recognizable public figures. And in 2016,
allegedly 80 gigabytes of data escaped from the Democratic National
Committee’s network, launching two years of skepticism and distrust around
the US elections. Each of these cases of sizeable data exfiltration
remained undetected for months, or even years – only to be discovered when
the data had already long been lost.
When we look at this cycle of stealthy and silent data breaches, we have to
ask ourselves: how can such tremendous amounts of data leave our corporate
networks without raising any alarms?
Modern Networks: Living Organisms
The challenge in identifying indicators of data exfiltration lies partly in
the structure of today’s networks. As our businesses continue to innovate,
we open the door to increased digital complexity and vulnerability – from
BYOD to third party supply chains, organizations significantly amplify
their cyber risk profile in the name of optimal efficiency.
Against this backdrop, our security teams are hard-pressed to identify the
subtle telling signs of a data exfiltration attempt in the hope to stop it
in its tracks. To add to the complexity, they need to find the proverbial
needle in an ever growing haystack of hundreds of thousands of devices on
their network that they did not build, install, or even know existed.
Networks today are much like living organisms: they grow, they shrink, and
they evolve at a rapid rate. If we think about a network as a massive data
set that changes hundreds, if not thousands, of times per second, then we
have to realize that no security team will ever be able to keep up with
which actions are authorized versus which actions are indicative of data
exfiltration.
The Old Approach Needs Victims Before it Can Offer Solutions
Compounding the challenge of today’s labyrinthine networks, stretched
security teams are always on the offense – fighting back-to-back battles
against the latest form of unpredictable threat. So how can security teams
cut through the noise and discern the subtle differences between legitimate
activity and criminal data exfiltration campaigns?
Five years ago, we relied on historical intelligence to define tomorrow’s
attack. But the never-ending cycle of data breaches have taught us that
these approaches were just as insufficient then as they are now.
Identifying data exfiltration should be a low-hanging fruit for security
teams, but to do so, we need to rely upon technologies that make no
assumptions on what ‘malicious’ activity looks like.
Organizations are increasingly turning to AI technology for the answer,
capable of identifying subtle deviations from normal network activity. By
understanding the nuances of day-to-day network activity, self-learning
technology correlates seemingly-irrelevant pieces of information to form a
comprehensive picture of what is happening within our network borders.
Consequently, AI spots the subtle indicators of exfiltration as it’s
happening – giving security teams valuable time to mitigate the crisis
before it becomes a headline.
To break the cycle of high-profile data breaches, we must embrace AI
technologies that evolve with our organizations, strengthen its defenses
over time, and identify data exfiltration tactics before our sensitive
information is long past the network perimeter. And as we face a global
cyber skills shortage, it is now more imperative than ever that we work in
tandem with technology capable of doing the heavy lifting for us. Attackers
seeking to leak our most sensitive data are evolving to keep up with our
defenses – are we evolving too?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180327/52c816c9/attachment.html>
More information about the BreachExchange
mailing list