This post is authored by Gayan de Silva and Martin Pospisil.
Recently, Cisco Cognitive Threat Analytics (CTA) alerted about 50 users across 20 companies to malware that exfiltrates gigabytes of data from their computers. An example of such a CTA detection:
In addition to the usual malware command-and-control activity, the incident features an upload of 2.3 gigabytes of data to a highly suspicious destination. CTA has classified this incident as malware with high severity and confidence.
This particular malware uses a custom protocol over TCP port 443, the port assigned to HTTPS. Generally, fewer than 10% of organizations do any inspection of HTTPS traffic, so a connection on this port has a relatively low probability of being intercepted. The malware authors go one step further: the custom protocol is not based on HTTPS at all, so the port number is the only thing about the connection that resembles HTTPS. A comparison of the stream content of the custom protocol to the stream content of an HTTPS connection is shown below.
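The practical check this comparison suggests is to stop trusting the port number and look at the first bytes the client sends: a real HTTPS connection opens with a TLS record header and a ClientHello, and anything on TCP/443 that does not is worth a second look, especially when the outbound byte count is large. The following is an added example, not code from the original post or from CTA; the payloads, flow records and TEST-NET addresses are constructed for illustration, and the byte threshold is an assumed tuning value.

```python
# Added example: distinguish a genuine TLS ClientHello from a custom protocol
# riding on TCP/443, then flag large non-TLS uploads. Not CTA's implementation.

TLS_HANDSHAKE = 0x16                                   # record content type: handshake
TLS_RECORD_VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSL 3.0 .. TLS 1.2 (TLS 1.3 also uses 0x0303 in the record layer)
MAX_RECORD_LEN = 2**14 + 2048                          # RFC 5246 upper bound on a record fragment


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """True if the first client->server bytes parse as a TLS record carrying a ClientHello."""
    if len(payload) < 9:                               # 5-byte record header + 4-byte handshake header
        return False
    content_type = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    record_len = int.from_bytes(payload[3:5], "big")
    if content_type != TLS_HANDSHAKE or version not in TLS_RECORD_VERSIONS:
        return False
    if record_len == 0 or record_len > MAX_RECORD_LEN:
        return False
    handshake_type = payload[5]
    handshake_len = int.from_bytes(payload[6:9], "big")
    # ClientHello is handshake type 1. Its body normally fills the record exactly
    # (record_len - 4); a very large ClientHello may span records, so allow >=.
    return handshake_type == 0x01 and handshake_len >= record_len - 4


# Constructed sample payloads (labelled as such; not captures from the post).
CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"   # TLS record: handshake(22), version 3.1, length 45
    b"\x01\x00\x00\x29"       # handshake: ClientHello(1), length 41
    b"\x03\x03"               # client_version: TLS 1.2
    + bytes(32)               # random (zeros, constructed)
    + b"\x00"                 # session_id length 0
    + b"\x00\x02\xc0\x2f"     # cipher_suites: 2 bytes, one suite
    + b"\x01\x00"             # compression_methods: 1 byte, null
)
CUSTOM_PROTOCOL = b"\xaa\x55\x00\x01\x00\x00\x12\x34" + bytes(40)   # made-up binary framing on 443
PLAIN_HTTP = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"       # cleartext HTTP on 443

# Constructed flow summaries such as a NetFlow/Zeek pipeline might supply.
FLOWS = [
    {"id": "flow-1", "dst": "203.0.113.10", "dst_port": 443, "first_bytes": CLIENT_HELLO,    "bytes_out": 2_300_000_000},
    {"id": "flow-2", "dst": "198.51.100.7", "dst_port": 443, "first_bytes": CUSTOM_PROTOCOL, "bytes_out": 40_000},
    {"id": "flow-3", "dst": "198.51.100.7", "dst_port": 443, "first_bytes": CUSTOM_PROTOCOL, "bytes_out": 2_300_000_000},
    {"id": "flow-4", "dst": "192.0.2.5",    "dst_port": 443, "first_bytes": PLAIN_HTTP,      "bytes_out": 1_200},
]


def suspicious_443_flows(flows, min_bytes_out):
    """IDs of flows to TCP/443 that do not start like TLS and pushed at least min_bytes_out."""
    return [
        f["id"]
        for f in flows
        if f["dst_port"] == 443
        and not looks_like_tls_client_hello(f["first_bytes"])
        and f["bytes_out"] >= min_bytes_out
    ]


if __name__ == "__main__":
    print(suspicious_443_flows(FLOWS, 1_000_000_000))   # assumed 1 GB triage threshold
```

Two caveats for anyone wiring this into a sensor: it needs the first client payload of the connection (a mid-stream capture begins with application-data records, type 0x17, and will not match), and a "not TLS" verdict is a triage signal rather than proof, since legitimate non-TLS services on 443 exist (proxy CONNECT, some VPNs) and malware that speaks real TLS passes this check untouched. Pair it with destination reputation and the byte-volume condition, as the CTA incident above does.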
Tags: Cognitive Threat Analytics, exfiltration, malware
The Insider Lifecycle
Traditional security is designed to keep outsiders from getting in. What happens when the enemy is an insider? A new paradigm must be explored, one where the focus shifts inward, to how data moves outbound.
Identifying anomalies in data exfiltration is critical to spotting the insider. The insider has a typical lifecycle:
1. Identify places where sensitive data is stored
2. Retrieve the data from the location
3. Move the data within the organization to prepare for exfiltration
4. Transfer the data outside the organization
Arguably, the weak points in this chain of events are steps 1, 2, and 4, where the insider must pass through funnel points: near the data, and at a public outbound connection.
Things to Look For
In almost all cases of data theft, the insider had access to the data, but in many cases the insider's role would have looked suspect given the data they were accessing. Consequently, the end user's role should be examined in the context of the data they access.
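The two funnel points named above (access to data near its source, and the public outbound connection) can be correlated directly: a user whose role does not normally touch a data class, and who then pushes an unusual volume outward, hits both. The following is an added example, not code from the original post; the access events, the role-to-classification policy and the byte threshold are constructed assumptions that an organization would replace with its own directory roles, DLP labels and baselines.

```python
# Added example: correlate out-of-role data access (lifecycle steps 1-2) with
# outbound volume (step 4). Constructed data; not the post's own tooling.
from collections import defaultdict

# Constructed access/transfer events, already joined with each user's directory role.
EVENTS = [
    {"user": "alice", "role": "engineer", "action": "read",   "resource": "git/firmware",      "label": "source",    "bytes": 20_000_000},
    {"user": "alice", "role": "engineer", "action": "upload", "resource": "ext:files.example", "label": "source",    "bytes": 15_000_000},
    {"user": "bob",   "role": "sales",    "action": "read",   "resource": "crm/accounts",      "label": "customer",  "bytes": 2_000_000},
    {"user": "bob",   "role": "sales",    "action": "read",   "resource": "git/firmware",      "label": "source",    "bytes": 900_000_000},
    {"user": "bob",   "role": "sales",    "action": "copy",   "resource": "smb://share/tmp",   "label": "source",    "bytes": 900_000_000},
    {"user": "bob",   "role": "sales",    "action": "upload", "resource": "ext:cloud.example", "label": "source",    "bytes": 2_300_000_000},
    {"user": "carol", "role": "finance",  "action": "read",   "resource": "erp/ledger",        "label": "financial", "bytes": 5_000_000},
]

# Hypothetical policy: which data classifications each role is expected to touch.
ROLE_POLICY = {
    "engineer": {"source", "public"},
    "sales":    {"customer", "public"},
    "finance":  {"financial", "public"},
}

OUTBOUND_ACTIONS = {"upload"}   # actions that cross the organizational boundary (step 4)


def role_mismatches(events, policy):
    """Steps 1-2: events where the data's classification is outside the user's role."""
    return [e for e in events if e["label"] not in policy.get(e["role"], set())]


def outbound_by_user(events):
    """Step 4: total bytes each user sent outside the organization."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] in OUTBOUND_ACTIONS:
            totals[e["user"]] += e["bytes"]
    return dict(totals)


def lifecycle_hits(events, policy, outbound_threshold):
    """Users who both touched out-of-role data and exceeded the outbound byte threshold.
    Requiring both funnel points suppresses the noise either signal produces alone:
    engineers legitimately upload source, and sales staff occasionally open the wrong share."""
    suspects = {e["user"] for e in role_mismatches(events, policy)}
    outbound = outbound_by_user(events)
    return sorted(u for u in suspects if outbound.get(u, 0) > outbound_threshold)


if __name__ == "__main__":
    for e in role_mismatches(EVENTS, ROLE_POLICY):
        print("out-of-role:", e["user"], e["action"], e["resource"])
    print("lifecycle hits:", lifecycle_hits(EVENTS, ROLE_POLICY, 1_000_000_000))  # assumed 1 GB threshold
```

In practice the threshold should be a per-user or per-role baseline rather than a fixed constant, and the staging step (step 3, the internal copy to a share) is useful as an ordering clue: a read of out-of-role data followed by an internal copy and then an external upload is the full lifecycle, not three unrelated events.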
Tags: compromise, espionage, exfiltration, insider, insider threat, intellectual property, security, Sensitive data, threat