When it comes to cybercrime, getting into a system is only half the battle; the real challenge is extracting the stolen data without being detected. Companies often focus on preventing unauthorised access, but they must also ensure that data doesn’t slip out undetected. Hackers, driven by profit, constantly innovate methods to exfiltrate data from corporate networks, making it essential for businesses to understand and defend against these techniques.
The Challenge of Data Exfiltration
Once hackers breach a network, they need to smuggle data out without triggering alarms. Intrusion Detection Systems (IDS) are crucial in this fight. They monitor network traffic and system activities for suspicious patterns that may indicate unauthorised data extraction attempts. IDS can trigger alerts or even automatically block suspicious traffic to prevent data loss. To avoid detection, hackers use obfuscation techniques to disguise their actions. This can involve encrypting data or embedding it within harmless-looking traffic, making it difficult for IDS to identify and block the exfiltration attempts.
Reality vs. Hollywood
In Hollywood movies like "Mission Impossible," data theft is often depicted as a physical heist involving stealth and daring. In reality, hackers prefer remote methods to avoid detection and the risk of getting caught. By exploiting vulnerabilities in web servers, hackers can gain access to a network and search for valuable data. Once they find it, the challenge becomes how to exfiltrate it without triggering security systems.
One common way hackers hide their tracks is through obfuscation. A well-known method of obfuscation is image steganography, where data is embedded within images. This technique allows small amounts of data, such as passwords, to be hidden within images without raising suspicion. However, it is impractical for large datasets due to its low bandwidth and the potential for triggering alarms when numerous images are sent out.
Innovative DNS Data Exfiltration
The Domain Name System (DNS) is essential for internet functionality, translating domain names into IP addresses. Hackers can exploit this by sending data disguised as DNS queries. Typically, corporate firewalls scrutinise unfamiliar DNS requests and block those from untrusted sources. However, a novel method known as "Data Bouncing" has emerged, bypassing these restrictions and making data exfiltration easier for hackers.
How Data Bouncing Works
Data Bouncing leverages trusted web hosts to facilitate DNS resolution. Here’s how it works: hackers send an HTTP request to a reputable domain, like "bbc.co.uk," with a forged "Host" header containing the attacker’s domain. Akami Ghost HTTP servers, configured to resolve such domains, process the request, unknowingly aiding the exfiltration.
Every HTTP request a browser makes to a web server includes some metadata in the request’s headers. One of these header fields is the "Host" field, which specifies the requested domain. Normally, if you request a domain that the IP address doesn’t host, you get an error. However, Akami Ghost HTTP servers are set up to send a DNS request to resolve the domain you’ve asked for, even if it’s outside their network. This means you can send a request to a trusted domain, like "bbc.co.uk," with a "Host" header for "encryptedfilechunk.attackerdomain.com," and the trusted domain carries out the DNS resolution for you.
To prevent data exfiltration, companies need a comprehensive security strategy that includes multiple layers of defence. This makes it harder for hackers to succeed and gives security teams more time to detect and stop them. While preventing intrusions is crucial, detecting and mitigating ongoing exfiltration attempts is equally important to protect valuable data.
As cyber threats take new shapes, so must our defences. Understanding sophisticated exfiltration techniques like Data Bouncing is essential in the fight against cybercrime. By staying informed and vigilant, companies can better protect their data from falling into the wrong hands.
