Time
8 hours 28 minutes
Difficulty
Beginner
CEU/CPE
10

Video Transcription

00:00
Hello and welcome to another Application of the MITRE ATT&CK Framework discussion.
00:06
Today we're looking at automated exfiltration, and so our objectives are as follows: we're going to describe for you what automated exfiltration is per MITRE, some mitigation techniques, detection techniques, and we'll be squeezing some tool talk into this space here.
00:24
So with that, let's go ahead and jump into what automated exfiltration is.
00:29
And so, as the name suggests, this is when threat actors attempt to take data through automated processing or scripting after everything is gathered during the collection phase. This could be done through exfiltration over command and control and over alternative protocols,
00:46
and so, a few tools to keep in mind and some of their capabilities.
00:51
Rover, which for me sounds a lot like the game Red Rover that kids used to play, automatically searches for files on the local drive based on predefined lists of file extensions and sends them on over to the command and control server every 60 minutes.
01:07
Tani, Typhoon or Typhon searches for documents, and when one is found with a matching extension, it uploads it to the command and control server. USBStealer automatically exfiltrates collected files via removable media when an infected device is connected to a second victim. And so this is essentially
01:26
when your initial media gets infected: for everything you plug it into after that, it starts to steal data. Some of the common things that we see here are the command and control servers being used in these techniques. Now, mitigation here is still limited to end user awareness training, because
01:46
this reduces the overall risk of compromise,
01:49
you may be able to get some of this blocked using something like intrusion prevention
01:53
and looking for common command and control signatures and data uploads. There also may be some discussions that could be had on using firewall protections and other data blocking activities to ensure that files are not precariously uploaded or moved out of the network.
02:12
Now that would just involve some data classification
02:15
and additional protections put in place. Detection techniques include monitoring process, file access patterns, and network behavior. Again, what is normal for the environment? What is not normal? Baselining that, and then being able to proactively address instances where it is outside of the norm.
02:34
Now, with that, let's do a quick check on learning:
02:38
True or false: automated exfiltration is when a threat actor automatically removes data from a victim network through things like scripting.
02:49
So if you need additional time to consider this question, please pause the video. So, automated exfiltration is when a threat actor automatically removes data from a victim network through things like scripting. So
03:02
with these points in mind, this is a true statement.
03:07
Automated exfiltration is essentially when threat actors try to use tools or automatic means to remove data. Now let's jump into the summary for today's discussion. As we discussed, we looked at automated exfiltration from a scripting or tool standpoint, using those things
03:24
to essentially pull data as it's identified and push it to a command and control server.
03:30
We described some mitigation techniques, and we looked at detection techniques as well, both of those still being in the realm of behavioral analysis: baselining system activity, and any time it's outside of the norm, evaluating that activity. Mitigation techniques: still sticking around is end user awareness training.
03:51
And there may be some credence here for network intrusion prevention and additional data protections.
03:55
But again, that end user awareness training is going to be the biggest mitigating factor.
04:01
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Application of the MITRE ATT&CK Framework

This MITRE ATT&CK training is designed to teach students how to apply the matrix to help mitigate current threats. Students will move through the 12 core areas of the framework to develop a thorough understanding of various access ATT&CK vectors.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor