Hello and welcome to the Penetration Testing Execution Standard discussion. Today we're going to look at data exfiltration within the post-exploitation section. Now, a quick disclaimer.
The tools and techniques discussed in the PTES videos could be used for system hacking. So any tools discussed or demonstrated should be understood by the user prior to their use.
Please research your laws and regulations regarding the use of such tools in your given area to ensure that you do not violate any applicable laws. Now, the objectives of today's discussion are pretty straightforward. We're going to do a review of mapping possible exfiltration paths and how that can help us in post-exploitation.
We're going to review testing exfiltration paths and measuring control strengths, and looking at those within the data exfiltration section.
So, mapping possible exfiltration paths. What this means is that from each of the areas where access has been achieved, full exfiltration paths should be created, so this includes secondary and tertiary means of getting to the outside world, different subnets, whatever the case may be. Once the mapping has been provided, the actual exfiltration test should be commenced. So you should have, like, a Visio diagram that lays out: okay, this is the system. I can go through the Internet here. I've got a VPN connection here that I can use. I've got a system over here that I can use. I've got a path over here that's a potential way to get back out.
So you need to map all of those potential exfiltration paths out before you go through the process of attempting to exfiltrate data.
Now, testing the exfiltration paths. Per exfiltration path mapping, data should be exfiltrated from the organization being tested. This should already be covered in the pre-engagement scoping, and adequate infrastructure should have been set up which adheres to the customer's acceptable engagement policies. The data being exfiltrated is usually sent to a server in the full control of the tester, and with access, and they will have access and ownership rights to the testing organization.
So you need to make sure that if you're going to exfiltrate data, the customer knows where it's going. They agree on what can be exfiltrated, you know, what should and shouldn't be there, and it goes from there. And so an example of this is usually a staging area inside the network where data is archived inside of zip files and then sent to FTP/HTTP servers on the Internet. If a more sophisticated threat actor was in there, then using means that simulate such strategies and tactics for exfiltration could be used instead.
Each of those things plays a role in, again, the rules of engagement and what is and is not acceptable for the client.
Now, measuring control strength. So while performing exfiltration testing, the main goal of the test is to see whether the current controls for detecting and blocking sensitive information from leaving the network organization actually work, as well as exercise the response team, if anything has been detected, in terms of how they react to such alerts and how the events were being investigated and remediated. So a lot of times, this is data loss prevention systems. It may work for an IDS system.
You may have overall a SIEM solution or something of that nature that feeds information back to a security team or department. Depending on the compliance requirements for the industry or the business, that could dictate the type of controls that are in place and what you would be looking for as far as testing those given controls.
So with that in mind, let's do a quick check on learning. True or false: it would be best to exfiltrate any data to a system under the tester's control and in the same geographical location.
So if you need some additional time, please pause the video. So this is a true statement. It would be best to exfiltrate data to a system under the tester's control and in the same geographical location. The reason for that is that laws may vary state to state, and they definitely vary nation to nation. And so sending data to a separate state or separate nation could violate laws or regulations in that given state, even though you're testing in another. So take the time to set up a system that will be in the same location as your client so that the laws and regulations you research are applicable to that information.
Now, in summary, we discussed mapping possible exfiltration paths and how that should look. We discussed testing exfiltration paths, and we discussed measuring control strengths, and that would be done through trying to get information out of the network, seeing how well the team responds, and seeing whether or not the systems prevent the exfiltration of those data sets.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.