Intrusion and Data Exfiltration
July 31, 2019 · 9 min read

Answers to the ‘hows’ and ‘whys’ of cyber attacks.

Written by José Afonso Ramos

The Cyberspace we live in

In 2013, I started collaborating with the Procuradoria-Geral da República and the Judiciary Police as an Advisor and Forensics Expert. At this point, I realised that “Cyber” matters did not just cover technical or legal issues. The human being has merged with all the technological devices surrounding us. The Internet of Things (IoT) is not as recent a subject as it is thought; taking into account the speed of cyberspace-time, it is already part of the past.

The current paradigm of the Internet, which is focused on infrastructure, is not the right way to deal with an emerging scenario with a wide range of digital applications that process personal data. All of this requires a new Internet paradigm called the Internet of People (IoP), where humans and their devices are seen not only as end users but as active elements of the network, due to the symbiosis of all actors. Note that IoP does not replace the current infrastructure of the Internet; it exploits legacy Internet services for end-to-end connectivity on a global scale.

Regardless of connectivity and technology advancements, all of them will be based on the Internet, which is not secure in its genesis. So is cutting-edge technology being built on an unsafe infrastructure? Yes, in practice this is what happens. The Internet emerged from a perspective of enabling communication and the sharing of information between systems; it was not developed with security, or even privacy, in mind.

The Internet is anything but safe; the protocols and technologies developed over time have added layers of security on top of it. A technology that was created to facilitate remote communication is becoming a means to commit crimes and acts of war for strategic purposes, to the point of forcing governments, people and organisations to yield to external wishes, whose physical dimension or identity may not always be identifiable.

The history of recent years shows us that the Internet is being used by actors with strategic purposes, ranging from the appropriation of corporate and personal data to industrial espionage. In more extreme cases, acts of cyberwar have been carried out against Estonia and Georgia, and cyberweapons such as the Flame and Stuxnet malware have been created. These developments can come from both inside and outside; there are no purely external or internal enemies. The classic concepts that terrorism itself had already called into question, concepts that came from the time of the Cold War such as the division between security and defence, cannot be used to build models of threat prevention in cyberspace. In this domain, obsolete concepts in which we were able to quantify enemies and the origin of threats cannot serve as references.

Cyberspace has brought a greater awareness of the right to access information and knowledge, allowing Cyberspace to be perceived as a new common space (a Global Common) alongside the existing ones. A common space can be defined as an area that is not under any national jurisdiction or sovereignty and which can be accessed by all actors, whether states, non-state actors or individuals. NATO considers competition for and denial of the use of cyberspace as one of the biggest threats, given the growing sophistication of cyberattacks, whose damage can impair the proper functioning of government systems, businesses, economies, transport networks and other critical infrastructures.

The Organization understands that cyberspace security is of the utmost importance, so much so that there is a growing need for mechanisms to regulate this new domain, to the point that it is logical and useful to define Cyberspace as a common space alongside the existing ones.

Cybersecurity should not be taken lightly

There is a doctrinal challenge that must be debated in all strands and spaces. Implementing structures and procedures for everything related to cybersecurity takes time. Take NATO for example: the organisation started building its cyber structures in 2002 and only completed them in 2015, i.e. a period of 13 years to create the essential capabilities to react to threats coming from cyberspace. If NATO, with all its capabilities, took 13 years to build its response capabilities against threats from cyberspace, then a country, a company or an organisation must realise that cybersecurity is a complex issue that cannot be taken lightly.

There is a clear trend towards increased cyber-threats over the next few years, a scenario made possible by the advancement of technology and the increased number of devices connected to the network as a consequence of IoP. The perimeter to defend is constantly growing, and this can have consequences for all types of organisations. Take, for example, a company that invested heavily in the technological and procedural domains of cybersecurity but still failed to prevent a major attack that resulted in the exfiltration of data for industrial espionage. How was that possible? The attack vector, that is, the point of entry into the company’s network, was a collaborator’s smartwatch. Through active and effective data collection on the target company’s employees, a possible link was found: a collaborator who used a vulnerable device. This allowed a cyberattack on a company apparently better prepared than many others.

In such computer attacks, all that is needed to trigger a successful attack is a motivation. It may not seem like it, but there are countries motivated to attack Portugal because it is a NATO member and apparently more vulnerable than other partners. It is an old technique: when going after a better prepared target, first attack the perimeter or the most vulnerable partners. The same applies in the business environment.

In November 2018, Portugal suffered a cyberattack on its defence systems, apparently from Russia. This attack allowed the attacker to intrude into the computer systems of national defence and later exfiltrate data. Among the techniques used, phishing and an APT (Advanced Persistent Threat) stand out, following a very common attack methodology called the Cyber Kill Chain.

The Cyber Kill Chain methodology can describe the phases of an intrusion into an information system, map attack indicators, identify patterns in intrusions, and help understand the nature of information gathering. With the advancement of technology, new threats have emerged that aim to gain economic, political or military advantage. This new class of threats has been given the designation Advanced Persistent Threat. An APT is understood to be advanced because it is targeted, coordinated and purposeful; persistent because it can be repeated month after month, or year after year; and a threat because it originates from people with an intention, and with the skills and opportunities to act on it.

Most organisations today focus on risk analysis and mitigation through automated malware detection, not on an approach to deter an attack from an APT. The response to the risk from an APT fails when it attempts to mitigate it as if it were a conventional incident.

The Cyber Kill Chain methodology

The origin of this model is purely military: in military jargon a Kill Chain is a multi-stage model that describes the various stages of an attack, but also helps determine the ways to avoid such attacks. The ideal is to stop the attack at the beginning of the chain, because the less information the attacker obtains, the less likely it is that this information will be used to complete the attack later.

The Cyber Kill Chain model is similar and was presented by the American company Lockheed Martin. It describes the phases of an attack and can be used to protect information systems. The steps of the Cyber Kill Chain model are:

  1. Reconnaissance: consists of obtaining information about the target and visualising the system from the outside. This is the phase in which the attacker determines the best vectors through which to start the attack and the effort required, using open sources of information (OSINT). It is at this stage that all information about the target and the people involved is collected, using public websites, social networks or other open sources. Technical approaches such as checking for open ports on public servers are also used to identify vulnerabilities, services and applications to exploit. This is a broad layer, mainly because the human factor can be easily exploited through social engineering.
  2. Weaponization: at this stage, the attacker analyses the information gathered on the target to determine which methods to use to trigger the attack on concrete targets. In addition, the attack can be directed at people within the organisation using phishing or spear-phishing, the latter being a strand of phishing in which the attack is specifically targeted at a single individual. For example, using the information collected on LinkedIn about an individual together with social engineering techniques, coupled with the fact that the attacker knows what type of software exists in that organisation, a trojan that allows remote access can easily be sent.
  3. Delivery: sending the payload that will allow vulnerabilities to be exploited and, therefore, the target to be compromised. Endpoints on a network are the primary means of transmission, whether through a download from a website, a targeted phishing attack, or a vulnerable device belonging to an employee. Malware can also be delivered through a vulnerable web application.
  4. Exploitation: exploiting a vulnerability to execute arbitrary code on the target system. At this stage, malicious code is executed on the victim’s system.
  5. Installation: installing the malware and hiding it. It all starts with a vulnerable device or application that is exploited, allowing malicious activity to spread quickly. One of the likely scenarios is privilege escalation, but also internal scans to find specific applications and devices for stealing information, capturing network traffic, and other malicious actions. Once the malware is installed, it must hide its existence by tampering with security processes.
  6. Command and Control: to communicate and share information between the victim and the attacker, the attacker must set up command and control channels to manipulate the target system. To hide their tracks during the attack, attackers use cryptography.
  7. Actions on Objectives: various arbitrary actions can be triggered, such as data and information theft, or even the use of processing resources for purposes other than the normal ones, such as cryptocurrency mining. From the infected system, the attacker can also move from one infected machine to several machines, substantially increasing the reach of the attack. If nothing has detected the attack so far, we can say that it was an Advanced Persistent Threat (APT), which is a sophisticated way of saying that insufficient security measures were implemented to detect the threat.
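To make the point that earlier detection limits loss concrete, the following added example (not code from the original article) maps a timeline of defender-side alerts onto the seven phases listed above and reports where the chain was observed, where it was actually blocked, and which phases had no telemetry at all. The alert categories, the category-to-phase mapping and the sample events are constructed assumptions for illustration, not the taxonomy of any real product.

```python
"""Map security telemetry onto the seven Cyber Kill Chain phases.

Added example, not from the original article. Alert categories, the
mapping below and the sample timeline are constructed assumptions.
"""

# Phases in the order the article lists them; index 0 is the start of the chain.
PHASES = [
    "Reconnaissance",
    "Weaponization",
    "Delivery",
    "Exploitation",
    "Installation",
    "Command and Control",
    "Actions on Objectives",
]

# Assumed mapping from an alert category, as a defender's sensors might label
# it, to the phase it evidences. Weaponization happens on the attacker's side,
# so a defender normally has no telemetry for it at all.
ALERT_TO_PHASE = {
    "port_scan": "Reconnaissance",
    "phishing_email": "Delivery",
    "macro_execution": "Exploitation",
    "persistence_registry": "Installation",
    "beacon_traffic": "Command and Control",
    "bulk_outbound_transfer": "Actions on Objectives",
}


def phase_index(phase):
    """Position of a phase in the chain (0 = Reconnaissance)."""
    return PHASES.index(phase)


def analyse_timeline(events):
    """Summarise a list of (iso_timestamp, alert_category, was_blocked) tuples.

    Returns a dict with:
      observed    - phases with at least one alert, in chain order
      blocked_at  - earliest phase at which a control actually stopped activity
                    (None if nothing was blocked)
      uncovered   - phases with no telemetry at all
      progression - how many phases the attacker advanced beyond the first
                    observed one before the timeline ends (None if no events)
    """
    observed = {}
    for ts, category, blocked in sorted(events):
        phase = ALERT_TO_PHASE.get(category)
        if phase is None:
            continue  # unknown category: not evidence of any phase
        observed.setdefault(phase, []).append((ts, blocked))

    ordered = sorted(observed, key=phase_index)
    blocked_phases = [p for p in ordered if any(b for _, b in observed[p])]
    blocked_at = blocked_phases[0] if blocked_phases else None
    progression = (
        phase_index(ordered[-1]) - phase_index(ordered[0]) if ordered else None
    )
    uncovered = [p for p in PHASES if p not in observed]
    return {
        "observed": ordered,
        "blocked_at": blocked_at,
        "uncovered": uncovered,
        "progression": progression,
    }


# Constructed sample timeline: the phishing mail passed the gateway and the
# implant was installed; only the egress filter finally blocked the C2 beacon.
SAMPLE_EVENTS = [
    ("2019-07-01T08:00:00", "port_scan", False),
    ("2019-07-02T09:15:00", "phishing_email", False),
    ("2019-07-02T09:20:00", "macro_execution", False),
    ("2019-07-02T09:21:00", "persistence_registry", False),
    ("2019-07-03T02:00:00", "beacon_traffic", True),
]


if __name__ == "__main__":
    report = analyse_timeline(SAMPLE_EVENTS)
    print("Observed phases :", " -> ".join(report["observed"]))
    print("Blocked at      :", report["blocked_at"])
    print("No telemetry for:", ", ".join(report["uncovered"]))
    print("Phases advanced :", report["progression"])
```

In the sample run the attacker is observed at Reconnaissance but only stopped at Command and Control, five phases later, which is exactly the gap the article argues should be closed by acting earlier in the chain; the `uncovered` list is the practical starting point for deciding where new detection is needed.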

From the perspective of offensive security, understanding the Cyber Kill Chain methodology helps identify or mitigate threats at any attack layer. The earlier the threat is detected and mitigated, the lower the loss to the organisation under attack. A Cyber Kill Chain defence has to address and understand every step of an attack, preventing it where possible. Otherwise, all information on the subsequent steps should be collected in order to avoid them, if possible.

Hackers have become more efficient and effective, and information has become a more valuable target. We are all eligible for a cyberattack and should therefore consider cybersecurity in both our personal and professional lives.