CIO Magazine has a good article that looks at typical data exfiltration events. Criminals are becoming more sophisticated in their methods of both online attack and data exfiltration. Data is usually exfiltrated (or exported) by copying it from the victim system over the network, although removable media or physical theft can also be used. In 2009, Trustwave investigated over 200 data breaches in 24 different countries. While the methods used to exfiltrate data from a compromised environment varied, 45% of compromises involved attackers gaining access to a system through a remote access application being used by the victim organization.
Once a foothold is established, attackers often launch network enumeration tools to discover additional targets within the environment and retrieve system information, such as usernames, group privileges, network shares, and available services. The noise generated by enumeration tools can indicate a pending attack, if IT and Security staff are listening for it. Unfortunately, most are not monitoring their systems and networks extensively and fail to observe these indicators.
Once attackers gain access to the target environment, they harvest data using either manual or automated methods. Using manual processes, potentially valuable databases and documents are located, and searches of the operating system are conducted using specific keywords to further identify data. Automated methods use custom written malware that takes advantage of flaws found in the applications being used to process confidential data.
Criminals often used the same remote access application that gave them entry to extract data. Existing services, such as native FTP and HTTP client functionality, were also frequently leveraged for data extraction. When malware is used for data extraction, FTP, SMTP and IRC functionality are regularly observed. With off-the-shelf malware, such as keystroke loggers, attackers most often use built-in FTP and e-mail capabilities to exfiltrate data. When e-mail services are employed for extraction, attackers often install a malicious SMTP server directly on the compromised system to ensure the data is properly routed.
Paying close attention to the behaviors of “normal” activity against “standard” systems is the key to identifying a problem before it is too late. Every anomaly should be viewed with a degree of suspicion and addressed through internal investigation by an expert.