Rob Murawski CERT Coordination Center
Data exfiltration, or the unauthorized transmission of data from a system, is a large problem affecting many organizations. After a system is compromised by malicious code, the removal of the malware is only one step in mitigating the threat - confidential data may already have been stolen from the infected system. Depending on the data that has been exfiltrated, there may even be legal requirements to disclose the intrusion.
Analysis on collected samples of malicious code with exfiltration capabilities has uncovered several common techniques for performing data exfiltration. This paper describes the current techniques commonly seen to exfiltrate data from a system. This includes techniques to transmit the data back to the attacker, tactics to obfuscate the data so it is difficult to detect, and how the data is selected to be exfiltrated. Finally, these exfiltration techniques will be compared against common network monitoring practices to determine which defences are effective.