When it comes to understanding data exfiltration, you need to be able to see the whole picture. But most of us have been viewing it from our old 20th-century monitors that just can’t do this. Well, it’s time for an upgrade. With today’s advancements in NetFlow and metadata exports from a variety of vendors, there is no reason that we can’t start monitoring with the latest 4K monitors that give you full visibility no matter where you look. Today, I want to show you how you can get the complete picture by using NetFlow and packet capture to detect data exfiltration.

outdated monitoring

What is Data Exfiltration?

Exfiltration is a rather new word in the English language. In fact, it wasn’t used prevalently until recently.

By definition, data exfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. It is a malicious activity performed through various different techniques, typically by cybercriminals over the internet or other network.

More specifically, data exfiltration is a security breach that occurs when one’s data is illegally copied. Normally, it’s the result of a targeted attack where the malicious actor’s primary intent is to find and copy specific data from a specific machine. The hacker gains access to the target machine through a remote application or by directly installing a portable media device. These breaches often occur on systems that still use the hardware/software vendor’s default password or an easy-to-guess password.

Data Exfiltration with NetFlow

One of the many benefits of NetFlow and metadata is that you have quick access to the most valuable information on your network. You have details on the source and destination IPs, ports used, application details (depending on your exports), latency, etc., which gives you a good representation of what is taking place on your network. By leveraging this information, you can identify problems quickly, and you can determine root-cause without needing full packet capture to understand what’s taken place.

As you can see, if we look at this default NetFlow report from our internet-facing firewall, we can see much of the data I mentioned above.

default_flow_report

If we take advantage of additional metadata from our flow exporters, we can further understand from where data is being taken. As an example, if I look at this alarm showing 4.60GB of outbound data with 0 bytes of data coming in, I have a fairly good understanding that this is a large push of data and not, in fact, a legitimate flow connection (after all, even the connection would normally require some level of inbound traffic).

zero-bytes-inbound

If I drill in a bit deeper, I can see where this traffic was heading by looking at information like URL details, DNS information, etc. This is all very important when trying to understand where data is being leaked on your network. Now, while these reports provide valuable insight relating to where the data was taken from, it doesn’t tell us exactly what data was taken. For this, we need packet capture.

Pivot with Packet Capture

The ability to pivot directly from your NetFlow and metadata reports to packet capture is extremely valuable. NetFlow is lightweight and can be filtered through very quickly, while starting with data from your SIEM or packet capture devices can leave you frustrated and still unsure of what you need to search for to get to where you need. As I mentioned in my last post, Scrutinizer has an integration with Endace that allows you to jump directly to Endace Vision from Scrutinizer and pass the filters needed to present only the packet capture data related to the flow reports you were viewing in Scrutinizer. As Bob discussed in his last post, the same pivot functionality also works in both Splunk and Elasticsearch, which gives you additional options to pre-filter data and review information in your preferred SIEM.

endace-vision-details

 

If you’d like to learn more about the Endace and Plixer integration, watch our joint Plixer and Endace webinar “The Art of Catching and Investigating Data Exfiltration: A best practice use case leveraging Plixer and Endace.

References:
“Data Breach.” Wikipedia, Wikimedia Foundation, 7 Oct. 2017, en.wikipedia.org/wiki/Data_breach.
“Exfiltration.” Random House Unabridged Electronic Dictionary: with Recorded Pronunciations and Graphics, Random House, 1994.

Justin

Justin Jett is Director of Audit and Compliance at Plixer with roles ranging from system administration of web services to technical product marketing for Plixer’s incident response system, Scrutinizer. Jett, a graduate of the University of Maine at Farmington, is an avid learner of all things security, with a particular interest in TLS and DNS attacks.

Related