Why Does Data Exfiltration Remain an Almost Unsolvable Challenge?
From hacked IoT devices to corporate infrastructures hijacked for crypto-mining to automated ransomware, novel and sophisticated cyber-attacks are notoriously hard to catch. It is no wonder that defending against these silent and never-seen-before threats dominates our security agendas. But while we grapple with the challenge of detecting the unknown, data exfiltration – an old and very well-known risk – doesn’t command nearly the same amount of attention. Yet data exfiltration happens, and it happens by the gigabyte.
As attackers improve their methods of purloining the sensitive data we trust our organizations to keep safe, one critical question remains: why does data exfiltration present the security community with such a formidable challenge?
Gigawatts and Flux Capacitors. Let’s go Back in Time.
All data exfiltration attacks share one common trait: the early warning signs of anomalous activity on the network were present, but traditional security failed to catch them. Regardless of the level of subtlety, or the number of devices involved, perimeter tools missed the window of opportunity between initial impact and the unauthorized data transfer – allowing hundreds of gigabytes of data to be exfiltrated from the organization.
The Sony hack of 2014 brought the world to a startling halt when it was revealed that attackers had spent over a year leaking 100 terabytes of data from the network. The next year brought us the Panama Papers, where allegedly 2.6 terabytes of data were leaked, causing reputational damage to some of the world’s most recognizable public figures. And in 2016, allegedly 80 gigabytes of data escaped from the Democratic National Committee’s network, launching two years of skepticism and distrust around the US elections. Each of these cases of sizeable data exfiltration remained undetected for months, or even years – only to be discovered when the data had already long been lost.
When we look at this cycle of stealthy and silent data breaches, we have to ask ourselves: how can such tremendous amounts of data leave our corporate networks without raising any alarms?
Modern Networks: Living Organisms
The challenge in identifying indicators of data exfiltration lies partly in the structure of today’s networks. As our businesses continue to innovate, we open the door to increased digital complexity and vulnerability – from BYOD to third-party supply chains, organizations significantly amplify their cyber risk profile in the name of optimal efficiency.
Against this backdrop, our security teams are hard-pressed to identify the subtle telling signs of a data exfiltration attempt in the hope of stopping it in its tracks. To add to the complexity, they need to find the proverbial needle in an ever-growing haystack of hundreds of thousands of devices on their network that they did not build, install, or even know existed.
Networks today are much like living organisms: they grow, they shrink, and they evolve at a rapid rate. If we think about a network as a massive data set that changes hundreds, if not thousands, of times per second, then we have to realize that no security team will ever be able to keep up with which actions are authorized versus which actions are indicative of data exfiltration.
The Old Approach Needs Victims Before it Can Offer Solutions
Compounding the challenge of today’s labyrinthine networks, stretched security teams are always on the offense – fighting back-to-back battles against the latest form of unpredictable threat. So how can security teams cut through the noise and discern the subtle differences between legitimate activity and criminal data exfiltration campaigns?
Five years ago, we relied on historical intelligence to define tomorrow’s attack. But the never-ending cycle of data breaches has taught us that these approaches were just as insufficient then as they are now. Identifying data exfiltration should be low-hanging fruit for security teams, but to do so, we need to rely upon technologies that make no assumptions about what ‘malicious’ activity looks like.
Organizations are increasingly turning to AI technology for the answer, capable of identifying subtle deviations from normal network activity. By understanding the nuances of day-to-day network activity, self-learning technology correlates seemingly irrelevant pieces of information to form a comprehensive picture of what is happening within our network borders. Consequently, AI spots the subtle indicators of exfiltration as it’s happening – giving security teams valuable time to mitigate the crisis before it becomes a headline.
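To make the "deviation from normal, with no signature of malicious" idea concrete, here is an added illustration (not Darktrace's product or code, and not from the original article): each internal host gets its own baseline of hourly outbound volume and known destinations from a learning window, and later hours are flagged only by how far they depart from that host's own history. All hostnames, addresses and byte counts are constructed sample data.

```python
"""Baseline-deviation exfiltration check over constructed hourly flow summaries.
Each record is (host, destination, bytes_out) for one hour. The learning set
defines 'normal' per host; observations are then scored against it.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning window (not real traffic): a quiet period for two hosts.
LEARNING = [
    ("ws-12", "mail.example.internal", 3_000_000),
    ("ws-12", "cdn.example.net", 5_000_000),
    ("ws-12", "mail.example.internal", 4_000_000),
    ("ws-12", "cdn.example.net", 6_000_000),
    ("db-01", "backup.example.internal", 900_000_000),
    ("db-01", "backup.example.internal", 950_000_000),
    ("db-01", "backup.example.internal", 920_000_000),
    ("db-01", "backup.example.internal", 880_000_000),
]

# Constructed scoring window: a workstation pushes 800 MB to an address it has
# never contacted, while the database server runs its usual nightly backup.
OBSERVED = [
    ("ws-12", "cdn.example.net", 5_200_000),
    ("ws-12", "203.0.113.45", 800_000_000),
    ("db-01", "backup.example.internal", 930_000_000),
]

def build_baseline(records):
    """Per-host profile: mean and spread of hourly volume, plus destinations seen."""
    volumes, dests = defaultdict(list), defaultdict(set)
    for host, dst, nbytes in records:
        volumes[host].append(nbytes)
        dests[host].add(dst)
    return {h: (mean(v), pstdev(v), dests[h]) for h, v in volumes.items()}

def score(baseline, records, k=3.0):
    """Return (host, dst, bytes, reasons) for hours that deviate from the host's own norm.
    A host absent from the baseline (a device nobody knew existed) has no history,
    so every byte it sends and every destination it talks to is reported."""
    hits = []
    for host, dst, nbytes in records:
        mu, sigma, known = baseline.get(host, (0.0, 0.0, set()))
        reasons = []
        if nbytes > mu + k * sigma:   # far above this host's usual hourly volume
            reasons.append("volume")
        if dst not in known:           # destination this host has never used
            reasons.append("new-destination")
        if reasons:
            hits.append((host, dst, nbytes, reasons))
    return hits
```

The 930 MB backup is not flagged because it is normal for db-01, while the 800 MB transfer from ws-12 is, purely because it is abnormal for ws-12; no list of bad destinations or payload signatures is involved.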
To break the cycle of high-profile data breaches, we must embrace AI technologies that evolve with our organizations, strengthen their defenses over time, and identify data exfiltration tactics before our sensitive information is long past the network perimeter. And as we face a global cyber skills shortage, it is now more imperative than ever that we work in tandem with technology capable of doing the heavy lifting for us. Attackers seeking to leak our most sensitive data are evolving to keep up with our defenses – are we evolving too?
Justin Fier is the Director for Cyber Intelligence & Analytics at Darktrace, based in Washington D.C. With over 10 years of experience in cyber defense, Fier has supported various elements in the US intelligence community, holding mission-critical security roles with Lockheed Martin, Northrop Grumman Mission Systems and Abraxas. Fier is a highly-skilled technical officer, and a specialist in cyber operations across both offensive and defensive arenas.