DOCSLIB.ORG

Data Exfiltration a Review of External Attack Vectors And

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Data Exfiltration a Review of External Attack Vectors And Author’s Accepted Manuscript Data Exfiltration: A Review of External Attack Vectors and Countermeasures Faheem Ullah, Matthew Edwards, Rajiv Ramdhany, Ruzanna Chitchyan, M. Ali Babar, Awais Rashid www.elsevier.com/locate/jnca PII: S1084-8045(17)30356-9 DOI: https://doi.org/10.1016/j.jnca.2017.10.016 Reference: YJNCA1996 To appear in: Journal of Network and Computer Applications Received date: 8 August 2017 Revised date: 18 October 2017 Accepted date: 28 October 2017 Cite this article as: Faheem Ullah, Matthew Edwards, Rajiv Ramdhany, Ruzanna Chitchyan, M. Ali Babar and Awais Rashid, Data Exfiltration: A Review of External Attack Vectors and Countermeasures, Journal of Network and Computer Applications, https://doi.org/10.1016/j.jnca.2017.10.016 This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting galley proof before it is published in its final citable form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. Data Exfiltration: A Review of External Attack Vectors and Countermeasures Faheem Ullah1, Matthew Edwards2, Rajiv Ramdhany2, Ruzanna Chitchyan3, M. Ali Babar1, 4, Awais Rashid2 1University of Adelaide, Australia & 4IT University of Copenhagen, Denmark 2Security Lancaster, School of Computing and Communications, Lancaster University, UK, 3Department of Computer Science, University of Leicester, UK ABSTRACT Context: One of the main targets of cyber-attacks is data exfiltration, which is the leakage of sensitive or private data to an unauthorized entity. Data exfiltration can be perpetrated by an outsider or an insider of an organization. Given the increasing number of data exfiltration incidents, a large number of data exfiltration countermeasures have been developed. These countermeasures aim to detect, prevent, or investigate exfiltration of sensitive or private data. With the growing interest in data exfiltration, it is important to review data exfiltration attack vectors and countermeasures to support future research in this field. Objective: This paper is aimed at identifying and critically analysing data exfiltration attack vectors and countermeasures for reporting the status of the art and determining gaps for future research. Method: We have followed a structured process for selecting 108 papers from seven publication databases. Thematic analysis method has been applied to analyse the extracted data from the reviewed papers. Results: We have developed a classification of (1) data exfiltration attack vectors used by external attackers and (2) the countermeasures in the face of external attacks. We have mapped the countermeasures to attack vectors. Furthermore, we have explored the applicability of various countermeasures for different states of data (i.e., in use, in transit, or at rest). Conclusion: This review has revealed that (a) most of the state of the art is focussed on preventive and detective countermeasures and significant research is required on developing investigative countermeasures that are equally important; (b) Several data exfiltration countermeasures are not able to respond in real-time, which specifies that research efforts need to be invested to enable them to respond in real-time (c) A number of data exfiltration countermeasures do not take privacy and ethical concerns into consideration, which may become an obstacle in their full adoption (d) Existing research is primarily focussed on protecting data in ‘in use’ state, therefore, future research needs to be directed towards securing data in ‘in rest’ and ‘in transit’ states (e) There is no standard or framework for evaluation of data exfiltration countermeasures. We assert the need for developing such an evaluation framework. Keywords: Data Exfiltration, Data Leakage, Data Theft, Data Breach, External Attack Vector, Countermeasure 1. Introduction Data theft (formally referred to as data exfiltration) is one of the main motivators for cyber-attacks irrespective of whether carried out by organised crime, commercial competitors, state actors or even “hacktivists”. Preventing data exfiltration is increasingly becoming a challenging task due to two main reasons. First, over the span of last few years, cyber-crime has transformed from an individual’s act to an organizational act. This transformation has provided attackers (or often called hackers) with high budget, resources, and sophistication to become more professional in data exfiltration. Second, the existing data infrastructure contains several means (as shown in Fig. 1a) that are originally designed for the legitimate exchange of data but can be used for data exfiltration. Fig. 1b shows one scenario of how these legitimate means can be leveraged for data exfiltration. Stage-1: The attacker researches the available means within an enterprise to find some weaknesses that can be exploited to exfiltrate data. Stage-2: Once the weakness has been identified, the attacker launches the attack to exploit the identified weakness. The attack can either be network-based or physical-based. In a network-based attack, an attacker may use different techniques such as phishing email, malware, or some kind of injections. In a physical attack, an attacker may leverage techniques like copying data to a removable device or even get hold on some printed documents. Stage-3: Once the attacker gains the required access to the sensitive data, the process 1 Fig. 1a: Some of the means of Data Exfiltration Fig. 1b: Data Exfiltration Scenario of data exfiltration starts as shown in Fig. 1b. Due to the sophistication of attacks and several available means, there has been a number of data exfiltration incidents reported recently. According to ITRC Breach Report1, until 3rd October 2017, there have been 1056 data exfiltration incidents in 2017. A popular incident reported in June 2017 was the leakage of data of 200 million American voters, which was compiled for Republican National Committee. The data contained personal information of voters that included name, home address, phone number, date of birth, and voter registration details. The leak occurred due to misconfiguration of the database holding the data. Equifax and Deloitte are two of the top companies, which have recently fallen victims to major cyber security attacks that have left millions of people’s private and business data exfiltrated23. Both of the companies were entrusted with the responsibilities of safeguarding that very data that got stolen with known and unknown personal, professional, and business implications for private citizens as well as businesses. ITRC Breach Report has several other incidents among which the most noticeable are shown in Fig. 2. Recently, Verizon released 2017 Data Breach Investigations Report4 that revealed some interesting aspects of this growing concern. According to this report, 75% of data exfiltration attacks were perpetrated by external attackers (i.e., hackers) while 25% of the attacks involved actors within the victim organization. This report also reveals that among all the data leaks, about 24% occurred in the financial sector, about 15% occurred in the healthcare sector, about 15% occurred in retail and accommodation sector, and about 12% occurred in public sector entities. As evident from the above-mentioned statistics, such proliferation of data exfiltration is becoming a serious concern for business and government organizations. For businesses, data exfiltration may cause huge financial and reputational damage by disclosing trade secrets, information about future projects, and customers’ profiles to competitors. For governments, the consequences of data exfiltration can be even more severe when national secrets or information about political settlements fall into the hands of adversaries. Driven by the need to address such a serious concern, security experts develop various security systems that include but not limited to Intrusion Detection System (IDS), Intrusion Prevention System (IPS), firewall, and Security Information and Event Management (SIEM). However, these systems fall short in dealing with data exfiltration due to unstructured and constantly evolving nature of data. To overcome this limitation, security experts and researchers come up with the idea of data exfiltration countermeasures, which specifically aim to detect, prevent, or investigate data exfiltration. Unlike traditional security systems (e.g., IDS, IPS, and firewall), which 1 http://www.idtheftcenter.org/images/breach/2017Breaches/ITRCBreachReport2017.pdf 2 https://www.theguardian.com/us-news/2017/sep/07/equifax-credit-breach-hack-social-security 3 https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails 4 https://www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf 2 are supposed to act when an attacker tries to enter the enterprise, data exfiltration countermeasures are expected to work when an attacker is on its way back from the enterprise with the sensitive data. We assert that there is an important need of providing an extensive overview and in-depth analysis of the available literature to connect the knowledge about the current state of the art on this topic. We have carried out an extensive literature review on data exfiltration to derive
Load more

Recommended publications
  • Agent Based System for Realtime Database Audit Monitoring
    UNIVERSITY OF NAIROBI SCHOOL OF COMPUTING AND INFORMATICS AGENT BASED SYSTEM FOR REALTIME DATABASE AUDIT MONITORING BY BONIFACE AKUKU P58/73079/2009 SUPERVISOR MR. CHRISTOPHER MOTURI August 2011 A research report submitted in partial fulfillment for the requirements of Master of Science in Computer Science University of NAIROBI Library 0439225 4 Table of Contents Table of Contents........................................................................................................................................ „... ii Abstract............................................................................................................................................................. iii Dedication......................................................................................................................................................... iv Acknowledgement..............................................................................................................................................v Declaration........................................................................................................................................................ vi Abbreviations...................................................................................................................................................vii List of Tables...................................................................................................................................................viii List of Figures...................................................................................................................................................ix
    [Show full text]
  • Negative Database for Data Security
    Negative Database for Data Security Anup Patel Niveeta Sharma Magdalini Eirinaki Computer Engineering Department San Jose State University [email protected], [email protected], [email protected] Abstract high database security levels. This framework is a collection of some algorithms that manipulate the input Data Security is a major issue in any web-based data and store it in the database. This populated database application. There have been approaches to handle is referred to as the negative database. A negative intruders in any system, however, these approaches are database can be defined as a database that contains huge not fully trustable; evidently data is not totally protected. amount of data which consists of counterfeit data along Real world databases have information that needs to be with the actual data. A few approaches that describe this securely stored. The approach of generating negative concept have been proposed but have not yet been database could help solve such problem. A Negative implemented to work for real world databases [5]. All Database can be defined as a database that contains the proposed algorithms had issues related to the huge amount of data consisting of counterfeit data along reversibility of the data, converting back to the original with the real data. Intruders may be able to get access to form from the negative representations [3] and the fact is such databases, but, as they try to extract information, that they have not yet been implemented. [2, 4]. they will retrieve data sets that would include both the Contrary to previous work, the proposed framework actual and the negative data.
    [Show full text]
  • Security Implementation on EAV Model Using Negative Database and Shuffling
    Pooja Vartak. Int. Journal of Engineering Research and Application www.ijera.com ISSN: 2248-9622, Vol. 7, Issue 8, (Part -6) August 2017, pp.56-60 RESEARCH ARTICLE OPEN ACCESS Security Implementation on EAV model using Negative database and Shuffling. Pooja Vartak*, Prof. Amarja Adgaonkar** *(Department of Computer Engineering, L R Tiwari College of Engineering, Mumbai University, India ** (Department of Computer Engineering, K C College of Engineering and Technology, Thane Mumbai University, India Corresponding Author: Pooja Vartak ABSTRACT This Paper presents an improvised security mechanism for EAV (Entity Attribute Value) data model. EAV data model for data storage has been used in various information systems now days as it gives an advantage of data flexibility and addition and modification of new data without changing the physical database schema. In EAV (Entity Attribute Value) model uses only three columns to store the data where first column stores entity, second column stores attribute and third column stores the value of the attribute for particular entity and single generic table is used to the data. As data security and database flexibility is important in this paper we are proposing security mechanism for existing databases using concept of negative database and shuffling. Keywords: EAV Model, Negative Database, Information Security, Shuffling. -------------------------------------------------------------------------------------------------------------------------------------- Date of Submission: 11-08-2017 Date of acceptance:
    [Show full text]
  • Self-Protection Against Insider Threats in DBMS Through Policies Implementation
    (IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 8, No. 3, 2017 Self-Protection against Insider Threats in DBMS through Policies Implementation Farukh Zaman, Basit Raza Ahmad Kamran Malik, Adeel Anjum Department of Computer Science Department of Computer Science COMSATS Institute of Information Technology COMSATS Institute of Information Technology Islamabad, Pakistan Islamabad, Pakistan Abstract—In today’s world, information security of an Firewall, network traffic monitoring, enforcing password organization has become a major challenge as well as a critical mechanism and penetration testing [4]. However, it’s difficult business issue. Managing and mitigating these internal or to monitor insider’s intent. According to CERT survey, more external security related issues, organizations hire highly than 700 cases were caused by the insider threats [6]. To knowledgeable security expert persons. Insider threats in protect against these threats database should have some extra database management system (DBMS) are inherently a very hard features of Autonomic Computing like self-protection. We problem to address. Employees within the organization carry out first provide an introduction to Autonomic computing and its or harm organization data in a professional manner. To protect components. and monitor organization information from insider user in DBMS, the organization used different techniques, but these Autonomic computing has the ability to self-manage its techniques are insufficient to secure their data.
    [Show full text]
  • University of Hawa1'1 Ubra~Y
    UNIVERSITY OF HAWA1'1 UBRA~Y NETWORK THREAT DETECTION UTILIZING ADAPTIVE AND INNATE IMMUNE SYSTEM METAPHORS A DISSERTATION SUBMITTED TO THE GRADUATE DIVISION OF THE UNIVERSITY OF HAW AI 1 IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY IN COMPUTER SCIENCE MAY 2008 By Robert L. Fanelli Dissertation Committee: Kimberly Binsted, Chairperson Edoardo Biagioni David Chin WesJey Peterson Raymond Panko We certify that we have read this dissertation and that, in our opinion, it is satisfactory in scope and quality as a dissertation for the degree of Doctor of Philosophy in Computer Science. DISSERTATION COMMITTEE ~ ~ Chairperson , i Dedication To Lisa, Anne and John. the true Precious. ii Acknowledgements My thanks go to my advisor, Kim Binsted, for her guidance and support throughout the dissertation process. Thanks also go to my committee members, Edo Biagioni, David Chin, Wes Peterson and Ray Panko for their valuable time, sage advice and keen eyes. I'd like to acknowledge the support of the United States Anny in providing the opportunity to pursue this research. Thanks also go to the International Infonnation Systems Security Certification Consortium, (ISC)2, for their support in the conduct of this research. Finally, heartfelt thanks go to my family for their unwavering support and for putting up with distractedness, irritability, missed weekends and all the other features of life in the computer dungeon. The views expressed in this document are those of the author and do not necessarily reflect the official policy or position of the United States Anny, the Department of Defense or the U.S.
    [Show full text]
  • Leveraging Positive and Negative Representations of Information
    Leveraging Positive and Negative Representations of Information by Eric Delarosa Trias B.S., Computer Science, University of California, Davis, 1988 M.S., Computer Engineering, Air Force Institute of Technology, 2002 DISSERTATION Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy Computer Science The University of New Mexico Albuquerque, New Mexico December, 2008 c 2008, Eric Delarosa Trias iii Dedication Sa aking pamilia, mga kaibigan at guro na tumulong para ako’y magtagumpay. iv Acknowledgments First and foremost, I thank God for his countless blessings and for giving me the strength to persevere. I also know that I couldn’t have done this without the support of my wife and children. They sacrificed much for me to finish. I was fortunate to have dedicated collaborators who were essential to this research. I would like to thank Fernando Esponda for his help and inspiration. To Elena S. Ackley, your enthusiasm and hard work gave life to our research. To Jorge Navas, your partnership was invaluable to this work. I heartily acknowledge Prof. Stephanie Forrest, my advisor and dissertation chair, for her guidance and encouragement. I also thank my committee members, Prof. Greg Heileman, Prof. Terran Lane, and Prof. Jedidiah Crandall. Finally, I thank the U.S. Air Force and the Air Force Institute of Technology for providing this fellowship opportunity. The views expressed in this article are those of the author and do not reflect the official policy or position of the United States Air Force, Department
    [Show full text]
  • Adding Belief Annotations to Databases
    Believe It or Not: Adding Belief Annotations to Databases Wolfgang Gatterbauer, Magdalena Balazinska, Nodira Khoussainova, and Dan Suciu Department of Computer Science and Engineering, University of Washington, Seattle, WA, USA fgatter, magda, nodira, [email protected] ABSTRACT As the community accumulates knowledge and the data- We propose a database model that allows users to anno- base content evolves over time, it may contain conflict- tate data with belief statements. Our motivation comes ing information and members may disagree on the in- from scientific database applications where a commu- formation it should store. Relational database man- nity of users is working together to assemble, revise, agement systems (DBMSs) today can help these com- and curate a shared data repository. As the commu- munities manage their shared data, but provide limited nity accumulates knowledge and the database content support for managing conflicting facts and conflicting evolves over time, it may contain conflicting informa- opinions about the correctness of the stored data. tion and members can disagree on the information it The recent concept of database annotations aims to should store. For example, Alice may believe that a tu- address this need: annotations are commonly seen as su- ple should be in the database, whereas Bob disagrees. perimposed information that helps to explain, correct, He may also insert the reason why he thinks Alice be- or refute base information [36] without actually chang- lieves the tuple should be in the database, and explain ing it. Annotations have been recognized by scientists as what he thinks the correct tuple should be instead. an essential feature for new generation database man- We propose a formal model for Belief Databases that agement systems [4, 8, 18], and efficient management interprets users' annotations as belief statements.
    [Show full text]
  • Adding Belief Annotations to Databases
    Believe It or Not: Adding Belief Annotations to Databases Wolfgang Gatterbauer, Magdalena Balazinska, Nodira Khoussainova, and Dan Suciu Department of Computer Science and Engineering, University of Washington, Seattle, WA, USA fgatter, magda, nodira, [email protected] ABSTRACT As the community accumulates knowledge and the data- We propose a database model that allows users to anno- base content evolves over time, it may contain conflict- tate data with belief statements. Our motivation comes ing information and members may disagree on the in- from scientific database applications where a commu- formation it should store. Relational database man- nity of users is working together to assemble, revise, agement systems (DBMSs) today can help these com- and curate a shared data repository. As the commu- munities manage their shared data, but provide limited nity accumulates knowledge and the database content support for managing conflicting facts and conflicting evolves over time, it may contain conflicting informa- opinions about the correctness of the stored data. tion and members can disagree on the information it The recent concept of database annotations aims to should store. For example, Alice may believe that a tu- address this need: annotations are commonly seen as su- ple should be in the database, whereas Bob disagrees. perimposed information that helps to explain, correct, He may also insert the reason why he thinks Alice be- or refute base information [36] without actually chang- lieves the tuple should be in the database, and explain ing it. Annotations have been recognized by scientists as what he thinks the correct tuple should be instead. an essential feature for new generation database man- We propose a formal model for Belief Databases that agement systems [4, 8, 19], and efficient management interprets users' annotations as belief statements.
    [Show full text]
  • Negative Representations of Information
    Negative Representations of Information by Carlos Fernando Esponda Darlington B.S., Instituto Tecnol´ogico Aut´onomo de M´exico, 1995 DISSERTATION Submitted in Partial Fulfillment of the Requirements for the Degree of Doctor of Philosophy Computer Science The University of New Mexico Albuquerque, New Mexico December 2005 c 2005, Carlos Fernando Esponda Darlington iii Dedication Para mi Luciernaga preciosa. iv Acknowledgments I would like to thank my Dad, Mom and Sister; Mom, Dad and Sister; Sister, Mom and Dad; Mom, Sister and Dad; Dad, Sister and Mom; Sister, Dad and Mom in no particular order and with all my heart. I want to thank and acknowledge Stephanie Forrest mentor, collaborator and friend, Paul Helman who taught me a lot and whose input made this work robust, and Elena Ackley for helping me make it real. Throughout the years the people at the adaptive computation laboratory have listened and provided input, in particular Todd Kaplan, Dennis Chao, Anil Somayaji, Matt Glickman, Josh Karlin, Rob Abbott, Ken Ingham, Hajime Inoue, Gabriela Barrantes, Haixia Jia, Justin Balthrop and Ryan Gerety. Terran Lane, professor and committee member continually poses challenges that enrich my research (thanks). I thank Nitant Kenkre for being in my committee and providing a different perspective on things. My friends Gerardo, Horacio, Vladimir, Todd, Dennis, Lucinda and Alejandro (Barru) have provided input and support that is impossible to quantify. My sisters Le, Gaby, Susi and Flor have been my strong advocates and have always helped me along the way. In particular, I want to thank Gaby and Xavier for always making my trips back home pleasurable.
    [Show full text]
  • U Niversal I Ntegration a Rchitecture for H
    U NIVERSAL I NTEGRATION A RCHITECTURE FOR H ETEROGENEOUS D ATASOURCES AND O PTIMISATION M ETHODS UNIWERSALNA ARCHITEKTURA INTEGRACYJNA DLA HETEROGENICZNYCH ZRÓDEŁ´ DANYCH I METOD OPTYMALIZACJI THIS DISSERTATION IS SUBMITTED FOR THE DEGREE OF Doctor of Philosophy BY MICHAŁ CHROMIAK FACULTY OF MATHEMATICS, PHYSICS AND COMPUTER SCIENCE, Maria Curie-Skłodowska University, Lublin ADVISOR: prof. dr hab. Krzysztof Stencel INSTITUTEOF FUNDAMENTAL TECHNOLOGICAL RESEARCH, POLISH ACADEMYOF SCIENCES WARSAW 2015 Table of Contents Page LISTINGS ............................................... 5 LISTOF FIGURES ........................................... 6 LISTOF TABLES ........................................... 8 ABSTRACT .............................................. 9 CHAPTER 1. INTRODUCTION ................................... 19 1.1 Motivation . 19 1.2 Considerations, Objectives and the Thesis . 20 1.3 History and Related Work . 22 1.4 Thesis Outline . 23 CHAPTER 2. THE STATE OF THE ART AND THE RELATED WORKS . 25 2.1 Integrity - the Philosophy of Integration . 25 2.2 Integration - Cure for Chaos of Multiplicity, General Considerations . 27 2.2.1 At the beginning there was a relation . 28 2.2.2 Revolution - the Web changes everything ................... 30 2.2.3 Integration - Principia and Taxonomy . 35 2.2.4 Data Integration Practices . 38 2.2.5 Integration Theory . 42 2.2.6 Data Integration Issues . 47 2.3 Data Stores - the Integration Targets . 51 2.3.1 Database modelling - persistence . 51 2.3.2 Relational Model . 51 2.3.3 Object-oriented Database Model . 55 2.3.4 Column-oriented Relational Database Model (CORDB) – Relational Ap- proach . 56 2.3.5 NoSQL – Distributed Storage Services . 57 2.3.6 NewSQL . 63 2.3.7 Big Data - all or nothing . 66 2.3.8 After SQL Era . 68 2.3.9 Database taxonomy .
    [Show full text]
  • Database Repairing and Consistent Query Answering
    BERTOSSI SeriesSeriesSeries ISSN: ISSN:ISSN: 2153-5418 2153-54182153-5418 BERTOSSI BERTOSSI MMM MorganMorganMorgan & & & ClaypoolClaypoolClaypool PublishersPublishersPublishers SSSYNTHESISYNTHESISYNTHESIS L LLECTURESECTURESECTURES ON ONON D DDATAATAATA M MMANAGEMENTANAGEMENTANAGEMENT &&&CCC SeriesSeriesSeries Editor: Editor:Editor: M. M.M. Tamer TamerTamer Özsu, Özsu,Özsu, University UniversityUniversity of ofof Waterloo WaterlooWaterloo DATABASE REPAIRING AND CONSISTENT QUERYDATABASE ANSWERING DATABASE REPAIRING AND CONSISTENT QUERYDATABASE ANSWERING REPAIRING AND CONSISTENT QUERYDATABASE ANSWERING DatabaseDatabaseDatabase Repairing RepairingRepairing and andand Consistent ConsistentConsistent DatabaseDatabaseDatabase RepairingRepairingRepairing QueryQueryQuery Answering AnsweringAnswering LeopoldoLeopoldoLeopoldo Bertossi, Bertossi,Bertossi, Carleton CarletonCarleton University, University,University, Ottowa, Ottowa,Ottowa, Canada CanadaCanada andandand ConsistentConsistentConsistent QueryQueryQuery IntegrityIntegrityIntegrity constraints constraintsconstraints are areare semantic semanticsemantic conditions conditionsconditions that thatthat a a adatabase databasedatabase should shouldshould satisfy satisfysatisfy in inin order orderorder to toto be bebe an anan appropriate appropriateappropriate model modelmodel ofofof external externalexternal reality. reality.reality. In InIn practice, practice,practice, and andand for forfor many manymany reasons, reasons,reasons, a a adatabase databasedatabase may maymay not notnot satisfy satisfysatisfy
    [Show full text]