Iftach Ian Amit | August 2011




               Data Exfiltration
               Not just for Hollywood!
               Iftach Ian Amit
               VP Consulting

               DC9723
               CSA-IL Board member
               IL-CERT Visionary

All rights reserved to Security Art ltd. 2002-2011   www.security-art.com



                                                     whoami
                   • Not certified
                   • VP Consulting at Security-Art
                   • Hacker, researcher, developer
                   • I like crime, and war :-)
                   • DC9723, PTES, IL-CERT, IAF



                                                     Agenda







                                                     1. Infiltration

                   • Technical factors
                   • Human factors
                   • Command & Control in loosely connected
                           environments






                       Infiltration - Technical
                   • Exploits!          of what???

                    • Web, FTP, mail, SSL-VPN...
                      • Will only get you the basic stuff
                    • 3rd party tools used (LinkedIn,
                                  SalesForce, SaaS applications)...
                                • Harder to get
                                        *although nice to have as reproducible on many targets






                       Infiltration - Technical

                                                         The problem:
                                                     Small attack surface







                       Infiltration - Technical
                   •       How about them windows?
                   •       Win XP still the dominantly deployed OS on
                           clients (both in corporate and government
                           settings)
                   •       Win 7 is no big deal


                   •       Attack surface is much broader (spell
                           Adobe, Symantec, WinZip, AOL, Mozilla, etc...)




                            Infiltration - Human
                   • Not as in “I got your guy and I want
                           $1,000,000 to set him free”
                   • More like “dude, check out the pics from the
                           conference we went to last month. Wicked!”
                          • “did you get my memo with the new
                                  price-list <link to .xls file>”
                          • You get the idea...



                            Infiltration - Human
                   •      eMails, web links,
                          phishing...

                          •      Works like a charm!

                   •      And can be mostly
                          automated

                          •      SET to the rescue






                            Infiltration - Human
                  And... being nice/nasty/
                  obnoxious/needy always
                  helps!







               2. Data Targeting & Acquisition

                   • Weaponizing commercial tools
                   • Creating “APT” capabilities


                   • But first - targeting...



                                   Step 1: Basic Intel
       What is the
       target “willing”
       to tell about
       itself?







                              Who’s your daddy?
                       And buddy, and friends, relatives, colleagues...







               Select your target wisely


                         And then craft your payload :-)







               Not as expensive as you think
        • ZeuS: $3000-$5000
        • SpyEye: $2500-$4000
        • Limbo: $500-$1500

        FREE!






                   Just make sure to pack
   Experienced travelers
   know the importance
    of packing properly







               And set measurable goals
                • File servers
                • Databases
                • File types
                • Gateways (routes)
                • Printers



               From mass infection to APT

                   PATIENCE

                   • Mass infection: 5-6 days before detection; frequent updates
                   • APT: 5-6 months before detection; no* updates
                           * Almost





                                                     Control?
                   •       What happens when you are so far behind?
                   •       Just use your friends (peers)
                          •       Expect a one-way command scheme.
                          •       Exfiltration is a different animal...

                   [Diagram labels: Internet, 3rd party, You!, Target]




                                                3. Exfiltration
                   • Avoiding DLP
                   • Avoiding IPS/IDS egress filters
                   • Encryption
                   • Archiving
                   • Additional techniques



                  How about them SSLs?

                   • Cool.

                   • Although sometimes may be intercepted
                    • Pesky content filters...





                                                           So...

                        -----BEGIN PGP MESSAGE-----
                        Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

                        [ASCII-armored ciphertext omitted]
                        -----END PGP MESSAGE-----




                         Still “too detectable”
                        [The same ASCII-armored ciphertext, shown without the BEGIN/END PGP MESSAGE and Version lines]
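Why the header-stripped block on this slide is still "too detectable", as an added example (not code from the deck): the base64 still decodes to an OpenPGP packet header (the block's first characters, hQMO, decode to 0x85 0x03 0x0E, a Public-Key Encrypted Session Key packet), so a content filter can key on packet structure instead of the `-----BEGIN PGP MESSAGE-----` line. The sample input, function names and thresholds are constructed for illustration.

```python
import base64
import hashlib
import re

# Packet tags that normally open an OpenPGP encrypted message (RFC 4880, section 4.3).
ENCRYPTED_START_TAGS = {
    1: "Public-Key Encrypted Session Key",
    3: "Symmetric-Key Encrypted Session Key",
    9: "Symmetrically Encrypted Data",
    18: "Sym. Encrypted Integrity Protected Data",
}
B64_LINE = re.compile(r"^[A-Za-z0-9+/]{4,76}={0,2}$")
CRC_LINE = re.compile(r"^=[A-Za-z0-9+/]{4}$")   # armor checksum line, e.g. "=jN3t"


def parse_packet_header(data):
    """Return (tag, body_length) of the first OpenPGP packet, or None if not a packet."""
    if len(data) < 2 or not data[0] & 0x80:      # bit 7 is set on every packet header
        return None
    first = data[0]
    if first & 0x40:                             # new format: tag in bits 5-0
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, o1
        if o1 < 224:
            return (tag, ((o1 - 192) << 8) + data[2] + 192) if len(data) >= 3 else None
        if o1 == 255:
            return (tag, int.from_bytes(data[2:6], "big")) if len(data) >= 6 else None
        return tag, None                         # partial body length
    tag, length_type = (first >> 2) & 0x0F, first & 0x03   # old format
    if length_type == 3:
        return tag, None                         # indeterminate length
    size = (1, 2, 4)[length_type]
    if len(data) < 1 + size:
        return None
    return tag, int.from_bytes(data[1:1 + size], "big")


def classify(run, start, has_crc):
    """Decide whether a run of base64 lines looks like armor-less OpenPGP ciphertext."""
    if len({len(line) for line in run[:-1]}) != 1:
        return None                              # armor is wrapped at one fixed width
    first = run[0]
    try:
        head = base64.b64decode(first[: len(first) // 4 * 4], validate=True)
    except ValueError:
        return None
    header = parse_packet_header(head)
    if header is None or header[0] not in ENCRYPTED_START_TAGS:
        return None
    tag, length = header
    approx_bytes = len("".join(run)) * 3 // 4
    if length is not None and length > approx_bytes:
        return None                              # declared packet cannot fit in the block
    return {"line": start, "lines": len(run), "packet": ENCRYPTED_START_TAGS[tag],
            "declared_length": length, "crc24_line": has_crc}


def find_openpgp_blocks(text, min_lines=4):
    """Scan outbound content for base64 runs that start with an encrypted-message packet."""
    findings, run, start = [], [], 0
    for number, raw in enumerate(text.splitlines() + [""], 1):   # "" flushes the last run
        line = raw.strip()
        if B64_LINE.match(line):
            if not run:
                start = number
            run.append(line)
            continue
        if len(run) >= min_lines:
            finding = classify(run, start, has_crc=bool(CRC_LINE.match(line)))
            if finding:
                findings.append(finding)
        run = []
    return findings


def wrap_base64(data, width=64):
    """Base64-encode and wrap at a fixed width, as ASCII armor does."""
    encoded = base64.b64encode(data).decode("ascii")
    return "\n".join(encoded[i:i + width] for i in range(0, len(encoded), width))


def build_sample():
    """CONSTRUCTED input: a fake packet header plus deterministic filler, no armor lines."""
    filler = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(12))  # 384 bytes
    fake_message = bytes([0x85, 0x01, 0x0C]) + filler   # old-format tag 1, length 268
    return "Quarterly numbers attached.\n" + wrap_base64(fake_message) + "\n=AbCd\nRegards\n"


if __name__ == "__main__":
    for hit in find_openpgp_blocks(build_sample()):
        print(hit)
```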






                                                     Much better
                   • Throw in some additional encodings
                   • And an XOR for old times’ sake


                   • And we are good to go...
                    • 0% detection rate




                                                     Resistance is futile



               But you have no network

                   • They killed 80, 443, 53 and cut the cable to
                           the interwebs!




                   • Go old-school!




                                          Kill some trees







               To shred or not to shred?







                         Yeah, good ol’ DD...







                                Back to hi-tech (?)
                                             ET Phone Home

                     Got VOIP? Excellent!

                   • Target a handset/switch
                   • Set up a public PBX
                           OR a conference call
                           OR a voicemail box
                   • Collect your data
                   • Encode
                   • Call, leave a message, don’t expect to be called back...



                Voice exfiltration demo







                     Killing paper isn’t nice
                   • Fax it!
                   • Most corporations have email-to-fax
                           services
                          • heard of the address
                                  555-7963@fax.corp.com ?
                   • Just send any document (text, doc, pdf) to it
                           and off you go with the data...
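A defender-side check for the email-to-fax path described on this slide, as an added example (not from the deck): it reviews mail-log lines for messages to the fax gateway and flags sender/number pairs outside a baseline, oversized messages and off-hours sends. The log format, baseline, thresholds and every address except the slide's 555-7963@fax.corp.com are constructed assumptions.

```python
import re

FAX_GATEWAY = "fax.corp.com"   # gateway domain from the slide's example address

# Assumed, simplified log format (one delivered message per line); adapt to your MTA.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> "
    r"size=(?P<size>\d+) attachments=(?P<att>\d+)$"
)
# A fax recipient is a phone number as the local part at the gateway domain.
FAX_RCPT_RE = re.compile(
    r"^(?P<number>\+?[\d().-]{5,20})@" + re.escape(FAX_GATEWAY) + r"$", re.IGNORECASE
)

# CONSTRUCTED sample log lines.
SAMPLE_LOG = """\
2011-08-01T09:12:03 from=<orders@corp.com> to=<555-0100@fax.corp.com> size=48213 attachments=1
2011-08-01T09:40:10 from=<alice@corp.com> to=<bob@corp.com> size=1200 attachments=0
2011-08-02T10:05:44 from=<orders@corp.com> to=<555-0100@fax.corp.com> size=51002 attachments=1
2011-08-03T02:17:31 from=<dev7@corp.com> to=<555-7963@fax.corp.com> size=2482133 attachments=3
2011-08-03T02:19:02 from=<dev7@corp.com> to=<555-7963@fax.corp.com> size=2310441 attachments=3
2011-08-03T11:00:00 from=<orders@corp.com> to=<555-0199@fax.corp.com> size=40110 attachments=1
"""

# CONSTRUCTED baseline: (sender, digits-only fax number) pairs the business expects.
KNOWN_PAIRS = {("orders@corp.com", "5550100")}


def review_fax_traffic(log_text, known_pairs, max_bytes=1_000_000, work_hours=range(7, 19)):
    """Return one alert per fax-gateway message that deviates from the baseline."""
    alerts = []
    for line in log_text.splitlines():
        entry = LOG_RE.match(line.strip())
        if not entry:
            continue                              # unparsable line: ignore in this sketch
        rcpt = FAX_RCPT_RE.match(entry["rcpt"])
        if not rcpt:
            continue                              # not addressed to the fax gateway
        sender = entry["sender"].lower()
        number = re.sub(r"\D", "", rcpt["number"])    # normalise 555-7963 -> 5557963
        reasons = []
        if (sender, number) not in known_pairs:
            reasons.append("new sender/number pair")
        if int(entry["size"]) > max_bytes:
            reasons.append("oversized message")
        if int(entry["ts"][11:13]) not in work_hours:
            reasons.append("outside working hours")
        if reasons:
            alerts.append({"time": entry["ts"], "sender": sender,
                           "number": number, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_fax_traffic(SAMPLE_LOG, KNOWN_PAIRS):
        print(alert)
```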




                                                     Conclusions

                   • Available controls
                   • Information flow path mapping
                   • Asset mapping and monitoring




                                                     Controls

                   • Start with the
                           human factor
                   • Then add
                           technology






               Know yourself, know your enemy

                   • Where do people leave data
                    • Hint - spend time with developers.
                   • “Hack” the business process

                   • Test, test again, and then test. Follow with a
                           surprise test!




                                       Map your assets

                                                          “be true to
                                                          yourself, not to
                                                          what you believe
                                                          things should look
                                                          like”
                                                                Old Chinese proverb







                             And monitor them!
                 They are YOUR assets
                        after all

                          No reason to be
                           shy about it...

                 And remember to add
                       honey...




                                                       Then...
                                                     TEST SOME MORE




                                                                      Shameless
                                                                        Plug!

                For hints/guides see: www.pentest-standard.org




                                                     Questions?
                      Thank you!

                   Go get your fix here: www.security-art.com
                   Too shy to ask now? iamit@security-art.com
                   Need your daily chatter? twitter.com/iiamit
                   Data modulation Exfil POC: http://code.google.com/p/data-sound-poc/

 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 

Data Exfiltration Techniques and Avoiding Detection

  • 1. Iftach Ian Amit | August 2011 Data Exfiltration Not just for Hollywood! Iftach Ian Amit VP Consulting DC9723 CSA-IL Board member IL-CERT Visionary All rights reserved to Security Art ltd. 2002-2011 www.security-art.com
  • 2. whoami • Not certified • VP Consulting at Security-Art • Hacker, researcher, developer • I like crime, and war :-) • DC9723, PTES, IL-CERT, IAF
  • 3. Agenda
  • 7. 1. Infiltration • Technical factors • Human factors • Command & Control in loosely connected environments
  • 8. Infiltration - Technical • Exploits! of what??? • Web, FTP, mail, SSL-VPN... • Will only get you the basic stuff • 3rd party tools used (LinkedIn, SalesForce, SaaS applications)... • Harder to get *although nice to have as reproducible on many targets
  • 9. Infiltration - Technical The problem: Small attack surface
  • 10. Infiltration - Technical • How about them windows? • Win XP still the dominantly deployed OS on clients (both in corporate and government settings) • Win 7 is no big deal • Attack surface is much broader (spell Adobe, Symantec, WinZip, AOL, Mozilla, etc...)
  • 11. Infiltration - Human • Not as in “I got your guy and I want $1,000,000 to set him free” • More like “dude, check out the pics from the conference we went to last month. Wicked!” • “did you get my memo with the new price-list <link to .xls file>” • You get the idea...
  • 12. Infiltration - Human
  • 13. Infiltration - Human • eMails, web links, phishing... • Works like a charm! • And can be mostly automated • SET to the rescue
  • 14. Infiltration - Human And... being nice/nasty/obnoxious/needy always helps!
  • 15. 2. Data Targeting & Acquisition • Weaponizing commercial tools • Creating “APT” capabilities • But first - targeting...
  • 16. Step 1: Basic Intel What is the target “willing” to tell about itself?
  • 17. Who’s your daddy? And buddy, and friends, relatives, colleagues...
  • 18. Select your target wisely And then craft your payload :-)
  • 19. Not as expensive as you think • ZeuS: $3000-$5000 • SpyEye: $2500-$4000 • Limbo: $500-$1500 • FREE!
  • 20. Just make sure to pack Experienced travelers know the importance of packing properly
  • 21. And set measurable goals • File servers • Databases • File types • Gateways (routes) • Printers
  • 22. From mass infection to APT: PATIENCE • Mass infection: 5-6 days before detection, frequent updates • APT: 5-6 months before detection, no* updates (* almost)
  • 23. Control? • What happens when you are so far behind? • Just use your friends (peers) • Expect a one-way 3rd party command scheme. • Exfiltration is a different animal... (diagram labels: Internet, You!, Target)
  • 24. 3. Exfiltration • Avoiding DLP • Avoiding IPS/IDS egress filters • Encryption • Archiving • Additional techniques
  • 26. How about them SSLs? • Cool. • Although sometimes may be intercepted • Pesky content filters...
  • 27. So... -----BEGIN PGP MESSAGE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) [message body omitted] -----END PGP MESSAGE-----
  • 28. Still “too detectable”
  • 29. Still “too detectable” (the same message body, shown without the BEGIN/END PGP MESSAGE lines)
  • 30. Much better • Throws in some additional encodings • And an XOR for old time’s sake • And we are good to go... • 0% detection rate
  • 31. Resistance is futile
  • 32. But you have no network • They killed 80, 443, 53 and cut the cable to the interwebs! • Go old-school!
  • 33. Kill some trees
  • 34. To shred or not to shred?
  • 36. Yeah, good ol’e DD...
  • 37. Back to hi-tech (?) ET Phone Home • Got VOIP? Excellent! • Target a handset/switch • Set up a public PBX OR a conference call OR a voicemail box • Collect your data • Encode • Call, leave a message, don’t expect to be called back...
  • 38. Voice exfiltration demo
  • 43. Killing paper isn’t nice • Fax it! • Most corporations have email-to-fax services • heard of the address 555-7963@fax.corp.com ? • Just send any document (text, doc, pdf) to it and off you go with the data...
  • 44. Conclusions • Available controls • Information flow path mapping • Asset mapping and monitoring
  • 45. Controls • Start with the human factor • Then add technology
  • 46. Know yourself, know your enemy • Where do people leave data • Hint - spend time with developers. • “Hack” the business process • Test, test again, and then test. Follow with a surprise test!
  • 47. Map your assets “be true to yourself, not to what you believe things should look like” Old Chinese proverb
  • 48. And monitor them! They are YOUR assets after all No reason to be shy about it... And remember to add honey...
  • 49. Then... TEST SOME MORE Shameless Plug! For hints/guides see: www.pentest-standard.org
  • 50. Questions? Thank you! • Go get your fix here: www.security-art.com • Too shy to ask now? iamit@security-art.com • Need your daily chatter? twitter.com/iiamit • Data modulation Exfil POC: http://code.google.com/p/data-sound-poc/
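
Slides 27 to 29 turn on a content filter that keys on the PGP armor lines. As an added example (not from the deck or its POC), the check below is a defender-side egress inspection that also decodes long base64 runs and measures byte entropy, so the body is flagged with or without the header; the thresholds, finding names and sample bodies are assumptions constructed for illustration.

```python
import base64
import hashlib
import math
import re
from collections import Counter

ARMOR_RE = re.compile(r"-----BEGIN PGP [A-Z ]+-----")
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # one unbroken encoded line
MIN_BYTES = 512    # assumption: ignore short tokens such as session ids
OPAQUE_BITS = 7.0  # assumption: bits/byte above which data looks encrypted or compressed


def shannon_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def _decode(token):
    token = token.rstrip("=")
    token = token[: len(token) // 4 * 4]  # keep whole 4-character groups only
    return base64.b64decode(token)


def inspect_body(body):
    """Return a list of findings for one outbound message body (mail, HTTP POST, ...)."""
    findings = []
    if ARMOR_RE.search(body):
        findings.append("pgp-armor-marker")  # the signature check slide 29 sidesteps
    decoded = b"".join(_decode(t) for t in B64_TOKEN_RE.findall(body))
    if len(decoded) >= MIN_BYTES:
        if shannon_entropy(decoded) >= OPAQUE_BITS:
            findings.append("opaque-encoded-blob")
        else:
            findings.append("encoded-blob-inspect-decoded")
    return findings


def _lines64(raw):
    text = base64.b64encode(raw).decode()
    return "\n".join(text[i:i + 64] for i in range(0, len(text), 64))


def constructed_samples():
    """Constructed bodies; the 'ciphertext' is SHA-256 output, not real PGP data."""
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    blob = _lines64(noise)
    memo = _lines64(b"Updated price list for the northern region is attached. " * 12)
    return {
        "armored": "-----BEGIN PGP MESSAGE-----\n\n" + blob + "\n-----END PGP MESSAGE-----",
        "header_stripped": "So...\n" + blob,
        "encoded_text": "see attachment\n" + memo,
        "plain": "Hi team,\nthe minutes from Tuesday are on the shared drive.\n",
    }


if __name__ == "__main__":
    for name, body in constructed_samples().items():
        print(name, inspect_body(body))
```

A finding of `encoded-blob-inspect-decoded` means the decoded bytes are readable enough to hand back to ordinary content inspection rather than to alert on directly.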