The document discusses data breach mitigation and lessons learned. It provides an overview of common data stealing methods like tunneling and using common file transfer protocols. It also summarizes the Capital One data breach according to the MITRE ATT&CK framework, outlining the initial access, persistence, discovery, exfiltration and command/control stages. Key lessons include monitoring process and command execution related to compression/encryption tools, anomaly network/endpoint activities, data sent via uncommon protocols/tunneling, and endpoint configuration changes. The presenter is available for Q&A after reviewing detection engineering practices and characteristics of solutions that can help mitigate data breaches through monitoring, detection, analysis, response and recovery capabilities.

1. Webinar OIC-CERT
Data Breach Mitigation and
Lesson Learned
Digit Oktavianto
29th June 2021
@digitoktav
https://threathunting.id/
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 1
What the Hackers Do
to Steal Data?

2. Who Am I
 Infosec Consulting Manager at Mitra Integrasi Informatika
 Born to be DFIR Team
 Community Lead @ Cyber Defense Community Indonesia
(CDEF)
 Co-Founder BlueTeam.ID (https://blueteam.id)
 Member of Indonesia Honeynet Project
 Member of Asosiasi Cloud Computing Indonesia
 Opreker and Researcher
 {GCIH | GMON | GCFE | GICSP | CEH | ECSA | ECIH | CHFI |
CTIA | CSA | ECSS} Certifications Holder
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 2

3. Cost Of Data Breach 2020
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 3

4. ENISA Threat Landscape 2020
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 4

5. 29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 5
https://cdef.id/cdef-awareness-1-enterprise-data-breach-prevention-using-mitre-attck-framework/

6. MITRE ATT&CK Framework
▪ MITRE ATT&CK™ is a globally-accessible knowledge base of
adversary tactics and techniques based on real-world
observations. The ATT&CK knowledge base is used as a
foundation for the development of specific threat models
and methodologies in the private sector, in government, and
in the cybersecurity product and service community.
With the creation of ATT&CK, MITRE is fulfilling its mission to
solve problems for a safer world — by bringing communities
together to develop more effective cybersecurity. ATT&CK is
open and available to any person or organization for use at no
charge
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 6

7. 29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 7

8. Lesson Learned from Data Breach IR
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 8

9. Sample Data Stealing Method
 Exfiltration Data via Tunneling (DNS Tunnel, ICMP Tunnel, etc)
 Exfiltration Data via Common Method (FTP, Cloud Services)
 Exfiltration via Encrypted Communication Network Channel
 Exfiltration using Physical Media (USB Drive, Hard Disk, etc)
 Exfiltration using Scheduled Transfer Data
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 9

10. Case Study Data Breach Capital One
Several stages of an attack kill chain outlined in the MITRE ATT&CK framework were seen
in the Capital One data breach – initial access, persistence, discovery, exfiltration and
command & control. In fact, for some tactics, the attack leveraged multiple techniques to
accomplish that phase of the kill chain which is explained below.
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 10
Source : https://www.exabeam.com/ueba/mapping-capital-one-data-breach-to-mitre/

11. Data Breach Phase
▪ Initial Access : Exploit Public-Facing Application (T1190)
– The attacker leveraged a glitch or a vulnerability in the
application to get an initial access to the server.
▪ Persistence : External Remote Services (T1133) – The
attacker used remote services such as VPN to connect to
internal enterprise network resources from an external
location.
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 11

12. Data Breach Phase (Cont’d …)
Discovery
• System Time Discovery (T1124) – An adversary can find out the system time and/or
time zone from a local or remote system. This information can be used to schedule
tasks to execute programs at system startup or on a scheduled basis, to conduct
remote execution, to gain system privileges, or to run a process under the context of a
specified account.
• System Information Discovery (T1082) – The attacker used enumeration techniques
to access the system details such as version, patches, hotfixes, service packs, and
architecture.
• Password Policy Discovery (T1201) – The attacker may try to find the policy enforced
in the organization to make a list of passwords to attempt a brute force or any other type
of attack.
• Permission Group Discovery (T1069)– The attacker used discovery to check for local
level group and permission settings.
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 12

13. Data Breach Phase (Cont’d …)
Command-and-Control
• Multi-hop proxy (T1188) – The attacker used a TOR network for communication.
• Remote File Copy (T1105)– Large amounts of files were downloaded and transferred
through an unused port.
Exfiltration
• Data Compressed (T1002) or/and Data Encrypted (T1022) – It’s not clear from the
report the kind of commands used to compress the files but the attacker did compress
the data to make it easier to transfer the files.
• Exfiltration Over Command and Control Channel (T1041) – The attacker used a
backdoor to transfer files to their local system before uploading to her GitHub account.
However the legal document doesn’t name the exact command and control or the IP,
but she would have queried an unknown DNS server to get the data.
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 13

14. Example Detection and Mitigation of TTPs :
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 14

15. 29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 15

16. 29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 16

17. Data, Data, Data, Data, Data …..
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 17

18. High Level Architecture Detect, Respond
and Recover Functions
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 18

19. Component List for Detect and Response
from Data Breach
 Monitoring
 File -> HIDS Host IDS. File Integrity Monitoring (FIM)
 Network -> NIDS, Netflow, Proy, DNS Log,
 Users / System -> Auditd, Sysmon, Syslog, Win Event Log, osquery, velociraptor,
 Process -> Auditd, Sysmon, osquery, velociraptor,
 Event detection
 Exfiltration activity -> Packet Capture,
 Unauthorized activity -> System Ops
 Anomalous activity -> NIDS, NIPS, UBA,
 Log collection and correlation of all activities within the enterprise
 Reporting capability
 Capability to mitigate data loss
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 19

20. Detection Engineering
Detection engineering is a set of practices and systems to deliver modern
and effective threat detection.
When building a solid detection engineering, the main goal is
to catch malicious things and to not catch too many not malicious things. If
the detection system interrupt an analyst’s activities because calling
attention to things that are not malicious, then you’re creating more work for
the analysts.
Detection products only create value by detecting things that are truly bad,
and most detection products lean towards detecting more activity so as to
not miss anything.
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 20

21. Detection Engineering
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 21
Source : Fidelis Cyber Security and Vector8 About Data Source Spectrum

22. Solutions Characteristics to Mitigate from
Data Breach
 Monitor the enterprise’s user and data activity.
 Detect unauthorized data flows, user behavior, and data access.
 Report unauthorized activity with respect to users and data in transit, at rest, or
in use to centralized monitoring and reporting software.
 Analyze the impact of unauthorized behavior and malicious behavior on the
network or end points. Determine if a loss of data confidentiality is occurring or
has occurred.
 Mitigate the impact of such losses of data confidentiality by facilitating an
effective response to a data breach scenario.
 Contain the effects of a data breach so that more data is not exposed.
 Facilitate the recovery effort from data breaches by providing detailed
information as to the scope and severity of the breach.
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 22

23. Lesson Learned from Data Breach
29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 23
 Monitoring Process and Command Execution, especially related to
compression utilities tools such as tar, zip, rar, zlib
 Monitoring Process and Command Execution related to encryption utilities such
as process which called Windows DLL “crypt32.dll” function
 Monitoring endpoint and network for anomaly activities, for example if there is
endpoint suddenly sending a large files data to outside using not common
protocol
 Monitoring data which sent out using uncommon protocol, or using tunneling
method
 Monitoring changes from the endpoint configuration

24. 29th June 2021 https://www.cdef.id : We are Cyber Warrior - Blue Team 24
THANK YOU
Q & A