Automated exfiltration advice
-
Hi,
I'm new to pfSense and was looking for some advice with a project I'm working on for uni. The premise of the project is how firewalls can cope with data exfiltration techniques.
Currently, I'm using a screen logger called PowerShell RAT in a virtual lab that sends screenshots via Gmail every 5 minutes. I tried using Snort with pfSense, but no alerts are triggering. I have also considered Squid due to the Gmail SSL encryption, but I'm unsure if it would work for this purpose.
Any help/advice on how to utilise pfSense against this technique would be really appreciated.
-
@gm192 How would pfSense (or a package) know that packets destined for Gmail were data the company didn't want sent?? How do you distinguish between 'good' and 'bad' packets??
-
You can't use pfSense for this. What you want is "Data Loss Prevention" (DLP) software.
There is a small chance that custom Snort rule(s) can detect a large upload stream (how big is large to you?), but it's a crude alert and has no way to know what data is allowed vs not. Alternatively, you could also write Snort rules to, say, detect large transfers from the "database" VLAN to "internet" but not "database" to the "user" VLAN. IIRC, the Snort community rules might have some examples that you could tune to your purposes.
-
Snort (or any IDS) will be somewhat crippled by the use of encryption such as SSL (web traffic) or TLS (email traffic). You could look into the preamble headers, as those are not encrypted, but I doubt you will find much there to be of use. Especially in determining private versus non-private data.
You want to do this kind of traffic inspection at the source before it is encrypted. So that means software running on the "source" endpoint such as a server or possibly a user workstation. That is what @msf2000 is referring to (DLP software). There is a lot of this software out there, but I'm not aware of any that's free. And what I am aware of is part of a much larger overall security package. These are usually marketed to large enterprises (and priced accordingly).
Another tool is looking for large file transfers and other anomalous network traffic (for example, transfers to IP space in a foreign country might be highly suspect). However, most bad guys are not stupid enough to directly transfer stolen data to their home country's IP space. They will bounce it around about a dozen "legit" locations before eventually sending it home.
If your normal outbound Internet traffic is typically web surfing and email, and suddenly you see a 20 GB file upload, that should raise a red flag. Of course data is most often "stolen" by trusted individuals (employees or on-premises contractors) using nothing more sophisticated than a USB memory stick. Firewalls and IDS won't see that. You can only prevent that by putting controls on the endpoint devices (servers and PCs) on the network.
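The two crude heuristics suggested above (a per-host "large upload" threshold, and "database" VLAN hosts talking straight to the Internet) as a small added detection script; this is example code, not something from the thread or from pfSense/Snort. The VLAN ranges, the threshold and the comma-separated flow records are all constructed assumptions.

```python
"""Flag large outbound transfers and database-VLAN-to-Internet flows.

Constructed example: the VLAN layout and flow records below are made up
to illustrate the heuristics, not taken from any real network.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed VLAN layout (hypothetical).
DATABASE_VLAN = ip_network("10.20.0.0/24")
USER_VLAN = ip_network("10.10.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed flow records: src,dst,dst_port,bytes_sent_by_src
FLOWS = """\
10.10.0.5,142.250.80.109,443,30512
10.10.0.5,142.250.80.109,443,28730
10.20.0.7,10.10.0.5,5432,8200000
10.20.0.7,203.0.113.9,443,2500000000
10.10.0.8,198.51.100.20,443,1200
"""


def parse_flows(text):
    """Parse the CSV-style records into (src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, nbytes = line.split(",")
        rows.append((ip_address(src), ip_address(dst), int(port), int(nbytes)))
    return rows


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def flag_large_uploads(flows, threshold_bytes):
    """Sum bytes each internal host sends to external destinations and
    return the hosts at or above the threshold (the 'large upload' alert)."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return sorted(str(s) for s, t in totals.items() if t >= threshold_bytes)


def flag_db_to_internet(flows):
    """Database VLAN may talk to the user VLAN, but never directly to the Internet."""
    return sorted({f"{src}->{dst}" for src, dst, _port, _b in flows
                   if src in DATABASE_VLAN and not is_internal(dst)})
```

Neither check knows whether the bytes were sensitive; they only surface volume and direction, which is exactly the limitation the replies describe.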
-
Thanks for all the advice. After reading the replies it looks like I'm going about things the wrong way. Using a firewall is set, but I get to choose the data exfiltration techniques and I've clearly tried the wrong one. I'll have a look at transferring large amounts of data and see if I have any success. I was thinking of trying DNS exfiltration, but I imagine I'd run into the same issues as before.
Again, thanks for all the help and if you have any more advice it would be welcomed :)
-
@gm192 said in Automated exfiltration advice:
Thanks for all the advice. After reading the replies it looks like I'm going about things the wrong way. Using a firewall is set, but I get to choose the data exfiltration techniques and I've clearly tried the wrong one. I'll have a look at transferring large amounts of data and see if I have any success. I was thinking of trying DNS exfiltration, but I imagine I'd run into the same issues as before.
Again, thanks for all the help and if you have any more advice it would be welcomed :)
Here is a link to some Gartner data on Data Loss Prevention software (DLP): https://www.gartner.com/reviews/market/enterprise-data-loss-prevention. As I mentioned previously, this kind of software tends to start getting pretty expensive pretty fast. But it can be quite effective. The company I retired from ran a product on all user PCs, and also a few servers (might have been the Symantec one, now that I think about it). Any data copied from any network drive or local hard drive to portable media (i.e., CD/DVD-ROM or USB stick or hard drive) was logged. It recorded the logged-in user, the filenames copied, where they were copied from (source) and where they were copied to (destination). I believe remote alerts from this activity could also be generated. Even though I worked in network security, I was not directly responsible for managing the DLP product, so I don't know all of its features.
It also goes without saying that having the proper permissions on file folders containing sensitive or proprietary data is paramount! You probably don't want to give the group Everyone read access ...