PFSense notification if large amounts of data downloaded

nambi

I know that many hackers and ransomware extortion schemes now download your entire DATA to hold you up as ransom threatening to contact your contacts and exploit you.

This is different then just encrypting files.

I was wondering if PFSENSE had a way of notifying the administrator if the system was experiencing large amounts of data being sent out through the firewall.

stephenw10

I'm not sure there is anything that can do that directly.

You mean alert on a data total in a given period or a data rate? How do you imagine that measuring?

Steve

bmeeks

You need more "stuff" to detect data exfiltration at the network or firewall level. By that I mean some type of SIEM platform that gets a lot of net flow data and even packet captures from say an IDS/IPS. Accurately detecting data exfiltration is difficult. It is hard to separate an individual tree from the forest in this instance. I say that familiar phrase backwards because in the case of data exfiltration you are looking for a single flow in a sea of other traffic flows.

Do a Google search using this phrase: "detect data exfiltration". You will get a lot of hits. Several of them should be to research papers describing the difficulties. I found a number of PDF papers from Universities.

And the widespread use of encryption these days, with most traffic being sent using either SSL or TLS, makes detection of data exfiltration hard. You must resort to indirect indicators in many cases since you can't see the actual packet payloads of encrypted traffic.

So the bottom line is it can be done, but it is not cheap and easy. It's not as simple as just installing some package or checking a feature box. If it was super easy, all these big corporations would not keep getting their crown jewels (proprietary company information) stolen by ransomeware hackers ... . That is the new "insurance policy" the ransomeware guys use these days. They first exfiltrate the company's secrets before encrypting their data systems. Then, if the victim refuses to pay for the decryption key, the ransomeware guys threaten to publish the stolen data.

maverick_slo

Well...
I use XDR which alerts on behavioral anomaly if large upload is detected (per host).
But additionally I also use zabbix which will send alert if upload is larger than 80Mbit/s for at least 10 minutes (configured this way so that "regular" traffic wont trigger alerts, will be different for every company...)
But it`s hard and requires deep knowledge of your network and whats OK traffic and whats not.

NollipfSense

Interesting conversations here, indeed.

bmeeks

@maverick_slo said in PFSense notification if large amounts of data downloaded:

Well...
I use XDR which alerts on behavioral anomaly if large upload is detected (per host).
But additionally I also use zabbix which will send alert if upload is larger than 80Mbit/s for at least 10 minutes (configured this way so that "regular" traffic wont trigger alerts, will be different for every company...)
But it`s hard and requires deep knowledge of your network and whats OK traffic and whats not.

Yes, there are some host-based solutions. And that is really one of the best places to put such tools because there you can generally still see the data BEFORE it's encrypted.

I was specifically referring to firewall-based or network-based tools in my earlier reply as that is how I interpreted the OP's question. It's much more difficult at that level due to the encryption and also the magnitude of data flow.