Dave Palmer, Director of Technology, Darktrace, explains why data exfiltration presents the security community with such a formidable challenge
From hacked IoT devices, to cryptojacking in corporate infrastructures and automated ransomware, novel and sophisticated cyber-attacks are notoriously hard to catch. It is no wonder that defending against these silent and never-seen-before threats dominate banks’ security agendas. But while we grapple with the old and very well-known challenge of detecting data exfiltration, it doesn’t command nearly the same amount of attention. Yet it happens – and it happens by the gigabyte.
As attackers improve their methods of purloining the sensitive data we trust our organisations to keep safe, one critical question remains: why does data exfiltration present the security community with such a formidable challenge?
Also of interest: Refusing to invest in cyber security: is the NHS making a big mistake?
Gigawatts and Hidden Tunnels
All data exfiltration attacks share one common trait: the early warning signs of anomalous activity on the network were present but traditional security failed to catch them. Regardless of level of subtlety, or the number of devices involved, perimeter tools missed the window of opportunity between initial entry and unauthorised data transfer – allowing for hundreds of gigabytes of data to be exfiltrated from the organisation.
In the financial services industry, exfiltration techniques are rife. Digging hidden tunnels in already compromised systems, cybercriminals are able to camouflage their activity amongst the backdrop of legitimate traffic. A crisis of trust occurs for security teams when the activity within these tunnels presents itself like normal web traffic, such as sending out data packets to the company’s email server.
As such, sizeable data exfiltration often goes undetected for months, or even years – only to be discovered when the data had already long been lost. And the financial services industry is no stranger to it: take the Panama Papers, where allegedly 2.6 terabytes of data were leaked, caused reputational damage to some of the world’s most recognisable public figures.
When we look at the cycle of stealthy and silent data breaches, we have to ask ourselves: how can such tremendous amounts of data leave our corporate networks without raising any alarms?
Also of interest: Are we learning from our cyber security mistakes?
Modern Networks: Living Organisms
The challenge in identifying indicators of data exfiltration lies partly in the structure of today’s networks. As our businesses continue to innovate, we open the door to increased digital complexity and vulnerability – from BYOD to third party supply chains, organisations significantly amplify their cyber risk profile in the name of optimal efficiency.
Against this backdrop, our security teams are hard-pressed to identify the subtle telling signs of a data exfiltration attempt in the hope to stop it in its tracks. To add to the complexity, they need to find the proverbial needle in an ever growing haystack of hundreds of thousands of devices on their network that they did not build, install, or even know existed.
Networks today are much like living organisms: they grow, they shrink, and they evolve at a rapid rate. If we think about a network as a massive data set that changes hundreds, if not thousands, of times per second, then we have to realise that no security team will ever be able to keep up with which actions are authorised versus which actions are indicative of data exfiltration.
Also of interest: Worried about cryptojacking? Here’s what you need to know
The Old Approach Needs Victims Before it Can Offer Solutions
Compounding the challenge of today’s labyrinthine networks, stretched security teams are always on the offense – fighting back-to-back battles against the latest form of unpredictable threat. So how can security teams cut through the noise and discern the subtle differences between legitimate activity and criminal data exfiltration campaigns?
Five years ago, we relied on historical intelligence to define tomorrow’s attack. But the never-ending cycle of data breaches have taught us that these approaches were just as insufficient then as they are now. Identifying data exfiltration should be a low-hanging fruit for security teams, but to do so, we need to rely upon technologies that make no assumptions on what ‘malicious’ activity looks like.
Organisations are increasingly turning to AI technology for the answer, capable of identifying subtle deviations from normal network activity. By understanding the nuances of day-to-day network activity, self-learning technology correlates seemingly-irrelevant pieces of information to form a comprehensive picture of what is happening within our network borders. Consequently, AI spots the subtle indicators of exfiltration as it’s happening – giving security teams valuable time to mitigate the crisis before it becomes a headline.
To break the cycle of high-profile data breaches, we must embrace AI technologies that evolve with our organisations, strengthen their defenses over time, and identify data exfiltration tactics before our sensitive information is long past the network perimeter. Attackers seeking to leak our most sensitive data are evolving to keep up with our defenses – are we evolving too?