Nearly 80 percent of all ransomware attacks in the first half of 2021 involved the threat of leaking exfiltrated data. Exfiltration is a popular pressure tactic because it adds a second threat on top of encryption: if the ransom is not paid, the stolen sensitive data is published on the threat actor's extortion website. Our team currently tracks over 40 threat actor extortion websites, with new sites belonging to new ransomware groups emerging each week.
With exfiltration tactics growing in popularity and sophistication, and with consequences that can include costly regulatory penalties and reputational damage, it is imperative that lawyers keep abreast of how such attacks are investigated and how to partner efficiently with digital forensics professionals to understand the real scope of an incident.
Exfiltration is rarely a "smoking gun" in an environment; the finding often rests on what can be called circumstantial evidence. The best evidence to "see" the data leave the environment comes from the network layer, typically firewall logs. Firewall logs record flow metadata rather than content: they let forensic examiners determine where the data was flowing to (the egress IP address), over which ports, and how many bytes were transferred in and out of the network. There are a few issues, however, to be aware of with these logs:
Laptops, workstations and other user-controlled devices are another source of evidence in an exfiltration investigation. Forensic investigators can establish a baseline of the environment to distinguish normal from abnormal activity given standard or consistent work patterns. A user logging into a system from a different country, or at an unusual time of day, can then point to other red flags. Below are some of the fact patterns examiners review to determine whether a host may have been used for exfiltration:
Cloud storage websites to which data can be uploaded and synced for access from anywhere (including the attacker's computer).
When deciding whether a host was used for exfiltration, we typically need to see a combination of the above fact patterns before we can state with any degree of confidence that exfiltration occurred. The more fact patterns that match, the higher the degree of confidence.
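The following Python script is an added example, not code from the original article or from Kroll; it shows how an examiner can combine the two evidence sources described above into a per-host confidence rating. It parses constructed firewall log lines (the key=value format, the internal address ranges, the 1 GB egress threshold, the business-hours window, the baseline country "CA" and the cloud-storage domains are all assumptions for the example), totals outbound bytes from each internal host to each external destination, adds host-layer fact patterns (foreign or off-hours logons, visits to cloud storage sites), and maps the number of matching patterns to a confidence level.

```python
"""Added example: score hosts for possible data exfiltration by combining
firewall egress volume with host-layer fact patterns.  All sample data below is
constructed for illustration; formats and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed firewall flow records (one flow per line, key=value fields).
FIREWALL_LOG = """\
ts=2021-06-14T02:13:05Z src=10.0.1.25 dst=203.0.113.9 dport=443 bytes_out=4800000000 bytes_in=120000
ts=2021-06-14T02:40:11Z src=10.0.1.25 dst=203.0.113.9 dport=443 bytes_out=6200000000 bytes_in=98000
ts=2021-06-14T09:15:00Z src=10.0.1.40 dst=198.51.100.7 dport=443 bytes_out=25000000 bytes_in=900000000
ts=2021-06-14T10:02:30Z src=10.0.1.40 dst=10.0.2.5 dport=445 bytes_out=3000000000 bytes_in=100000
"""

# Constructed host events (logons from the authentication log, web visits from
# browser history or proxy logs).  Country "ZZ" is a placeholder foreign code.
HOST_EVENTS = [
    {"host": "10.0.1.25", "user": "jdoe", "ts": "2021-06-14T02:05:00Z", "country": "ZZ", "type": "logon"},
    {"host": "10.0.1.25", "user": "jdoe", "ts": "2021-06-14T02:30:00Z", "country": "ZZ", "type": "web",
     "domain": "files.cloud-sync.example"},
    {"host": "10.0.1.40", "user": "asmith", "ts": "2021-06-14T09:10:00Z", "country": "CA", "type": "logon"},
    {"host": "10.0.1.40", "user": "asmith", "ts": "2021-06-14T09:20:00Z", "country": "CA", "type": "web",
     "domain": "intranet.example"},
]

# Assumed baseline for the environment; a real baseline comes from the examiner's review.
BASELINE = {
    "country": "CA",
    "work_hours": (8, 18),                      # local business hours, UTC for simplicity
    "egress_threshold_bytes": 1_000_000_000,    # 1 GB to one external destination
    "cloud_storage_domains": {"files.cloud-sync.example", "drop.example"},
}

# Assumed internal ranges (RFC 1918).  Checked explicitly rather than via
# ip_address().is_private, which also treats documentation ranges as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_firewall(text):
    """Parse key=value flow lines into dicts with integer byte counts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        fields["bytes_out"] = int(fields["bytes_out"])
        fields["bytes_in"] = int(fields["bytes_in"])
        flows.append(fields)
    return flows


def external_egress(flows):
    """Total bytes sent from each internal host to each external destination.
    Internal-to-internal transfers (e.g. staging on a file server) are skipped."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes_out"]
    return dict(totals)


def confidence(pattern_count):
    """Illustrative mapping from number of matching fact patterns to confidence."""
    if pattern_count >= 3:
        return "high"
    if pattern_count == 2:
        return "medium"
    return "low" if pattern_count == 1 else "none"


def score_hosts(flows, events, baseline):
    """Return {host: {"patterns": [...], "confidence": str}} for every host seen."""
    hits = defaultdict(set)
    # Network-layer patterns from the firewall logs.
    for (src, dst), total in external_egress(flows).items():
        if total >= baseline["egress_threshold_bytes"]:
            hits[src].add("large_egress")
    for f in flows:
        # Upload-heavy flow: far more data leaving than arriving, and not tiny.
        if (is_internal(f["src"]) and not is_internal(f["dst"])
                and f["bytes_out"] > 100_000_000 and f["bytes_out"] > 10 * f["bytes_in"]):
            hits[f["src"]].add("upload_heavy")
    # Host-layer patterns from logon and web events.
    start, end = baseline["work_hours"]
    for ev in events:
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if ev["type"] == "logon":
            if ev["country"] != baseline["country"]:
                hits[ev["host"]].add("foreign_logon")
            if not start <= ts.hour < end:
                hits[ev["host"]].add("off_hours_logon")
        elif ev["type"] == "web" and ev["domain"] in baseline["cloud_storage_domains"]:
            hits[ev["host"]].add("cloud_storage_access")
    hosts = {f["src"] for f in flows if is_internal(f["src"])} | {e["host"] for e in events}
    return {h: {"patterns": sorted(hits[h]), "confidence": confidence(len(hits[h]))}
            for h in sorted(hosts)}


if __name__ == "__main__":
    for host, verdict in score_hosts(parse_firewall(FIREWALL_LOG), HOST_EVENTS, BASELINE).items():
        print(host, verdict["confidence"], ", ".join(verdict["patterns"]) or "-")
```

In the sample data, 10.0.1.25 pushes about 11 GB to one external address during a 2 a.m. session from a foreign country after visiting a cloud storage site, so it rates "high"; 10.0.1.40 moves 3 GB to an internal file server and downloads far more than it uploads externally, so it rates "none". The large internal transfer is deliberately ignored: copying data to a staging server is a precursor, not evidence that data left the network.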
One caveat: some groups are sophisticated enough to use post-exploitation and command-and-control frameworks such as Metasploit, Cobalt Strike or Empire in their attack. These frameworks run largely in memory and write very little to disk, minimizing the footprint of the attack and creating additional obstacles for forensic investigators. However, such tools are poorly suited to browsing files and folders interactively before exfiltration, so attackers usually fall back to tools that do leave traces, which typically gives examiners enough clues.
If your client is involved in an incident where exfiltration appears to have occurred, consider the following tips to protect the integrity of the investigation and maximize the impact of your digital forensics team:
If you are dealing with an exfiltration incident, consider the following questions for your forensic examiner:
In your experience with this threat actor group, do they exfiltrate data, and is there language in their communications suggesting that they exfiltrated data from the environment?
Exfiltration attacks can lead to complex investigations, reinforcing the need for tighter collaboration between corporate and external counsel and in-house and outside incident response investigators.
The outline provided here should help counsel better understand the key steps in the investigation, but it is highly recommended to review log coverage and retention policies in advance, and to rehearse exfiltration scenarios in dedicated tabletop exercises, so that the right behaviours are already in place when a real attack occurs.
This article was originally published by The Lawyer's Daily, (www.thelawyersdaily.ca) a division of LexisNexis Canada.