Developing the perfect exfiltration technique
At SafeBreach, one of our major research areas is exfiltration (sending sensitive data out of the corporate network). In one of our research projects in late 2015, we set out to find the perfect exfiltration technique. At that time, we didn’t quite know what it would encompass, but we were determined to find out.
Now, when considering exfiltrating data from an enterprise, it makes sense to look for covert channels. Otherwise the security policy (implemented through security products) is likely to detect/prevent the exfiltration. Our obvious move, then, was to start looking at the state-of-the-art techniques in covert channels (for example, A survey of covert channels and countermeasures in computer network protocols, Covert Channels in TCP/IP Protocol Stack, and Covert timing channels using http cache headers).
With each covert channel technique we reviewed, we found counter-attacks, meaning ways to detect the covert channel and/or eliminate it. During this long phase of review and rejection, we slowly came up with a list of constraints which the perfect exfiltration technique must fulfill. This in itself was a very educational exercise. Below is an example.