S.I.G.M.A. Network s.r.l. | Via Clelia, 60 – 00181 Roma | P.IVA/C.F. IT05255401001
Registro Imprese Roma – R.E.A. RM-870189 | Capitale sociale i.v. €10.200,00
|cookielawinfo-checkbox-analytics||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".|
|cookielawinfo-checkbox-functional||11 months||The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".|
|cookielawinfo-checkbox-necessary||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".|
|cookielawinfo-checkbox-others||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.|
|cookielawinfo-checkbox-performance||11 months||This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".|
Detecting Data Leak
Detecting Data Leaks
This month I had the opportunity to work with a customer that wanted to use our malware incident response system fordetecting data leaks. I put together a solution that met the customers goals and thought it would make a good reference for anyone who needs a solution for detecting data leakage.
Detecting Data Leaks – Saved Report
The first step was to create a saved report in Scrutinizer called “Exceeded 5 MB in 5” Below you can see that I excluded a bunch of traffic to efscloud.net as I knew it would trigger an indicator of compromise event and ultimately lead to false positives. I later added a few more exclusions; one of which was an autonomous system.
Also in the above, I specified traffic:
The above made sure that we were only looking at internal traffic headed to the Internet. In the bottom left of the above, you will see a threshold of 5M Bytes. This saved report runs every 5 minutes and any host that sends greater than 5MBs in 5 minutes will trigger an indicator of compromise (IOC) event. The IOCs will be counted by a 2nd process.
Detecting Data Leakage – Scheduled Process
The above saved report is going to create a lot of IOCs – and you want that. They won’t however, by themselves trigger a Security Event alarm. I wrote a simple program in perl that I scheduled to execute every 5 minutes. Here is what it does:
In short, the above detects end users uploading > 100MB to an unapproved Internet host(s) within a 24 hour period. Below you can see that there have been 105 events where the saved report with a threshold named “Exceeded 5 MB in 5” was exceeded by 19 different internal hosts. These 105 events are what is counted by the scheduled process. If the above criteria is met, a “Data Leak” Security Event is posted. Notice that 5 hosts had triggered it. I tested this by simply uploaded files from the 5 end systems displayed.
Regardless of whether they upload the data in 15 minutes or 15 hours, the above setup detects and alerts on it and it is customizable!
Detecting Data Exfiltration
There are many ways that electronic data can be leaked out of your company. DNS is a big risk for data leaks which is why our FlowPro Defender looks at Fully Qualified Domain Name (FQDN) requests, monitors NXDomain messages and considers several other factors often indicative of data exfiltration. My point is, we have to go about detecting data leakage several different ways.
Here’s the code for the scheduled process:
IMPORTANT NOTE: The above code does not include my latest update which is to make sure that the same event doesn’t continuously get posted to the Alarm tab. I had to add more complicated logic to accomplish this. Also, the script above looks at IP pairs, Source and Destination, however it can be easily modified to look at a single source with multiple destinations or multiple sources with a single destination. Just contact our team for the latest code or if you need help setting this up.
Ciao mondo!20 Settembre 2022
Improving Your Technology13 Novembre 2019
Apply These 5 Secret Techniques13 Novembre 2019