In our Collection post, we examined how attackers collect valuable information within a compromised environment. Once adversaries have gathered their loot, the next crucial step is to smuggle it out. This brings us to the MITRE ATT&CK tactic of Exfiltration. Let’s explore how various threat actors, from cyber criminals to nation-state operatives, execute this critical phase of their operations.

The Importance of Exfiltration

Exfiltration is often the culmination of an attacker’s efforts. It’s the point where they transform their hard work into tangible gains, whether that’s stealing intellectual property, obtaining sensitive personal information, or acquiring valuable intelligence. Maybe they decide to sell the data. The attackers may be interested in seeding their own future operations. They may even be using the stolen information to gain or nullify competitive advantages or exert pressure. No matter the motive, without successful exfiltration, many cyber operations would be fruitless.

Exfiltration in Historical Context

During World War II and the early Cold War era, one of the most significant exfiltration operations revolved around the United States’ top-secret Manhattan Project. While the US dedicated unprecedented resources to beat Germany to producing atomic weapons, Communist sympathizers were furious that the developments were not being shared with the Soviet allies. Unbeknownst to the US, a high-placed researcher worked to even the field. This operation saw the transfer of critical nuclear weapons research to the Soviet Union, dramatically altering the balance of power in the post-war world.

Dr Klaus Fuchs collected the sensitive information for later exfiltration. (Photo by Keystone/Getty Images)

At the heart of this operation were several key figures: Klaus Fuchs, a German-born British theoretical physicist, Ursula Kuczynski, codenamed “Sonya,” a German-born Soviet spy, and Harry Gold, a Swiss-born American chemist. Their collaboration resulted in one of the most consequential information exfiltrations in history.

Setting up the caper

Klaus Fuchs, who worked on nuclear technologies for years prior to joining the Manhattan Project from 1944 to 1946, had access to crucial information about the design and functionality of the atomic bomb. Ursula Kuczynski, already an experienced Soviet intelligence operative, served as his handler and the critical link to Moscow. While in New Mexico, Fuchs also added Gold as another outlet to provide courier deliveries to the Soviets.

The Trinity Test Site after the infamous test shows the sheer stakes of the atomic race and the reasons for Soviet interest in leveling the field. (AP Photo)

The exfiltration was carried out through a series of clandestine meetings. Fuchs would memorize or prepare notes on the latest developments, which he would then pass to Kuczynski or Gold, depending on the time and his location. Kuczynski would photograph the documents or transcribe the information, then transmit it to Moscow via radio or diplomatic pouch. Gold leveraged more ‘batch’-like payloads, carrying documents directly to his handlers.

Essential aspects of any successful Exfiltration

The exfiltration process showcased several key aspects that remain relevant in modern cyber operations:

  • Insider Access: Fuchs’ position within the Manhattan Project provided him with legitimate access to highly classified information, bypassing many security measures.
  • Stealth and Tradecraft: Kuczynski, Gold and Fuchs used sophisticated espionage techniques to avoid detection. They employed dead drops, coded messages, and limited face-to-face meetings to exchange information.
  • Persistence: The operation spanned several years, demonstrating the long-term nature of high-value intelligence gathering and exfiltration.
  • High-Value Targets: The focus on nuclear secrets represented a strategic prioritization of the most critical information.
  • Diversified Communications Paths: The success of the operation hinged on multiple paths, methods, and assets.

The value and impact

This operation had profound consequences. The information Fuchs provided significantly accelerated the Soviet nuclear weapons program, leading to their first successful atomic bomb test in 1949, years earlier than Western intelligence had anticipated. The eventual discovery of this breach in 1950 sent shock waves through Western intelligence communities. It highlighted critical vulnerabilities in personnel security and the challenges of safeguarding information in collaborative scientific environments. And it uncovered parallel, redundant Collection and Exfiltration networks like that run by Julius and Ethel Rosenberg.

This historical example underscores several key points about exfiltration that remain relevant in the digital age:

  1. The critical importance of insider threat mitigation.
  2. The need for layered security measures that go beyond access controls.
  3. The potential for seemingly small security breaches to have massive geopolitical consequences.
  4. The enduring value of human intelligence in facilitating complex exfiltration operations.

Exfiltration in Modern Cyberspace

As we transition to discussing modern cyber exfiltration techniques, it’s worth noting how many of these principles remain the same. Today’s attackers must find ways to access high-value information, extract it without detection, and transmit it securely to their handlers or command and control servers. While the technical methods have evolved dramatically, the fundamental challenges of exfiltration – and the high stakes involved – remain constant.

In today’s digital landscape, exfiltration techniques have evolved to overcome sophisticated defense mechanisms. Attackers employ a variety of methods to sneak data past firewalls, intrusion detection systems, and data loss prevention tools. They might compress and encrypt data to avoid detection, use legitimate cloud services as exfiltration points, or leverage command and control channels to slowly trickle out information.

If there is one significant difference between historical and cyber-based exfiltration, it is the level of investment and the stakes for human life. Threat actors may fret over losing a vital exfiltration path, but they rarely invest the same time and trust in developing that path, and they rarely need to consider losing a human asset.

Exfiltration Techniques

The MITRE ATT&CK framework lists 9 techniques and 9 sub-techniques under the Exfiltration tactic (TA0010). Keep in mind – these are wide-open techniques, and adversaries create a lot of opportunities for themselves within these bounds.

Exfiltration may look more compact than other tactics, but its consequences are often the greatest.

Core techniques

Let’s break these down logically. The most straightforward path is likely one the adversary already has, which is the case for Exfiltration Over C2 Channel (T1041) or, just as likely, Exfiltration Over Web Service (T1567). The main question here is whether they are willing to burn that path and risk detection. Unlike historical exfiltration, threat actors in the cyber realm can justify high turnover of paths if they have faith that those or other techniques can be used again with success. Web services are a persistent issue: they are hard to do without (SaaS-delivered storage and tools) but ripe for abuse. Exfiltration Over Another Network Medium (T1011) is another option, and relies on the fact that things like Bluetooth, Zigbee, cellular, and other alternatives are likely forgotten parts of a SOC’s responsibilities.

TinyTurlaNG, a campaign run by Russian APT Turla, uses the existing C2 channel to post collected information on the C2’s compromised WordPress servers so that the attacker can retrieve them in anonymity. (from our session BRKSEC-3026)

Threat actors who value their C2 may opt to conduct Exfiltration Over Alternative Protocol (T1048), maintaining some separation and avoiding having to reestablish lines of communication. At the other extreme, adversaries may have to resort to Exfiltration Over Physical Medium (T1052), such as a USB or other removable drive. This risks getting caught. Depending on the stakes, it could mean disciplinary action and the exposure of the operation, but in extreme cases it can trigger jail time, execution, or diplomatic fallout. Attackers use that one sparingly!

Enhancement techniques

The last category is a lot like the dead drops and tradecraft of old. Using Scheduled Transfer (T1029), an adversary leverages a visibility gap in the defenses or a lapse in observation to move the data patiently without arousing suspicion. Data Transfer Size Limits (T1030) improves the odds further: no matter the mechanism of transfer, keeping each transfer small helps avoid detection thresholds and stay under the radar. In any case, hiding what the adversary thinks is of value from the defender is very useful. Data Obfuscation (T1001) does exactly that, usually through encoding, encryption, or some other means.

Automated Exfiltration (T1020) occurs as part of a scripted or automated Collection technique. Data is found, parsed for value, and offloaded in one go. Interestingly, its lone sub-technique, Traffic Duplication (T1020.001), actually sees adversaries use taps, mirrors, or redirection of traffic to an adversary-controlled receiver. Most Cloud Service Providers offer these features for legitimate uses, so they can be reconfigured without the victim taking note.

IcedID uses rclone to schedule and manage exfiltration jobs, in effect using several techniques from this Tactic. (from The DFIR Report’s excellent article on IcedID)

How Can We Mitigate Exfiltration?

Preventing and detecting exfiltration requires a multi-layered approach. Here are some key strategies:

  • Network Segmentation and Monitoring: Implement strict controls on outbound traffic and monitor for anomalous data flows.
  • Data Loss Prevention (DLP): Deploy DLP tools to identify and block unauthorized data transfers.
  • Encryption: Ensure sensitive data is encrypted at rest and in transit, making it harder for attackers to exfiltrate meaningful information.
  • User Behavior Analytics: Establish baselines for normal data movement and alert on unusual patterns.
  • Egress Filtering: Implement strict egress filtering rules to limit the protocols and destinations that can be used for outbound connections.
  • Regular Security Audits: Conduct frequent audits of your network architecture and data flows to identify potential exfiltration routes.
  • Incident Response Planning: Develop and regularly test incident response plans that include procedures for detecting and responding to data exfiltration attempts.
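The Scheduled Transfer (T1029) and Data Transfer Size Limits (T1030) discussion above, and the monitoring and user-behavior bullets here, both come down to the same defender question: can you spot outbound transfers that are evenly spaced and capped at a near-constant size? The script below is an added example, not code from the original post or from Cisco; the flow records, host name, and destinations are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample of outbound flow records (not from the original post):
# "<ISO timestamp> <source host> <destination> <bytes sent>".
# The first pair is a capped hourly chunker; the second is ordinary bursty traffic.
SAMPLE_FLOWS = """\
2024-05-01T01:00:03Z ws-17 203.0.113.10:443 498112
2024-05-01T02:00:01Z ws-17 203.0.113.10:443 497980
2024-05-01T03:00:04Z ws-17 203.0.113.10:443 498301
2024-05-01T04:00:02Z ws-17 203.0.113.10:443 497744
2024-05-01T05:00:05Z ws-17 203.0.113.10:443 498055
2024-05-01T01:12:40Z ws-17 198.51.100.7:443 12044
2024-05-01T01:58:11Z ws-17 198.51.100.7:443 240911
2024-05-01T03:21:09Z ws-17 198.51.100.7:443 3310
2024-05-01T04:02:50Z ws-17 198.51.100.7:443 91822
2024-05-01T04:40:33Z ws-17 198.51.100.7:443 880
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_flows(text):
    """Group (timestamp, bytes) tuples by (source, destination) pair."""
    flows = defaultdict(list)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed records rather than abort the sweep
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows[(m.group(2), m.group(3))].append((ts, int(m.group(4))))
    return flows

def find_low_and_slow(text, min_events=4, size_cv=0.05, interval_cv=0.10):
    # Flag pairs whose transfers are evenly spaced (T1029) AND near-identical in
    # size (T1030). Both scores are coefficients of variation; thresholds are assumed.
    findings = []
    for (src, dst), events in parse_flows(text).items():
        if len(events) < min_events:
            continue
        events.sort()
        sizes = [b for _, b in events]
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if mean(gaps) == 0:
            continue  # identical timestamps: not a schedule, skip
        size_score = pstdev(sizes) / mean(sizes)
        gap_score = pstdev(gaps) / mean(gaps)
        if size_score <= size_cv and gap_score <= interval_cv:
            findings.append({"src": src, "dst": dst, "events": len(events),
                             "total_bytes": sum(sizes), "period_s": round(mean(gaps))})
    return findings
```

The total_bytes field is the point of aggregating: each chunk sits under a per-transfer threshold, but the sum over the window is what tells you whether something worth investigating left the host.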

As with every other set of detections and mitigations, there is a lot of overlap here. That is good! Use it to your advantage and look for mitigation approaches or detection capabilities that offer the best bang-for-the-buck.

Conclusion

Exfiltration represents the home stretch for attackers, but it’s also a critical point of vulnerability. By understanding the techniques adversaries use to extract data and implementing robust defenses, organizations can significantly reduce the risk of successful data theft. Remember, it’s not just about preventing initial compromise – it’s about making sure that even if an attacker gets in, they can’t get out with your crown jewels.

As we’ve seen throughout this series, the key to effective defense is a comprehensive understanding of attacker tactics and techniques. By aligning our security strategies with frameworks like MITRE ATT&CK, we can build more resilient systems and better protect our valuable data assets. We have one last tactic to tackle, so let’s wrap up this series next week!

Thank you for reading this entry in our ATT&CK series. Feel free to share your thoughts and experiences in the comments below!