Blog

Einblicke in das SOC-Team

Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  

Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  Standard-BlogbildStandard-Blogbild
04
Jan 2023
04
Jan 2023

According to the ‘2021 Insider Threat Report’ by Cybersecurity Insiders, the Great Resignation and shift to a remote work culture has seen organizations report a 57% increase in insider-motivated attacks [1]. Insider attacks can be difficult to detect and respond to, (especially those perpetrated by malicious individuals who have privileged access and knowledge of internal business workings) and it is likely that this number is even higher in practice. The same report states that insider threats go unnoticed in 18% of organizations, whilst 31% can only remediate them after the data has already been siphoned out of their environments.  

Given this, visibility and defense against insider attacks needs to be treated as a priority by security teams. If left unchecked theft of critical data can have serious effects on an organization's reputation, competitive edge and business operations, not to mention the possibly resulting legal liabilities. The worst of the consequences are financial costs- according to the Ponemon Institute, the average global cost to remediate insider threat breaches is now estimated to be $15.38 million a year [2].

Darktrace DETECT

Darktrace's product suite has been empowering network defenders to recognize and stop insider threats like data exfiltration, (whether intentional or unintentional) for years. This summer highlighted a notable example. 

In July 2022, while a Singaporean construction corporation was trialling Darktrace DETECT/Network, it observed suspicious connections from a desktop within the corporation's network to an internal file server over the Server Message Block (SMB) protocol and a download of more than 1GB of data. Connections between these devices went on for an hour, ranging from 02:35 to 03:35 UTC in the early hours of the morning (Figures 1 & 2). 

Figure 1: A screenshot showing a spike in data downloaded internally from the breach device.
Figure 2: A zoomed-in view showing the increase in data being downloaded internally.

The files identified during these connections (MS word, pdf, image, etc.) were related to both ongoing projects as well as 3D and 2D designs. It was clear these files were part of critical company property. Around the same time (02:35 - 04:05 UTC), an unusual data transfer of more than 2 GB (Figures 3 & 4) to an external endpoint associated with Google Drive and Sites (clients[N].google[.]com.), as well as SSL connections to Google Drive, Email, and Google Docs domains; these are all related to some of the most common electronic data exfiltration vectors and were seen from the same device (Figure 5).

Figure 3: A screenshot showing a spike in data uploaded externally from the breach device.
Figure 4: A zoomed-in view showing the increase in data being uploaded externally
Figure 5: Around the time of the suspicious external data transfer, SSL connections were seen from the breach device to Google related domains (suggesting the use of Google Drive, Mail and Docs). This is a ranked list of the connected endpoints

Although clients[N].google[.]com was 0% rare for the network, Darktrace model breaches still managed to flag the anomalous increase in the volume of data uploaded externally and downloaded internally by the device. Thanks to an independent investigation by the Cyber AI Analyst feature (Figure 6), this activity was brought to the attention of the company’s management and a subsequent internal investigation was launched into why the device of a now ex-employee was copying data out of the network without authorization. Had Darktrace RESPOND/Network also been active on the deployment, it would have been possible to stop the exfiltration. 

Figure 6: AI Analyst incidents associated with the unusual data transfers.

Schlussfolgerung

There are a large range of insiders from departing employees, industrial spies, staff being blackmailed, (or bribed by criminals) compromised contractors and even regular employees with low IT or compliance literacy using unauthorized online data storage services. Each of these can have a devastating impact on businesses if there are no monitoring and prevention capabilities in place to combat data exfiltration, even more so if security teams are understaffed and overworked. As part of the DETECT package, this incident highlights how Darktrace's Cyber AI Analyst autonomously triages unusual activity such as large volumes of data leaving the network without needing to know information like if an employee has handed in their notice. Meanwhile while Darktrace RESPOND has the ability to automatically block abnormal data transfers making it a perfect complement to halt insiders in action. Together Darktrace's technology balances security teams saving them time and ensuring humans can focus on other issues that truly matter.

Appendices

Darktrace Detections

  • Internal Download and External Upload (AI Incident)
  • Unusual External Data Transfer (AI Incident)
  • Unusual Activity /Unusual File Storage Data Transfer (Model Breach)

Primary MITRE technique

Reference List

[1] https://www.cybersecurity-insiders.com/wp-content/uploads/2021/06/2021-Insider-Threat-Report-Gurucul-Final-dd8f5a75.pdf

[2] https://www.blackfog.com/preventing-insider-threats-anti-data-exfiltration/ 

More in this series:

Keine Artikel gefunden.

Sie mögen das und wollen mehr?

Erhalten Sie den neuesten Blog per E-Mail
Vielen Dank! Ihre Anfrage ist eingegangen!
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.
EINBLICKE IN DAS SOC-Team
Darktrace Cyber-Analysten sind erstklassige Experten für Threat Intelligence, Threat Hunting und Incident Response. Sie bieten Tausenden von Darktrace Kunden auf der ganzen Welt rund um die Uhr SOC-Support. Einblicke in das SOC-Team wird ausschließlich von diesen Experten verfasst und bietet Analysen von Cyber-Vorfällen und Bedrohungstrends, die auf praktischen Erfahrungen in diesem Bereich basieren.
AUTOR
ÜBER DEN AUTOR
Signe Zaharka
Senior Cyber Security Analyst
share this article
ANWENDUNGSFÄLLE
COre-Abdeckung
Dieser Artikel
Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  
Teilen
Twitter-LogoLinkedIn-Logo

Verwandte Artikel

Keine Artikel gefunden.

Gute Nachrichten für Ihr Unternehmen.
Schlechte Nachrichten für die Bösewichte.

Starten Sie Ihren kostenlosen Test

Starten Sie Ihren kostenlosen Test

Flexible Lieferung
Sie können es entweder virtuell oder mit Hardware installieren.
Schnelle Installation
Nur 1 Stunde für die Einrichtung - und noch weniger für eine Testversion der E-Mail-Sicherheit.
Wählen Sie Ihre Reise
Testen Sie selbstlernende KI dort, wo Sie sie am meisten brauchen - in der Cloud, im Netzwerk oder für E-Mail.
Keine Verpflichtung
Voller Zugriff auf den Darktrace Threat Visualizer und drei maßgeschneiderte Bedrohungsberichte, ohne Kaufverpflichtung.
For more information, please see our Privacy Notice.
Vielen Dank! Ihre Anfrage ist eingegangen!
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.

Demo anfordern

Flexible Lieferung
Sie können es entweder virtuell oder mit Hardware installieren.
Schnelle Installation
Nur 1 Stunde für die Einrichtung - und noch weniger für eine Testversion der E-Mail-Sicherheit.
Wählen Sie Ihre Reise
Testen Sie selbstlernende KI dort, wo Sie sie am meisten brauchen - in der Cloud, im Netzwerk oder für E-Mail.
Keine Verpflichtung
Voller Zugriff auf den Darktrace Threat Visualizer und drei maßgeschneiderte Bedrohungsberichte, ohne Kaufverpflichtung.
Vielen Dank! Ihre Anfrage ist eingegangen!
Huch! Beim Absenden des Formulars ist etwas schief gelaufen.

Check out this article by Darktrace: Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud