Managing Data Exfiltration Risks with Open Access in Higher Ed


When an attacker uses a standard protocol, such as Hypertext Transfer Protocol Secure (HTTPS) or secure copy protocol (SCP), it’s impossible to definitively tell the difference between someone exfiltrating data and someone backing up their laptop’s hard drive. For HTTPS traffic, a common protection in enterprise environments is to enforce the use of proxies, which can then decrypt the traffic and feed it to data leak protection (DLP) systems. In higher ed environments, standard DLP can be used with traditional administrative data, such as identifying financial or personal information being transferred in bulk. But IT leaders are also concerned about theft of research data or less structured information that a standard DLP may not be able to identify.

On server-side networks, restricting traffic and requiring proxies is easier because servers are more predictable in their connections, although typical “allowed” destinations, such as software update servers, can be very difficult to isolate.


A better approach with user-originated HTTPS (and Secure Shell-encrypted traffic, such as SCP) is to look at behavioral information, such as bulk counters, irrespective of encryption. Exfiltrating data usually means gigabytes and terabytes of information being sent out, since attackers want to comb through data slowly and on their own turf instead of trying to identify what is useful while they could be detected.

Most firewalls and intrusion prevention systems have the capability to identify, alert on and then block large quantities of data being sent in an anomalous way. Other indicators of compromise and exfiltration (such as connections to IP addresses listed in reputation-based databases, or anomalous network behavior) can be used in newer firewall and IPS products as part of preventing data exfiltration.
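The behavioral check described above, bulk counters per host regardless of encryption, is easy to prototype from flow exports before tuning a firewall or IPS rule. The following is an added example, not code from the article or any firewall vendor: it summarises NetFlow/IPFIX-style records (a constructed sample is embedded) into per-host egress per 15-minute window and flags hosts whose volume is both above an absolute floor and far above their own historical baseline. The baseline figures and the "ratio times baseline" rule are assumptions for illustration; the point is that a backup server's normal multi-gigabyte egress is not an alert while a lab workstation suddenly pushing gigabytes over SSH is.

```python
"""Bulk-egress detection over flow records (added example, not from the article).

Assumes NetFlow/IPFIX-style export summarised as one record per
(timestamp, src, dst, dport, bytes_out). The sample records and baseline
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 5-minute flow summaries for three campus hosts.
# Format: timestamp, source host, destination, dest port, bytes sent.
SAMPLE_FLOWS = [
    ("2024-03-01T09:00:00", "10.20.1.15", "52.1.1.10", 443, 4_000_000),
    ("2024-03-01T09:05:00", "10.20.1.15", "52.1.1.10", 443, 3_500_000),
    ("2024-03-01T09:10:00", "10.20.1.15", "52.1.1.10", 443, 4_200_000),
    ("2024-03-01T09:00:00", "10.20.1.22", "203.0.113.9", 22, 900_000_000),
    ("2024-03-01T09:05:00", "10.20.1.22", "203.0.113.9", 22, 1_100_000_000),
    ("2024-03-01T09:10:00", "10.20.1.22", "203.0.113.9", 22, 950_000_000),
    ("2024-03-01T09:00:00", "10.20.1.40", "198.51.100.7", 443, 50_000_000),
    ("2024-03-01T09:05:00", "10.20.1.40", "198.51.100.7", 443, 60_000_000),
]

# Constructed per-host baseline: typical bytes out per 15-minute window,
# learned from prior weeks (in a real deployment this comes from history).
BASELINE_BYTES_PER_WINDOW = {
    "10.20.1.15": 10_000_000,     # office desktop
    "10.20.1.22": 20_000_000,     # lab workstation
    "10.20.1.40": 2_000_000_000,  # backup server: large egress is normal here
}


def parse_flow(record):
    """Turn one raw tuple into a dict with typed fields."""
    ts, src, dst, dport, nbytes = record
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "bytes": int(nbytes)}


def egress_per_host(records, window=timedelta(minutes=15)):
    """Sum bytes out per source host per window.

    Returns {(src, window_start): total_bytes}. Windows are aligned to the
    earliest timestamp in the batch.
    """
    totals = defaultdict(int)
    flows = [parse_flow(r) for r in records]
    t0 = min(f["ts"] for f in flows)
    for f in flows:
        idx = (f["ts"] - t0) // window          # integer window index
        totals[(f["src"], t0 + idx * window)] += f["bytes"]
    return dict(totals)


def flag_bulk_egress(records, baseline, ratio=10.0, floor=1_000_000_000):
    """Flag hosts whose windowed egress exceeds BOTH an absolute floor
    (default 1 GB) and `ratio` times their own baseline.

    The floor stops tiny hosts tripping on noise; the ratio stops large
    legitimate senders (backup servers) tripping on their normal volume.
    Hosts with no baseline are reported separately so they can be learned.
    """
    findings = []
    for (src, start), total in sorted(egress_per_host(records).items()):
        expected = baseline.get(src)
        if expected is None:
            findings.append({"src": src, "window": start, "bytes": total,
                             "reason": "no baseline for host"})
            continue
        if total >= floor and total >= ratio * expected:
            findings.append({"src": src, "window": start, "bytes": total,
                             "reason": f"about {total / expected:.0f}x baseline"})
    return findings


if __name__ == "__main__":
    for finding in flag_bulk_egress(SAMPLE_FLOWS, BASELINE_BYTES_PER_WINDOW):
        print(finding)
```

Running it reports only the lab workstation (about 2.95 GB in one window against a 20 MB baseline); the backup server's 110 MB is well under its own baseline and the desktop never reaches the floor. In production the same two-condition rule maps directly onto a firewall or IPS volume threshold plus a per-host or per-VLAN exception list.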

Attackers prefer to use standard encrypted protocols because their traffic is lost in the noise, especially in large campus environments. However, some attackers have used nonstandard protocols and ports to send data off-campus. Higher education IT managers should take a lesson from their enterprise colleagues: simply start blocking nonstandard protocols, uncommon protocols and protocol anomalies on standard ports (such as running HTTPS over the Domain Name System (DNS) port).

These kinds of blocks have been built into enterprise firewalls for many years, so this is a simple configuration exercise. On server networks, this is an unremarkable configuration change. On user networks, NAC (network access control) or identity-based networking can be used to provide exceptions to users who need them, which can be a big cultural change.
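To make the two preceding paragraphs concrete, here is an added example (not the article's, and not any vendor's rule syntax) of the policy an application-aware firewall applies when it blocks nonstandard protocols and protocol anomalies on standard ports, with the per-user exceptions that NAC or identity-based networking supplies. The log format, the allow-list of expected applications per port and the exception table are all assumptions; the sample log lines are constructed.

```python
"""Protocol-on-port policy with identity-based exceptions
(added example; not the article's code and not a vendor's rule language).

Input models application-aware firewall logs that record, per flow, the
user learned from NAC, the destination port and the application the
firewall identified from the payload. Log lines are constructed.
"""
import re

# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = """\
ts=2024-03-01T10:00:01 user=jdoe src=10.20.5.11 dst=93.184.216.34 dport=443 app=ssl bytes=120000
ts=2024-03-01T10:00:02 user=jdoe src=10.20.5.11 dst=198.51.100.53 dport=53 app=ssl bytes=8000000
ts=2024-03-01T10:00:03 user=mlab src=10.20.7.30 dst=203.0.113.8 dport=6881 app=bittorrent bytes=500000000
ts=2024-03-01T10:00:04 user=netops src=10.20.9.2 dst=203.0.113.40 dport=179 app=bgp bytes=4000
ts=2024-03-01T10:00:05 user=asmith src=10.20.5.12 dst=198.51.100.20 dport=443 app=ssh bytes=300000
ts=2024-03-01T10:00:06 user=asmith src=10.20.5.12 dst=198.51.100.21 dport=22 app=ssh bytes=2000
"""

# Allow-list: which identified applications are expected on which standard
# ports. Anything else on these ports is a protocol anomaly (e.g. TLS on 53).
EXPECTED_APP_ON_PORT = {
    443: {"ssl", "http2"},
    80: {"http"},
    22: {"ssh"},
    53: {"dns"},
    123: {"ntp"},
}

# Per-user exceptions granted through the NAC / identity layer (constructed).
# Maps user -> set of (dport, app) pairs that user is allowed to use.
USER_EXCEPTIONS = {
    "netops": {(179, "bgp")},
    "mlab": {(6881, "bittorrent")},  # e.g. a research group mirroring datasets
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict with typed port/bytes."""
    fields = dict(FIELD_RE.findall(line))
    fields["dport"] = int(fields["dport"])
    fields["bytes"] = int(fields["bytes"])
    return fields


def decide(flow, expected=EXPECTED_APP_ON_PORT, exceptions=USER_EXCEPTIONS):
    """Return (verdict, reason) for one flow. Verdicts: 'allow' or 'block'.

    Order matters: identity exceptions are checked first, then the
    standard-port allow-list, and everything nonstandard is blocked.
    """
    port, app, user = flow["dport"], flow["app"], flow["user"]
    if (port, app) in exceptions.get(user, set()):
        return "allow", f"identity exception for {user}"
    if port in expected:
        if app in expected[port]:
            return "allow", "expected application on standard port"
        return "block", f"protocol anomaly: {app} on port {port}"
    return "block", f"nonstandard port {port} ({app}) without exception"


def evaluate_log(text):
    """Apply the policy to every line.

    Returns a list of (user, dport, app, verdict, reason) tuples.
    """
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_line(line)
        verdict, reason = decide(flow)
        results.append((flow["user"], flow["dport"], flow["app"], verdict, reason))
    return results


def blocked(text):
    """Only the flows the policy would block, for alerting or review."""
    return [r for r in evaluate_log(text) if r[3] == "block"]


if __name__ == "__main__":
    for row in evaluate_log(SAMPLE_LOG):
        print(row)
```

Two of the six flows are blocked: TLS on the DNS port and SSH on port 443, both protocol anomalies on standard ports. The BitTorrent and BGP flows pass only because the identity layer granted those users an exception, which is the "exceptions for users who need them" model; the same flows from anyone else would be blocked as nonstandard.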

The last common approach by attackers seeking to exfiltrate data is using steganography: hiding the data in existing typical protocols, such as DNS, network time protocol or even the “ping” command. IT managers can get a handle on this by blocking or redirecting this type of traffic except to official campus servers. As with nonstandard protocols, users requesting exemptions can be handled by the segmentation and isolation framework in place.
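The two controls in the paragraph above, forcing DNS through official campus servers and spotting data hidden inside an allowed protocol, can both be checked from resolver or sensor logs. The following added example (not from the article) scores constructed DNS query records in two ways: queries that bypass the assumed campus resolvers, and clients issuing many distinct, long, high-entropy subdomains under one registered domain, the pattern data hidden in DNS labels produces. The resolver addresses, thresholds and the "last two labels" domain heuristic are assumptions for illustration.

```python
"""Spotting data hidden in DNS (added example, not from the article).

Check 1: DNS queries not sent to the official campus resolvers.
Check 2: per (client, registered domain), many unique subdomains that are
         long and high-entropy, as happens when data is encoded into labels.
Resolver addresses and sample queries are constructed.
"""
import math
from collections import defaultdict

CAMPUS_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # assumed official resolvers

# Constructed (client, resolver, queried name) records from a resolver log.
SAMPLE_QUERIES = [
    ("10.20.3.5", "10.0.0.53", "www.example.edu"),
    ("10.20.3.5", "10.0.0.53", "mail.example.edu"),
    ("10.20.3.5", "10.0.0.53", "cdn.example.net"),
    ("10.20.3.9", "10.0.0.53", "3a9f1c7e2b4d8e0f6a1b.data.example.org"),
    ("10.20.3.9", "10.0.0.53", "9c2d4e6f8a0b1c3d5e7f.data.example.org"),
    ("10.20.3.9", "10.0.0.53", "b7e3a1f9c5d2e8f4a6b0.data.example.org"),
    ("10.20.3.9", "10.0.0.53", "1f4e7a2b9c6d3e8f5a0b.data.example.org"),
    ("10.20.3.9", "10.0.0.53", "e6d9c2b5a8f1e4d7c0b3.data.example.org"),
    ("10.20.3.12", "8.8.8.8", "www.example.edu"),   # bypasses campus resolvers
]


def shannon_entropy(s):
    """Bits per character; ~0 for repetitive text, ~4+ for hex/base64 blobs."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Crude heuristic: last two labels. Production code should use the
    public suffix list so that e.g. 'ac.uk' domains are grouped correctly."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def subdomain_part(name):
    """Everything left of the registered domain ('' if none)."""
    return ".".join(name.rstrip(".").split(".")[:-2])


def analyse(queries, resolvers=CAMPUS_RESOLVERS,
            min_unique=5, min_len=20, min_entropy=3.0):
    """Return a list of findings, each {'client': ..., 'reason': ...}."""
    findings = []

    # Check 1: anything not going to the official resolvers should be
    # blocked or redirected; here we just report it.
    for client, resolver, _name in queries:
        if resolver not in resolvers:
            findings.append({"client": client,
                             "reason": f"query to non-campus resolver {resolver}"})

    # Check 2: tunnelling-like label patterns per (client, registered domain).
    groups = defaultdict(set)
    for client, _resolver, name in queries:
        groups[(client, registered_domain(name))].add(subdomain_part(name))
    for (client, domain), subs in groups.items():
        if len(subs) < min_unique:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if avg_len >= min_len and avg_ent >= min_entropy:
            findings.append({"client": client,
                             "reason": (f"{len(subs)} distinct long, high-entropy "
                                        f"subdomains under {domain}")})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_QUERIES):
        print(finding)
```

The run flags 10.20.3.12 for using an outside resolver and 10.20.3.9 for five unique 25-character hex-looking labels under example.org, while the ordinary www/mail/cdn lookups from 10.20.3.5 never reach the uniqueness threshold. The same per-client statistics apply to NTP or ICMP payload sizes and rates when extending the check to the other protocols the paragraph names.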

Preventing data exfiltration is difficult at best, and nearly impossible in higher education environments. That said, network segmentation and isolation combined with intelligent use of firewalls, IPSs and DLP tools can reduce the risk of exfiltration while allowing for user exceptions.
