On Coffee Rings And Data Exfiltration

The poet TS Eliot had a great analogy in his poem “The Love Song of J. Alfred Prufrock” wherein he measured out the course of life with coffee spoons. In a blatant attempt to co-opt that analogy I’m going to suggest a variation. Coffee rings as they relate to data exfiltration. As I sat here this morning grinding my way through my email in nine different accounts, a coffee ring on the table caught my eye. After releasing the requisite expletive laden outburst a thought struck me. I had not bumped the table. I had not knocked the cup. Oddly I didn’t have a clear understanding as to how this could have transpired. This resonated with me as I thought back to every single company I had ever worked for and ever will. Data leaks or data exfiltration happen and often there is no clear understanding as to how. Data exfiltration is a blanket term for the movement of data from one computer or network to an external party with the inference being that said transfer is unauthorized.

This was one of the most frustrating aspects of any job I have had in the past. I would wake up in the morning, grab a coffee, fire up the laptop and…there it was staring back at me.

A data leak. Enter, the grief.

Be it an internal road map, source code or an email from the C-Suite there is no way to jam the genie back into the bottle once your intellectual property is splattered across social media and Pastebin. Invariably we hear the battle cry of the Internet, “the data wants to be free”. Which is all well and good unless that data is your company’s intellectual property and several thousand people rely on it for their livelihood.

The non-scientific approach that I use to categorize these events has been by counting the number of head shaped dents in the desks and keyboards where I have worked. There have been no shortage of these I’m afraid.

Once the anger/frustration/anxiety/embarrassment (circle one) passes, then you find yourself blankly looking at the monitor. Not at anything in particular, just trying to accept that the company has been violated on your watch. And let’s be honest, every security practitioner internalizes this sort of thing. Then the bargaining kicks in. You struggle to find meaning in the breach. Why me? Why our company? Never a good conversation to have with yourself after a breach. You’re better served having that conversation in advance. Finally, we reach the acceptance. The inevitable updating of the resume and removing personal belongings from the office in the off chance that you might get walked over the incident. 

Now that you’ve run through the cycle where do you begin?

Follow through your incident response plan. You’ve accepted that your operation is hemorrhaging information. You need to understand how data can be removed from your network. Do users have access to webmail such as Gmail, Outlook and Yahoo? Can users simply access an FTP or SSH system externally? Shocking how often that works. Can users tunnel data over open ports such as SSH over HTTP? Do users have the ability to encrypt data? Or is a user just using a hex editor to hide information in an mp3 or jpg? Do your users have local admin privileges on their systems? Do you monitor your printers and the documents that are sent to them? Think through the possible scenarios no matter how far fetched the might be. Work with your team to brainstorm possible ways you could remove data from your network. 

Once you have gone through the exercise, discuss what can you do to address it. What is the way forward? For starters, review the controls that you have in place such as intrusion detection/prevention (IDS/IPS), data loss prevention (DLP), malware protection and logging. Have they been tested? Are they working? I’ve seen several shops where they had the expensive “machine that goes ping” installed with a default configuration. Other shops had logging enabled but were only collecting failed logins and nothing else. Many organizations have a large amount of shelf-ware that has been purchased and not installed or properly deployed. There is gold in them thar hills. Go find it.

There are a number of steps that you can employ for monitoring external sites from hiring a company that specializes in brand protection to creating customized Google search alerts. There has been many occasion where I have been working for a company where we had little to no security budget. A frustrating situation that I see repeated in many companies. But, rather than to rail against it you need to learn to adapt and think beyond the confines of your budgetary woes. The simple approach that I have found to have a great deal of return for no capital investment is by creating a Google alert. Also, check out tools such as Maltego from Paterva. A relatively low cost option for searching out data that may have escaped your perimeter.

One war story that I’ll share was regarding an outsourced provider. They had a staffer who thought himself/herself smarter than the average bear. Using their mobile phone they took a picture of some intellectual property and posted it to an external website. Pretty clever. They managed to bypass any of the controls on the network. Too bad they forgot about the exif data in the image file. 

Remember to check your controls. Test them as often as is feasible. Actively search for data leaks and have a plan of action and communication in place to deal with the inevitable data loss.

Data exfiltration happens, comport yourselves accordingly. 

(Image used under CC from trophygeek)