What is Data Exfiltration?
Data exfiltration occurs when malware and/or a malicious actor smuggles data from a device. It is also commonly called data extrusion or data exportation. It commonly involves smuggling out data in unexpected ways that are not immediately obvious. The trick to do data exfiltration is to find methods of extraction that are not immediately obvious by either disguising it as normal traffic or by exploiting blind spots. The trick to catch data exfiltration is to look for patterns in unusual behaviors.
Data Exfiltration Examples
The following are some good examples of data exfiltration. You are likely to meet them sometime in the field of cybersecurity or in CTF challenges. However, this list is certainly not exhaustive and should be thought of more as a set of case studies.
Port Knocking
Port knocking is the act of sending requests to closed ports. It can be used to exfiltrate data because the responding server can remember which ports were knocked, decode the sequence of ports that were knocked, and recover the data.
Youtube Upload
When using this method, the attacker embeds the data to be exfiltrated using LSB steganography into each frame of the video, then uploads it to YouTube to publish it. The attack then downloads the video via piracy and extracts the stolen data.
DNS Exfiltration
Because networks often block arbitrary outbound (away from victim) http connections, attackers have resorted to using DNS requests. DNS, standing for Domain Name Resolution, is crucial for associating a domain name like www.google.com
to an IP address like 142.250.72.78
. Without this, your browser wouldn't be able to find this website on the internet. Because of the importance of DNS requests, firewalls don't block them. Hackers use this to make requests to DNS servers they control, asking for subdomains in the format of exfiltrated_data.mydomain.com
. The specially prepared DNS server then records the request and saves the data, allowing it to be exfiltrated.
Fan Sounds
As you may have now gathered, the tighter the security, the more ridiculous the data exfiltration etchniques become. This method is used on airgapped computers, computers intentionally disconnected from the internet. The information is smuggled out locally by increasing and decreasing the fan speed as 1s and 0s, to be picked up by the microphone of a nearby internet connected device also controlled by the attacker, and finally smuggled onto the internet.