Blog

A l'intérieur du SOC

Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  

Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  Default blog imageDefault blog image
04
Jan 2023
04
Jan 2023

According to the ‘2021 Insider Threat Report’ by Cybersecurity Insiders, the Great Resignation and shift to a remote work culture has seen organizations report a 57% increase in insider-motivated attacks [1]. Insider attacks can be difficult to detect and respond to, (especially those perpetrated by malicious individuals who have privileged access and knowledge of internal business workings) and it is likely that this number is even higher in practice. The same report states that insider threats go unnoticed in 18% of organizations, whilst 31% can only remediate them after the data has already been siphoned out of their environments.  

Given this, visibility and defense against insider attacks needs to be treated as a priority by security teams. If left unchecked theft of critical data can have serious effects on an organization's reputation, competitive edge and business operations, not to mention the possibly resulting legal liabilities. The worst of the consequences are financial costs- according to the Ponemon Institute, the average global cost to remediate insider threat breaches is now estimated to be $15.38 million a year [2].

Darktrace DETECT

Darktrace's product suite has been empowering network defenders to recognize and stop insider threats like data exfiltration, (whether intentional or unintentional) for years. This summer highlighted a notable example. 

In July 2022, while a Singaporean construction corporation was trialling Darktrace DETECT/Network, it observed suspicious connections from a desktop within the corporation's network to an internal file server over the Server Message Block (SMB) protocol and a download of more than 1GB of data. Connections between these devices went on for an hour, ranging from 02:35 to 03:35 UTC in the early hours of the morning (Figures 1 & 2). 

Figure 1: A screenshot showing a spike in data downloaded internally from the breach device.
Figure 2: A zoomed-in view showing the increase in data being downloaded internally.

The files identified during these connections (MS word, pdf, image, etc.) were related to both ongoing projects as well as 3D and 2D designs. It was clear these files were part of critical company property. Around the same time (02:35 - 04:05 UTC), an unusual data transfer of more than 2 GB (Figures 3 & 4) to an external endpoint associated with Google Drive and Sites (clients[N].google[.]com.), as well as SSL connections to Google Drive, Email, and Google Docs domains; these are all related to some of the most common electronic data exfiltration vectors and were seen from the same device (Figure 5).

Figure 3: A screenshot showing a spike in data uploaded externally from the breach device.
Figure 4: A zoomed-in view showing the increase in data being uploaded externally
Figure 5: Around the time of the suspicious external data transfer, SSL connections were seen from the breach device to Google related domains (suggesting the use of Google Drive, Mail and Docs). This is a ranked list of the connected endpoints

Although clients[N].google[.]com was 0% rare for the network, Darktrace model breaches still managed to flag the anomalous increase in the volume of data uploaded externally and downloaded internally by the device. Thanks to an independent investigation by the Cyber AI Analyst feature (Figure 6), this activity was brought to the attention of the company’s management and a subsequent internal investigation was launched into why the device of a now ex-employee was copying data out of the network without authorization. Had Darktrace RESPOND/Network also been active on the deployment, it would have been possible to stop the exfiltration. 

Figure 6: AI Analyst incidents associated with the unusual data transfers.

Conclusion

There are a large range of insiders from departing employees, industrial spies, staff being blackmailed, (or bribed by criminals) compromised contractors and even regular employees with low IT or compliance literacy using unauthorized online data storage services. Each of these can have a devastating impact on businesses if there are no monitoring and prevention capabilities in place to combat data exfiltration, even more so if security teams are understaffed and overworked. As part of the DETECT package, this incident highlights how Darktrace's Cyber AI Analyst autonomously triages unusual activity such as large volumes of data leaving the network without needing to know information like if an employee has handed in their notice. Meanwhile while Darktrace RESPOND has the ability to automatically block abnormal data transfers making it a perfect complement to halt insiders in action. Together Darktrace's technology balances security teams saving them time and ensuring humans can focus on other issues that truly matter.

Appendices

Darktrace Detections

  • Internal Download and External Upload (AI Incident)
  • Unusual External Data Transfer (AI Incident)
  • Unusual Activity /Unusual File Storage Data Transfer (Model Breach)

Primary MITRE technique

Reference List

[1] https://www.cybersecurity-insiders.com/wp-content/uploads/2021/06/2021-Insider-Threat-Report-Gurucul-Final-dd8f5a75.pdf

[2] https://www.blackfog.com/preventing-insider-threats-anti-data-exfiltration/ 

More in this series:

Aucun élément trouvé.

Vous aimez ça et en voulez plus ?

Recevez le dernier blog dans votre boîte de réception
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.
DANS LE SOC
Darktrace sont des experts de classe mondiale en matière de renseignement sur les menaces, de chasse aux menaces et de réponse aux incidents. Ils fournissent une assistance SOC 24 heures sur 24 et 7 jours sur 7 à des milliers de clients Darktrace dans le monde entier. Inside the SOC est exclusivement rédigé par ces experts et fournit une analyse des cyberincidents et des tendances en matière de menaces, basée sur une expérience réelle sur le terrain.
AUTEUR
à propos de l'auteur
Signe Zaharka
Senior Cyber Security Analyst
share this article
CAS D'UTILISATION
Couverture de base
Cet article
Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  
Partager
Twitter logoLinkedIn logo

Articles connexes

Aucun élément trouvé.

Bonne nouvelle pour votre entreprise.
Mauvaise nouvelle pour les méchants.

Commencez votre essai gratuit

Commencez votre essai gratuit

Livraison flexible
Vous pouvez l'installer virtuellement ou avec du matériel.
Installation rapide
Une heure seulement pour la mise en place - et encore moins pour un essai de sécurité du courrier électronique.
Choisissez votre voyage
Essayez Self-Learning AI là où vous en avez le plus besoin - y compris dans le cloud, sur le réseau ou par courriel.
Aucun engagement
Accès complet à Darktrace Threat Visualizer et à trois rapports sur mesure sur les menaces, sans obligation d'achat.
For more information, please see our Privacy Notice.
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.

Obtenez une démo

Livraison flexible
Vous pouvez l'installer virtuellement ou avec du matériel.
Installation rapide
Une heure seulement pour la mise en place - et encore moins pour un essai de sécurité du courrier électronique.
Choisissez votre voyage
Essayez Self-Learning AI là où vous en avez le plus besoin - y compris dans le cloud, sur le réseau ou par courriel.
Aucun engagement
Accès complet à Darktrace Threat Visualizer et à trois rapports sur mesure sur les menaces, sans obligation d'achat.
Merci ! Votre soumission a été reçue !
Oups ! Un problème est survenu lors de la soumission du formulaire.

Check out this article by Darktrace: Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud