Security Experts:

Researchers Devise "Perfect" Data Exfiltration Technique

Perfect exfiltration at HITB

AMSTERDAM - HACK IN THE BOX - Researchers at Israel-based security firm SafeBreach have conducted an extensive analysis of covert data exfiltration techniques and devised what they believe to be a perfect method.

SafeBreach researchers set out in 2015 to find the perfect method for stealing small amounts of sensitive data from highly secure organizations. While malicious actors often exfiltrate gigabytes of files from the companies they breach, key pieces of information can also be highly valuable — for example, cryptographic keys, passwords, and words or sentences that could expose an individual or a strategic decision.

The data exfiltration methods analyzed and devised by the security firm focus on a highly targeted attack scenario where an external attacker has already managed to plant a piece of malware on a device within the targeted organization, or where a malicious insider wants to send out sensitive data without getting caught or detected by security.

Requirements and conditions for perfect exfiltration

In a presentation at the Hack in the Box (HITB) conference in Amsterdam last week, Itzik Kotler, CTO and co-founder of SafeBreach, and Amit Klein, the company’s VP of security research, described the factors involved in creating a perfect exfiltration method.

The experts have detailed what they named the “10 commandments” — the requirements and conditions that need to be met to achieve perfect exfiltration.

The first and one of the most important rules for perfect exfiltration is that the technique needs to be scalable and secure. In the experts’ opinion, it should adhere to Kerckhoff’s principle, which says “a [crypto] system should be secure even if everything about the system, except the key, is public knowledge.” This makes it both secure and scalable because the same algorithm can be used for different keys over and over.

Other requirements include only using common web traffic (e.g. HTTP, DNS or TLS), and not leveraging any resources that could be classified as passing information (e.g. emails, forum posts, encrypted texts, or file sharing services) to avoid raising any suspicion.

When developing a data exfiltration method, the attacker should assume that the enterprise they are targeting has perfect network monitoring systems in place, including for anomaly detection, packet analysis on all protocol levels, and reputation-based mechanisms. If reputation and statistics systems are used to detect outbound traffic to malicious IPs and hosts, direct communication between the sender and the recipient of the stolen data should be avoided. Attackers must also assume that TLS communications are decrypted by the organization at the gateway and inspected.

In the attack scenario described by Kotler and Klein, the receiving party has no restrictions and its own activities are not monitored by anyone.

One other important requirement for any silent exfiltration method is that the time needs to be almost perfectly synchronized on the sender and the recipient devices.

Almost perfect exfiltration

Over the past years, researchers have described several methods that can be leveraged to exfiltrate single bits of data (0 or 1) without raising too much suspicion. These types of exfiltration methods are only efficient for small amounts of data, such as passwords and cryptographic keys, since the attacker needs to send out 8 bits to transmit a single character.

For example, a single bit can be exfiltrated using the type of service (ToS) field in the IPv4 header. However, on Windows workstations the value of the ToS is set to 0 and changing it to 1 could raise some red flags. Furthermore, organizations could easily block such an attack by setting the ToS to 0 at the firewall for all outgoing packets.

A more efficient technique involves the use of web counters. For instance, URL shorteners such as provide statistics on how many times a URL has been accessed. Attackers can use this to send out a 0 or a 1 bit by visiting a certain URL at a specified time. The receiver checks the URL count, then waits for the sender to access (1) or not access the URL (0) at the specified time, and then once again views the counter to determine if it has been incremented.

This method doesn’t generate a lot of noise, but it could be easily disrupted by intercepting requests, obtaining the original URL by appending a “+” sign to the link, and serving the original URL directly instead of the shortned link. This prevents the counter from increasing, making the attack useless.

Web counters from websites such as YouTube and StackOverflow could also be used to transmit bits of data — e.g. a 1 or a 0 bit are transmitted if the counter of an unpopular video or a topic has changed or has not changed at a specified time. However, experts noted that websites like YouTube might be blocked by some enterprises.

Perfect exfiltration

SafeBreach researchers have found what they believe to be a perfect method. Kotler and Klein have described a method that relies on a process called HTTP server-side caching.

The attacker first needs to find a popular website that has a lot of web pages that are cached on the fly. E-commerce websites could be ideal, but in order to avoid raising suspicion the site should fit the profile of the targeted organization.

Many websites cache HTML pages to improve performance and a page’s caching time can usually be obtained from the HTTP response header. In the attack scenario described by Kotler and Klein, the sender and receiver agree on a web page — one that is not popular to avoid interference from the site’s regular users — and a time. If the sender doesn’t access the specified page at the specified time, a 0 bit is sent, and if they do make an HTTP request to the page at the specified time, a 1 bit is sent.

The receiver can determine if the sender accessed the web page by checking if it was cached recently. If they access the page 10 seconds after the specified time, they can determine if the page was cached recently (the sender accessed it to send 1) or if it was cached by the receiver’s own visit (the sender did not access it to send 0).

There are numerous websites that could be used to conduct such attacks. Researchers have provided as an example the websites of IKEA, the low-cost airline carrier EasyJet, and the Israeli e-commerce website

SafeBreach has released a PoC tool that automates this attack, including obtaining caching time information, and accessing the pre-defined URLs at a specified time to determine if the sender is transmitting 0 or 1. Of course, this method can also be carried out manually by a malicious insider.

According to Kotler and Klein, this could be classified as a perfect exfiltration method because it meets all ten “commandments.” For instance, different URLs referencing different domains can be used for each bit that is sent out, which prevents defenders from blocking the attack even if they identify the previously used URLs.

This exfiltration method is also highly efficient because it only uses normal web traffic, no extra software is required, network monitoring systems are unlikely to find anything suspicious if the requests are made at long and irregular time intervals, and the sender doesn’t communicate directly with the recipient. In order to ensure the integrity of the exfiltrated data and avoid disruptions caused by network outages and other factors, the sender can send out the “01” sequence for a 0 bit and the “10” sequence for a 1 bit.

While this could be considered a perfect exfiltration method, researchers noted that there are some factors that need to be taken into consideration. For instance, websites change all the time so it would be ideal to have a mechanism in place for updating URLs. For this attack to work, time synchronization between the sender and the receiver are very important.

The attacker must also ensure that the website they leverage for exfiltration and the time when it’s accessed blend in with the targeted organization’s regular traffic. Researchers noted that the attack might not work if a website uses multiple cache servers or if it relies on Geo-IP distribution.

According to the researchers, one possible way of detecting and disrupting such an attack would be to intercept every HTTP request and delay it by a certain number of seconds to see if the targeted page was accessed by the receiver. However, this method has a negative impact on user experience as every request would have to be delayed (e.g. if the receiver accesses the page after 10 seconds, every request would need to be delayed by at least 11 seconds).

When asked about concerns that the method could be abused by malicious actors now that its details and even a PoC tool have been released, Kotler and Klein explained that their goal is to help defenders come up with ways to detect and block exfiltration techniques. They argued that attackers could always come up with these types of methods on their own.

SafeBreach has challenged the industry to come up with a perfect exfiltration method that can be used for larger amounts of data, and to find an efficient way to defeat the company’s perfect exfiltration proposal.

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.