Abstract

Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Often network-based attacks address valuable data, which the attacker either encrypts to extort ransom or steals to make money reselling, or both. After the infamous WannaCry and NotPetya ransomware attacks in 2017, companies stepped up their cyber defenses. More emphasis was placed on backup and recovery processes so that even when files were destroyed, organizations had copies for quick recovery. However, cyber criminals have also adapted their methods. Instead of simply encrypting files, double extortion ransomware now exfiltrates the data first, before encrypting it. As a consequence, the early detection and prevention of data exfiltration is one of today’s major challenges of institutions connected to the Internet. If attempts to illegal data exfiltration are successfully detected, the attacked institution should address a probable subsequent encryption attack step as well. In particular, valuable business assets must be checked for unauthorized access and need to be protected. However, due to the bulk of network traffic and persistent data, automation is a key requirement to successfully defend contemporary threats. The main goal of this article is to present a concept and its initial evaluation to achieve automation of data exfiltration mitigation in a targeted manner. Our concept consists of two main steps. Based on recognized international approaches used in cyber threat intelligence, an automatic procedure on the base of the MITRE Adversarial Tactics, Techniques Common Knowledge (ATT&CK) framework for deriving current threats with respect to data exfiltration is presented in the first place. In the spirit of the Digital Threats: Research and Practice (DTRAP) forum, a practical approach is chosen in addition to the theory in this manner. Our evaluation reveals that we are able to automatically identify the most relevant recent risks of unauthorized data exfiltration. In our second step, we present the design of a simulation gear based on the attacks extracted from the MITRE ATT&CK framework. The aim is to simulate the greatest threats before they actually occur in the operational environment. The strict focus on the threats of data exfiltration characterizes our solution and makes our approach an ideal addition to existing solutions. We provide an evaluation of this initial simulation concept and its underlying technology for the implementation to show that we are on the right track.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.