In today's digital world, Advanced Persistent Threats (APTs) have emerged as a
major security threat. APTs are not only a primary weapon currently used by
attackers in cyber warfare, but also the biggest threat to organizations that
acquire, store or process sensitive data as their intellectual property or in
any other form. Unlike computer viruses and worms, which are usually
non-targeted malicious software, APTs are highly targeted attacks launched
against a specific target, and the attacker is motivated enough to persist
until the objective is achieved. The motivations behind APTs can be numerous
but are usually divided into two major categories: they are launched either to
destroy the target or to acquire the sensitive data stored at a particular
place.
An APT is an organized activity consisting of three major lifecycle phases. In
the first phase, the attacker gathers intelligence about the vulnerabilities of
the target that can help in entering the target's premises, which in the usual
case is the network of the organization, protected by perimeter security
devices such as firewalls and IDS/IPS. In the second phase, these
vulnerabilities are put to use: the attacker develops and launches the
mechanisms, mostly in the form of specialized malware, and compromises the
security measures of the target. Once the attacker has entered the premises,
it proceeds to the completion of its objective, which can be either destruction
of the target or exfiltration of sensitive data.
In our research, we focus on the APTs that are launched against organizations
to acquire their sensitive data. This corresponds to the last phase of the APT
lifecycle, which leads to the conclusion that organizations should devise
mechanisms to protect their sensitive data from unauthorized exfiltration.
Currently deployed security devices, including firewalls and Intrusion
Detection Systems (IDSs), are unable to prevent data exfiltration because once
the attacker has penetrated the network, he is undoubtedly well aware of the
weaknesses of these security devices and is easily able to adopt legitimate
methods to search for and steal sensitive data. Furthermore, organizations
usually employ access control mechanisms against unauthorized access which, in
the case of APTs, are also defeated through privilege escalation.
Specific to data exfiltration, we present a host-based approach that is able
to detect the unauthorized leakage of data. Our mechanism makes use of
techniques such as DLL injection and API hooking to monitor the actions
performed by all running processes in the system. These actions specifically
include certain Windows APIs that must be called if an exfiltration attempt is
in progress. We monitor the API calls performed by the processes by injecting
a custom-made DLL into them. Our DLL is capable of hijacking the sensitive API
calls and stopping the execution of a process if exfiltration activity is
observed. Our system successfully detects data exfiltration activity in real
time, does not require any learning phase, imposes very low computational
overhead and is independent of network characteristics, such as the protocol
used for exfiltration.
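As an added illustration of the correlation step the abstract describes (this is not code from the thesis), the following Python models how calls reported by an in-process API hook could be combined into a verdict: a read from a sensitive file followed by an outbound network call in the same process is flagged for blocking, even if the file handle was closed and reused in between. The event layout, the sensitive-path prefixes and the set of network-send APIs are assumptions, and the traces are constructed.

```python
from dataclasses import dataclass, field

# Assumed hook-event layout (pid, api, args); the abstract does not describe
# the thesis DLL's actual record format. Paths and API sets are also assumptions.
SENSITIVE_PREFIXES = ("C:\\Confidential\\", "C:\\Users\\alice\\Documents\\IP\\")
NETWORK_SEND_APIS = {"send", "WSASend", "InternetWriteFile", "HttpSendRequestW"}

@dataclass
class ProcessState:
    handles: dict = field(default_factory=dict)  # open handle -> path
    tainted: bool = False                        # sensitive bytes read into memory

def observe(state, api, args):
    """Feed one hooked call into per-process state; True means 'block this call'."""
    if api == "CreateFileW":
        state.handles[args["handle"]] = args["path"]   # remember handle -> path
    elif api == "ReadFile":
        if state.handles.get(args["handle"], "").startswith(SENSITIVE_PREFIXES):
            state.tainted = True     # process now holds sensitive data in memory
    elif api == "CloseHandle":
        state.handles.pop(args["handle"], None)       # handle values are reused
    elif api in NETWORK_SEND_APIS and state.tainted:
        return True    # taint outlives the handle: the data is already in memory
    return False

def scan_trace(trace):
    """Run a trace of (pid, api, args) events; return {pid: first blocked api}."""
    states, verdicts = {}, {}
    for pid, api, args in trace:
        st = states.setdefault(pid, ProcessState())
        if pid not in verdicts and observe(st, api, args):
            verdicts[pid] = api
    return verdicts

# Constructed traces: pid 100 reads a public file then sends (benign); pid 200
# reads a confidential file, closes it, gets the same handle value back for a
# harmless file, reads that, then calls WSASend (must be blocked).
SAMPLE_TRACE = [
    (100, "CreateFileW", {"path": "C:\\Public\\readme.txt", "handle": 0x1c}),
    (100, "ReadFile", {"handle": 0x1c}),
    (100, "send", {}),
    (200, "CreateFileW", {"path": "C:\\Confidential\\design.docx", "handle": 0x2c}),
    (200, "ReadFile", {"handle": 0x2c}),
    (200, "CloseHandle", {"handle": 0x2c}),
    (200, "CreateFileW", {"path": "C:\\Public\\notes.txt", "handle": 0x2c}),
    (200, "ReadFile", {"handle": 0x2c}),
    (200, "WSASend", {}),
]
```

`scan_trace(SAMPLE_TRACE)` returns `{200: 'WSASend'}`: the benign process is left alone, while the process that read the confidential file is stopped at its first outbound call.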