In Plain Sight: The Perfect Exfiltration


In this session, we will reveal and demonstrate perfect exfiltration via indirect covert channels (i.e. the communicating parties don’t directly exchange network packets).

This is a family of techniques to exfiltrate data (low throughput) from an enterprise in a manner indistinguishable from genuine traffic. Using HTTP and exploiting a byproduct of how some websites choose to cache their pages, we will demonstrate how data can be leaked without raising any suspicion. These techniques are designed to overcome even perfect knowledge and analysis of the enterprise network traffic.

Characteristics of the approach includes the following:

– Ability to stand to network monitoring: no traffic anomaly is allowed, at all traffic levels: protocols, IP addresses, hosts, ports, TCP handshake, packet structure, SSL, application level traffic, etc.

– SSL termination should be assumed.

– Full Host/IP information (incl. reputation) is available to the enterprise.

– No obvious “possibly suspicious” activities (e.g. emails, Google docs, forum posts, etc.)

Code will also be released during the talk.

Location: Track 1 Date: May 27, 2016 Time: 2:00 pm - 3:00 pm Itzik Kotler Amit Klein