Most people are aware that there is a seemingly infinite sea of hackers out there whose goal in life is to steal sensitive data from corporate networks. And while tomes have been written about the various ways in which attackers infiltrate systems and networks, the methods by which they actually remove the data they wish to steal are not as well-known.
Not surprisingly, it’s all quite logical. First, an attacker will gain access to a network through a phishing email containing a corrupted PDF or Word document – that’s their foothold into one system on the network. From there the attacker will find other vulnerabilities to jump from system to system in search of valuable data – spreadsheets, documents, financial information or anything else the attacker deems valuable.
Once that data is identified, it’s time to begin the exporting process. It must be staged somewhere, and generally an attacker will choose a particular desktop system on a network, as opposed to a server, to use as the staging ground. According to Ryan Kazanciyan and Sean Coyne of information security firm Mandiant, that’s because most users don’t pay much attention to the amount of storage being used on their machines but ideally network administrators are more on top of that kind of thing and would notice a spike in storage on a server.
Some attackers accumulate the data they wish to steal on the corrupted staging machine and then pull it off in one fell swoop. More commonly, however, attackers pull off the data bit by bit – even though there is a higher risk of detection with the latter method. And while some hackers steal specific data, others will steal anything they can get their hands on – the telltale mark of a large operation that has the manpower to sift through all of that data to find the valuable bits.
The key to dealing with hackers isn’t to fix the vulnerability once it’s been exploited, but to proactively make sure your network is always protected as well as possible to ward off such heists in advance.
“The impact of these data thefts is hard to quantify because the value of a lot of that data has yet to be realized,” Coyne says. “In many of the cases that we worked on, the attackers were inside for months or years. If all of your effort is on remediation after the fact, it’s too little too late.”