Blog

Inside the SOC

Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  

Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  Default blog imageDefault blog image
04
Jan 2023
04
Jan 2023

According to the ‘2021 Insider Threat Report’ by Cybersecurity Insiders, the Great Resignation and shift to a remote work culture has seen organizations report a 57% increase in insider-motivated attacks [1]. Insider attacks can be difficult to detect and respond to, (especially those perpetrated by malicious individuals who have privileged access and knowledge of internal business workings) and it is likely that this number is even higher in practice. The same report states that insider threats go unnoticed in 18% of organizations, whilst 31% can only remediate them after the data has already been siphoned out of their environments.  

Given this, visibility and defense against insider attacks needs to be treated as a priority by security teams. If left unchecked theft of critical data can have serious effects on an organization's reputation, competitive edge and business operations, not to mention the possibly resulting legal liabilities. The worst of the consequences are financial costs- according to the Ponemon Institute, the average global cost to remediate insider threat breaches is now estimated to be $15.38 million a year [2].

Darktrace DETECT

Darktrace's product suite has been empowering network defenders to recognize and stop insider threats like data exfiltration, (whether intentional or unintentional) for years. This summer highlighted a notable example. 

In July 2022, while a Singaporean construction corporation was trialling Darktrace DETECT/Network, it observed suspicious connections from a desktop within the corporation's network to an internal file server over the Server Message Block (SMB) protocol and a download of more than 1GB of data. Connections between these devices went on for an hour, ranging from 02:35 to 03:35 UTC in the early hours of the morning (Figures 1 & 2). 

Figure 1: A screenshot showing a spike in data downloaded internally from the breach device.
Figure 2: A zoomed-in view showing the increase in data being downloaded internally.

The files identified during these connections (MS word, pdf, image, etc.) were related to both ongoing projects as well as 3D and 2D designs. It was clear these files were part of critical company property. Around the same time (02:35 - 04:05 UTC), an unusual data transfer of more than 2 GB (Figures 3 & 4) to an external endpoint associated with Google Drive and Sites (clients[N].google[.]com.), as well as SSL connections to Google Drive, Email, and Google Docs domains; these are all related to some of the most common electronic data exfiltration vectors and were seen from the same device (Figure 5).

Figure 3: A screenshot showing a spike in data uploaded externally from the breach device.
Figure 4: A zoomed-in view showing the increase in data being uploaded externally
Figure 5: Around the time of the suspicious external data transfer, SSL connections were seen from the breach device to Google related domains (suggesting the use of Google Drive, Mail and Docs). This is a ranked list of the connected endpoints

Although clients[N].google[.]com was 0% rare for the network, Darktrace model breaches still managed to flag the anomalous increase in the volume of data uploaded externally and downloaded internally by the device. Thanks to an independent investigation by the Cyber AI Analyst feature (Figure 6), this activity was brought to the attention of the company’s management and a subsequent internal investigation was launched into why the device of a now ex-employee was copying data out of the network without authorization. Had Darktrace RESPOND/Network also been active on the deployment, it would have been possible to stop the exfiltration. 

Figure 6: AI Analyst incidents associated with the unusual data transfers.

Conclusion

There are a large range of insiders from departing employees, industrial spies, staff being blackmailed, (or bribed by criminals) compromised contractors and even regular employees with low IT or compliance literacy using unauthorized online data storage services. Each of these can have a devastating impact on businesses if there are no monitoring and prevention capabilities in place to combat data exfiltration, even more so if security teams are understaffed and overworked. As part of the DETECT package, this incident highlights how Darktrace's Cyber AI Analyst autonomously triages unusual activity such as large volumes of data leaving the network without needing to know information like if an employee has handed in their notice. Meanwhile while Darktrace RESPOND has the ability to automatically block abnormal data transfers making it a perfect complement to halt insiders in action. Together Darktrace's technology balances security teams saving them time and ensuring humans can focus on other issues that truly matter.

Appendices

Darktrace Detections

  • Internal Download and External Upload (AI Incident)
  • Unusual External Data Transfer (AI Incident)
  • Unusual Activity /Unusual File Storage Data Transfer (Model Breach)

Primary MITRE technique

Reference List

[1] https://www.cybersecurity-insiders.com/wp-content/uploads/2021/06/2021-Insider-Threat-Report-Gurucul-Final-dd8f5a75.pdf

[2] https://www.blackfog.com/preventing-insider-threats-anti-data-exfiltration/ 

More in this series:

No items found.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Signe Zaharka
Senior Cyber Security Analyst
COre coverage
This Article
Bytesize security: Examining an insider exfiltrating corporate data from a Singaporean file server to Google Cloud  
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
For more information, please see our Privacy Notice.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.