Data Theft Via the Cloud: You Don't Need Flash Drives Any More

News stories worldwide have related stories of individuals illicitly copying data from governments and private organizations. Sometimes that's called data theft, but the term data exfiltration is more accurate. There are other exfiltration vectors, and all are threats to confidentiality.

Most of the stories I have read about data exfiltration (of stored data) involve some sort of flash storage. Thumb drives are the most common, it seems (leading to the term "thumbsucking), both in fiction and in reality. Other options include the storage in smartphones, the small flash drives used in cameras and other devices, along with media players and IoT devices.

storage devices

Bleeping Computer recently reported on an individual convicted of exfiltrating data via a different path: the cloud. According to the story, the individual uploaded confidential and proprietary information to his Dropbox account.

Many sites prohibit bringing in or taking out flash drives of any sort to prevent people from copying and removing data. I think they will now block access to external file sharing cloud services such as Dropbox. That blocking would be too late for the case reported in the article but may help some places. It is another case of reacting to an attack rather than being pre-emptive.

It is difficult to be pre-emptive in cases such as this. Yes, ideally a security policy for an organization with confidential and proprietary information would already block file sharing sites either via blacklisting or whitelisting. The latter would be based on the sound principle of "everything not explicitly permitted is prohibited". Unfortunately, that is difficult at best where engineers may need to search the internet for design information as in the case reported in Bleeping Computer.

Another approach might be to inspect data at the point of egress to ensure it does not contain information to which the organization desires to restrict access. This could be defeated by encrypting data (but not using, say, HTTPS).

Data exfiltration is not limited to directly downloading. Other attack methods may be deployed depending on whether the data are at use, at rest, or in transit.

Faheem Ullah, et al do an excellent job of analyzing and explaining exfiltration attacks and countermeasures. The paper is long, and the analysis is comprehensive. It contains copious links to other research.

Data theft is a huge problem for governments and private organizations. It is difficult to stop and equally difficult to detect. Yes, there are techniques for detection and prevention, but many are limited to specific applications or protocols, e.g. HTTP/HTTPS or in phishing attacks. Prevention of data loss via phishing attacks requires different techniques than preventing direct theft by employees or contractors. This is an area of ongoing research.

I do not know of a universal way to prevent data exfiltration by malicious insiders. I doubt that there is one within the bounds of current technology. Theft for personal gain or perceived social gain is not new. Theft of data for those goals is not new, either. Our best approaches may be to limit access to the vectors used to copy the data.

Chat With Us