July 11, 2023
Data exfiltration is a critical step in many ransomware attack tactics. UEBA platforms enhanced with custom rules are ideally suited to detect exfiltration techniques.
Ransomware continues to present serious risks to unprepared organizations. While the days of large, headline-making ransomware disruptions appear to be behind us, threat actors continue to come up with new ways to extort victims’ data for financial gain.
The rise in double extortion attacks against smaller organizations is one of the most alarming trends happening in the cybersecurity industry. Many of these organizations are healthcare providers, K-12 school districts, and government agencies that serve small population centers throughout the United States.
Small public sector targets like State, Local, Tribal, and Territorial (SLTT) organizations are particularly vulnerable to these attacks because they rarely command the resources of enterprise-level organizations. Ransomware threat actors see them as low-risk, high-reward targets, especially when using double extortion tactics.
Double Extortion: It’s Not Just a Ransom Anymore
Traditional ransomware attacks begin with a phishing email or a technical exploit that gives cybercriminals access to the victim’s network. From there, they launch malware, escalate privileges, and move laterally across the network until they find valuable data to encrypt.
Double extortion attacks follow a similar structure, but with one key difference: Instead of simply encrypting victims’ data, threat actors exfiltrate the data so they have a copy for themselves.
This gives threat actors considerably higher leverage against victims. First, they demand a ransom for decrypting the impacted files, then demand additional money to avoid publishing sensitive data publicly.
Even if the organization successfully repels the ransomware attack, threat actors can still achieve a significant payday.
However, double extortion attacks don’t work if threat actors can’t exfiltrate sensitive data for themselves. From a security perspective, manipulating network resources to encrypt sensitive data and sending that data to an external source are two very different things.
How Attackers Exfiltrate Data
Before threat actors can threaten to publish sensitive data, they must acquire that data somehow. The MITRE ATT&CK Framework lists several different ways attackers achieve that goal:
- Automated Exfiltration. Attackers use software tools like Attor or CosmicDuke to automatically send data to an external source. These tools may use a wide variety of methods to send data, from illicit traffic duplication to commercial FTP vendors.
- Data Transfer Size Limits. Attackers send data to an external source in discrete packets of limited size. This keeps overall traffic low, which helps prevent detection from traditional security tools that scan for high-volume traffic spikes.
- Exfiltration Over C2 Channel. This is where attackers steal data by transferring it through an existing command and control channel. The data is encoded into normal traffic using the same protocol.
- Exfiltration Over Alternative Protocol. Hackers don’t have to use the existing command and control channel to exfiltrate data. They may opt for alternate channels like FTP, HTTP, DNS, or many others. Many platforms let users do this directly through the command-line console.
- Exfiltration Over Other Network Medium. Threat actors may exfiltrate data through Wi-Fi connections, Bluetooth connections, or other radio frequency channels they might gain access to. Because this traffic never passes through the devices that enforce Internet-centric security rules, it often bypasses those rules entirely.
- Scheduled Transfers. Some data exfiltration methods only occur during specific times of day, or at special pre-defined moments. This helps blend the outgoing data with the normal traffic expected at the same time.
Many of these attack techniques are designed to bypass traditional security controls. By throttling exfiltration speed, masking outgoing traffic, and sending data through unexpected channels, attackers can avoid the detection rules that most default SIEM configurations focus on.
Deploy Custom UEBA Detection Rules to Catch Exfiltration Early
UEBA-enhanced SIEM platforms give security teams the ability to detect unauthorized activity based on how users, servers, and other assets behave during routine operations. When an asset starts acting in an unusual way – like transmitting multiple gigabytes of encrypted data over Bluetooth – the UEBA platform triggers alerts that respond dynamically to the risk that behavior represents.
But default UEBA configurations don’t always have the context they need to appropriately measure and report risk. Custom rules allow organizations to contextualize suspicious behaviors, improving security event prioritization and incident response. This ensures security analysts can investigate the highest-priority security events first.
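To make the contrast concrete, here is an added example that is not from Castra or any UEBA vendor: a naive per-transfer spike threshold beside a per-host daily baseline rule, both run over constructed flow records in which one workstation moves a large total in small chunks (the Data Transfer Size Limits technique described above). The host names, byte counts, and the 50 MB threshold are assumed sample values.

```python
# Added illustration, not vendor code: spike threshold vs. per-host baseline.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (host, day, bytes_out) per transfer.
# Days 1-7 are normal for both hosts (~20 MB/day). On day 8, "ws-07" sends
# 60 chunks of 0.9 MB (54 MB total): no single transfer looks unusual,
# but the daily total is far outside that host's own history.
FLOWS = []
for day in range(1, 8):
    for host in ("ws-03", "ws-07"):
        FLOWS += [(host, day, 4_000_000)] * 5
FLOWS += [("ws-03", 8, 4_000_000)] * 5
FLOWS += [("ws-07", 8, 900_000)] * 60

PER_EVENT_THRESHOLD = 50_000_000   # assumed 50 MB single-transfer spike rule

def spike_rule(flows, threshold=PER_EVENT_THRESHOLD):
    """Traditional rule: alert on any single transfer above the threshold."""
    return sorted({host for host, _, nbytes in flows if nbytes > threshold})

def daily_totals(flows):
    """Aggregate bytes_out per (host, day); this is what a baseline compares."""
    totals = defaultdict(int)
    for host, day, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals

def baseline_rule(flows, score_day, z_limit=3.0):
    """UEBA-style rule: score a day's total against the host's own history.
    Returns {host: z-score} for hosts whose total on score_day exceeds their
    prior daily mean by more than z_limit standard deviations."""
    totals = daily_totals(flows)
    history = defaultdict(list)
    for (host, day), total in totals.items():
        if day < score_day:
            history[host].append(total)
    alerts = {}
    for host, past in history.items():
        mu, sigma = mean(past), pstdev(past)
        sigma = max(sigma, 0.05 * mu)   # floor so a flat baseline still scores
        z = (totals.get((host, score_day), 0) - mu) / sigma
        if z > z_limit:
            alerts[host] = round(z, 1)
    return alerts

if __name__ == "__main__":
    print("spike rule alerts:   ", spike_rule(FLOWS))        # []
    print("baseline rule alerts:", baseline_rule(FLOWS, 8))  # {'ws-07': 34.0}
```

The spike rule stays silent because every chunk is below 50 MB, while the baseline rule flags ws-07 on day 8 with a z-score of 34 against its own 20 MB/day norm.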
Castra has developed 1800+ custom rules for UEBA platform users, giving its customers a significant advantage when addressing complex attack techniques like double extortion. This amplifies and extends the capabilities that small security teams can offer to public sector organizations struggling against sophisticated threats. Schedule a demo to discover how Castra’s custom rules can improve your security posture.