
Data exfiltration is the last stage of the kill chain in a (generally) targeted attack on an organisation. Whilst many excellent papers and tools are available for various techniques, this is our attempt to pull all these together. This could also be used as a crib sheet for fellow pen testers who are asked to check an organisation for ease of exfiltration. Most of the techniques described relate to direct internal-to-external data exfiltration, although in many cases an organisation's network segmentation will require an attacker to aggregate data to a staging point before this can take place.

Index

It's by no means exhaustive, so if we've missed something let us know and we'll be happy to credit you!

Many organisations don't have any kind of web proxying in place, and if that's the case your work is likely done. If there is proxying and filtering you may need to work a little harder, but many common sites like Dropbox, Google Drive and Box are permitted, especially if an organisation outsources to shared cloud services. Github is often permitted in many technical organisations. Anon paste sites like pastebin or even github offer an easy exfiltration channel.

Often TLS interception (man-in-the-middle) isn't enabled. Spin up a custom domain somewhere, coupled with LetsEncrypt, and you're away. Even if something like Websense is enabled, many categories aren't enabled for full TLS inspection – things like financial and medical – for employees' privacy. Many categorisation systems allow you to suggest your own appropriate category, and so with a little pre-planning an attacker can stage their own healthcare site ready to bypass the filters.

Are there misconfigured mail relays on site? Can you relay to external addresses by spoofing internal ones? (This is also a good one for internal phishing that bypasses message hygiene filters, but that's a story for another day!) Can you get to one of the main webmail providers – Gmail, etc.? This is made more likely if, again, your target organisation has outsourced to Office 365 or GSuite (check their MXs or mail headers). Can you compromise one of these and use it as a staging post? Perhaps your organisation hosts its own web servers, accessible from the internet. Are Flickr and YouTube accessible? Relatively large files can be staged using these services, including using steganography.

Obviously, this is a potentially noisy route, especially for lots of data, but it will do in a pinch.
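From the defender's side, the web-proxy routes described in this section (bulk uploads to permitted sharing sites, posts to paste sites, and HTTPS tunnels to uncategorised or uninspected hosts such as a freshly registered domain with a LetsEncrypt certificate) are all visible in proxy logs if someone looks. The following is an added example, not code from the original post: a small detector run over constructed proxy log lines. The log layout (timestamp, source IP, method, destination host, bytes sent by the client, TLS-inspected flag), the domain watchlists, the baseline of known hosts and the thresholds are all assumptions for this example; map your own proxy's fields and tune the numbers to your estate.

```python
"""Added example (not from the original post): surface the proxy-based
exfiltration routes discussed above from a proxy access log.

Assumed log layout, one request per line, whitespace separated:
    timestamp  source_ip  method  destination_host  bytes_sent_by_client  tls_inspected(yes/no/n/a)
Real proxies differ; adapt parse_line() to your own format."""
import re
from collections import defaultdict

# Constructed sample log: a workstation pushing ~7 MB to Dropbox, a post to
# pastebin, a large uninspected CONNECT to a "medical" site nobody has seen
# before, and ordinary browsing that should not be flagged.
SAMPLE_LOG = """\
2024-04-02T14:00:01Z 10.1.2.33 GET intranet.corp.example 1843 n/a
2024-04-02T14:00:02Z 10.1.2.33 POST content.dropboxapi.com 5248000 yes
2024-04-02T14:00:03Z 10.1.2.33 POST content.dropboxapi.com 2096000 yes
2024-04-02T14:00:04Z 10.1.2.34 POST pastebin.com 3200 yes
2024-04-02T14:00:05Z 10.1.2.35 CONNECT patient-records-portal.example 9100000 no
2024-04-02T14:00:06Z 10.1.2.36 GET github.com 12000 yes
2024-04-02T14:00:07Z 10.1.2.37 CONNECT www.bank.example 4100 no
"""

# Assumed watchlists: permitted sharing services that double as staging posts,
# paste sites, and a baseline of hosts previously seen in this estate.
STAGING_DOMAINS = {"dropbox.com", "dropboxapi.com", "drive.google.com",
                   "box.com", "github.com", "pastebin.com"}
PASTE_DOMAINS = {"pastebin.com"}
KNOWN_HOSTS = {"intranet.corp.example", "www.bank.example", "github.com"}

UPLOAD_BYTES_THRESHOLD = 1_000_000      # per source host over the log window
UNINSPECTED_TUNNEL_THRESHOLD = 5_000_000

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<host>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<inspected>\S+)$")


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["host"] = rec["host"].lower().rstrip(".")
    rec["method"] = rec["method"].upper()
    return rec


def host_in(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyse(log_text, upload_threshold=UPLOAD_BYTES_THRESHOLD,
            tunnel_threshold=UNINSPECTED_TUNNEL_THRESHOLD):
    """Aggregate per-source upload volume to staging sites, record every POST
    to a paste site, and flag uninspected tunnels that are large or go to a
    host outside the baseline."""
    upload_bytes = defaultdict(int)
    paste_posts, bulk_tunnels, new_uninspected_hosts = [], [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] in ("POST", "PUT") and host_in(rec["host"], STAGING_DOMAINS):
            upload_bytes[rec["src"]] += rec["bytes"]
        if rec["method"] == "POST" and host_in(rec["host"], PASTE_DOMAINS):
            paste_posts.append((rec["src"], rec["host"]))
        if rec["method"] == "CONNECT" and rec["inspected"] == "no":
            if rec["bytes"] >= tunnel_threshold:
                bulk_tunnels.append((rec["src"], rec["host"], rec["bytes"]))
            if not host_in(rec["host"], KNOWN_HOSTS):
                new_uninspected_hosts.append((rec["src"], rec["host"]))
    return {
        "staging_uploads": {s: b for s, b in upload_bytes.items() if b >= upload_threshold},
        "paste_posts": paste_posts,
        "uninspected_bulk_tunnels": bulk_tunnels,
        "new_uninspected_hosts": new_uninspected_hosts,
    }


if __name__ == "__main__":
    for category, hits in analyse(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

The size thresholds are the weak part of any such rule: a low threshold drowns in legitimate Dropbox sync traffic, a high one misses a patient exfiltration spread over days, so in practice the per-source byte counts are better fed into a baseline per user than compared against a fixed number. The "new uninspected host" check is the one that catches the custom-domain-plus-LetsEncrypt route, because that host by definition has no history in the estate.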