Emerging Tech: Security — The Need for Wireless Airspace Cybersecurity
Excerpt From SECDEF Memo – Impacts on SCIF/SAPF Security Webinar
Watch the Video Below to Learn About the Data Exfiltration Use Case
CTO Dr. Brett Walkenhorst illustrates a scenario in which an insider attempts to extract classified files from a secure facility. The insider brings a hotspot and a Wi-Fi dongle into the building in order to connect to a computer and steal information over the cellular network. To get around detection sensors, they keep the equipment powered off on the way in. Once inside, they start the hotspot, link the dongle to a protected PC, and move the data. The insider can then destroy the equipment to reduce the chance of being discovered when leaving the building. The clip below walks through the scenario.
So let's say that we've got someone who wants to extract some classified files from a network, and this network is inside of a secure facility. We'll say it's a SCIF. What that insider is gonna do, they're gonna carry a Wi-Fi dongle and a hotspot into that SCIF with the idea that once they connect them, the dongle goes into a secure computer, and they're gonna try to exfiltrate some information directly over the cellular network.
They're gonna do this by powering the devices off to try to bypass any kind of entry-mounted detection device such as you see in the lower right. So maybe you've got a sensor that's close to a door and you just wanna make sure that nothing goes in or out.
Well, all I gotta do is power something off and that sensor won't see it. So the insider goes in, fires the things up, plugs the dongle into the target system, fires up the hotspot, connects to the client, and then identifies the files and dumps them to the hotspot.
So it's a really straightforward thing. This is using technology that's readily available. I've described the hotspot generically, but, you know, you could just use a smartphone. A Wi-Fi dongle is pretty straightforward. Once they've created that chain, all they've gotta do is dump the files and their job is done.
They could literally wipe fingerprints, dispose of the devices somehow. They've left some evidence maybe, but they could just walk out of there to minimize risk that they'll actually be caught leaving the facility with those devices. Right? An alternative to this would be maybe they wanna minimize their footprint a little bit, so they're just gonna use a cell phone inside of the secure space to take photos of the computer screen.
That seems reasonable. Right? All I've got to do is get that device in there without it being detected, take some photos, exfiltrate it over cellular, or if I'm really sketchy, maybe I try not to send any information at all, and I just take some photos so I can take them outside and then send them back after I'm outside.
Right. So there's lots of ways this could go, but let's just focus on the technology of establishing that chain by which we're gonna exfiltrate devices directly from the network.