
SenseOn SOC Playbook: Data Exfiltration

The following process is how managed providers of SenseOn should extend the investigation of incidents in end customer estates and contains best practice guidance for additional manual threat hunting and containment.

Process Flowchart

[Flowchart image: Malware flowchart]

Identification

Assess what data has been exfiltrated

Joint action for customer and provider of SenseOn MDR

Assess all logs within the SenseOn platform and in any available third-party tools, including end-device logs, to establish what has been exfiltrated.

Assess the method of data exfiltration

Joint action for customer and provider of SenseOn MDR

Find the method that was used to exfiltrate the data from the estate. It will most likely fall under one or more of the following exfiltration method categories:

  • Cloud - O365, Dropbox, MegaUpload etc.
  • Physical - Removable media like disks and drives.
  • Network - SSH, SFTP, FTP etc.

Review the raw telemetry

Action for provider of SenseOn MDR

Use Hunt lab to query raw process and network telemetry and observe what took place in the run-up to the exfiltration of data.

Simple process telemetry query

-- Process telemetry for one host from the chosen start time onwards
SELECT
  _time_observed, _hostname, username, parent_id, id, parent_name, name,
  command, parent_path, path
FROM
  endpoint_process
WHERE
  lower(_hostname) = lower('<place_hostname>')
  AND _time_observed >= <place_time_in_unix_ms>
ORDER BY
  _time_observed ASC

Simple network telemetry query

-- Network flows from five minutes (300000 ms) before the chosen start time,
-- matched on the host's IP address or on a hostname prefix
SELECT
  _time_observed, _hostname, source_hostname, source_ip, dest_hostname, dest_ip,
  source_process_username, source_process_parent_id, source_process_id,
  source_process_parent_name, source_process_name, source_process_command,
  source_bytes_sent, dest_bytes_sent, *
FROM
  network_flow
WHERE
  _time_observed >= (<place_time_in_unix_ms> - 300000)
  AND (
    source_ip = '<place_host_IP_here>'
    OR lower(source_hostname) LIKE lower('<place_hostname_here>%')
  )
ORDER BY
  _time_observed ASC

Review the raw telemetry continued

Action for provider of SenseOn MDR

The prior steps, which aimed to ascertain what was exfiltrated and the method that was used, should have surfaced IOCs. These IOCs should be used to establish the scope of the exfiltration.

For example, was the activity confined to one user and host, or were multiple hosts and user accounts implicated? The IOCs identified can be used to search the wider estate with Hunt lab to find whether other users and hosts were involved.
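The scoping step described above, as an added example that is not part of the SenseOn playbook: two Hunt lab style queries that pivot on the destination and process IOCs across the whole estate. They assume the network_flow and endpoint_process tables and column names used in the queries earlier on this page, that Hunt lab accepts standard aggregate SQL (GROUP BY, SUM, COUNT), and that the <place_...> placeholders are replaced with the IOCs from the investigation.

```sql
-- Added example (not from the SenseOn playbook): scope the exfiltration
-- across the estate using the IOCs found in the earlier steps. Assumes the
-- network_flow / endpoint_process tables and columns used in the queries
-- above and that Hunt lab accepts GROUP BY / SUM; replace the <place_...> values.

-- 1. Which hosts, users and processes sent data to the suspect destination?
--    bytes_out far above bytes_in is the shape of an upload, not a download.
SELECT
  _hostname,
  source_process_username,
  source_process_name,
  COUNT(*)               AS flow_count,
  SUM(source_bytes_sent) AS bytes_out,
  SUM(dest_bytes_sent)   AS bytes_in,
  MIN(_time_observed)    AS first_seen,
  MAX(_time_observed)    AS last_seen
FROM
  network_flow
WHERE
  _time_observed >= <place_window_start_unix_ms>
  AND (
    dest_ip = '<place_ioc_destination_ip>'
    OR lower(dest_hostname) LIKE lower('%<place_ioc_destination_domain>')
  )
GROUP BY
  _hostname, source_process_username, source_process_name
ORDER BY
  bytes_out DESC;

-- 2. Did the same tool run on any other endpoint? Pivot on the process
--    name or command-line fragment identified as an IOC.
SELECT
  _hostname,
  username,
  COUNT(*)            AS executions,
  MIN(_time_observed) AS first_seen,
  MAX(_time_observed) AS last_seen
FROM
  endpoint_process
WHERE
  _time_observed >= <place_window_start_unix_ms>
  AND (
    lower(name) = lower('<place_ioc_process_name>')
    OR lower(command) LIKE lower('%<place_ioc_command_fragment>%')
  )
GROUP BY
  _hostname, username
ORDER BY
  first_seen ASC;
```

Every host or account returned by either query that was not already in scope should be added to the containment steps below.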

Intelligence and enrichment

Action for provider of SenseOn MDR

It is advised that the external destination of the data be assessed. This assessment may yield crucial information about why the data was exfiltrated and where it went. Some tools that could be used to assess the external destination are:

  • VirusTotal - A threat intelligence platform for files and network destinations.
  • GreyNoise - A database of internet scanners that aims to cut out the noise.
  • ThreatFox - An IOC database.
  • Shodan - A search engine for internet-connected devices.

Identify the type of data that was exfiltrated

Joint action for customer and provider of SenseOn MDR

The type of data that was exfiltrated should be assessed. Some examples of this are stated below:

  • Personally identifiable information (PII)
  • Financial information
  • Health related data
  • Credit/Debit card information

Identify any regulations or legislation to be aware of

Joint action for customer and provider of SenseOn MDR

⚠ End customer notification: End customers and their Data Privacy Officers (DPOs) must be informed of a likely or suspected data breach as soon as practicable to engage with their legal counsel and meet potential reporting deadlines.

In instances where sensitive data has been exfiltrated or stolen, the related legislation should be reviewed to understand how standards bodies and government regulators expect such a breach to be handled. As an example, in the UK the Information Commissioner's Office (ICO) must be notified that a breach has taken place. Some regulations and legislation are outlined below.

  • DPA / GDPR - The Data Protection Act is in place to help protect people's data in the UK (GDPR in Europe) and regulates what an organisation must do in the event of a data breach.

⚠ Notification period: In the UK, organisations must notify the ICO of a personal data breach within 72 hours of becoming aware of it. If the breach is likely to pose a high risk to individuals, the organisation must also inform those individuals as soon as possible.

Identify any regulations or legislation to be aware of continued

Joint action for customer and provider of SenseOn MDR

  • HIPAA - The Health Insurance Portability and Accountability Act is a piece of American legislation that aims to better protect people's medical and personally identifiable information in the healthcare sector and to better control any transfer of such data.
  • SOX - The Sarbanes-Oxley Act is a piece of American legislation that aims to better protect financial information in relation to its recording and reporting, as well as its transfer and storage.
  • PCI DSS - The Payment Card Industry Data Security Standard is a standard used by major payment card companies such as Visa and American Express. It aims to better protect the payment and banking information of people globally.

Containment

User account actions

Action for customer

  1. On-premises user accounts should be locked so that they cannot be accessed.
  2. Cloud user accounts should also be locked, for example via Azure AD.
  3. Passwords of impacted accounts should then be reset, along with revoking any current sessions and/or multi-factor authentication (MFA) codes.
  4. Following this, any newly added MFA methods should be removed.

Isolation

Joint action for customer and provider of SenseOn MDR

Isolate devices that have been involved in the data exfiltration from the network to prevent any further occurrences until the incident has been fully remediated.

Eradication

Joint action for customer and provider of SenseOn MDR

  1. SenseOn MDR Provider: Remove any programs or scripts that were used as part of the data exfiltration.
  2. Customer: Restrict the potential for the same method to be used again. This could be done by putting firewall rules in place; however, further control measures should be assessed.
  3. Customer: Run an antivirus scan of any hosts implicated in the exfiltration.
  4. SenseOn MDR Provider: Any custom software that was installed during the compromise window should be removed.
  5. SenseOn MDR Provider: Any software added to startup during the compromise window should be removed.
  6. SenseOn MDR Provider: Any service added during the compromise window should be removed.
  7. Customer: Remove any user accounts that were added during the window of compromise.
  8. Customer: Remove any firewall rules added during the compromise window.
  9. SenseOn MDR Provider: Remove any remote management solutions added during the compromise window.

Recovery

Joint action for customer and provider of SenseOn MDR

  1. SenseOn MDR Provider: Remove device network isolation so that the device can connect normally to the network.
  2. Customer: Unlock any locked on-premises or cloud user accounts.
  3. SenseOn MDR Provider: Set up a monitoring plan for users and devices to watch for further suspicious signs or unwanted activity.
  4. Customer: Review regulations and legislation to assess whether anyone must be notified of the data being exfiltrated. This will depend on how sensitive the data was, as previously discussed in the Identification section.