
Data exfiltration is arguably the most important target for a security researcher to identify. The seemingly endless breaches of major corporations are carried out over channels of varying stealth, and an endless array of methods exists for communicating the data to remote endpoints while bypassing intrusion detection systems, intrusion prevention systems, firewalls, and proxies. This research examines a novel way to perform such exfiltration, using port knocking over the User Datagram Protocol (UDP). It focuses specifically on the ease with which this can be done, the relatively low signal-to-noise ratio of the resulting traffic, and the plausible deniability of the host receiving the exfiltrated data.
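The following is an added example, not code from the paper abstracted above or from its authors. It models the idea in Python: the sender packs one payload byte and a 6-bit sequence counter into the UDP destination port of an otherwise empty datagram, the receiver rebuilds the payload by reading destination ports passively from a capture (no listening socket is needed, which is the deniability angle: the receiving kernel just answers ICMP port unreachable), and a defender-side heuristic flags the resulting traffic from flow-log style records. The port layout, the 64-knock reorder window, the detector threshold and the sample payload and hosts are all assumptions of this example; the abstract does not describe the paper's actual encoding.

```python
"""Toy model of exfiltration by UDP port knocking plus a spray detector.

Added example; the port layout, the passive receiver and the detector are
assumptions of this example, not the scheme from the paper.
"""
import random
from collections import Counter, defaultdict

BASE_PORT = 0x4000   # knocks use destination ports 16384..32767
SEQ_BITS = 6         # 6-bit sequence counter: tolerates reordering within 64 knocks
SEQ_MASK = (1 << SEQ_BITS) - 1
KNOCK_SPAN = 1 << (SEQ_BITS + 8)   # number of ports the scheme occupies

# Constructed sample payload (not real credentials): 40 bytes -> 40 knocks.
SAMPLE_PAYLOAD = b"host=db01;user=svc_backup;pw=Winter2024!"


def encode(payload):
    """Sender side: one payload byte per datagram, carried in the UDP
    destination port as BASE | seq << 8 | byte. The datagram body is empty."""
    return [BASE_PORT | ((i & SEQ_MASK) << 8) | b for i, b in enumerate(payload)]


def decode(ports):
    """Receiver side: rebuild the payload from observed destination ports
    (e.g. read passively from a capture). Ports outside the knock range are
    ignored; knocks reordered within the 64-knock window are put back in
    sequence before being emitted."""
    out = bytearray()
    pending = {}
    expected = 0
    for port in ports:
        if not BASE_PORT <= port < BASE_PORT + KNOCK_SPAN:
            continue
        offset = port - BASE_PORT
        pending[offset >> 8] = offset & 0xFF
        while expected in pending:
            out.append(pending.pop(expected))
            expected = (expected + 1) & SEQ_MASK
    return bytes(out)


def reorder(ports, window=8, seed=1):
    """Simulate UDP reordering: shuffle knocks inside fixed-size windows."""
    rng = random.Random(seed)
    shuffled = []
    for i in range(0, len(ports), window):
        chunk = ports[i:i + window]
        rng.shuffle(chunk)
        shuffled.extend(chunk)
    return shuffled


def detect_port_spray(events, window_s=10.0, threshold=32):
    """Defender side: flag (src, dst) pairs whose outbound UDP hits at least
    `threshold` distinct destination ports within `window_s` seconds. events
    are (timestamp, src_ip, dst_ip, dst_port) tuples, e.g. from flow logs.
    Note the signature is the same as a UDP port scan against one host."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    flagged = set()
    for pair, hits in by_pair.items():
        hits.sort()
        live = Counter()      # distinct ports currently inside the window
        oldest = 0
        for ts, port in hits:
            live[port] += 1
            while hits[oldest][0] < ts - window_s:   # slide the window forward
                old_port = hits[oldest][1]
                live[old_port] -= 1
                if live[old_port] == 0:
                    del live[old_port]
                oldest += 1
            if len(live) >= threshold:
                flagged.add(pair)
                break
    return flagged


def build_sample_events():
    """Constructed flow log: one host knocking out the sample payload
    (one datagram every 200 ms) next to a host doing ordinary DNS."""
    events = []
    for i, port in enumerate(reorder(encode(SAMPLE_PAYLOAD))):
        events.append((100.0 + 0.2 * i, "10.0.0.23", "203.0.113.7", port))
    for i in range(100):
        events.append((100.0 + 0.1 * i, "10.0.0.9", "10.0.0.2", 53))
    return events


if __name__ == "__main__":
    knocks = reorder(encode(SAMPLE_PAYLOAD))
    print("recovered:", decode(knocks))
    print("flagged pairs:", detect_port_spray(build_sample_events()))
```

Two points a practitioner should take from running this: the channel carries one byte per datagram, so it is slow and trivially rate-limited, and from the defender's side it looks exactly like a UDP scan of one external host from one internal host, so the same distinct-port-per-pair rule that catches scanning catches it; a default-deny outbound policy removes it altogether, since the knocks never have a permitted destination.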



    Isn’t the reasonable solution to enforce a restrictive outbound firewall policy?


      Indeed. That’s the obvious reasonable solution, but implementing this is predicated on reasonable expectations on things like unfettered access to the Internet via a NAT gateway. A lot of network operators simply won’t go with it, and a lot of systems administrators simply don’t want to maintain a proxy server for those times when you need/want to, e.g., download updates from the Internet.

      The only institutions I know of presently that do this are banks, and even then, not all banks do it.


        I’ve heard of places that use “kiosk” terminals that are shared computers with full access to the Internet, and all the real computers are air gapped on an isolated network. Updates/downloads/information are sneakernetted to the real network via USB drive or write-once CD/DVD. And of course there is “Stallman Net”.