Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.
| ID | Name | Description |
|---|---|---|
| S0622 | AppleSeed | |
| G0007 | APT28 | |
| S0547 | DropBook | DropBook has used legitimate web services to exfiltrate data.[3] |
| S0508 | Ngrok | Ngrok has been used by threat actors to configure servers for data exfiltration.[4] |
| ID | Mitigation | Description |
|---|---|---|
| M1057 | Data Loss Prevention | Data loss prevention can detect and block sensitive data being uploaded to web services via web browsers. |
| M1021 | Restrict Web-Based Content | Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services. |
| ID | Data Source | Data Component |
|---|---|---|
| DS0017 | Command | Command Execution |
| DS0022 | File | File Access |
| DS0029 | Network Traffic | Network Traffic Content |
| DS0029 | Network Traffic | Network Traffic Flow |
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.
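The two heuristics in the detection note above, upload-heavy flows and network activity from processes with no network baseline, as an added example that is not part of the original page or of ATT&CK. The flow records, the per-host process baseline, the host names (under the reserved `.example` TLD) and the thresholds are all constructed for the example; the field layout is loosely modelled on Zeek `conn.log` (`orig_bytes` is what the client sent, `resp_bytes` what the server returned), and the `process` column assumes a flow-to-process correlation from EDR telemetry that the page itself does not describe.

```python
"""T1567 detection heuristics: upload-heavy flows to external web services and
network use by processes with no network baseline on that host."""
from collections import defaultdict

# Constructed sample flow records (not real telemetry). Fields loosely follow
# Zeek conn.log: orig_bytes = bytes sent by client, resp_bytes = bytes returned.
# The process column assumes EDR correlation, which is an assumption here.
FLOWS = [
    # ts, src_ip, dst_host, process, orig_bytes, resp_bytes
    ("2024-05-01T09:00:01", "10.0.0.5", "docs.cdn.example", "chrome.exe", 8_200, 1_950_000),
    ("2024-05-01T09:01:10", "10.0.0.5", "api.storage.example", "chrome.exe", 640_000_000, 2_800),
    ("2024-05-01T09:01:12", "10.0.0.5", "api.storage.example", "chrome.exe", 512_000_000, 2_400),
    ("2024-05-01T09:03:00", "10.0.0.7", "update.vendor.example", "svchost.exe", 4_100, 92_000_000),
    ("2024-05-01T09:05:30", "10.0.0.9", "mail.webmail.example", "outlook.exe", 35_000, 410_000),
    ("2024-05-01T09:07:45", "10.0.0.7", "tunnel.relay.example", "notepad.exe", 300_000_000, 1_500),
]

# Constructed per-host baseline of processes normally seen using the network.
# In practice this is learned from historical telemetry over a quiet period.
NETWORK_BASELINE = {
    "10.0.0.5": {"chrome.exe", "outlook.exe"},
    "10.0.0.7": {"svchost.exe", "chrome.exe"},
    "10.0.0.9": {"outlook.exe", "chrome.exe"},
}

UPLOAD_BYTES_MIN = 100 * 1024 * 1024  # ignore ordinary uploads (forms, attachments)
UPLOAD_RATIO_MIN = 20.0               # sent/received ratio that marks an upload-heavy pair


def upload_heavy_pairs(flows, min_bytes=UPLOAD_BYTES_MIN, min_ratio=UPLOAD_RATIO_MIN):
    """Aggregate bytes per (src_ip, dst_host) and return the pairs where the
    client sent far more than it received. Normal web browsing is download-heavy,
    so a sustained inverse ratio to a web service is the signal the page describes."""
    totals = defaultdict(lambda: [0, 0])
    for _ts, src, dst, _proc, sent, recv in flows:
        totals[(src, dst)][0] += sent
        totals[(src, dst)][1] += recv
    hits = []
    for (src, dst), (sent, recv) in sorted(totals.items()):
        ratio = sent / max(recv, 1)  # avoid division by zero on one-way flows
        if sent >= min_bytes and ratio >= min_ratio:
            hits.append({"src_ip": src, "dst_host": dst, "sent": sent,
                         "recv": recv, "ratio": round(ratio, 1)})
    return hits


def unbaselined_network_processes(flows, baseline):
    """Return (src_ip, process, dst_host) for every flow whose process has not
    previously been seen using the network on that host."""
    hits = []
    for _ts, src, dst, proc, _sent, _recv in flows:
        if proc not in baseline.get(src, set()):
            hits.append((src, proc, dst))
    return hits


def detect(flows=FLOWS, baseline=NETWORK_BASELINE):
    """Run both heuristics and return their findings keyed by heuristic name."""
    return {
        "upload_heavy": upload_heavy_pairs(flows),
        "unbaselined_process": unbaselined_network_processes(flows, baseline),
    }


if __name__ == "__main__":
    for kind, alerts in detect().items():
        for alert in alerts:
            print(kind, alert)
```

On the constructed data the first heuristic flags the two storage/relay destinations and ignores the CDN, update and webmail traffic; the second flags only notepad.exe on 10.0.0.7. Both findings overlap on the same host and destination, which is the kind of corroboration worth alerting on rather than either signal alone, since a legitimate cloud backup agent will also trip the ratio check.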