Upload: proqsys

Post on 29-Jun-2015


Data Exfiltration and Red October

Keeping an eye on your network traffic may be your last viable line of defense against toxic data extrusion.

It seems that new viruses are discovered like clockwork in specific industries, especially those dealing with sensitive information. Today I read the details on the newly discovered ‘Red October’ virus – it is eerily reminiscent of the ‘Flame’ worm, and many others that have come before. There are probably even more that are already making the rounds and have not yet been discovered! The next big virus is already sneaking around collecting sensitive information and sending it home; by the time it’s discovered and gets its day in the media sun, it will have been out there for weeks, months, even years.

The Exfiltration of Encrypted Data

What interests me about the recent batch of worms and viruses is their targeted ability to find and exfiltrate sensitive documents. In fact, the “Red October” virus specifically searches for deleted files and files encrypted by “Cryptofiler”, which is commonly used in the intelligence community. I doubt anybody considers this a coincidence.

Toxic Data and Data Breaches

Similarly, I doubt anybody is unconcerned with these viruses that go to great lengths to hide and exfiltrate your most sensitive, most toxic data. Toxic data is any piece of information that will do massive damage to your organization’s image and bottom line when its disclosure reaches the public. Usually this includes medical records, financial records and credit cards, and any personally identifiable information. The mere exposure of a data breach is damaging enough, regardless of the actual content or where the data went.

Using Evidence of Data Exfiltrations

What makes the problem so difficult to tackle is the myriad places inside your computers’ filesystems where these viruses can hide away. There is no guarantee you will ever find them, and computer systems are getting ever bigger and more complex, making it easier and easier to hide. It seems the only safe bet is to search for evidence of the data exfiltrations in the network traffic, which is much harder to hide.

Be Vigilant of Viruses and Inside Jobs

In my opinion, most organizations spend far too much time searching for viruses on their computers, and far too little time searching for data exfiltrations over their networks. Keep in mind that it is not only worms and viruses that may be exfiltrating your most toxic data; it could easily be anyone within your own walls. In the end, the most important objective is to ensure that no toxic data leaves your enterprise, and keeping an eye on your network traffic may be your last viable line of defense.
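The two sections above argue that exfiltration, whether by malware or by an insider, is easier to spot on the wire than on disk. The following is an added example of that idea in working code; it is not FlowTraq or ProQSys code. It parses a constructed NetFlow-style export (timestamp, source, destination, destination port, bytes), sums the bytes each internal host sent to addresses outside the enterprise, and flags hosts whose outbound volume exceeds several times their own historical baseline. The address ranges, flow records, baseline figures and thresholds are all assumptions made up for the illustration.

```python
"""Flow-record sweep for unusually large outbound transfers.

Added illustration of the point in the text (look for exfiltration evidence
in network traffic rather than on disk); it is not FlowTraq or ProQSys code.
The flow log, address ranges, baselines and thresholds are all constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple

# Constructed: address ranges treated as "inside the enterprise".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    nbytes: int  # bytes sent from src to dst in this record


# Constructed NetFlow-style export: timestamp,src,dst,dst_port,bytes
SAMPLE_FLOW_LOG = """\
2015-06-29T09:01:12,10.1.2.3,10.1.2.10,445,80000000
2015-06-29T09:02:40,10.1.2.3,203.0.113.7,443,12000
2015-06-29T09:05:03,10.1.2.3,203.0.113.7,443,9000
2015-06-29T09:07:55,10.1.2.4,198.51.100.9,443,15000
2015-06-29T09:09:10,10.1.2.4,198.51.100.9,443,3200000000
2015-06-29T09:11:31,10.1.2.5,192.0.2.20,22,950000
2015-06-29T09:14:02,10.1.2.9,198.51.100.50,443,150000000
2015-06-29T09:15:27,203.0.113.7,10.1.2.3,55012,4000
"""

# Constructed per-host daily outbound baselines in bytes (in practice learned
# from weeks of history). 10.1.2.9 deliberately has no baseline yet.
BASELINE_BYTES = {"10.1.2.3": 50_000_000, "10.1.2.4": 40_000_000, "10.1.2.5": 10_000_000}


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV export, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 5:
            continue
        ts, src, dst, dport, nbytes = parts
        try:
            flows.append(Flow(ts, src, dst, int(dport), int(nbytes)))
        except ValueError:
            continue
    return flows


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_bytes_per_host(flows: List[Flow]) -> Dict[str, int]:
    """Sum bytes each internal host sent to non-internal destinations.
    Internal-to-internal and inbound flows are ignored."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[f.src] += f.nbytes
    return dict(totals)


def flag_hosts(totals: Dict[str, int], baseline: Dict[str, int],
               ratio: float = 5.0, floor: int = 100_000_000) -> List[Tuple[str, int, int]]:
    """Flag hosts whose outbound volume exceeds ratio x their own baseline.
    `floor` is an absolute minimum so low-baseline hosts do not alert on noise;
    a host with no baseline is judged against the floor alone."""
    flagged = []
    for host, out in sorted(totals.items()):
        base = baseline.get(host)
        threshold = floor if base is None else max(floor, ratio * base)
        if out > threshold:
            flagged.append((host, out, int(threshold)))
    return flagged


if __name__ == "__main__":
    totals = outbound_bytes_per_host(parse_flows(SAMPLE_FLOW_LOG))
    for host, out, thr in flag_hosts(totals, BASELINE_BYTES):
        print(f"{host}: {out:,} bytes to external hosts (threshold {thr:,})")
```

Run as written, the sweep flags 10.1.2.4 (3.2 GB out against a 200 MB threshold) and 10.1.2.9 (150 MB with no baseline, judged against the 100 MB floor); the 80 MB internal file-share transfer and the inbound flow never count. The design choice worth noting is that the rule is per-host and relative: a server that legitimately sends gigabytes daily is not flagged by the same rule that catches a workstation suddenly doing so, which is the kind of behavioral baseline the text has in mind.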

Scalable Traffic Analysis for Complex Environments

FlowTraq is a software product by ProQSys, which specializes in high-volume, forensically accurate network behavioral flow analysis. Our goal is to substantially improve your visibility and insight into your network infrastructure to understand threats before they become incidents.

ProQSys has 2,600 customers worldwide, including Fortune-500 companies, ISP/MSPs, governments, schools, and universities. For more information, please visit www.flowtraq.com.