Invitation to Cybersecurity

INVITATION TO CYBERSECURITY 86

In most cases, the hacker will not only view data but will also want to obtain a copy of it. This is called data exfiltration, or exfil for short. It is essentially stealing data, but unlike in physical space, where stealing entails taking something away from the victim, in cyberspace exfiltration means copying data from the victim to the attacker. This usually occurs over a computer network—in other words, the attacker downloads the data. It could also occur locally—the attacker copies the data onto a USB stick. Once this happens, the data is outside of the victim’s control.

In some cases the data may be used to extort the victim. The attacker may threaten to publish the data unless the victim pays him money. The scary thing for the victim is that even if he gives in to the hacker’s demands, he can never really be sure that the threat will go away—there is no way to ensure that the hacker’s copy (or more likely, copies) of the data will be permanently deleted. The hacker could potentially come back later with another extortion demand. Hackers may also want to exfil data to sell it on the black market. As we saw in Chapter 3, personally identifiable information (PII) and intellectual property (IP) have market value.

To avoid detection, hackers may try to exfil data using a covert channel. A covert channel is a hidden communication path. Covert channels usually involve steganography—the art and science of hiding information in plain sight (covered in more depth in Section 7.3). An example of a covert channel for exfiltrating data is using flag bits and other fields in network protocol headers. These headers are only supposed to contain metadata, not payload data, and therefore can potentially pass out of a network undetected. The data may also be broken up among several messages and spread out over time to avoid arousing suspicion. What a covert channel costs in efficiency it makes up for in maintaining cover.
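The defender's counterpart to the header-field covert channel described above is to check that header fields which are supposed to be unused or consistent actually are, and to count such oddities per flow rather than per packet, since data that is spread thinly across many messages makes each single packet look almost normal. The following Python is an added example, not code from this book: it parses constructed 20-byte TCP headers (no captured traffic is used), and the port numbers, the reserved-bit and urgent-pointer checks, and the per-flow threshold of 3 are assumptions chosen for illustration.

```python
import struct
from collections import Counter

# Bit layout of the 16-bit "data offset / reserved / flags" word (RFC 9293):
#   bits 15..12  data offset (header length in 32-bit words)
#   bits 11..8   reserved, must be zero
#   bits  7..0   flags CWR ECE URG ACK PSH RST SYN FIN
FLAG_URG = 0x20
FLAG_ACK = 0x10
FLAG_SYN = 0x02
FLAG_FIN = 0x01

TCP_HEADER = struct.Struct("!HHIIHHHH")  # fixed 20-byte header, no options


def build_tcp_header(src_port, dst_port, seq=0, ack=0, flags=FLAG_ACK,
                     reserved=0, urgent_ptr=0, window=65535):
    """Assemble a minimal TCP header; used only to construct sample input."""
    word = (5 << 12) | ((reserved & 0xF) << 8) | (flags & 0xFF)
    return TCP_HEADER.pack(src_port, dst_port, seq, ack, word, window, 0, urgent_ptr)


def parse_tcp_header(raw):
    """Unpack the fixed part of a TCP header into named fields."""
    src, dst, seq, ack, word, window, checksum, urg = TCP_HEADER.unpack_from(raw)
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "data_offset": word >> 12, "reserved": (word >> 8) & 0xF,
        "flags": word & 0xFF, "window": window, "urgent_ptr": urg,
    }


def header_findings(h):
    """List the header-field anomalies that could be carrying hidden data."""
    findings = []
    if h["reserved"] != 0:
        findings.append("reserved bits set")
    if h["urgent_ptr"] != 0 and not h["flags"] & FLAG_URG:
        findings.append("urgent pointer without URG flag")
    if h["flags"] & FLAG_SYN and h["flags"] & FLAG_FIN:
        findings.append("SYN and FIN both set")
    if h["data_offset"] < 5:
        findings.append("impossible data offset")
    return findings


def flag_suspicious_flows(raw_headers, threshold=3):
    """Count anomalous headers per (src_port, dst_port) pair and return the
    pairs at or above the threshold. Aggregating across packets is what
    catches a channel that sends only a few bits per message."""
    counts = Counter()
    for raw in raw_headers:
        h = parse_tcp_header(raw)
        if header_findings(h):
            counts[(h["src_port"], h["dst_port"])] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed sample traffic: one ordinary flow, and one flow showing the
# pattern the text describes (a few reserved bits and urgent-pointer values
# that carry bytes across several otherwise normal-looking packets).
SAMPLE_HEADERS = [
    build_tcp_header(51000, 443, seq=i) for i in range(5)
] + [
    build_tcp_header(51001, 443, seq=i, reserved=(0x5A >> (4 * i)) & 0xF)
    for i in range(2)
] + [
    build_tcp_header(51001, 443, seq=10, urgent_ptr=0x4142),
    build_tcp_header(51001, 443, seq=11, urgent_ptr=0x4344),
]

if __name__ == "__main__":
    for pair, n in flag_suspicious_flows(SAMPLE_HEADERS).items():
        print(f"flow {pair}: {n} anomalous headers")
```

Only the flow that misuses reserved bits and the urgent pointer crosses the threshold; the ordinary flow produces no findings at all. A real deployment would key flows by IP address and port and tune the threshold to the traffic volume, but the structure (per-packet checks feeding a per-flow counter) is the same.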
In a doxxing attack the attacker publishes exfiltrated data to embarrass or otherwise harm the victim. The Sony Pictures hack in 2014 was a doxxing attack. Sony Pictures is a major American film studio. The hackers gained unauthorized access to Sony’s network, exfiltrated as much data as they could, and then published it on the Internet. The published data included everything from not-yet-released films to employee PII to internal emails. The emails exposed sensitive business dealings and private communications that embarrassed Sony executives. The United States government attributed the attack to North Korea; the motive was to financially harm Sony Pictures for producing a satirical film making fun of North Korea.

4.1.4.2 Alteration

In many cyber attacks hackers modify data. In this context, modifying encompasses creating, altering, and deleting data. Defacing a website falls into this category: hackers gain access to a web server and modify the victim’s website to promote the hacker’s cause or to damage the victim’s reputation. In watering hole attacks, hackers gain access to web servers so they can install malware that targets website visitors—this is another example of an alteration attack.
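Because alteration covers creating, altering, and deleting data, the standard defensive check for a web server is a file-integrity baseline: hash every file under the web root while it is known to be good, store the manifest somewhere the server cannot modify, and diff against a fresh manifest on a schedule. The following Python is an added example, not code from this book; it builds a small constructed web root in a temporary directory (the file names and contents are assumptions), takes a baseline, applies one change of each kind, and classifies the differences.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (path relative to root, '/'-separated)
    to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = digest
    return manifest


def diff_manifests(baseline, current):
    """Classify every difference between two manifests as created,
    altered or deleted, the three forms of modification the text names."""
    common = baseline.keys() & current.keys()
    return {
        "created": sorted(current.keys() - baseline.keys()),
        "altered": sorted(p for p in common if baseline[p] != current[p]),
        "deleted": sorted(baseline.keys() - current.keys()),
    }


def _write(root, rel_path, text):
    """Write a text file below root, creating directories as needed."""
    full = os.path.join(root, *rel_path.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Take a baseline of a constructed web root, then simulate an injected
    script (altered), a removed page (deleted) and a new page (created)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<h1>Welcome</h1>\n")
        _write(root, "js/app.js", "console.log('app');\n")
        _write(root, "about.html", "<p>About us</p>\n")
        baseline = hash_tree(root)  # in practice kept off the server

        _write(root, "js/app.js", "console.log('app');\n/* unexpected addition */\n")
        os.remove(os.path.join(root, "about.html"))
        _write(root, "defaced.html", "<h1>Not the real page</h1>\n")

        return diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The altered JavaScript file is the case that matters most for watering hole attacks: the page still looks and works the same to a visitor, and only the hash comparison reveals that its content changed. The baseline must be refreshed after every legitimate deployment, or every release will show up as an alteration.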
