Identifying exfiltration outside business hours

Plixer Scrutinizer can isolate network activity that occurs outside business hours, allowing teams to quickly identify data exfiltration attempts and other malicious activity taking place during those windows.

Workflow

Data exfiltration can be identified proactively within Scrutinizer by identifying and reviewing traffic leaving your network. The Explore -> Exporters -> By Interface view is a good place to start, because traffic is displayed in separate inbound and outbound columns.

By default, this view is sorted so that your most congested interface is displayed at the top. This is worth reviewing, since large amounts of traffic leaving the network may be exfiltration. More often, however, exfiltration follows a “low and slow” approach, in which only small amounts of traffic leave the network periodically, avoiding the traffic spikes that would trigger alarms.

Because inspecting individual interfaces one at a time is inefficient, Plixer Scrutinizer Reports can be used to narrow down the scope of information to be reviewed. This allows for a more streamlined approach to proactively searching for unwanted/suspicious traffic.

The following example uses the Destination Countries with AS report type:

  1. Select Reports -> Run Report -> Select Report Type to start an ad hoc report.

  2. Choose Destination Reports -> Countries with AS, add the appropriate device(s), and run the report.

The report is likely to show multiple rows of autonomous systems and the countries they are associated with.

Note

Class A, B, and C addresses are always classified as Uncategorized and will often include internal network addresses. In this scenario, these are likely associated with responses to internal destinations through outbound interfaces.

  3. Narrow your search by excluding traffic that you expect to see. What remains may help identify traffic leaving the network for an unintended destination.

Once you have a more manageable subset of data, e.g., traffic to countries your organization does not do business with, you can begin to pivot to other report types. Changing the time frame or “zooming out” can also reveal possible threats in the form of suspicious traffic patterns.

  4. Within your report, keeping the same filters, set the time frame to Last Seven Days.

Is there a ping every hour beaconing out? Is the same packet size leaving the network following a pattern?

At this point, your report likely has one or more country, AS, or host filters applied. Switching to another report type, or using extended report options such as host reputation or geo IP lookups, can lead to additional insights.
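As an added illustration (not part of the Plixer documentation or of Scrutinizer's own code), the following Python applies the same review logic to constructed flow records: it drops traffic to expected countries, then flags source/destination pairs whose outbound flows are evenly spaced in time and uniform in size, and reports how much of that activity fell outside business hours. The country codes, IP addresses and business-hours window are assumed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed flow records (not Scrutinizer output): (timestamp, src, dst, dst_country, bytes_out).
# "ZZ" is a placeholder country code standing for "a country we do not do business with".
BASE = datetime(2024, 1, 6)  # a Saturday, so every sample flow falls outside business hours
FLOWS = []
for i in range(24):  # hourly beacon: fixed 512-byte flows with a few seconds of jitter
    FLOWS.append((BASE + timedelta(hours=i, seconds=(i % 3) * 5), "10.1.2.3", "203.0.113.7", "ZZ", 512))
for h, b in [(1, 4000), (1.2, 90000), (5.7, 150), (13, 22000), (13.1, 700)]:  # irregular traffic
    FLOWS.append((BASE + timedelta(hours=h), "10.1.2.9", "192.0.2.5", "ZZ", b))
for i in range(24):  # traffic to an expected country; excluded before analysis
    FLOWS.append((BASE + timedelta(hours=i), "10.1.2.3", "198.51.100.9", "US", 512))

EXPECTED_COUNTRIES = {"US"}  # countries the organization does business with (assumed)
BUSINESS_HOURS = range(8, 18)  # local working hours (assumed)


def outside_business_hours(ts):
    """True for weekends and for any hour outside the working-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def suspicious_pairs(flows, expected=EXPECTED_COUNTRIES, min_flows=5,
                     max_gap_cv=0.2, max_size_cv=0.1):
    """Return (src, dst) pairs to unexpected countries whose flows are evenly spaced
    and uniform in size: the 'same size, same interval' pattern the report review looks for."""
    groups = defaultdict(list)
    for ts, src, dst, country, nbytes in flows:
        if country in expected:  # exclude the traffic you expect to see
            continue
        groups[(src, dst, country)].append((ts, nbytes))
    findings = []
    for (src, dst, country), recs in groups.items():
        if len(recs) < min_flows:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [n for _, n in recs]
        mean_gap, mean_size = mean(gaps), mean(sizes)
        if mean_gap <= 0 or mean_size <= 0:
            continue
        periodic = pstdev(gaps) / mean_gap <= max_gap_cv  # coefficient of variation of intervals
        uniform = pstdev(sizes) / mean_size <= max_size_cv  # coefficient of variation of sizes
        if periodic and uniform:
            findings.append({"src": src, "dst": dst, "country": country, "count": len(recs),
                             "mean_gap_s": round(mean_gap, 1), "bytes_per_flow": round(mean_size),
                             "off_hours_fraction": sum(outside_business_hours(t) for t, _ in recs) / len(recs)})
    return findings
```

The thresholds are starting points; tune them against a week of your own flow data before treating a hit as more than a lead to pivot on.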

Tip

Run a report against a core router that is likely to see a majority of your traffic. Alternatively, select ‘All Devices’ to identify top network conversations across the entire network.