As a cybersecurity company established in the Maldives, we have seen growing trends of organizations facing accidental employee data exposure or information leaks to unauthorized parties. Safeguarding sensitive company data has become crucial. Organizations are increasingly investing their resources in strengthening their cybersecurity defences against both external and internal threats. The complexity of these threats requires robust measures and constant vigilance to ensure data integrity and security.
In this article, we delve into how we correlated raw event data to detect the source of data leakages. By understanding the behaviour and access patterns of employees, organizations can pinpoint vulnerabilities and address them proactively. Effective cybersecurity strategies not only protect against external attacks but also mitigate risks from within, ensuring that sensitive information remains secure and confidential.
As the leading Cyber Security solutions provider in the Maldives and the regional Managed Security Services Provider (MSSP) for SentinelOne for the SAARC region and Incident Response Partner for Maldives, we focus on bringing innovation to enable secure digital transformation and agile software development. With a decade of expertise in software architecture design and implementation, we work closely with our clients to support their digital journey. We believe in continuous learning and evolution, always striving to improve and build an innovative ecosystem that provides top-notch enterprise solutions to our clients. At OXIQA, we're committed to staying ahead of the curve.
The Case: Your Confidential Document Winds Up on the Internet.
The detections engineering team at OXIQA recently encountered a particularly challenging data leakage incident that required some ingenuity and tested the capabilities of even the most advanced Extended Detection and Response (XDR) systems. No unauthorised access to or exfiltration of the documents in question was noted at first. However, through careful correlation of events and study of user behaviour, we found clues to how the leakage may have happened. This incident underscores the importance of not only having a state-of-the-art XDR platform but also having a proficient security partner to interpret the multitude of events generated by daily operations.
The Challenge: Unseen Data Exfiltration
We discovered that sensitive files were being exfiltrated in an unexpected way, despite the organization's multiple state-of-the-art XDR solutions. Instead of traditional methods, the files were being screenshotted or captured as pictures of documents displayed on screens. This sneaky approach bypasses many standard data protection mechanisms, making it particularly tricky to detect.
When we dug into the XDR logs, we spotted events where processes for common screenshot utilities were being created. However, the reporting often showed system processes like explorer.exe or runtimebroker.exe as the parent process, which seemed odd at first. We realized this quirk stems from user behaviour - when employees use the Snipping Tool on Windows through the Start menu or the Win+Shift+S shortcut, it's handled by system processes.
Processes like RuntimeBroker and Explorer don't give much in the way of hints for what was screenshotted.
Our Plan: Dissecting the challenge using S1 – Skylight API
To better correlate these screenshot events with actionable data, we devised a comprehensive plan utilizing SentinelOne's powerful Skylight API. Here's how we tackled the problem:
- Query Process Creations: We used the Skylight API to check for snippingtool.exe process creations as well as API hooks via explorer.exe. This gave us a real-time view of potential screenshot activities across our endpoints.
- Document Detection: For each endpoint where we spotted the Snipping Tool, we ran another query to find documents opened right before the screenshot was taken. We looked for specific file extensions (pdf, xls, doc, ppt) in the command line parameters of process creations to get a clue about which documents might have been targeted.
- Event Deduplication: We noticed some programs spawn multiple processes (like Adobe Acrobat launching separate processes to render PDF files), so we deduplicated the events to avoid flooding ourselves with redundant alerts.
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890804317
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential", Event Time: 1718890805033
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential", Event Time: 1718890808010
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890808034
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" --type=renderer /prefetch:1 "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890809197
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890809748
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890830999
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890844964
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890845348
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890849733
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890850254
Cmdline: "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\Test\Desktop\Confidential.pdf", Event Time: 1718890850287
Noisy logs need careful de-duplication to preserve the sanity of our analysts and our customer's analysts :)
- Concise Messaging: We then packaged up the correlated data in a clear, easy-to-understand format for our security team and the customer's IT teams to act on quickly (see the next image).
- Continuous Monitoring: Finally, we set this process to repeat, keeping a watchful eye out for any further exfiltration attempts.
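To make the correlation concrete, here is an added Python example (our illustration, not code from OXIQA or the SentinelOne Skylight API) that runs the steps above over constructed events: it pulls document paths out of process command lines, collapses Acrobat's burst of process creations into one record, and emits one concise message per Snipping Tool launch that followed a document open on the same endpoint. The event field names and the 60-second windows are assumptions; the Acrobat command lines and timestamps are taken from the log excerpt above.

```python
import re
# Constructed sample events: the Acrobat command lines and timestamps come from the log
# excerpt above, the SnippingTool events are made up. Field names are an assumed
# flattening of Skylight process-creation records, not the API's own schema.
ACROBAT = r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"'
PDF = r'"C:\Users\Test\Desktop\Confidential.pdf"'
EVENTS = [{"endpoint": "WS-01", "process": "Acrobat.exe", "parent": "explorer.exe",
           "cmdline": f"{ACROBAT} {PDF}", "ts": ts}
          for ts in (1718890804317, 1718890808034, 1718890809197, 1718890809748,
                     1718890830999, 1718890844964, 1718890849733, 1718890850287)]
# Two Snipping Tool launches 20 s after the last open: WS-01 had the PDF open, WS-02 did not.
EVENTS += [{"endpoint": "WS-01", "process": "SnippingTool.exe", "parent": "explorer.exe",
            "cmdline": "SnippingTool.exe", "ts": 1718890870287},
           {"endpoint": "WS-02", "process": "SnippingTool.exe", "parent": "RuntimeBroker.exe",
            "cmdline": "SnippingTool.exe", "ts": 1718890870287}]
SCREENSHOT_PROCS = {"snippingtool.exe"}
# A quoted argument ending in one of the extensions we hunt for (xlsx/docx/pptx also match).
DOC_RE = re.compile(r'"([^"]*\.(?:pdf|xls|doc|ppt)[a-z]*)"', re.IGNORECASE)


def dedupe_document_opens(events, window_ms=60_000):
    """Collapse a viewer's burst of process creations for one document into one record."""
    clusters, latest = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        m = DOC_RE.search(ev["cmdline"])
        if m is None:
            continue
        doc, key = m.group(1), (ev["endpoint"], m.group(1).lower())
        c = latest.get(key)
        if c is not None and ev["ts"] - c["first_ts"] < window_ms:
            c["last_ts"] = ev["ts"]  # same burst as the previous event: extend it
            continue
        c = {"endpoint": ev["endpoint"], "document": doc, "first_ts": ev["ts"], "last_ts": ev["ts"]}
        latest[key] = c
        clusters.append(c)
    return clusters


def correlate(events, lookback_ms=60_000):
    """One concise alert per screenshot-tool launch preceded by a document open on that host."""
    opens = dedupe_document_opens(events)
    shots = sorted((e for e in events if e["process"].lower() in SCREENSHOT_PROCS),
                   key=lambda e: e["ts"])
    alerts = []
    for shot in shots:
        docs = sorted({o["document"] for o in opens if o["endpoint"] == shot["endpoint"]
                       and 0 <= shot["ts"] - o["last_ts"] <= lookback_ms})
        if docs:
            alerts.append(f"[{shot['endpoint']}] screenshot tool launched via {shot['parent']} "
                          f"at {shot['ts']}; recently open: {', '.join(docs)}")
    return alerts
```

Running `correlate(EVENTS)` yields a single message for WS-01 naming Confidential.pdf, while WS-02 stays silent; lower `lookback_ms` to 10000 and the WS-01 launch no longer correlates.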
Results and Analysis
This approach allowed us to zero in on the exact moments when screenshots were taken and link them to potentially sensitive documents. Not only did this help us nip the immediate threat in the bud, but it also gave us valuable insights into user behaviour and system interactions.
What really made this solution shine was SentinelOne Singularity's API-first architecture. It allowed us to create these real-time custom correlation alerts on the fly. The API lets security engineers write detection rules and correlate events fluidly. This level of flexibility and control is a game-changer, allowing us to adapt quickly to new threats and create custom solutions tailored to our specific needs. Our customers can breathe easy knowing they have up-to-the-minute visibility into what's happening with their documents.
This experience underscores the importance of having powerful, flexible tools at our disposal. It's not just about having an XDR solution in place; it's about having one that empowers security teams to innovate and create custom solutions as new challenges arise. With SentinelOne, we're well-equipped to face whatever new threats may come our way.
Quick Summary
The detections engineering team at OXIQA discovered that sensitive files were being exfiltrated in an unexpected way, bypassing the organization's state-of-the-art XDR solutions. Instead of traditional methods, the files were screenshotted or captured as pictures of documents displayed on screens. This crafty approach evaded many standard data protection mechanisms, making it particularly challenging to detect.
As data exfiltration methods become more sophisticated and often slip past traditional security measures, the need for adaptive security strategies becomes clear. By leveraging SentinelOne's Skylight API and thinking creatively, the team was able to identify and respond to this subtle yet significant data leakage threat. This experience underscores the importance of continually innovating our approach to cybersecurity.
Be part of IQ.
Our team is always looking to refine our detection strategies and push the boundaries of what's possible in cyber security. If you are passionate about cyber security and eager to tackle challenging problems like the one we have described here, we want to hear from you. We are always on the lookout for talented individuals to join our team and contribute to innovative threat and anomaly detection research.
Whether you are an experienced professional or just starting your career in cyber security, if you are excited about the prospect of working on innovative solutions to complex security challenges, we encourage you to reach out. Join us in our mission to build a more secure digital world and be part of a team that is shaping the future of cyber security in the Maldives and beyond.
Stay vigilant, keep innovating, and let us work together to stay one step ahead of evolving cyber threats.