TrendLabs

2 | TrendLabs Security in Context Paper

Data exfiltration is the final stage of a targeted attack campaign
where threat actors steal valuable corporate information while
remaining undetected.
1

Threat actors use a variety of legitimate and malicious tools to
extract specific information and mimic normal network traffic. For
instance, the EvilGrab malware, which is related to a targeted attack
campaign, uses a Windows filter to grab audio and video files.
2

Other techniques include using backdoor malware to upload
gathered files, file transfer protocol (FTP) to transfer files without
consent, and WMI (Windows Management Instrumentation) to
monitor and capture recently opened files, and web applications to
open browsers.

Figure 1: Targeted Attack Campaign Diagram
Preventing the exposure of confidential information is a top
challenge for most (71%) enterprises.
3
Given the introduction of the
mobile platform and the sophistication of targeted attacks,
enterprises need to step up to protect its intellectual property, trade
secrets, and other sensitive information.

1
Trend Micro Incorporated. A TrendLabs Security in Context Paper. Data Exfiltration: How Do Threat
Actors Steal Your Data? Last updated on: September 2013. Accessed on: November 2013.
http://about-threats.trendmicro.com/cloud-content/us/ent-
primers/pdf/how_do_threat_actors_steal_your_data.pdf
2
Trend Micro Incorporated. A TrendLabs Report. 2Q Report on Targeted Attack Campaigns. Last
updated on: July 2013. Accessed on: November 2013. http://about-threats.trendmicro.com/cloud-
content/us/ent-primers/pdf/2q-report-on-targeted-attack-campaigns.pdf
3
International Data Corporation. An IDC Infographic Sponsored by Trend Micro. Keeping Corporate
Data Safe. Last updated on: 2013. Accessed on: November 2013.
http://apac.trendmicro.com/apac/enterprise/security-suite-solutions/esdp-suite/infographic/index.html
43%
of most serious
threats to the
companys
enterprise IT
infrastructure are
from external
sources.
3 | TrendLabs Security in Context Paper
Figure 2: Potential Data Threats in an Enterprise Network

Data breach and data loss are the most obvious outcomes of a
successful targeted attack. However, the following shows real-world
consequences that come right after:
These include all the monetary costs and resources needed for
a company to gauge the amount of damage, find the nature of
data stolen, and track all possible traces of the attack.
These involve fines incurred by organizations following strict
regulations, as those running industrial control systems (ICS).
This is the amount that organizations already invested into
intangible assets such as research and development advances
and trade secrets, the theft of which can decrease their
competitive advantage.
Data theft from a trusted organization can easily translate to
decrease in confidence from the industry it belongs.
4 | TrendLabs Security in Context Paper

Detecting targeted attacks at the data exfiltration stage is very
challenging for enterprises. We recommend that enterprises assume
compromise, enforce preventive measures, and use an airtight
custom defense strategy that can detect threats in real time. We have
stressed that securing the network infrastructure is the first step in
the fight against targeted attacks.
4
This time, we present these key
points as the next vital step: protecting valuable data
5
:
Every department or business unit should classify the crown
jewels, the release of which can negatively affect an
organization, from normal day-to-day documentation. These
include government information, scientific research, and
pharmaceutical formulas. Sharing and downloading them
must require privileged access. They can be spread across the
network to prevent threat actors from getting the whole
information.
PCs, mobile devices, and removable devices should be
secured by encrypting files, disk, and removable media.
Identity-based encryption solutions can be used to protect
emails. Data should also be encrypted when using cloud
applications, public or private cloud infrastructure, and virtual
environments.
A protected infrastructure requires multi-tiered access, where
top-level information pieces are in a disconnected network,
second-level ones require a special two-factor authentication
process, while third-level ones are on regular file servers.

4
Trend Micro Incorporated. A TrendLabs Security in Context Paper. Securing Your Network
Infrastructure Against Targeted Attacks. Last updated on: 2013. Accessed on: November
2013.http://about-threats.trendmicro.com/cloud-content/us/ent-primers/pdf/the-enterprise-fights-back-
p01.pdf
5
Trend Micro Incorporated. A Trend Micro Research Paper. Suggestions to Help Companies with
the Fight Against Targeted Attacks. Last updated on: 2013. Accessed on: November 2013.
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-suggestions-
to-help-companies-with-the-fight-against-targeted-attacks.pdf

Trend Micro Incorporated, a global leader in security software, strives to
make the world safe for exchanging digital information. Our innovative
security solutions for consumers, businesses and governments protect
information on mobile devices, endpoints, gateways, servers and the cloud.
For more information, visit www.trendmicro.com
2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and
the Trend Micro t-ball logo are trademarks or registered trademarks of Trend
Micro, Incorporated. All other product or company names may be trademarks
or registered trademarks of their owners.

TREND MICRO LEGAL DISCLAIMER
The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal
advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein
should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be
construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice.
Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions
arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created
in the translation are not binding and have no legal effect for compliance or enforcement purposes.
Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of
any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your
own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering
this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special
damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the
content thereof. Use of this information constitutes acceptance for use in an as is condition.