In the wake of recent cyber attacks targeting governmental agencies, the need for robust cybersecurity measures has never been more pressing. Most recently, the hacking group R00TK1T has been in the spotlight for its campaigns against Malaysian organisations and their cybersecurity infrastructure. In the face of these evolving threats, governmental agencies must prioritise defending against data exfiltration, a critical aspect of cybersecurity.
One of the most notable attacks by R00TK1T on Malaysian entities was the access and exfiltration of 27TB worth of data from the National Population and Family Development Board of Malaysia (LPPKN). The group has since publicised their results via social media, showing screenshots of the files and folders as evidence of their successful attack. For governmental agencies, protecting classified data is paramount, and the consequences of data breaches can be severe, ranging from compromised national security to the exposure of citizens’ personal information.
One of the primary objectives of cybercriminals, like R00TK1T, is data exfiltration—the unauthorised extraction of sensitive information from targeted systems. Aside from the recommendations by the Malaysian National Cyber Coordination and Command Centre (NC4), here are some key strategies to defend against data exfiltration:
Out of the box, LogRhythm ships with more than 2,000 rules covering a range of use cases. In this example, let's walk through how LogRhythm can monitor, detect, and protect against data theft and exfiltration:
In this use case, sensitive and confidential files are defined along with the approved handling process for them. Should handling deviate from that process, LogRhythm alerts the SOC team, identifying who is attempting to exfiltrate which kind of data.
Similar to the above, sensitive and confidential files are defined along with the approved process or application that may touch them. In this case, LogRhythm flags abnormal activity when a new, unapproved process attempts to access these files, and when deletion of the files is attempted.
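The two file-monitoring use cases above, as an added example in Python. This is not LogRhythm's rule logic or code; it is illustrative detection logic written for this page. The approved-process policy (`APPROVED`), the event format and the sample log lines are all constructed and hypothetical, loosely modelled on Windows object-access auditing (4663 = access attempt, 4660 = object deleted):

```python
"""Flag sensitive files touched by a process outside the approved handling
process, and any deletion attempt. Added example, not LogRhythm's own rules.
Log lines are constructed to resemble simplified Windows object-access events
(4663 = access attempt, 4660 = object deleted)."""
import re
from dataclasses import dataclass

# Hypothetical policy: sensitive path prefix -> process names approved to handle it.
APPROVED = {
    r"\\fileserver\hr\payroll": {"payroll.exe"},
    r"\\fileserver\citizens\registry": {"registry-svc.exe", "backup-agent.exe"},
}

# Constructed event layout: key=value pairs, no spaces inside values.
EVENT_RE = re.compile(
    r"EventID=(?P<eid>\d+)\s+User=(?P<user>\S+)\s+Process=(?P<proc>\S+)\s+"
    r"Object=(?P<path>\S+)\s+Access=(?P<access>[A-Za-z_|]+)"
)


@dataclass
class Alert:
    user: str
    process: str
    path: str
    reason: str


def approved_processes(path):
    """Return the approved process set if the path is sensitive, else None."""
    p = path.lower()
    for prefix, procs in APPROVED.items():
        if p.startswith(prefix.lower()):
            return procs
    return None


def detect(lines):
    """Run the policy over raw log lines and return the alerts, in log order."""
    alerts = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m or m["eid"] not in ("4663", "4660"):
            continue
        procs = approved_processes(m["path"])
        if procs is None:
            continue  # not a sensitive file: nothing to alert on
        proc = m["proc"].rsplit("\\", 1)[-1].lower()  # image name only
        if proc not in procs:
            alerts.append(Alert(m["user"], proc, m["path"], "unapproved process"))
        # Any deletion of a sensitive file is alerted, even by an approved process.
        if m["eid"] == "4660" or "DELETE" in m["access"].split("|"):
            alerts.append(Alert(m["user"], proc, m["path"], "deletion attempt"))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_LOG = [
    r"EventID=4663 User=CORP\alice Process=C:\apps\payroll.exe Object=\\fileserver\hr\payroll\2024.xlsx Access=ReadData",
    r"EventID=4663 User=CORP\bob Process=C:\Users\bob\7z.exe Object=\\fileserver\citizens\registry\export.csv Access=ReadData",
    r"EventID=4663 User=CORP\bob Process=C:\Windows\System32\cmd.exe Object=\\fileserver\citizens\registry\export.csv Access=DELETE",
    r"EventID=4663 User=CORP\carol Process=C:\Office\WINWORD.EXE Object=\\fileserver\public\memo.docx Access=ReadData",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.reason}: {a.user} via {a.process} on {a.path}")
```

Only the path-prefix match decides whether a file is sensitive, so the public memo produces nothing, while the archiver reading the registry export and the deletion from a shell each produce a separate alert that carries the user and process for the SOC to triage.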
LogRhythm Network Traffic Analysis is able to monitor network protocols typically associated with malicious intent, such as tunnelling applications, which attackers use to bypass security controls and transfer confidential or sensitive information.
We can also monitor traffic to suspicious top-level domains that resembles beaconing to attacker infrastructure.
Another relevant use case is monitoring for known attack traffic such as ransomware. Here, we are monitoring for EternalBlue/WannaCry.
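The suspicious-TLD beaconing use case above, as an added example in Python (illustrative logic for this page, not LogRhythm's analytics). It gates on a hypothetical watchlist of rarely-used TLDs and then tests whether a host's queries to a domain arrive at near-constant intervals, which is the signature of a beacon. The log format, the `SUSPICIOUS_TLDS` watchlist and the sample DNS lines are constructed:

```python
"""Flag hosts that query a domain under a suspicious TLD at regular intervals.
Added example, not LogRhythm's own analytics. Input lines are constructed
DNS query records: "<ISO timestamp> <src_ip> query <fqdn>"."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical watchlist of TLDs rarely seen in legitimate business traffic.
SUSPICIOUS_TLDS = {"xyz", "top", "tk", "club"}


def parse(line):
    ts, src, _, fqdn = line.split()
    return datetime.fromisoformat(ts), src, fqdn.lower().rstrip(".")


def detect_beacons(lines, min_queries=4, max_jitter=0.2):
    """Return (src, domain) pairs whose query inter-arrival times are regular.

    jitter = stddev(gaps) / mean(gaps); a beacon with a fixed sleep sits near 0,
    human browsing is far above max_jitter."""
    seen = defaultdict(list)
    for line in lines:
        ts, src, fqdn = parse(line)
        labels = fqdn.split(".")
        if labels[-1] not in SUSPICIOUS_TLDS:
            continue  # not on the watchlist; regular traffic elsewhere is ignored here
        domain = ".".join(labels[-2:])  # collapse per-query subdomains to the registered domain
        seen[(src, domain)].append(ts)

    findings = []
    for (src, domain), times in seen.items():
        if len(times) < min_queries:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else float("inf")
        if jitter <= max_jitter:
            findings.append({"src": src, "domain": domain,
                             "interval": round(avg, 1), "count": len(times)})
    return findings


# Constructed sample queries (not real telemetry).
SAMPLE_DNS = [
    "2024-03-01T09:00:00 10.0.0.5 query a1.c2update.xyz",
    "2024-03-01T09:01:01 10.0.0.5 query a2.c2update.xyz",
    "2024-03-01T09:01:59 10.0.0.5 query a3.c2update.xyz",
    "2024-03-01T09:03:02 10.0.0.5 query a4.c2update.xyz",
    "2024-03-01T09:03:58 10.0.0.5 query a5.c2update.xyz",
    "2024-03-01T09:00:00 10.0.0.5 query www.example.com",   # regular, but TLD not on watchlist
    "2024-03-01T09:01:00 10.0.0.5 query www.example.com",
    "2024-03-01T09:02:00 10.0.0.5 query www.example.com",
    "2024-03-01T09:03:00 10.0.0.5 query www.example.com",
    "2024-03-01T09:00:10 10.0.0.9 query shop.club",        # watchlisted TLD, irregular timing
    "2024-03-01T09:00:20 10.0.0.9 query shop.club",
    "2024-03-01T09:05:20 10.0.0.9 query shop.club",
    "2024-03-01T09:06:05 10.0.0.9 query shop.club",
    "2024-03-01T09:07:00 10.0.0.7 query cdn.top",          # watchlisted TLD, single query
]

if __name__ == "__main__":
    for f in detect_beacons(SAMPLE_DNS):
        print(f"{f['src']} -> {f['domain']} every ~{f['interval']}s ({f['count']} queries)")
```

The per-query subdomains (`a1`, `a2`, ...) are collapsed to the registered domain before grouping, since beacons commonly encode data or a counter in the leftmost label. The watchlist is a stand-in: in production the gate would normally be domain rarity or age across the whole estate rather than a fixed TLD list.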
LogRhythm comes with a Deep Packet Inspection (DPI) engine, giving you a deep understanding of your network activity in an easy-to-access format. It identifies and categorises more than 3,500 applications at wire speed and populates thousands of metadata fields. With DPI rules and analytics, LogRhythm is able to monitor whether confidential or sensitive information is being transferred over the network.
For example, in this screenshot we can see LogRhythm revealing that credit card information is being transferred through the network.
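The payment-card detection shown above, as an added example in Python (illustrative content inspection written for this page, not LogRhythm's DPI engine). It scans reassembled payloads for primary account number (PAN) candidates, keeps only those that pass the Luhn check so that order numbers and similar digit runs are not reported, and records the hit masked so the detection itself does not leak the card number. The flow records and payloads are constructed; the card numbers are the standard Visa and Mastercard test numbers:

```python
"""Scan payloads for Luhn-valid primary account numbers and report them masked.
Added example, not LogRhythm's DPI engine. Flow records are constructed."""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); True for a well-formed PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list:
    """Return the Luhn-valid PANs found in a payload, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits; never write the full PAN to an alert."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_flows(flows) -> list:
    """Return one finding per flow whose payload carries at least one PAN."""
    findings = []
    for f in flows:
        pans = find_pans(f["payload"])
        if pans:
            findings.append({"src": f["src"], "dst": f["dst"],
                             "pans": [mask(p) for p in pans]})
    return findings


# Constructed sample flows (payloads already reassembled; not real captures).
FLOWS = [
    {"src": "10.1.2.3", "dst": "203.0.113.10",
     "payload": "POST /checkout HTTP/1.1\r\n\r\ncard=4111111111111111&exp=12/26"},
    {"src": "10.1.2.4", "dst": "203.0.113.20",
     "payload": "order_id=1234567890123456&qty=2"},        # 16 digits, fails Luhn
    {"src": "10.1.2.5", "dst": "198.51.100.7",
     "payload": "export,5500 0000 0000 0004,J. Doe\n"},   # spaced PAN in a CSV export
]

if __name__ == "__main__":
    for f in inspect_flows(FLOWS):
        print(f"{f['src']} -> {f['dst']}: {', '.join(f['pans'])}")
```

The Luhn filter is what keeps this usable on a busy network: a bare 16-digit regex fires on order IDs, tracking numbers and timestamps, whereas only about one in ten random digit strings passes the checksum. Masking in the finding matters too, because a detection that copies the full PAN into the SIEM turns the SIEM into another store of cardholder data.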
LogRhythm provides the capability to monitor user behaviour without additional hardware. Here, the LogRhythm UEBA monitored and highlighted accounts that could have been maliciously taken over.
You can then drill down to detailed views on the user, showing when the account began to show signs of abnormal or malicious behaviour.
In conclusion, attacks against governmental agencies will not lessen with time, demanding a proactive and multifaceted approach to cybersecurity. Governmental agencies must leverage advanced technologies to prevent data exfiltration attempts. LogRhythm is ready to be a partner in making security easy for you. To learn more about how we can help equip your agency with deep visibility and rapid threat detection and response capabilities, arrange a consultation with us today.