On-Device Data Exfiltration Prevention

Data is often referred to as organizations’ “crown jewels.” Regardless of how a threat actor attacks an organization, the ultimate target is (generally) data — data theft, data destruction, data manipulation, or something else nefarious related to data. With all the recent ransomware attacks making headlines, it’s easy to fall into a trap of thinking that endpoint protection must revolve around devices and access: If you prevent threat actors from exploiting endpoints and prevent them from unauthorized access to systems, files, and services, you can prevent a ransomware scenario. If your company has thorough, timely backups, even if prevention efforts fall short and the attacker succeeds at accessing and encrypting your data, you don’t have to pay the ransom and are therefore immune to ransomware attacks.

Yet in a large share of ransomware attacks, the attackers also exfiltrate the victim's data as a backup plan of their own: "insurance" in case the company decides not to pay. The attacker can then sell the stolen data and still turn a profit. Nor is it unthinkable that an attacker sells the data regardless of whether the ransom is paid. They're criminals. Their integrity is obviously in question.

Treating ransomware as a simple matter of inaccessible data is therefore a mistake, and one that Darren Williams, founder and CEO of BlackFog, hopes to help companies avoid. Founded in 2015 and based in Cheyenne, WY, BlackFog is just emerging on the cyber security scene. The company's goal is to stop data from leaving endpoint devices, using proprietary behavioral analysis techniques that identify anomalous behavior indicative of data-focused attacks, ransomware in particular.

It’s not about your “locks”

Why not just make the “locks” stronger, i.e., harden endpoints and data access to prevent unauthorized and/or malicious users from getting to the data in the first place? “Because we’ve seen how threat actors get around those obstacles,” Williams said during a recent briefing with TAG Cyber analysts. He continued, “Endpoint detection and response tools have their place, and we’re not trying to supplant them, but we know they don’t always work — businesses need ways to prevent data from leaving the organization.” What’s more, he pointed out, data doesn’t sit on a corporate network anymore. Instead, it’s scattered all over — in cloud environments, in third-party tools, on personal and unmanaged devices. Protecting data with a firewall-like solution alone isn’t going to prevent attackers from succeeding in today’s operating environments.

So what does BlackFog do? The company's enterprise edition detects attempts at data exfiltration. Deployed as a kernel-level component on endpoint devices, BlackFog sits low in the network stack, at the network driver (OSI layer 3, the IP layer), beneath the applications and browsers that generate traffic, and inspects every packet that attempts to leave the device. The technology also incorporates behavioral analysis: BlackFog measures 25-30 different parameters of data movement, including the processes running on the device, the communications and connections to and from the device, and the protocols in use. With this method, the solution aims to stop the exfiltration that happens late in an attack, after a threat actor has compromised an endpoint, crawled for sensitive data, and is stealthily trying to move that data out of the corporate environment.

Seeing the signs of malicious exfiltration

Because data exfiltration is notoriously hard to detect, traditional antivirus, malware detection, and data loss prevention tools routinely miss the signs of malicious exfiltration. In contrast, BlackFog takes a multi-layered approach to exfiltration prevention by monitoring the data attempting to leave the device. The solution looks for evidence of suspicious IP addresses, malvertising, spyware, malware, and cryptojacking. It also examines processes to identify when legitimate programs are being used maliciously, for example PowerShell, a classic dual-use tool that serves administrators and attackers alike. BlackFog also monitors dark web forums and social media for indications of attack plans, and monitors application gateways for unusual usage. It can also block the collection of browsing and behavioral data as users search the internet, and it can apply geofencing to stop data from being sent to countries that host known organized criminal groups.
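To make the two preceding paragraphs concrete, here is an added example (not BlackFog's code, and not a description of its proprietary model) of the kind of behavioral scoring an endpoint agent can perform on outbound flow metadata alone: per-process byte counts, destination IPs and countries, protocol, and whether the process is a dual-use tool such as PowerShell. Every policy value (the `TRUSTED_HOSTS` allowlist, the `KNOWN_BAD_IPS` and `GEOFENCED_COUNTRIES` sets, the thresholds) and every sample flow record is constructed for illustration; the IP addresses are RFC 5737 documentation ranges and the `XX` country code is a user-assigned placeholder, not an attribution.

```python
"""Toy egress-behaviour scorer, in the spirit of the endpoint-side
exfiltration detection described above. It looks only at per-connection
metadata (process, destination, protocol, bytes out) and never at content.
All policy values and sample events are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed policy. A real agent would load these from config and threat intel.
GEOFENCED_COUNTRIES = {"XX"}                  # placeholder user-assigned ISO code
KNOWN_BAD_IPS = {"203.0.113.45"}              # RFC 5737 documentation address
DUAL_USE_PROCESSES = {"powershell.exe", "certutil.exe", "rundll32.exe", "mshta.exe"}
TRUSTED_HOSTS = {"backup.example.com", "updates.example.com"}  # hypothetical allowlist
VOLUME_THRESHOLD = 50 * 1024 * 1024           # bytes out per process per window
DNS_BYTES_PER_QUERY = 512                     # larger average query suggests tunnelling
ALERT_THRESHOLD = 3                           # score at or above this blocks the process


@dataclass
class Egress:
    """One outbound flow record as an endpoint network filter would see it."""
    process: str
    dst_ip: str
    dst_host: str      # resolved/SNI name, "" if none
    dst_country: str   # ISO country code for dst_ip
    proto: str         # "tcp", "udp" or "dns"
    dst_port: int
    bytes_out: int
    queries: int = 1   # for dns records: number of queries aggregated


def score_process(events):
    """Score one process's outbound flows; returns (score, reasons).

    Flows to allow-listed hosts are ignored entirely, so a backup agent
    pushing hundreds of MiB to the corporate backup host does not alert."""
    proc = events[0].process.lower()
    untrusted = [e for e in events if e.dst_host not in TRUSTED_HOSTS]
    score, reasons = 0, []

    total = sum(e.bytes_out for e in untrusted)
    if total > VOLUME_THRESHOLD:
        score += 2
        reasons.append(f"{total} bytes to untrusted destinations exceeds {VOLUME_THRESHOLD}")

    if proc in DUAL_USE_PROCESSES and untrusted:
        score += 2
        reasons.append(f"dual-use tool {proc} sending data off-host")

    for ip in sorted({e.dst_ip for e in untrusted if e.dst_ip in KNOWN_BAD_IPS}):
        score += 3
        reasons.append(f"known bad destination {ip}")

    for cc in sorted({e.dst_country for e in untrusted if e.dst_country in GEOFENCED_COUNTRIES}):
        score += 2
        reasons.append(f"traffic to geofenced country {cc}")

    dns = [e for e in untrusted if e.proto == "dns"]
    if dns:  # oversized queries from a non-resolver process are a tunnelling tell
        avg = sum(e.bytes_out for e in dns) / sum(e.queries for e in dns)
        if avg > DNS_BYTES_PER_QUERY:
            score += 3
            reasons.append(f"oversized DNS queries (avg {avg:.0f} bytes) suggest tunnelling")

    return score, reasons


def analyse(events):
    """Group flows by process and decide, per process, whether to block egress."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[e.process.lower()].append(e)
    verdicts = {}
    for proc, evs in by_proc.items():
        score, reasons = score_process(evs)
        verdicts[proc] = {"score": score, "reasons": reasons, "block": score >= ALERT_THRESHOLD}
    return verdicts


# Constructed sample: one window of egress records from a single workstation.
MiB = 1024 * 1024
SAMPLE_EVENTS = [
    Egress("chrome.exe", "198.51.100.10", "www.example.com", "US", "tcp", 443, 2 * MiB),
    Egress("backupagent.exe", "198.51.100.20", "backup.example.com", "US", "tcp", 443, 400 * MiB),
    Egress("powershell.exe", "203.0.113.45", "", "XX", "tcp", 443, 80 * MiB),
    Egress("rundll32.exe", "198.51.100.53", "", "US", "dns", 53, 360_000, queries=400),
]

if __name__ == "__main__":
    for proc, v in analyse(SAMPLE_EVENTS).items():
        action = "BLOCK" if v["block"] else "allow"
        print(f"{action:5} {proc:16} score={v['score']} {'; '.join(v['reasons'])}")
```

Two design points are worth noting. First, the allowlist is applied before any rule runs, which is what keeps a legitimate high-volume sender (the backup agent) quiet while the same byte count from PowerShell to an unknown address trips several rules at once. Second, the DNS rule is a reminder that "data leaving the device" is not only bulk TCP uploads: a few hundred oversized queries to a resolver the process has no business talking to can carry a surprising amount of data, and a detector that only counts bytes over 443 will miss it.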

This approach to data exfiltration prevention is also beneficial for data privacy, whether a company is merely meeting regulatory mandates or is incorporating data privacy into its overall customer success strategy (TAG Cyber recommends the latter, for the record). By preventing malicious data exfiltration and keeping data out of the hands of threat actors, companies can avoid costly audits and compliance fines. Further, because BlackFog runs on the endpoint itself rather than on a central server, it fits a world of remote and hybrid work: offsite and mobile employees are protected wherever and whenever they're working, without a VPN or corporate network in the path.

We've yet to see BlackFog in action, but the briefing with Darren and team left the TAG analyst team intrigued. Any technology that can prevent data loss without the hassle and inaccuracy of traditional DLP or allow listing is worth a look. BlackFog is a small company, so it will face an uphill market battle against entrenched and well-known data protection, endpoint detection and response, and device security vendors. Yet the price point, geared toward small and medium-sized businesses, makes the solution attractive. Plus, BlackFog offers a 7-day trial to demonstrate the tool's efficacy. There's not much to lose, least of all your data.