* Network traffic capture for deferred analysis
* Egress analysis (including decrypting SSL/HTTPS)
The first approach is, IMO, more realistic. Although you can't prevent the exfiltration, you can detect it lazily after it's happened, including where it went, what was sent, etc. Although I'm sure several companies support this, [Eastwind Networks](https://www.eastwindnetworks.com/) does a great job for Cloud and on-prem workloads.
The second option, while more thorough, requires big boxes to run, doesn't scale well, is hard to install on clients (the only way I know to "break" HTTPS is to install a custom CA on all clients and MITM all public traffic, which would break for sites using HSTS and HTTP Public Key Pinning). It's only vaguely feasible, and is fraught with issues.
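As an added illustration of the "capture now, analyse later" approach described in the answer above (example code written for this page, not code from the answer, from Eastwind Networks, or from any product), here is a small Python pass over a constructed flow log. It aggregates internal-to-external traffic per destination, then flags destinations that are both absent from an allow-list and above a byte threshold, so that an analyst can answer "where did it go, and how much?" after the fact. The CSV layout, the IP addresses, the allow-list and the threshold are all assumptions made up for the example; a real deployment would feed it NetFlow/IPFIX, Zeek conn.log or a pcap-derived summary instead.

```python
# Deferred egress analysis over a constructed flow log (added example).

# Constructed sample lines: timestamp,src_ip,dst_ip,dst_port,bytes_out
# Values are invented for this example and describe no real traffic.
SAMPLE_FLOW_LOG = """\
2023-05-01T09:00:00Z,10.0.1.15,93.184.216.34,443,120000
2023-05-01T09:05:12Z,10.0.1.15,93.184.216.34,443,80000
2023-05-01T23:40:03Z,10.0.1.22,198.51.100.77,443,2100000
2023-05-01T23:41:10Z,10.0.1.22,198.51.100.77,443,2600000
2023-05-01T23:42:55Z,10.0.1.22,198.51.100.77,443,1900000
2023-05-01T10:15:00Z,10.0.1.30,10.0.2.5,445,9000000
2023-05-01T11:00:00Z,10.0.1.30,203.0.113.9,22,40000
"""

INTERNAL_PREFIXES = ("10.",)            # assumption: our internal address space
KNOWN_EXTERNAL = {"93.184.216.34"}       # assumption: allow-listed SaaS/CDN endpoint
EXFIL_BYTES_THRESHOLD = 5_000_000        # assumption: 5 MB per destination per window


def parse_flow_log(text):
    """Parse the CSV flow log into a list of dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    """True for addresses inside the (assumed) internal prefixes."""
    return ip.startswith(INTERNAL_PREFIXES)


def summarize_egress(flows):
    """Aggregate outbound bytes per external destination.

    Only internal -> external flows count as egress; internal-to-internal
    traffic (e.g. file-server access) is ignored here on purpose.
    """
    summary = {}
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        entry = summary.setdefault(f["dst"], {
            "bytes": 0, "sources": set(), "ports": set(),
            "first": f["ts"], "last": f["ts"],
        })
        entry["bytes"] += f["bytes"]
        entry["sources"].add(f["src"])
        entry["ports"].add(f["port"])
        # ISO-8601 timestamps in the same zone compare correctly as strings
        entry["first"] = min(entry["first"], f["ts"])
        entry["last"] = max(entry["last"], f["ts"])
    return summary


def flag_exfil_candidates(flows, threshold=EXFIL_BYTES_THRESHOLD, known=KNOWN_EXTERNAL):
    """Return (destination, summary) pairs for unknown destinations above the
    byte threshold, largest transfer first, for an analyst to review."""
    summary = summarize_egress(flows)
    hits = [(dst, e) for dst, e in summary.items()
            if dst not in known and e["bytes"] >= threshold]
    hits.sort(key=lambda item: item[1]["bytes"], reverse=True)
    return hits


if __name__ == "__main__":
    for dst, e in flag_exfil_candidates(parse_flow_log(SAMPLE_FLOW_LOG)):
        print(f"{dst}: {e['bytes']} bytes from {sorted(e['sources'])} "
              f"on ports {sorted(e['ports'])} between {e['first']} and {e['last']}")
```

The threshold-plus-allow-list rule is deliberately simple; in practice the same aggregation is usually extended with a per-host baseline (what this source normally sends per day) and with destination enrichment (ASN, reputation), but the retrospective shape is the same: capture everything, then ask the question once you know what to ask.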