Data Transfer Size Limits

Information

• Name: Data Transfer Size Limits

• ID: T1030

• Tactics: TA0010

Introduction

Data Transfer Size Limits (MITRE ATT&CK Technique ID: T1030) is a technique used by adversaries to evade detection and defenses by limiting the size of data packets or transfers during exfiltration. Attackers intentionally fragment or segment stolen data into smaller chunks, making it harder for network monitoring tools and security systems to identify the activity as malicious. This technique is categorized under the Exfiltration tactic within the MITRE ATT&CK framework, highlighting adversaries' strategies to covertly transfer sensitive data out of compromised networks without triggering alerts or raising suspicion.

Deep Dive Into Technique

In technical terms, the Data Transfer Size Limits technique involves deliberately restricting the volume or size of data packets transmitted during exfiltration. Attackers typically:

• Segment sensitive data into smaller, less noticeable chunks.

• Limit data transfer rates and sizes to blend in with normal network traffic patterns.

• Perform data exfiltration slowly over extended periods to avoid detection by threshold-based monitoring solutions.

Mechanisms commonly employed include:

• Rate Limiting: Attackers impose strict bandwidth limitations to ensure data transfers remain below thresholds that might trigger alerts or security policies.

• Packet Fragmentation: Breaking large files into smaller packets, sending them intermittently, and reassembling at the destination.

• Protocol-Based Restrictions: Using protocols designed to transfer smaller payloads (e.g., DNS queries, HTTP requests, ICMP packets) to carry smaller data chunks, making it difficult for security tools to detect anomalies.

Real-world procedures of this technique include:

• Exfiltrating data via DNS tunneling, where sensitive data is encoded into DNS requests or responses, inherently limiting the size of each data chunk.

• Using HTTP POST requests or GET parameters to send small amounts of data per transaction to evade detection systems monitoring large data transfers.

• Employing ICMP echo requests (ping packets) to exfiltrate data in minimal increments, making it challenging for network monitoring tools to detect exfiltration activities.

When this Technique is Usually Used

Attackers typically leverage Data Transfer Size Limits in the following scenarios and stages:

• Data Exfiltration Stage: Primarily used after successfully compromising a system and identifying valuable data, attackers limit transfer sizes to evade detection during the sensitive exfiltration phase.

• Long-Term Persistence and Advanced Persistent Threats (APTs): Attackers aiming to maintain long-term access and stealth may continuously exfiltrate small data increments over extended periods.

• Highly Monitored Environments: In networks with stringent security monitoring, attackers use this technique to remain undetected by avoiding obvious large-volume data transfers.

• Sensitive Targets: When targeting organizations with critical infrastructure, government agencies, or highly secure environments, attackers prefer subtle exfiltration methods to minimize detection risk.

• Initial Reconnaissance and Testing: Attackers may initially test detection capabilities by transferring small data packets to gauge monitoring thresholds and adjust their exfiltration strategy accordingly.

How this Technique is Usually Detected

Detection of Data Transfer Size Limits technique involves a combination of methods, tools, and indicators of compromise (IoCs):

Detection Methods

• Behavioral Analysis: Monitoring network traffic for abnormal patterns, such as regular small data transfers to external IP addresses, unusual DNS queries, or frequent ICMP packets.

• Protocol Analysis: Inspecting DNS, HTTP/S, ICMP, and other protocols for anomalies, such as unusually encoded payloads or irregular packet frequencies.

• Traffic Volume and Frequency Monitoring: Identifying consistent low-volume transfers to external hosts, especially those occurring outside normal business hours or to unfamiliar destinations.

• Endpoint Monitoring: Using endpoint detection and response (EDR) solutions to detect unauthorized data access and suspicious outbound network connections initiated by compromised hosts.

Tools

• Network Intrusion Detection Systems (NIDS) such as Snort, Suricata, or Zeek for traffic analysis.

• Security Information and Event Management (SIEM) tools like Splunk, IBM QRadar, or LogRhythm for correlating logs and network activity.

• Endpoint Detection and Response (EDR) solutions like CrowdStrike Falcon, Microsoft Defender for Endpoint, or Carbon Black to detect suspicious endpoint behavior.

• DNS security solutions and anomaly detection tools to identify potential DNS tunneling activities.

Indicators of Compromise (IoCs)

• Unusual DNS queries with long, encoded subdomains.

• Frequent small-sized outbound HTTP/S requests to unknown or suspicious IP addresses.

• Regular ICMP packets originating from internal hosts to external IP addresses.

• Persistent low-volume data transfers to external hosts at regular intervals.

• Endpoint logs indicating unauthorized access to sensitive data followed by small incremental network transfers.

Why it is Important to Detect This Technique

Detecting Data Transfer Size Limits is crucial due to the following potential impacts:

• Sensitive Data Loss: Undetected exfiltration of proprietary, confidential, or personally identifiable information (PII) can lead to severe financial, legal, and reputational damages.

• Extended Adversary Dwell Time: Attackers using this stealthy technique can remain undetected for extended periods, increasing the potential damage and complexity of remediation.

• Operational Disruption: Compromise of sensitive data can disrupt business operations, lead to regulatory penalties, or impact critical infrastructure.

• Increased Risk of Future Attacks: Successful exfiltration encourages attackers to revisit or escalate their activities, potentially leading to further compromises or attacks.

• Reduced Effectiveness of Security Controls: Failure to detect subtle exfiltration techniques highlights gaps in existing security monitoring and controls, undermining trust and effectiveness of cybersecurity investments.

Early detection allows organizations to:

• Minimize data loss and mitigate potential damages.

• Quickly respond and remediate compromised systems.

• Strengthen security posture by identifying and addressing gaps in monitoring and detection capabilities.

• Maintain compliance with regulatory standards and avoid costly fines or penalties.

Examples

Real-world examples illustrating the use of Data Transfer Size Limits include:

• APT32 (OceanLotus):

  • Scenario: Conducted espionage campaigns targeting Southeast Asian governments, corporations, and journalists.

  • Tools Used: DNS tunneling techniques and custom malware to exfiltrate small data packets.

  • Impact: Successfully exfiltrated sensitive political, economic, and strategic information without immediate detection.

• FIN7 (Carbanak Group):

  • Scenario: Targeted financial institutions and retail businesses to steal financial data.

  • Tools Used: HTTP POST requests with limited payload sizes to transfer stolen credit card data incrementally.

  • Impact: Millions of dollars in financial losses due to prolonged, undetected data exfiltration.

• Operation Sharpshooter:

  • Scenario: Targeted critical infrastructure, defense contractors, and energy companies globally.

  • Tools Used: Used HTTP and DNS protocols with small-sized data transfers to evade detection during exfiltration.

  • Impact: Exfiltrated sensitive intellectual property, proprietary data, and strategic documents without triggering immediate security alerts.

• ICMP Tunneling Attacks:

  • Scenario: Attackers used ICMP echo requests (ping) to exfiltrate data in small increments, bypassing firewall and network monitoring solutions.

  • Tools Used: Custom scripts and malware leveraging ICMP packets for covert data transfers.

  • Impact: Successful exfiltration of sensitive corporate data, including credentials and internal documentation, without detection by traditional monitoring tools.

These examples highlight the effectiveness and stealth of Data Transfer Size Limits, underscoring the importance of robust detection and monitoring capabilities.