Light Dark
June 1, 2016 By Larry Loeb 2 min read

Israel-based security firm SafeBreach conducted an extensive analysis of covert data exfiltration to come up with what they believe is the perfect technique.

In 2015, the researchers began to focus on getting small amounts of sensitive data such as cryptographic keys or passwords from highly secure organizations. They recently presented the results in Amsterdam at the Hack in the Box Conference.

The researchers had a few preconditions to their attack, like the assumption that an external attacker has already managed to insert malware on a device within the targeted organization. They also consider the case of a malicious insider wanting to send out sensitive data without getting caught.

The 10 Commandments of Exfiltration

Following the experiment, the researchers came up with a technique of exfiltration based on their newly established 10 commandments. According to the SafeBreach presentation, these commandments are:

  1. No security through obscurity should be used.
  2. Only Web browsing and derived traffic is allowed.
  3. Anything that may theoretically be perceived as passing information is forbidden.
  4. Scrutinize every packet during comprehensive network monitoring.
  5. Assume TLS/SSL termination at the enterprise level.
  6. Assume the receiving party has no restrictions.
  7. Assume no nation-state or third-party site monitoring.
  8. Enable time synchronization between the communicating parties.
  9. There’s bonus points for methods that can be implemented manually from the sender side.
  10. Active disruption by the enterprise is always possible.

These assumptions imply certain exfiltration techniques, such as using regular browsing, modifying an application and being able to observe the change remotely.

The Ideal Data Exfiltration Method

The researchers came up with an attack that meets all their commandments. According to SecurityWeek, it involves the sender and receiver both agreeing on a popular Web page in a victim’s zone of access and a given time. If the sender doesn’t access the specified page at the specified time, a 0 bit of data is sent. If the sender does make an HTTP request at the specified time, a 1 bit is sent.

The receiver can determine if the sender accessed the page by checking the cache. Did the sender access it to send a 1 bit or was it cached by the receiver’s own visit (the sender did not access it to send a 0 bit)?

Basically, this method allows the attacker and the receiver to send digital Morse code to each other. It is admittedly low-bandwidth and unidirectional, so it’s only useful for small amounts of data.

A proof of concept tool was released by the researchers just to automate the method and show they weren’t fooling around. They have come up with a unique method of exfiltrating data that needs to be appreciated for the principles it demonstrates — and then dealt with on a practical level.

 |  | 
Larry Loeb
Principal, PBC Enterprises

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature