Encoding to Evade DLP:
- Encoding (e.g., Base64) transforms data into a format that may bypass data loss prevention (DLP) tools.
- DLP solutions often look for specific patterns (e.g., sensitive keywords, file headers) and may not recognize encoded data.
1. Core Definition: The “Data Guard”
Data Loss Prevention (DLP) is a suite of tools, policies, and processes designed to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. Defensively, it is used for regulatory compliance (HIPAA, PCI-DSS) and protecting intellectual property or classified information in cleared environments.
From an offensive/pentesting perspective, DLP is the primary adversary during the Exfiltration phase of an engagement. It is the system actively looking for patterns—like credit card numbers, password hashes, or proprietary code—leaving the network.
2. The Three States of Data (DLP Coverage)
DLP solutions monitor data across three distinct states. As an attacker, you must know which layer you are trying to bypass:
-
Data in Use (Endpoint DLP): Agents running directly on workstations or servers. They monitor local user actions, such as copying files to a USB drive, printing, taking screenshots, or copy/pasting sensitive text into a web browser.
-
Data in Motion (Network DLP): Inspects traffic actively leaving the network via firewalls, proxies, or mail relays (email, web traffic, FTP). It intercepts and analyzes packets for sensitive payloads.
-
Data at Rest (Storage DLP): Scans file shares, databases, and cloud storage environments to locate exposed sensitive data and enforce access policies.
3. How DLP Identifies Sensitive Data
To bypass DLP, you need to understand how it flags data. It typically relies on a mix of these detection engines:
-
Regular Expressions (Regex) / Pattern Matching: Looking for standardized strings (e.g.,
\b(?:\d[ -]*?){13,16}\bfor credit cards or standard SSN formats). -
Exact Data Matching (EDM): Comparing outgoing data against a hashed database of known sensitive records (like a protected customer database).
-
File Fingerprinting: Hashing sensitive files and blocking any outbound file with a matching hash.
-
Keyword Lexicons: Blocking documents containing specific strings like “Confidential,” “Internal Use Only,” or classified project code names.
4. Pentesting Focus Areas: DLP Evasion Techniques
When you reach the exfiltration phase, your goal is to break the signatures and heuristics DLP relies on by making the sensitive data look benign or hiding it within allowed traffic.
A. Encryption & Obfuscation
-
Technique: Altering the payload before transmission so network DLP only sees random ciphertext or unparseable strings.
-
Methods: * AES encryption.
-
Custom XOR encoding.
-
Base64 encoding (Note: Modern DLPs often automatically decode Base64, so it should be combined with other techniques).
-
B. “Living Off the Land” (Protocol/Service Abuse)
-
Technique: Exfiltrating data through channels the organization must allow for normal business operations, blending in with standard noise.
-
Methods:
-
DNS Tunneling: Encoding data into DNS queries (e.g., sending queries for
[base64_encoded_data].attacker-domain.com). DLP rarely inspects DNS traffic deeply. -
ICMP Tunneling: Packing data into Ping echo requests.
-
Cloud Storage: Exfiltrating via HTTPS to legitimate services like Google Drive, GitHub, or AWS S3, assuming the corporate proxy doesn’t perform SSL inspection on those specific domains.
-
C. Steganography
-
Technique: Hiding the data within seemingly innocent, commonly transferred files.
-
Methods: Embedding a dump of credentials inside an image file (
.jpg) or a benign PDF that the organization frequently emails outward. The file looks and behaves normally to a DLP scanner.
D. Traffic Shaping (Low and Slow)
-
Technique: Bypassing threshold-based DLP alerts (e.g., “Alert if > 50MB of data is sent to an unknown IP”).
-
Methods: Breaking large files (like a database dump) into tiny chunks and exfiltrating them slowly over days or weeks to stay under the volumetric detection radar.