How to Catch Data Exfiltration With a Single Tshark Command – Video Blog
Video – Catching Data Exfiltration With a Single Tshark Command
Command Used
tshark -r data-exfil.pcap -T fields -e ip.src -e ip.dst -e ip.len ip.src == 192.168.0.0/16 or ip.src == 10.0.0.0/8 or ip.src == 172.16.0.0/12 | sort | datamash -g 1,2 sum 3 | sort -k 3 -rn | head
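As an added example (not part of the blog post or the video), the same aggregation done in Python over constructed tshark field output, so the datamash step and the internal-source filter can be checked without tshark or datamash installed; the addresses and sizes in SAMPLE are made up, and the 20-byte header estimate is the video's own caveat, assumed here to be IPv4 without options.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges used by the tshark display filter on this page
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Constructed sample of `tshark -T fields -e ip.src -e ip.dst -e ip.len`
# output: tab-separated src, dst, total IP length (addresses are made up)
SAMPLE = """\
10.55.100.111\t203.0.113.5\t1500
10.55.100.111\t203.0.113.5\t1500
10.55.100.111\t198.51.100.9\t1500
192.168.1.20\t203.0.113.5\t60
203.0.113.5\t10.55.100.111\t1500
172.16.4.7\t198.51.100.9\t800
"""

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def top_talkers(fields_text: str, limit: int = 10):
    """Return [(src, dst, total_bytes, packets)] sorted by bytes descending,
    mirroring `sort | datamash -g 1,2 sum 3 | sort -k 3 -rn | head`."""
    totals = defaultdict(lambda: [0, 0])
    for line in fields_text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2]:
            continue  # non-IP frames leave the fields empty; skip them
        # A frame with nested IP headers (ICMP errors, tunnels) prints each
        # field comma-joined, which would break datamash's numeric sum;
        # keep only the outermost occurrence.
        src, dst, ip_len = (p.split(",")[0] for p in parts)
        if not is_internal(src):
            continue  # only traffic sent by internal hosts, as in the filter
        totals[(src, dst)][0] += int(ip_len)
        totals[(src, dst)][1] += 1
    rows = [(s, d, b, p) for (s, d), (b, p) in totals.items()]
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows[:limit]

def bytes_per_source(rows):
    """Collapse pairs to a per-source total, the pattern the video spots by eye."""
    per_src = defaultdict(int)
    for src, _dst, total, _pk in rows:
        per_src[src] += total
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for src, dst, total, pk in top_talkers(SAMPLE):
        # 20 bytes per packet is the IPv4 header overhead the video mentions
        print(f"{src}\t{dst}\t{total}\t({pk} pkts, ~{pk * 20} B of headers)")
```

To run it on real data, feed it the tshark output from the command above (minus the sort/datamash stages) instead of SAMPLE.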
Video Transcript
(00:00)
Hey folks, I’m Chris Brenton and today I’m going to show you how to identify which of your internal systems are sending the largest amount of data out to the internet using a single TShark command.
(00:12)
Now, first, a couple of caveats. Number one, this does not work as a live capture, meaning I can’t sniff the traffic off the network live in order to get this information; I need to read it out of a capture file. The longer the capture file, the better. Preferably, like 24 hours collected off of the internal interface of the firewall. That way you’re seeing all the internal systems as they go out to the internet.
(00:34)
Another caveat here: this is slow. I did another video on how to do exactly the same thing with Zeek. If you’re going to be doing this on a regular basis, I highly recommend you use Zeek instead, but if you’ve got a pcap file and you’re in a pinch, here’s an easy way to go through and do that.
(00:51)
The third caveat I have is that the amount of data that I’m going to display as being sent out is not 100% accurate. It’s also going to include the IP header in each packet, which is 20 bytes. So we’re going to see a little bit more data transferred out than what was actually in the payloads. But when you start looking at comparing it to other systems, it’s still apples to apples.
(01:18)
So those are the caveats. With that said, here’s what we’re doing. We’re using TShark’s ability to go in and extract out certain fields. We’re pulling out the source IP, the destination IP, and the size of the IP packets. We’re then going in and creating a filter that says, “Only show me the data that was transmitted by my systems on the internal network.”
(01:38)
We’re sorting the data and running it through Datamash. Datamash is going to go through and add up multiple sessions between the same two IP addresses and give us a sum total, so we can see the total number of bytes. And then we’re just sorting it out from highest to lowest, looking at our top 10, and the result is what we get here. Now I’m noticing a couple of patterns. I’m noticing that 10.55.100.111 seems to be sending the largest amount of data out to a bunch of different IP addresses out on the internet. So where should I begin my investigation? That would be the system I’d go after first. That’s it. Hope you found this video useful.
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y-Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and identifying their product market fit.