i³ Threat Advisory: Defending Against a Persistent Exfiltration Vector – Unauthorized Printing

  1. Organizations that still allow printing should have policies on safe data handling, transfer, and destruction.
  2. Correlating an individual’s usual hours of activity and when they are printing could indicate a pattern of concerning behavior particularly in an office environment.
  3. Corporate printing devices should have auditing enabled so that what is printed is recorded. Unsanctioned peripheral printing devices should be blocked, or else treated as rogue devices.

INTRODUCTION

There are many ways insiders can exfiltrate data, and the list of methods is growing each year, particularly with new innovations, AI, and file-sharing websites. While our attention is drawn to new and emerging threats it is important to stay protected against older methods of exfiltration through monitoring, detection, and taking a holistic approach to insider risk management.

The case of Gokhan Gun underscores the risk of data exfiltration through printing. Gun, a dual-citizen electrical engineer employed by the US Air Force, was charged and detained for printing and unlawfully removing over 150 pages of classified material.

From the article: “In court papers, prosecutors say he printed out classified documents at his office, often late in the day when co-workers had left, and took them home.” This occurred between May 10 and August 7, 2024; the largest batch, 82 pages marked “Top Secret”, was printed two days before an alleged fishing trip to Mexico.

While this story concerns a military organization, where data is classified according to its sensitivity to national security and need-to-know principles, it is even more important for commercial organizations to take notice, because they often have fewer physical controls around data handling. It is not uncommon for organizations either to leave the crown jewels of their corporate data unclassified or to lack a full understanding of which data is sensitive to them.

EARLY DETECTION AND MITIGATION

The DTEX i3 team recommends organizations implement the following controls to detect, deter, and disrupt insider risk activity associated with exfiltration via printing.

Implement safe data handling (including destruction guidelines)

Implementing safe data handling guidelines is highly recommended, and there are multiple military guidelines (such as this one from the US Department of Defense) to draw from. Guidelines for all organizations could include:

  • A clear desk policy at the end of the day, to prevent unauthorized individuals from reading sensitive information. These can range from other employees without a need-to-know to building cleaners in an office environment.
  • Establish requirements for maintaining an audit log of any items leaving a secure area, such as an office, and of all information printed by remote employees.
  • Provide guidelines for destroying printed material after it has served its purpose. If an audit log is maintained, it should include the name of the responsible person, witness, date, and method of destruction, all of which should be notarized.

Monitor hours of activity

Even on non-standard workdays, employees often display patterns that can be baselined over time, and deviations from these patterns may indicate suspicious behavior. In the case above, the engineer (Gokhan Gun) was printing after his peers and other employees had finished their workday and left the office. Another example would be a user who suddenly starts working over lunch while other users in the same office have locked their endpoints and stepped away.

This activity could be monitored as a cyber indicator using insider risk management technology. Alternatively, it could be tracked through reporting mechanisms established in an insider risk management program, along with providing education to employees on recognizing suspicious signs.
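The baselining described above, as an added example that is not DTEX code: a per-user active-hours window is learned from constructed endpoint-activity history, and a print job is flagged when it falls outside that window or when no peer in the same office has been active recently (the after-hours and over-lunch cases). The users, office name, timestamps and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint-activity history (user, office, ISO timestamp); hypothetical,
# not DTEX data. Alice normally works ~09:00-17:00, Bob ~07:30-15:30 at the same office.
HISTORY = [
    ("alice", "hq", "2024-05-01T08:55"), ("alice", "hq", "2024-05-01T17:05"),
    ("alice", "hq", "2024-05-02T09:10"), ("alice", "hq", "2024-05-02T16:50"),
    ("alice", "hq", "2024-05-03T08:40"), ("alice", "hq", "2024-05-03T17:20"),
    ("bob", "hq", "2024-05-01T07:30"), ("bob", "hq", "2024-05-01T15:30"),
    ("bob", "hq", "2024-05-02T07:45"), ("bob", "hq", "2024-05-02T15:45"),
    ("bob", "hq", "2024-05-03T07:35"), ("bob", "hq", "2024-05-03T15:40"),
]

def _hour(t):
    """Time of day as a fractional hour, e.g. 17:20 -> 17.33."""
    return t.hour + t.minute / 60

def build_baseline(history, margin_hours=1.0):
    """Per-user active window (earliest - margin, latest + margin) learned from history."""
    hours = defaultdict(list)
    for user, _office, ts in history:
        hours[user].append(_hour(datetime.fromisoformat(ts)))
    return {u: (min(h) - margin_hours, max(h) + margin_hours) for u, h in hours.items()}

def last_peer_activity(history, user, office, when):
    """Most recent activity on the same day, at or before `when`, by another user in the office."""
    peers = [datetime.fromisoformat(ts) for u, o, ts in history
             if o == office and u != user]
    peers = [t for t in peers if t.date() == when.date() and t <= when]
    return max(peers) if peers else None

def assess_print_job(history, baseline, user, office, ts, peer_gap=timedelta(minutes=60)):
    """Reasons a PrintJobIssued event at `ts` deviates from the user's and office's pattern."""
    when = datetime.fromisoformat(ts)
    reasons = []
    lo, hi = baseline.get(user, (0.0, 24.0))   # unknown users get no hour constraint
    if not lo <= _hour(when) <= hi:
        reasons.append("outside_user_baseline")
    last = last_peer_activity(history, user, office, when)
    if last is None or when - last > peer_gap:
        reasons.append("no_recent_peer_activity")   # peers have left, or are away at lunch
    return reasons

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(assess_print_job(HISTORY, base, "alice", "hq", "2024-05-03T19:30"))
```

In production the window would be learned over weeks rather than days and the peer check would use lock/unlock events, but the shape of the logic is the same.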

Audit corporate printing devices

Most corporate printing devices have built-in capabilities to track and audit user accounts and their printing activities. Conducting regular audits to identify who is printing sensitive information should be part of a documented procedure, especially if data handling guidelines mandate the proper destruction of printed materials once they are no longer needed.

Monitor for unauthorized printing devices

Printers come in various sizes, including compact models that can easily fit into an employee’s backpack. For example, the image below shows an A4 wireless printer equipped with a battery. While this particular printer uses a WiFi connection, many other models on the market connect via USB, Bluetooth, or mobile phone apps.

Example small form factor portable printer.

The use of a device like this could raise suspicions especially if the organization has a corporate printer. Many organizations already have policies for reporting unauthorized devices plugged into unused network ports. Extending these policies to include reporting suspicious printing devices could further reduce an organization’s risk profile.

DTEX InTERCEPT: DETECT AND INVESTIGATE

Detecting sensitive information leaving your organization first requires knowing which data is considered sensitive. Documents should carry their classification label both inside the document and, more importantly, in the filename itself. The classification then travels with the file as metadata, and monitoring and detection do not depend on inspecting file contents.

The advantage of first classifying sensitive information is that investigations can follow standard workflows within your organization. If no guidelines for safe data handling exist, the detection profiles described below will help assess the current risk landscape and guide informed decisions on implementing risk-based controls. Depending on your organization’s context, these profiles can be fine-tuned for more accurate reporting or expanded into new profiles for specific use cases.

The following section explores how you could investigate this activity within your organization or start to profile the risk that your organization may be exposed to.

IEXF-AL-POIPRT-I5025 – Exfiltration – Person of Interest – Printing I5025

This profile requires the Person of Interest named list to be populated. It then looks for any PrintJobIssued activity by those users and filters out any of the following:

  • Source_File_Name matching FedEx Ship Manager – Print, Microsoft Outlook – Memo Style, or DYMO Label print out.
  • Printer_Details.Name matching ChemStation PDF, Waters PDF Generator, Adobe PDF, DYMO LabelWriter, ZebraZT, followmeprint, or microsoft print to pdf.

Here we may be interested in tracking a person of interest’s printing activity even on approved printers, so the profile may be left as is.

IEXF-AL-PRNTNM-I5007 – Exfiltration – Printing Sensitive Document Name I5007

This profile looks for any PrintJobIssued activity where the Source_File_Name contains any of the following words: social, security, agreement, audit, confidential, portfolio, customer, finance, password, classified, secret, sensitive, credit, scope.

To improve the accuracy, the organization may already have a named list of how documents are classified which could be added to the profile.

IEXF-AL-SNSPRT-I5055 – Exfiltration – Sensitive – Printing I5055

This profile looks for any PrintJobIssued activity where any field in the activity document contains any of the following words: social, security, agreement, audit, confidential, portfolio, customer, finance, password, classified, secret, sensitive, credit, scope.

To improve the accuracy, the organization may already have a named list of how documents are classified which could be added to the profile.

IEXF-AL-UPRINT-I5016 – Exfiltration – Print Job Issued I5016

This profile looks for any PrintJobIssued activity and filters out any of the following:

  • Source_File_Name matching FedEx Ship Manager – Print, Microsoft Outlook – Memo Style, or DYMO Label print out.
  • Printer_Details.Name matching ChemStation PDF, Waters PDF Generator, Adobe PDF, DYMO LabelWriter, ZebraZT, followmeprint, or microsoft print to pdf.

To improve the accuracy, we could also filter out printers on the approved named list that was created earlier.
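The four profiles above, expressed as plain Python over constructed PrintJobIssued activity documents. This is an added example, not DTEX InTERCEPT’s own rule syntax: the events, the person-of-interest and approved-printer named lists, and the use of flat dictionary keys for Source_File_Name and Printer_Details.Name are all assumptions for illustration, while the exclusion lists and keyword list are the ones quoted on this page.

```python
import re

# Exclusions and keywords exactly as listed in the profiles on this page.
EXCLUDED_SOURCE_NAMES = ("FedEx Ship Manager - Print", "Microsoft Outlook - Memo Style",
                         "DYMO Label print out")
EXCLUDED_PRINTERS = ("ChemStation PDF", "Waters PDF Generator", "Adobe PDF", "DYMO LabelWriter",
                     "ZebraZT", "followmeprint", "microsoft print to pdf")
SENSITIVE_WORDS = ("social", "security", "agreement", "audit", "confidential", "portfolio",
                   "customer", "finance", "password", "classified", "secret", "sensitive",
                   "credit", "scope")
PERSONS_OF_INTEREST = {"ggun"}          # constructed named list (assumption)
APPROVED_PRINTERS = {"HQ-Floor3-MFP"}   # constructed named list (assumption)
# Constructed activity documents; flat keys mirror the field names quoted on the page.
EVENTS = [
    {"Activity": "PrintJobIssued", "User": "alice", "Source_File_Name": "Q3 Finance Review.xlsx",
     "Printer_Details.Name": "HQ-Floor3-MFP", "Pages": 4},
    {"Activity": "PrintJobIssued", "User": "bob", "Source_File_Name": "Microsoft Outlook \u2013 Memo Style",
     "Printer_Details.Name": "HQ-Floor3-MFP"},
    {"Activity": "PrintJobIssued", "User": "ggun", "Source_File_Name": "design notes.docx",
     "Printer_Details.Name": "Microsoft Print to PDF"},
    {"Activity": "PrintJobIssued", "User": "ggun", "Source_File_Name": "site plan.pdf",
     "Printer_Details.Name": "HQ-Floor3-MFP", "Document_Title": "CLASSIFIED // NOFORN"},
    {"Activity": "PrintJobIssued", "User": "ggun", "Source_File_Name": "vacation.pdf",
     "Printer_Details.Name": "Personal-WiFi-Printer"},
    {"Activity": "FileCopied", "User": "alice", "Source_File_Name": "secret.txt"},
]

def _matches_any(value, names):
    # Case-fold and fold en dashes to hyphens so driver-generated names match either spelling.
    v = str(value or "").lower().replace("\u2013", "-")
    return any(n.lower().replace("\u2013", "-") in v for n in names)
def _not_excluded(e):
    return (not _matches_any(e.get("Source_File_Name"), EXCLUDED_SOURCE_NAMES)
            and not _matches_any(e.get("Printer_Details.Name"), EXCLUDED_PRINTERS))
def _has_sensitive_word(text):
    # Whole-word, case-insensitive match against the profile keyword list.
    return any(re.search(rf"\b{w}\b", str(text), re.IGNORECASE) for w in SENSITIVE_WORDS)
def _prints(events):
    return [e for e in events if e.get("Activity") == "PrintJobIssued"]

def poi_printing(events):             # IEXF-AL-POIPRT-I5025
    return [e for e in _prints(events) if e["User"] in PERSONS_OF_INTEREST and _not_excluded(e)]

def sensitive_document_name(events):  # IEXF-AL-PRNTNM-I5007: filename only
    return [e for e in _prints(events) if _has_sensitive_word(e.get("Source_File_Name", ""))]

def sensitive_any_field(events):      # IEXF-AL-SNSPRT-I5055: any field, e.g. a document title
    return [e for e in _prints(events) if any(_has_sensitive_word(v) for v in e.values())]

def unapproved_print_job(events):     # IEXF-AL-UPRINT-I5016 plus the approved-printer list
    return [e for e in _prints(events)
            if _not_excluded(e) and e.get("Printer_Details.Name") not in APPROVED_PRINTERS]
```

Note that the “site plan.pdf” event is caught by I5055 through its Document_Title but not by I5007, which only inspects the filename; that gap is why the page recommends carrying the classification in the filename itself.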

CONCLUSION

As insider threats continue to evolve with new technologies and methods, it remains crucial for organizations to stay vigilant and proactive in their approach to stopping data exfiltration. The case of the dual-citizen engineer who physically printed classified documentation underscores the relevance of monitoring traditional methods of data exfiltration.

To safeguard against both new and old techniques of insider threats, organizations must implement a comprehensive strategy encompassing monitoring and detection, safe data handling practices, and oversight of corporate resources. This includes enforcing clear desk policies, maintaining thorough audit logs, monitoring unusual work hours, and auditing corporate printing devices. Additionally, organizations should be proactive in identifying and managing unauthorized printing devices that could potentially be used for illicit purposes.

By adopting a holistic approach to insider risk management, organizations can better protect their sensitive information and mitigate the risks posed by both modern and traditional data exfiltration methods.

INVESTIGATIONS SUPPORT

For intelligence or investigations support, contact the DTEX i3 team. Extra attention should be taken when implementing behavioral indicators on large enterprise deployments.

RESOURCES

DTEX i3 2024 Insider Risk Investigations Report  

DTEX Release Notes

Insider Threat Practitioner On-Boarding