Advanced persistent threats (APTs) typically infect a system with the intent of exfiltrating data. These threats reside on a system as processes and can either be hidden or appear to the user as legitimate processes. Some malware resides in a system as modules loaded into genuine operating system processes. Though organizations can detect data exfiltration using traditional network monitoring and analysis tools, they may not be able to identify exactly what data was taken and, accordingly, what business value the leaked data might have. This is because most APTs transport stolen data to command and control servers operated by the attackers in an encrypted form: conventional network monitoring tools can observe the destination, timing and volume of such traffic, but typically cannot analyze its contents.
The assessment of stolen data is normally an estimate based on the criticality of the attacked or infected asset. "What a machine contains" usually drives the investigation of what data a malware attack could have leaked. If, for example, a host containing source code is compromised, it is assumed that the entire source code may have been stolen. This makes it difficult to accurately assess the true loss of business value resulting from the breach, and forensic investigators are left without a complete picture of what data was actually taken from the attacked host. Thus, there is a clear need for techniques by which risk is determined from what a suspect process or module actually read, and from the true business value of the data that was potentially leaked.
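The contrast between a host-based estimate and a read-based estimate can be made concrete with a small script. The following is an added illustration, not the original page's method or any product described by it: it aggregates constructed file-read audit events per (pid, process, module), maps each file read to a constructed asset class and business value, and compares the result with the naive assumption that everything the host contains was lost. The paths, process names, event format and per-file values are all hypothetical.

```python
"""Per-process data-exposure estimate from file-read audit events.

Added illustration, not the original page's method. The events, paths and
business values below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ReadEvent:
    pid: int
    process: str      # image name of the reading process
    module: str       # loaded module that issued the read ("" if unknown)
    path: str
    bytes_read: int


# Constructed inventory of what the host contains: path prefix -> (class, value
# in arbitrary business-value units per file). Longest matching prefix wins.
ASSET_CLASSES = {
    "/srv/src/core/": ("source-code", 50),
    "/srv/src/": ("source-code", 10),
    "/home/alice/finance/": ("financial", 40),
    "/etc/": ("config", 1),
}

# Constructed list of every classified file present on the host, used for the
# naive "what the machine contains" estimate.
HOST_FILES = [
    "/srv/src/core/auth.c", "/srv/src/core/crypto.c", "/srv/src/ui/main.js",
    "/srv/src/ui/app.css", "/home/alice/finance/q3.xlsx", "/etc/hosts",
]

# Constructed audit trail, loosely modelled on a file-read audit log. pid 4120 is
# a legitimate-looking host process with a suspect module loaded into it.
SAMPLE_EVENTS = [
    ReadEvent(4120, "svchost.exe", "updater.dll", "/srv/src/core/auth.c", 81920),
    ReadEvent(4120, "svchost.exe", "updater.dll", "/srv/src/core/auth.c", 4096),
    ReadEvent(4120, "svchost.exe", "updater.dll", "/etc/hosts", 512),
    ReadEvent(4120, "svchost.exe", "updater.dll", "/home/alice/finance/q3.xlsx", 20480),
    ReadEvent(2201, "gcc", "", "/srv/src/core/crypto.c", 30000),
    ReadEvent(2201, "gcc", "", "/srv/src/ui/main.js", 9000),
]


def classify(path):
    """Return (class, value) for a path by longest matching prefix."""
    best = None
    for prefix, info in ASSET_CLASSES.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, info)
    return best[1] if best else ("unclassified", 0)


def host_value():
    """Naive estimate: everything the machine contains is assumed lost."""
    return sum(classify(p)[1] for p in HOST_FILES)


def exposure_by_process(events):
    """Aggregate what each (pid, process, module) actually read.

    Returns {(pid, process, module): {"files", "bytes", "value", "classes"}}.
    Value counts each distinct file once, however many reads touched it.
    """
    acc = defaultdict(lambda: {"files": set(), "bytes": 0})
    for ev in events:
        key = (ev.pid, ev.process, ev.module)
        acc[key]["files"].add(ev.path)
        acc[key]["bytes"] += ev.bytes_read
    result = {}
    for key, data in acc.items():
        classes = {classify(p)[0] for p in data["files"]} - {"unclassified"}
        result[key] = {
            "files": sorted(data["files"]),
            "bytes": data["bytes"],
            "value": sum(classify(p)[1] for p in data["files"]),
            "classes": sorted(classes),
        }
    return result


def suspect_exposure(events, suspect_pid):
    """Total potentially leaked value for one suspect process."""
    return sum(r["value"] for key, r in exposure_by_process(events).items()
               if key[0] == suspect_pid)


if __name__ == "__main__":
    print("host-based estimate:", host_value())
    for key, r in exposure_by_process(SAMPLE_EVENTS).items():
        print(key, r["classes"], r["bytes"], "bytes, value", r["value"])
    print("read-based estimate for pid 4120:", suspect_exposure(SAMPLE_EVENTS, 4120))
```

On the constructed data the host-based estimate counts all six classified files (161 units), while the read-based estimate for the suspect module attributes only the three files it actually opened (91 units) and names which classes of data were touched. The real work in practice lies in the two inputs this script takes for granted: a reliable per-module file-read trail, and an asset classification that assigns business value to files rather than to whole hosts.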