As you might have noticed from the first blog post, I started this discussion with alerting on extrusion (data exfiltration) attacks at the node level, then worked outward through the network, which brings us to the perimeter. If the data makes it out past this point, you're officially screwed! Being notified that someone is in your network and attempting to push data out of your network sucks, but that data successfully leaving your network sucks even more! Here are a few things to review in your IPS or firewall to stop, or at least alert on, this malicious activity.
One way of alerting on sensitive material, such as merger and acquisition information, is to look for keywords in the data itself. I've seen people seed specific phrases or words into their documents and then write an IPS rule that searches outbound traffic for those keywords. This isn't a failsafe method (the rule only matches traffic the sensor can read in cleartext, and it has to be scoped to the outbound direction), but it can help.
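As an added illustration of that keyword approach (example code written for this page, not part of the original post or of any IPS product), the following scanner checks constructed outbound SMTP payloads for seeded canary phrases. The phrases, the messages and the base64 handling are all assumptions made for the example: the second sample shows why a plain keyword rule needs to look inside base64-encoded bodies, since that is how attachments travel.

```python
import base64
import re

# Constructed canary phrases: the assumption is that the organisation seeded
# these strings into its M&A documents so they never appear in normal traffic.
CANARY_PHRASES = [b"Project Bluefin", b"ACQ-2013-TERMSHEET"]

# Runs of base64 alphabet long enough to be worth decoding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def decode_layers(payload: bytes) -> list[bytes]:
    """Return the raw payload plus a decoded copy of every base64-looking run.

    A plain keyword rule misses the phrase as soon as it is base64-encoded,
    which is how every e-mail attachment travels; decoding first closes that gap.
    """
    views = [payload]
    for match in _B64_RUN.finditer(payload):
        try:
            views.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
    return views


def find_canaries(payload: bytes, phrases=CANARY_PHRASES, decode: bool = True) -> list[str]:
    """Return the canary phrases present in an outbound payload (case-insensitive)."""
    views = decode_layers(payload) if decode else [payload]
    hits: list[str] = []
    for view in views:
        lowered = view.lower()
        for phrase in phrases:
            name = phrase.decode()
            if phrase.lower() in lowered and name not in hits:
                hits.append(name)
    return hits


# Constructed outbound SMTP samples (not captured traffic).
SAMPLE_PLAIN = (b"Subject: notes\r\n\r\n"
                b"Please review the Project Bluefin valuation before Friday.\r\n")
SAMPLE_B64 = (b"Content-Transfer-Encoding: base64\r\n\r\n"
              + base64.b64encode(b"Attached: ACQ-2013-TERMSHEET draft v3") + b"\r\n")
SAMPLE_CLEAN = b"Subject: lunch\r\n\r\nNoon at the usual place?\r\n"


def scan_outbound(payloads: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each payload name to the canaries it leaks, the way an alert rule would."""
    return {name: find_canaries(data) for name, data in payloads.items()}


if __name__ == "__main__":
    results = scan_outbound({"plain": SAMPLE_PLAIN, "base64": SAMPLE_B64,
                             "clean": SAMPLE_CLEAN})
    for name, hits in results.items():
        print(f"{name}: {'ALERT ' + ', '.join(hits) if hits else 'ok'}")
```

Run with `decode=False` the base64 sample passes clean, which is exactly the gap an attacker exploits; compressed (zip) attachments and TLS sessions hide the phrase completely, so a check like this belongs where the traffic is still cleartext, such as an outbound mail relay or a TLS-inspecting proxy.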
Review the signatures on your IPS to make sure they inspect the protocols that are commonly abused for exfiltration. Two to start with are DNS and SMTP: both can carry information out of the network when an attacker pads or stuffs the protocol's packets (a DNS query name, an e-mail header or body) with extra data that the protocol itself doesn't need. This is a sneaky way to walk right past an IPS that isn't looking for it.
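To make the DNS case concrete, here is an added example (written for this page, not code from the original post or from any IPS vendor) that builds the attacker's side of a DNS exfiltration channel against a constructed query log and then runs three detection checks over it: over-long labels, long high-entropy subdomains, and an unusual number of distinct subdomains from one client to one domain. The secret text, the client addresses, the `example.net`/`example.com`/`example.org` names and every threshold are assumptions made for the example; the SMTP variant would apply the same "is there more data here than the protocol needs" reasoning to headers and bodies.

```python
import math
from collections import defaultdict

# Constructed secret that the attacker splits into hex-encoded DNS labels.
SECRET = b"Project Bluefin term sheet v3: offer 412M cash, close by Q3, board vote Tuesday."
CHUNK = 16  # bytes per label -> 32 hex characters, under the 63-octet DNS label limit

# The attacker's side of the channel: one query per chunk, with a counter label
# first so the receiving name server can reassemble the chunks in order.
EXFIL_QUERIES = [
    ("10.0.0.7", f"{i}.{SECRET[start:start + CHUNK].hex()}.t.example.net.")
    for i, start in enumerate(range(0, len(SECRET), CHUNK))
]

# Constructed query log with benign lookups mixed in (not a real capture).
QUERY_LOG = [
    ("10.0.0.5", "www.example.com."),
    ("10.0.0.5", "mail.example.com."),
    ("10.0.0.9", "cdn-assets-01.example.org."),
    *EXFIL_QUERIES,
    ("10.0.0.5", "www.example.com."),
]


def shannon_entropy(text: str) -> float:
    """Bits per character: ordinary hostnames are typically low, encoded data climbs higher."""
    if not text:
        return 0.0
    n = len(text)
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> tuple[str, str]:
    """Split a query name into (subdomain, registered domain).

    Assumes the registered domain is the last two labels; a real sensor would
    consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def label_reasons(qname: str, max_label: int = 30, min_entropy: float = 3.0) -> list[str]:
    """Per-query indicators: an over-long label, or a long high-entropy subdomain."""
    sub, _domain = split_name(qname)
    reasons = []
    if any(len(label) > max_label for label in sub.split(".")):
        reasons.append("long-label")
    flat = sub.replace(".", "")
    if len(flat) >= 16 and shannon_entropy(flat) >= min_entropy:
        reasons.append("high-entropy")
    return reasons


def volume_reasons(log, max_distinct: int = 4) -> dict[tuple[str, str], int]:
    """Per client+domain indicator: too many distinct subdomains, the signature of
    a client chunking data into unique query names.

    The threshold is deliberately low to fit the constructed log; in production
    it must be tuned against your own baseline.
    """
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for client, qname in log:
        sub, domain = split_name(qname)
        seen[(client, domain)].add(sub)
    return {key: len(subs) for key, subs in seen.items() if len(subs) > max_distinct}


def analyse(log) -> list[tuple[str, str, list[str]]]:
    """Return (client, qname, reasons) for every query with at least one indicator."""
    flagged = []
    for client, qname in log:
        reasons = label_reasons(qname)
        if reasons:
            flagged.append((client, qname, reasons))
    return flagged


if __name__ == "__main__":
    for client, qname, reasons in analyse(QUERY_LOG):
        print(f"{client} {qname} {reasons}")
    for (client, domain), count in volume_reasons(QUERY_LOG).items():
        print(f"{client} -> {domain}: {count} distinct subdomains")
```

The volume check is the one that survives evasion best: an attacker can shorten labels and use a lower-entropy encoding, but still needs one unique query name per chunk, so a client that suddenly resolves dozens of never-seen-before subdomains under one domain is the alert worth paging on.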
Read the rest of my article here: http://blog.algosec.com/2013/06/tips-to-improve-network-security-part-2-of-2.html