An Analytical Framework to Address the Data Exfiltration of Advanced Persistent Threats

Detecting and preventing the data exfiltration of advanced persistent threats is a challenging problem. These attacks can remain in their target system for several years while retrieving information at a very slow rate, possibly after reformatting and encrypting the data they have accessed. Tainting and tracking some of the files in the system and deploying honeypots are two of the potentially effective measures against advanced persistent threats. In this paper, we introduce an analytical framework to study the effect of these measures on the amount of files that an attacker can exfiltrate. In particular, we obtain upper bounds on the expected amount of files at risk given a certain ratio of tainted and honey files in the system by using dynamic programming and Pontryagin's maximum principle. In addition, we show that in some cases tainting more of the files does not necessarily improve the security of the system. The results highlight the effectiveness and the necessity of deception for combatting advanced persistent threats.