Thanks to Jason Anderson of Lancope for making me aware of a large case of intellectual property theft in Israel. This 29 May story explains how Israeli programmer Michael Haephrati was hired to create Trojan Horses for private investigation companies. Those PI firms then deployed the programs to target companies via "email attachments." The PIs sold what they found to competitors of the targets. For more details, I recommend Richard Stiennon's blog.
I found a detail in this story very interesting:
"The Trojan sent images and documents to FTP servers in Israel, Germany and the US, court documents reveal."
Regular blog readers know what that means. Any victim company practicing Network Security Monitoring could have complete records of the FTP traffic that carried documents or files stolen by the Trojan Horses. NSM practitioners would know when the activity started, what systems were victims, and when the last outbound connection took place. Depending on the form of the FTP transfers and the capture of full content data, NSM pros might even know exactly what was stolen.
Those running a defensible network might have deployed FTP proxies that carry all outbound FTP traffic. That outbound FTP proxy would have logged all of the files that were carried outbound. Of course the file names might have nothing to do with the documents stolen from hard drives, but a record of illegal activity would still exist.
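The two preceding paragraphs describe what NSM session records and an outbound FTP proxy log would give an analyst: when the activity started, which internal systems took part, when the last outbound connection happened, and the names of files carried out. As an added example (not from the original post or from any product mentioned in it), the Python below reads a handful of constructed proxy log lines in a hypothetical one-line-per-command format, ignores transfers that never leave the internal address space, and produces exactly that summary per external FTP server. The log format, the internal range, and all addresses and file names are assumptions made for the illustration.

```python
"""Summarize outbound FTP activity from proxy log lines (added example)."""
import ipaddress
from datetime import datetime

# Constructed sample log in a hypothetical proxy format (not from any real
# product): timestamp, internal client, FTP server, FTP command, argument.
SAMPLE_LOG = """\
2005-05-20T09:14:02 10.1.1.25 203.0.113.10 USER anonymous
2005-05-20T09:14:03 10.1.1.25 203.0.113.10 STOR img0001.jpg
2005-05-20T09:20:41 10.1.1.25 203.0.113.10 STOR doc_a.bin
2005-05-21T11:02:17 10.1.1.40 198.51.100.7 STOR upload.dat
2005-05-21T11:03:30 10.1.1.40 198.51.100.7 RETR update.bin
2005-05-21T11:05:00 10.1.1.40 10.1.1.5 STOR report.xls
2005-05-23T16:45:09 10.1.1.25 203.0.113.10 STOR img0002.jpg
"""

# Address ranges considered "inside" (assumed for the example); transfers
# between two inside hosts are not extrusions and are ignored.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip, nets=INTERNAL_NETS):
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_line(line):
    """Split one log line into its fields; return None for blank or malformed lines."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        return None
    ts, client, server, cmd = parts[:4]
    arg = parts[4] if len(parts) == 5 else ""
    try:
        when = datetime.fromisoformat(ts)
        ipaddress.ip_address(client)
        ipaddress.ip_address(server)
    except ValueError:
        return None
    return {"when": when, "client": client, "server": server,
            "cmd": cmd.upper(), "arg": arg}


def summarize_outbound(log_text, nets=INTERNAL_NETS):
    """Per external FTP server: first/last contact, internal clients, files uploaded.

    Only commands from an internal client to an external server count toward
    first/last contact. STOR (upload) arguments are recorded as file names,
    which may bear no relation to the documents actually taken.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_internal(rec["client"], nets) or is_internal(rec["server"], nets):
            continue
        entry = summary.setdefault(rec["server"], {
            "first": rec["when"], "last": rec["when"], "clients": set(), "files": []})
        entry["first"] = min(entry["first"], rec["when"])
        entry["last"] = max(entry["last"], rec["when"])
        entry["clients"].add(rec["client"])
        if rec["cmd"] == "STOR" and rec["arg"]:
            entry["files"].append(rec["arg"])
    # Render timestamps back to ISO strings for reporting.
    for entry in summary.values():
        entry["first"] = entry["first"].isoformat()
        entry["last"] = entry["last"].isoformat()
    return summary


def report(summary):
    """One line per external server, suitable for an incident timeline."""
    lines = []
    for server, e in sorted(summary.items()):
        lines.append(f"{server}: first {e['first']} last {e['last']} "
                     f"clients {sorted(e['clients'])} files {e['files']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarize_outbound(SAMPLE_LOG)))
```

The internal-to-internal STOR of report.xls is dropped on purpose, and the RETR to 198.51.100.7 counts as contact with that server without being listed as an uploaded file; the output therefore answers the questions the post raises (start, victims, last connection, file names) while leaving open what the uploaded bytes actually were, which only full content capture could settle.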
I consider watching outbound activity to be practicing extrusion detection. Stopping outbound activity is supposedly called extrusion prevention, and I already see vendors using these terms. Richard Stiennon prefers the term "intellectual property protection" (IPP). I think IPP is a form of extrusion something, but the idea of IPP assumes that what is being sent outbound has any IP value. For example, I would like to see outbound bot net command and control traffic, even if the bot net owner never touches any sensitive files on my internal victim systems.