I’m an MSSP; my client sent me an issue: their DLP vendor said their solution can only detect data that is exfiltrated by HTTP GET methods.
I can see that the Browsing HTTP/HTTPS channel uses HTTP GET responses to exfiltrate data to Cymulate.
But what about other channels?
In the attack logs, I can see OneDrive and GitHub; these channels use API calls: PUT https://xxxx.xxxxx
It seems they use HTTP PUT methods, right?
Could you help me clarify which HTTP methods are used in each channel?
That’s what my client and their DLP vendor want to know; then they will try to optimize their solution.
Best answer by Shiraz
We use GET only for HTTP Browsing and HTTPS Browsing.
The rest of the exfiltration methods use PUT or POST (depends on the API).
Thanks for your explanation.
Based on this question, there are a lot of content types in each exfiltration method, like Word, PDF, string, etc. For example, the OneDrive channel uses PUT methods; I am wondering whether the PUT method is used for all content types in the OneDrive channel, or whether POST methods are mixed in for some specific content types?
That’s an example: from the report we saw that some content types are blocked and the rest of them penetrated.
If all content types use the PUT method, then their DLP should not have the ability to detect and block them.
So we are wondering whether each channel uses only one of PUT/POST/GET for all content types.
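A way for the DLP team to check this coverage gap on their own side, as an added example that is not part of the thread or of Cymulate's product: summarize outbound HTTP methods per destination from a web proxy log and list the PUT/POST requests that carry a body a GET-only inspection never sees. The log format, hosts and paths below are constructed placeholders, not real Cymulate endpoints.

```python
"""Audit a proxy log for upload traffic that GET-only DLP inspection would miss.

Assumed (constructed) log format, one request per line:
    <method> <host> <path> <request_bytes>
Hosts and paths are illustrative placeholders only.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: browsing-style GET with data in the URL, a OneDrive-like
# PUT upload, a GitHub-like POST upload, and ordinary GET traffic.
SAMPLE_LOG = """\
GET intranet.example.test /index.html 0
GET browsing-channel.example.test /c?d=aGVsbG8gd29ybGQ 0
PUT drive.example.test /me/drive/root:/q3-report.docx:/content 524288
POST code-host.example.test /repos/acme/notes/contents/secret.txt 8192
PUT drive.example.test /me/drive/root:/notes.pdf:/content 204800
GET cdn.example.test /app.js 0
"""

@dataclass(frozen=True)
class Request:
    method: str
    host: str
    path: str
    request_bytes: int  # bytes the client sent in the request body

def parse_log(text: str) -> list[Request]:
    """Parse the constructed format; skip blank or malformed lines."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        out.append(Request(parts[0].upper(), parts[1].lower(), parts[2], int(parts[3])))
    return out

def methods_by_host(reqs: list[Request]) -> dict[str, set[str]]:
    """Which HTTP methods each destination host was reached with."""
    seen: dict[str, set[str]] = defaultdict(set)
    for r in reqs:
        seen[r.host].add(r.method)
    return dict(seen)

def body_uploads_missed_by_get_only_dlp(reqs: list[Request], min_bytes: int = 1024) -> list[Request]:
    """PUT/POST requests carrying a body; a GET-only inspection never sees these."""
    return [r for r in reqs if r.method in {"PUT", "POST"} and r.request_bytes >= min_bytes]

def get_with_data_in_url(reqs: list[Request], min_query_len: int = 8) -> list[Request]:
    """GET requests whose query string is long enough to carry encoded data."""
    return [r for r in reqs if r.method == "GET" and "?" in r.path
            and len(r.path.split("?", 1)[1]) >= min_query_len]

if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    for host, methods in sorted(methods_by_host(reqs).items()):
        print(f"{host:32} {', '.join(sorted(methods))}")
    print("Body uploads outside GET-only inspection:", len(body_uploads_missed_by_get_only_dlp(reqs)))
```

A host that only ever appears with PUT or POST in this summary is a channel whose payloads a GET-only DLP policy cannot inspect at all, whatever the content type.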