How to Detect Data Exfiltration (Before It's Too Late)

Edward Kost
Edward Kost
updated Aug 11, 2022

A data exfiltration attack involves the unauthorized transfer of sensitive data, such as personal data and intellectual property, out of a target system and into a separate location.

These transfers could either occur internally, through insider threats, or externally, through remote Command and Control servers.

Every cyberattack with a data theft objective could be classified as a data exfiltration attack.

Data exfiltration usually occurs during stage 6 of the cyber-attack kill chain, when a connection is established between a compromised system remote cybercriminal servers.

Understanding the malicious processes that commonly precede data exfiltration is the key to mitigating these attacks. They offer opportunities for the implementation of security controls leading up to a final data loss event to significantly obfuscate the attack sequence.

Though data exfiltration usually accompanies a data breach, data theft has a greater security severity classification because valuable data is already in transit.

Some intrusion detection and threat intelligence systems can intercept hackers after they've breached sensitive resources and before any data loss.

Such an intercept would need to occur before permission escalation, a stage preceding sensitive resource access, and therefore, data exfiltration.

the cyber attack lifecycle

How to Detect Data Exfiltration

Data exfiltration is not easy to detect because the events usually hide behind legitimate daily processes.

Each of the detection options below provides a unique vantage point for network traffic analysis. When used collectively, a multi-dimensional analysis can be achieved to increase the efficacy of security operations.

1. Use an SIEM

A Security Information and Event Management System (SIEM) can monitor network traffic in real-time. Some SIEM solutions can even detect malware being used to communicate with Command and Control servers.

2. Monitor all Network Protocols

Monitor all open port traffic to detect suspicious volumes of traffic, usually in the order of 50GB+.

Such discoveries should lead to more targeted analysis since they could just be legitimate business-related connections.

See our list of the top 5 free open port checking tools.

3. Monitor for Foreign IP address Connections

Corporate connections to uncommon IP addresses could be indicative of data exfiltration. Security teams should keep an up-to-date log of all approved IP addresses connections to compare against all new connections.

4. Monitor for Outbound Traffic Patterns

Malware needs to regularly communicate with C&C servers to maintain a consistent connection. These regular bursts of communications, known as beaconing, present an opportunity for detecting data exfiltration within commonly used ports like HTTP:80 and HTTPS:443.

Keep in mind that some advanced Malware and Ransomware strains, like SUNBURST, randomize delays between C&C communications.

How to Prevent Data Exfiltration in 2022

The key to data exfiltration prevention is to implement security solutions that address all of the common vectors for a data exfiltration attack ANCHOR LINK TO BELOW

This can be achieved with the following list of controls.

1. Implement a Next-Generation Firewall (NGFW)

Without a firewall, outbound connections are not monitored, allowing C&C connections to be established seamlessly.

Next-Generation firewalls moderate all outbound traffic across all traffic protocols. These filters sometimes also integrate signature-based malware detection from an antivirus, allowing known C&C Malware behavior to be intercepted and blocked.

The caveat, however, of signature-based threat detection is that it requires antivirus software to be kept up-to-date. If an update is missed or delayed, a new malware variant could slip through during this time and establish a C2 server connection without detection.

Because of this, signature-threat detection should only be used as an additional safety net alongside behavioral-based blocking strategies that analyze traffic in real-time, such as an SIEM.

2. Implement an SIEM

An SIEM can analyze data in all states:

  • In rest
  • In use
  • In transit

This makes it possible to detect and block unauthorized transmissions, even from endpoints like laptops.

Read more about SIEM

3. Implement a Zero-Trust Architecture

A Zero-Trust Architecture enforces strict user verification before any data transfers are permitted.

The downside, however, to firewalls and Zero Trust architectures is that endpoint performance could be negatively impacted because all outbound connections need to be continuously inspected before connecting to laptops. But the benefits of sensitive data loss greatly outweigh these temporal inconveniences.

Read more about the Zero-Trust Architecture.

4. Shut Down All Suspicious Sessions

When a suspicious session is identified, such as data transfer to an unapproved IP address, connections should be immediately severed by either disabling the Active Directory Account ID for the user or disconnecting the user's VPN session.

You should also immediately review and shut down all access control linked to the compromised user account to prevent the threat actor from switching to another user account after their connection is disrupted.

To learn how to do this, refer to the AccessEnum tutorial by Microsoft.

5. Implement Data Loss Prevention Solutions

Data Loss Prevention (DLP) solutions map all data transfers against pre-existing policies to detect suspicious activity. DLP technology also analyzes the contents of all data transfers to check for sensitive information.

Learn more about Data Loss Prevention

6. Detect and Shut Down All Data Leaks

Data leaks are overlooked sensitive resource exposures. When they're discovered by cybercriminals, they make the process of breaching an IT perimeter much easier and faster.

A data leak detection solution will help you discover and shut down each of these data leaks before they facilitate the injection of data exfiltrating malware.

Ideally, such a solution must be capable of addressing not just internal, but also all third-party, data leaks.

Learn how to prevent data leaks.

7. Remediate All Software Vulnerabilities

Software vulnerabilities facilitate malware injections but the ever-expanding attack surface makes these exposures very difficult to manage.

All cybersecurity programs should include an attack surface monitoring solution. This will help you rapidly remediate all internal and third-party vulnerabilities before they're exploited by cybercriminals.

An attack surface monitoring solution capable of also addressing the third-party vendor network will help security teams address exposures in the supply chain to mitigate breaches from supply chain attacks.

Data Exfiltration Attack Techniques

Digital transformation is expanding the attack surface, offering cyberattacks a plentiful selection of vectors for data exfiltration.

At a high level, these options can be separated into two categories, insider and external cyber threats.

  • Insider Threats - Malicious insiders are usually disgruntled employees seeking to inflict harm on their employer. They could exfiltrate data either through physical vectors, like flash drives, or digital vectors, by diverting network traffic to cloud storage services.
  • External Threats - Cybercriminals prefer external data exfiltration methods because these attacks can be launched remotely from anywhere in the world. This also allows data transfer attacks to be automated and rapidly scaled.

The top 6 external data exfiltration threats are listed below.

1. Command and Control Servers

Command and Control server connections are the most common external data exportation threat.

Remote attacks require the establishment of a communication channel between the compromised system and the attacker's server - known as a command-and-control server (also called a C&C or C2 server).

The establishment of such a connection is usually initiated by malware from inside the compromised network.

C&C malware could be injected through any of the other attack vectors listed below - FIX UP.

These connections can be established through three protocols - DNS, HTTP, and FTP.

Domain Name System (DNS)

The DNS protocols convert domain names into IP addresses so that each computer, resource, and service connection to the internet can be differentiated and identified.

Data exfiltration works with this protocol through a process known as DNS tunneling. This is when data is transferred to C2 servers through DNS queries and responses.

DNS tunneling is a popular data exfiltration technique when all other ports are being monitored.

Hypertext Transfer Protocol (HTTP)

The HTTP application protocol is used to transfer data from users to the internet. It is the most common communication channel, which makes it a prime target for data extrusion.

When the HTTP protocol isn't secured, threat actors can transfer sensitive data among voluminous HTTP traffic without detection.

File Transfer Protocol (FTP)

The FTP protocol is used to transfer large files to a web server over the internet. In order for a cyberattacker to compromise this protocol, authentication to an external FTP server must occur from inside the corporate network.

2. Phishing Attacks

Before a data exfiltration backdoor can be established, the malware that makes this connection possible must be injected into the targeted system.

This occurs during stage 3 in the cyber attack kill chain.

the cyber attack lifecycle

Phishing has long been a favorite initial attack vector for malware injection among cybercriminals.

The phishing strategy is based on the ancient trojan horse attack method.

During these attacks, a seemingly innocuous email with infected links is sent to a victim. When these links are clicked, victims are either sent to a credential-stealing decoy website, or a clandestine malware installation process is initiated.

Here's an example of a phishing email posing as an important message about COVID-19 from the CDC.

COVID-19 themed phishing email - Source: purplesec.us
COVID-19 themed phishing email - Source: purplesec.us

Social engineering is another form of phishing that could facilitate perimeter compromise for malware injection.

These attacks could occur via phone, email, or social media.

During these attacks, malicious actors contact a target pretending to be an acquaintance, like a client or customer. They then attempt to trick the victim into divulging internal sensitive information to access an organization's network.

3. Outbound Emails

Any sensitive information residing on email systems can easily be exfiltrated via an outbound email.

This data could include:

  • Calendar events
  • Databases
  • Images
  • Intellectual property documentation

4. Software Vulnerabilities

Digital transformation connects the digital surfaces of organizations and their partners. Because of this, software vulnerabilities impact all of the entities networked to a compromised party. This impact could permeate to third, and even fourth-party attack surfaces.

A compromised third-party vendor could result in all of its partners suffering a data breach, an attack strategy known as a supply chain attack.

Free

UpGuard logo in white
UpGuard free resources available for download
Learn more

Download our free ebooks and whitepapers

Insights on cybersecurity and vendor risk management.
UpGuard logo in white
eBooks, Reports & Whitepapers
UpGuard free resources available for download
UpGuard customer support teamUpGuard customer support teamUpGuard customer support team

See UpGuard In Action

Book a free, personalized onboarding call with one of our cybersecurity experts.
Deliver icon

Sign up to our newsletter

Get the latest curated cybersecurity news, breaches, events and updates in your inbox every week.
Free instant security score

How secure is your organization?

Request a free cybersecurity report to discover key risks on your website, email, network, and brand.
  • Check icon
    Instant insights you can act on immediately
  • Check icon
    Hundreds of risk factors including email security, SSL, DNS health, open ports and common vulnerabilities
Website Security scan resultsWebsite Security scan rating