What is Data Exfiltration

Data exfiltration (also called “data extrusion”) is the unauthorized transfer of data out of a device or network. It can be done manually by anyone with physical access to the device or automatically by malware over a network. According to a recent DNS protection survey, 46% of respondents had been victims of data exfiltration, and 45% had been exposed to DNS tunneling, which is frequently used as a form of data exfiltration, over DNS port 53. Because attackers use DNS to get past next-generation firewalls, intrusion detection systems, and intrusion prevention systems, security teams need to turn their attention to DNS: it is a pathway that is almost always left open (outbound port 53 is rarely blocked), which also makes it a natural choke point for detecting and thwarting exfiltration attempts.

Attackers treat exfiltration as the final step after identifying and staging sensitive information. It can be performed remotely or by hand, and it is often difficult to spot because it resembles legitimate (or “normal”) network traffic. Financial records, customer details, and intellectual property or trade secrets are among the most commonly targeted data. Unfortunately, an attacker does not need exceptionally sophisticated techniques to penetrate a network, exfiltrate data, and avoid detection; this is true for APT groups, for less sophisticated threat actors, and especially for malicious insiders, who already hold legitimate access. Because almost every host must be allowed to resolve names, DNS threat analytics can detect and automatically block exfiltration attempts that use DNS without endpoint agents or additional inline network equipment. A DNS threat analytics system built on streaming analytics can provide real-time monitoring, aggressive blocking, and insight into compromised computers and rogue workers.
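The kind of analysis a DNS threat analytics pipeline performs can be shown on a resolver log. The following is an added example written for this page, not code from any product the page describes. It runs a handful of tunnelling heuristics (subdomain length, character entropy, how often a subdomain is never repeated, and the share of TXT/NULL/CNAME queries) over a constructed query log and names the registered domains that trip at least two of them. The log lines, the domains exfil-test.net and updates.example, and every threshold are assumptions made for the example; the split into “subdomain” and “registered domain” takes the last two labels, which a real deployment would replace with a Public Suffix List lookup.

```python
import math
from collections import defaultdict

# Query types that end-user workstations rarely issue but that DNS tunnels
# (iodine- or dnscat2-style tools, for example) favour for their larger payloads.
RARE_QTYPES = {"TXT", "NULL", "CNAME"}

# Illustrative thresholds (assumptions); tune them against your own resolver's baseline.
MIN_QUERIES = 4        # ignore domains with too few queries to judge
LONG_SUBDOMAIN = 40    # average subdomain length in characters
HIGH_ENTROPY = 3.5     # bits per character (uniform hex is 4.0; base32/base64 payloads go higher)
UNIQUE_RATIO = 0.9     # share of queries whose subdomain never repeats
RARE_RATIO = 0.5       # share of TXT/NULL/CNAME queries

# Constructed resolver log (not captured from any real network), one query per
# line: "<time> <client_ip> <qtype> <qname>". The tunnel queries carry 64 hex
# characters per name; the updates.example names imitate a CDN's hashed hosts.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A cdn.example.com
10:00:02 10.0.0.6 A mail.example.com
10:00:04 10.0.0.6 A www.example.com
10:00:05 10.0.0.9 A 7f3a9c2e1b5d.updates.example
10:00:06 10.0.0.9 A 7f3a9c2e1b5d.updates.example
10:00:07 10.0.0.9 A 7f3a9c2e1b5d.updates.example
10:00:08 10.0.0.9 A 7f3a9c2e1b5d.updates.example
10:00:03 10.0.0.7 TXT 0123456789abcdeffedcba9876543210.02468ace13579bdffdb97531eca86420.exfil-test.net
10:00:03 10.0.0.7 TXT 13579bdf02468aceeca86420fdb97531.0f1e2d3c4b5a69788796a5b4c3d2e1f0.exfil-test.net
10:00:04 10.0.0.7 TXT fedcba98765432100123456789abcdef.a5b4c3d2e1f067899876f0e1d2c3b4a5.exfil-test.net
10:00:04 10.0.0.7 TXT 89abcdef0123456776543210fedcba98.0a1b2c3d4e5f67899876f5e4d3c2b1a0.exfil-test.net
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, registered domain).

    Assumption for this example: the registered domain is the last two labels.
    Production code should consult the Public Suffix List (co.uk, github.io, ...).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Parse '<time> <client> <qtype> <qname>' lines into tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, client, qtype, qname = parts
            records.append((ts, client, qtype.upper(), qname))
    return records


def score_domains(records):
    """Return {registered_domain: [reasons]} for domains showing at least two
    tunnelling indicators. One indicator alone (a CDN's hashed hostnames have
    high entropy, for instance) is deliberately not enough to flag a domain."""
    stats = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "rare": 0})
    for _ts, _client, qtype, qname in records:
        sub, dom = split_name(qname)
        s = stats[dom]
        s["n"] += 1
        s["subs"].add(sub)
        s["len"] += len(sub)
        s["ent"] += shannon_entropy(sub.replace(".", ""))
        if qtype in RARE_QTYPES:
            s["rare"] += 1
    findings = {}
    for dom, s in stats.items():
        if s["n"] < MIN_QUERIES:
            continue
        avg_len, avg_ent = s["len"] / s["n"], s["ent"] / s["n"]
        uniq, rare = len(s["subs"]) / s["n"], s["rare"] / s["n"]
        reasons = []
        if avg_len > LONG_SUBDOMAIN:
            reasons.append(f"long subdomains (avg {avg_len:.0f} chars)")
        if avg_ent > HIGH_ENTROPY:
            reasons.append(f"high-entropy labels (avg {avg_ent:.2f} bits/char)")
        if uniq > UNIQUE_RATIO:
            reasons.append(f"{uniq:.0%} of queries use a never-repeated subdomain")
        if rare > RARE_RATIO:
            reasons.append(f"{rare:.0%} TXT/NULL/CNAME queries")
        if len(reasons) >= 2:
            findings[dom] = reasons
    return findings


def domains_to_block(text):
    """Parse a log and return the domains that should be sinkholed or reviewed."""
    return score_domains(parse_log(text))


if __name__ == "__main__":
    for dom, reasons in domains_to_block(SAMPLE_LOG).items():
        print(f"BLOCK {dom}: " + "; ".join(reasons))
```

Requiring two independent indicators is what keeps the false-positive rate tolerable: on the sample, updates.example trips only the entropy check and is left alone, while exfil-test.net trips all four. In a streaming deployment the same per-domain counters would be kept in sliding windows and the block decision pushed to the resolver as a response policy.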

Different Types of Data Exfiltration

Data exfiltration can be achieved in a variety of ways, and the techniques keep getting more advanced as attackers work to stay ahead of data security controls. Here are some of the most common data exfiltration techniques and how they operate.

Outbound Email — Outbound email can carry e-mail messages, database extracts, calendars, planning documents, images, and virtually any other object a user can attach to or paste into a message. This information may be sent to a third party by email, text message, or file attachment. Email exfiltration can be reduced, though rarely eliminated, with email security tools such as outbound DLP scanning and attachment controls.

Downloads to Insecure Devices — This happens when a user accesses sensitive information from a trusted computer over an authorized channel and then copies the data to an insecure local device. A tablet, notebook, camera, or external hard drive may be used to carry the information out. Any file transferred to an insecure or unmonitored device is at high risk of exfiltration, because the organization's controls no longer apply once the data has left the managed system.

Uploads to External Devices — Just as a download to an insecure device can exfiltrate data, so can an upload to an external device. A disgruntled employee with a thumb drive is the classic example.

Insecure Cloud Behavior — Working in the cloud brings many advantages and opportunities, but it also carries a risk of data exfiltration. If an authorized cloud user accesses cloud services in an insecure manner (for example with leaked credentials or over-permissive roles), a third party can modify virtual machines, make malicious requests to the cloud service, and deploy malicious code under that user's identity.

How Data Exfiltration can be detected

Keep an eye on legitimate business tools

Attackers increasingly adapt their techniques to rely on tools that are already present in the environment, such as remote access tools (RATs). While many RATs have legitimate uses, they are frequently designed to traverse network controls (tunnelling over HTTPS or relaying through the vendor's cloud service, for example), which makes it hard to see who is communicating with whom, when, and how. Security teams therefore have to detect malicious intent that blends in with business-justified activity, a task most analysts find both tedious and difficult. That ability to hide in plain sight appeals to malicious insiders and outside attackers alike.

Keep an eye on encrypted traffic

The network has historically been a valuable source of insight for detection and response, but as more traffic is encrypted it has become increasingly opaque, and security teams lose visibility into this powerful data source as attackers use encryption to evade traditional inspection. When it comes to detecting and stopping exfiltration, knowing what is on the wire is half the battle. TLS fingerprinting can identify which applications are on the network even when almost all payloads are encrypted: it uses the metadata that TLS sends in the clear, chiefly the ClientHello (protocol version, offered cipher suites, extensions, supported groups, and point formats), to tell security teams what kind of client is generating the traffic. The ClientHello is unencrypted even in TLS 1.3 (unless Encrypted Client Hello is in use), so the technique does not depend on being able to decrypt anything. This kind of data is extremely useful in an exfiltration investigation: a large upload from a browser might not be alarming, but a similar upload from a Python script could be. Two caveats apply. A fingerprint identifies the TLS library and its configuration, not the user or the intent, so different programs built on the same library produce the same fingerprint; and a determined attacker can deliberately mimic a browser's fingerprint.
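To make the fingerprinting step concrete, here is an added example (written for this page, not taken from any product or project it mentions) that parses the cleartext ClientHello and derives a JA3-style fingerprint: the client version, cipher suites, extension types, supported groups, and EC point formats, joined into a string and hashed with MD5, with GREASE values dropped so a browser's randomised filler does not change the result. The two ClientHellos are constructed inside the block with a small builder so the example runs offline; neither is a real browser's or library's fingerprint, and the “known fingerprints” allowlist and the 50 MB upload threshold are assumptions standing in for the inventory a real deployment would maintain.

```python
import hashlib
import struct

# GREASE values (RFC 8701) that browsers insert at random positions; JA3 drops
# them so the fingerprint stays stable from one connection to the next.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def build_client_hello(version, ciphers, extensions):
    """Construct a TLS record carrying a ClientHello. Sample input for this
    example only, not captured traffic. extensions is a list of (type, body)."""
    body = struct.pack(">H", version) + bytes(32)            # legacy_version + random
    body += b"\x00"                                          # empty legacy_session_id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                      # compression_methods: null only
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def ja3_string(record):
    """Walk the cleartext ClientHello and build the JA3 string
    'version,ciphers,extensions,groups,point_formats' (decimal, '-' separated)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = record[5:]
    p = 4                                                    # skip type + 3-byte length
    version = struct.unpack_from(">H", hs, p)[0]; p += 2
    p += 32                                                  # random
    p += 1 + hs[p]                                           # session id
    cs_len = struct.unpack_from(">H", hs, p)[0]; p += 2
    ciphers = [struct.unpack_from(">H", hs, i)[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                           # compression methods
    ext_types, groups, formats = [], [], []
    if p + 2 <= len(hs):                                     # extensions block is optional
        end = p + 2 + struct.unpack_from(">H", hs, p)[0]; p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack_from(">HH", hs, p); p += 4
            data = hs[p:p + elen]; p += elen
            ext_types.append(etype)
            if etype == 0x000a:      # supported_groups: u16 list length, u16 entries
                n = struct.unpack_from(">H", data, 0)[0]
                groups = [struct.unpack_from(">H", data, i)[0] for i in range(2, 2 + n, 2)]
            elif etype == 0x000b:    # ec_point_formats: u8 list length, u8 entries
                formats = list(data[1:1 + data[0]])

    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return f"{version},{join(ciphers)},{join(ext_types)},{join(groups)},{join(formats)}"


def ja3_hash(record):
    """JA3 fingerprint: MD5 of the JA3 string. MD5 is an identifier here, not a security control."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def upload_alert(record, bytes_out, known_fingerprints, threshold=50_000_000):
    """The page's heuristic: a large upload is suspicious when the client's
    fingerprint is not one the organisation has inventoried."""
    return bytes_out >= threshold and ja3_hash(record) not in known_fingerprints


# Constructed ClientHellos (assumptions, not real browser or library fingerprints).
# Only extensions 10 and 11 are inspected; the other bodies are plausible filler.
BROWSER_LIKE = build_client_hello(0x0303,
    [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f],        # GREASE first, then real suites
    [(0x0000, b"\x00\x12\x00\x00\x0fwww.example.com"),        # server_name
     (0x1a1a, b""),                                            # GREASE extension
     (0x000a, b"\x00\x06\x00\x1d\x00\x17\x00\x18"),            # groups: x25519, P-256, P-384
     (0x000b, b"\x01\x00"),                                    # point format: uncompressed
     (0x000d, b"\x00\x04\x04\x03\x08\x04"),                    # signature_algorithms
     (0x0010, b"\x00\x03\x02h2"),                              # ALPN: h2
     (0x002b, b"\x02\x03\x04"),                                # supported_versions: TLS 1.3
     (0x0033, b"\x00\x00")])                                   # key_share (empty, for brevity)
SCRIPT_LIKE = build_client_hello(0x0303,
    [0xc02f, 0x009c, 0x002f],                                  # short, older cipher list
    [(0x000a, b"\x00\x02\x00\x17"),                            # groups: P-256 only
     (0x000b, b"\x01\x00")])

if __name__ == "__main__":
    known = {ja3_hash(BROWSER_LIKE)}                           # assumed inventory of approved clients
    for name, rec in (("browser-like", BROWSER_LIKE), ("script-like", SCRIPT_LIKE)):
        print(name, ja3_string(rec), ja3_hash(rec), "ALERT" if upload_alert(rec, 200_000_000, known) else "ok")
```

The fingerprint is built entirely from fields that precede any key exchange, which is why it survives TLS 1.3 and why a passive sensor on a span port can compute it. The allowlist is the weak point in practice: it must be built from the organisation's own traffic, and a client that copies a browser's ClientHello byte for byte will match it.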

Know who has permission to access data and keep an eye on what’s going on

Data exfiltrated by an authorized employee can be even harder to detect than an outsider's. To catch insider exfiltration, security teams need a complete, real-time picture of who has access to sensitive information, and should then monitor those accounts closely for changes in behavior. The volume of data being exfiltrated may look insignificant and irregular, but if the activity is persistent and one-of-a-kind (the same account touching, day after day, files that nobody else touches) it should raise the account's risk score and prompt a closer examination.
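The scoring idea in the paragraph above, persistence and uniqueness outweighing raw volume, is shown in the following added example, which is not code from the page's author or any product. It runs over a constructed ten-day file-access log: one account pulls a single large, widely shared export once; another reads a small, never-shared spreadsheet every single day. The events, account names, the geometric-mean combination of the two factors, and the review threshold of 60 are all assumptions chosen for the illustration.

```python
import math
from collections import defaultdict

# Constructed file-access events (not from a real audit log):
# (day, account, object, bytes_read) over a ten-day window.
WINDOW_DAYS = 10
EVENTS = [
    (1, "alice", "shared/handbook.pdf", 1_200_000),
    (1, "alice", "team/plan.docx", 300_000),
    (3, "alice", "team/plan.docx", 300_000),
    (5, "alice", "shared/handbook.pdf", 1_200_000),
    (8, "alice", "team/plan.docx", 300_000),
    (2, "bob", "team/plan.docx", 300_000),
    (2, "bob", "bob/notes.txt", 5_000),
    (4, "bob", "data/customer-export.csv", 300_000_000),   # one large pull of a shared export
    (6, "carol", "data/customer-export.csv", 300_000_000),
    (6, "carol", "shared/handbook.pdf", 1_200_000),
    (1, "mallory", "shared/handbook.pdf", 1_200_000),
] + [
    # Small, daily, and touching files nobody else reads: low volume, high risk.
    (day, "mallory", f"finance/ledger-2023-{day:02d}.xlsx", 80_000)
    for day in range(1, WINDOW_DAYS + 1)
]


def score_accounts(events, window_days):
    """Per-account risk from persistence (share of days active) and uniqueness
    (share of touched objects that no other account touched). Bytes are reported
    but deliberately not part of the score, which is the paragraph's point."""
    readers = defaultdict(set)                       # object -> accounts that read it
    for _day, acct, obj, _size in events:
        readers[obj].add(acct)

    per = defaultdict(lambda: {"days": set(), "objects": set(), "bytes": 0})
    for day, acct, obj, size in events:
        a = per[acct]
        a["days"].add(day)
        a["objects"].add(obj)
        a["bytes"] += size

    scores = {}
    for acct, a in per.items():
        persistence = len(a["days"]) / window_days
        unique = sum(1 for o in a["objects"] if readers[o] == {acct})
        uniqueness = unique / len(a["objects"])
        # Geometric mean: both factors must be present; one alone scores low.
        risk = 100 * math.sqrt(persistence * uniqueness)
        scores[acct] = {
            "active_days": len(a["days"]),
            "unique_objects": unique,
            "bytes": a["bytes"],
            "risk": round(risk, 1),
        }
    return scores


def accounts_to_review(scores, threshold=60.0):
    """Accounts at or above the review threshold, highest risk first."""
    flagged = [acct for acct, s in scores.items() if s["risk"] >= threshold]
    return sorted(flagged, key=lambda acct: -scores[acct]["risk"])


if __name__ == "__main__":
    scores = score_accounts(EVENTS, WINDOW_DAYS)
    for acct, s in sorted(scores.items(), key=lambda kv: -kv[1]["risk"]):
        print(f"{acct:8} days={s['active_days']:2} unique={s['unique_objects']:2} "
              f"bytes={s['bytes']:>11,} risk={s['risk']}")
    print("review:", accounts_to_review(scores))
```

On the sample, bob moves roughly 150 times more data than mallory yet scores around 26 because his access is sporadic and mostly to shared objects, while mallory's steady trickle of files nobody else opens scores above 95. In production the "who else reads this" test would be scoped to the user's peer group and the window would slide, but the two signals are the same.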

How data exfiltration can be prevented

Because data exfiltration frequently relies on social engineering to gain a foothold on protected company networks, preventing users from downloading unknown or suspicious applications is a proactive measure companies should take. Effectively blocking the download of malicious applications without restricting access to the applications users need is difficult, however. But to compromise an endpoint effectively, malware must still be able to communicate externally with a command-and-control (C2) server to receive instructions or to exfiltrate data. Detecting and blocking that unauthorized outbound communication, including covert channels such as DNS, is therefore a viable way of preventing data exfiltration even when the initial download could not be stopped.