Data Exfiltration Threats and Prevention Techniques You Should Know
A data exfiltration attack is an unauthorized attempt to transfer data out of an organization. These attempts may be generated by bots or orchestrated by human actors. There are many variants, but the most commonly used techniques target outbound email, insecure devices and cloud storage.
Data exfiltration attacks often mimic normal activity. This is why it is difficult to detect them in time, before at least some portion of the data has already been transferred. To reliably detect data exfiltration, organizations need to distinguish between unauthorized and authorized data transfers. You can do that by leveraging data loss prevention (DLP), user and entity behavior analytics (UEBA) and security information and event management (SIEM) technologies.
In this article, you will learn:
- What is data exfiltration
- Types of data exfiltration techniques
- Examples of data exfiltration attacks
- How to prevent data exfiltration
What is data exfiltration?
Data exfiltration is a security breach during which data is transferred from your systems or devices by an unauthorized user. It is sometimes also called data theft, data exportation or data extrusion.
Data exfiltration can occur as part of an automated attack or can be performed manually and can occur on-site or through an internet connection. When it occurs, it is typically part of a targeted attack for sensitive or valuable data.
While data exfiltration can be detected, it often is not until at least some data has been lost. This is because the illegitimate transfer of data looks very similar to legitimate transfers. To detect it you need to recognize that the user or service should not be transferring data, that the data being moved is suspicious, or that the size of the transfer is suspicious.
Types of data exfiltration techniques
There are several ways that attackers commonly exfiltrate data. As attackers look for ways around more advanced security tooling, these methods also evolve. Here are some of the most commonly used data exfiltration techniques:
- Outbound email—used to exfiltrate data from calendars, databases, email, and planning documents. This method can involve attaching documents to outgoing emails, or harvesting attachments that users have legitimately sent and that now reside on the email server.
- Downloads to insecure devices—data is transferred by users from secure, trusted systems to an insecure device. From there, the attacker can infiltrate the device and exfiltrate the data. Insecure devices often include smartphones, cameras, laptops, or external drives.
- Uploads to cloud storage—data can be exfiltrated from cloud storage when data is uploaded to insecure or misconfigured resources. These resources may be purposely misconfigured, by attackers or malicious insiders, or accidentally left exposed to the public. Exfiltration may also occur when employees upload data to personal cloud drives from secure systems.
- Unsecured behavior in the cloud—similar to cloud storage, misconfigurations or lack of security in cloud environments can leave pathways for data exfiltration. Another concern is if excessive access is provided to cloud services connected to data systems. If these services are compromised, attackers can use service permissions to access and exfiltrate data.
Data exfiltration examples: 3 attacks you can learn from
Data exfiltration is one of the most common types of attacks, particularly on organizations with significant amounts of sensitive data. This data is appealing to attackers because it can often be directly used, sold, or leveraged for personal gain. Below are a few examples of some particularly damaging exfiltration attacks.
In 2018, an insider at SunTrust Bank was uncovered after stealing up to 1.5 million customer records. This data included customer names, addresses, phone numbers, and account balances.
The exfiltration was discovered when the bank’s security team noticed “inappropriate access” of data by an ex-employee. This employee was able to use ongoing access to records to steal data. The bank believes the ex-employee was trying to print records to share with a third party for personal gain.
Tesla also experienced an exfiltration attack in 2018. In this attack, an employee altered code in the company’s manufacturing OS and passed sensitive data to unknown third parties. The data included a video of Tesla’s manufacturing systems, dozens of confidential photos, and gigabytes of data.
It is believed the employee performed this theft due to being personally upset about being passed over for a promotion. However, he may also have been working in cooperation with industry competitors.
In 2020, Travelex, a retail currency dealer, was the victim of exfiltration carried out as part of a ransomware attack. The attack, performed by a threat actor known as UNKN, used a family of ransomware called Sodinokibi. This ransomware was inserted through an unpatched vulnerability in the company’s Pulse Secure VPN server.
After encrypting Travelex data to make it inaccessible to the company, the attacker demanded $6 million to release the data. The company refused to pay, however, leading UNKN to release 5 GB of data to the public. The data contained personally identifiable information (PII) and financial information.
How to prevent data exfiltration
Preventing data exfiltration should be a priority for any organization, especially those with sensitive data. Below are a few tools and practices you can use to ensure that your data is and remains as secure as possible.
Security information and event management (SIEM) solutions serve as the foundation of many security strategies. These solutions enable teams to ingest and monitor data from across systems via a centralized dashboard.
SIEM platforms integrate with the various components and tooling in your system to aggregate, analyze and correlate data. If events are determined to be suspicious, the SIEM can alert security teams and provide contextual information for event investigation.
These solutions are particularly helpful for detecting data exfiltration because SIEMs are able to evaluate and identify trends over an extended period. Often, data exfiltration occurs in several smaller events. SIEMs can connect these events together and produce a timeline for teams to investigate.
User and entity behavior analytics (UEBA) solutions use machine learning to analyze the behavioral patterns of users and devices (entities). With this analysis, solutions are able to create baselines of normal or expected behavior that new events can be compared against. If an event does not match the existing patterns, security teams are alerted and provided contextual information to investigate.
UEBA is particularly useful for detecting and preventing exfiltration because it can identify unusual file access or manipulation. This means that even insiders with valid credentials are detected if they begin exporting or accessing data they are not supposed to touch. You can integrate UEBA with your data loss prevention tools.
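The two detection ideas above, a SIEM stitching several small events into one timeline and a UEBA baseline that flags a user whose outbound volume departs from their own history, can be illustrated with a small script. The following is an added example written for this article and is not Exabeam code or a description of the Exabeam platform; the log format, the user names, the destinations and every byte count are constructed for the illustration, and the thresholds (robust z-score above 3.5, per-event limit of 5 MB, 10 MB inside a one-hour window) are assumptions a real deployment would tune.

```python
from collections import defaultdict
from datetime import date, datetime, timedelta
from statistics import median

# Constructed sample transfer log (not real data): "timestamp user channel destination bytes".
# alice has five ordinary days, then a burst of individually small uploads to a personal drive.
SAMPLE_LOG = """\
2024-03-01T09:12:00 alice email ext:partner.example 120000
2024-03-01T14:03:00 alice cloud drive.corp.example 450000
2024-03-02T10:30:00 alice email ext:partner.example 90000
2024-03-03T11:00:00 alice cloud drive.corp.example 300000
2024-03-04T09:45:00 alice email ext:partner.example 110000
2024-03-05T16:20:00 alice cloud drive.corp.example 500000
2024-03-06T08:01:00 alice cloud personal-drive.example 4000000
2024-03-06T08:07:00 alice cloud personal-drive.example 4200000
2024-03-06T08:15:00 alice cloud personal-drive.example 3900000
2024-03-06T08:22:00 alice cloud personal-drive.example 4100000
2024-03-06T08:30:00 alice usb removable:E 2500000
2024-03-01T09:00:00 bob email ext:vendor.example 200000
2024-03-02T09:00:00 bob email ext:vendor.example 210000
2024-03-03T09:00:00 bob email ext:vendor.example 190000
2024-03-04T09:00:00 bob email ext:vendor.example 205000
2024-03-05T09:00:00 bob email ext:vendor.example 195000
2024-03-06T09:00:00 bob email ext:vendor.example 200000
"""

def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, channel, dest, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "channel": channel, "dest": dest, "bytes": int(nbytes)})
    return events

def daily_totals(events):
    """Bytes sent out per (user, calendar day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["user"], e["ts"].date())] += e["bytes"]
    return totals

def baseline(events, user, before, min_days=3):
    """UEBA-style baseline: median and MAD of the user's daily bytes out on days before `before`."""
    days = [v for (u, d), v in daily_totals(events).items() if u == user and d < before]
    if len(days) < min_days:
        return None                      # not enough history to judge this user
    med = median(days)
    mad = median(abs(v - med) for v in days) or 1.0   # guard against a zero scale
    return med, mad

def score_day(events, user, day, threshold=3.5):
    """Robust z-score of one day's outbound volume against the user's own baseline."""
    base = baseline(events, user, day)
    if base is None:
        return None
    med, mad = base
    total = daily_totals(events).get((user, day), 0)
    z = 0.6745 * (total - med) / mad     # 0.6745 scales MAD to a normal sigma
    return {"user": user, "day": day.isoformat(), "total": total,
            "baseline_median": med, "robust_z": round(z, 2), "anomalous": z > threshold}

def correlate_small_transfers(events, user, window=timedelta(hours=1),
                              per_event_max=5_000_000, window_total=10_000_000):
    """SIEM-style correlation: transfers that each stay under a per-event limit but
    together exceed `window_total` inside one sliding window. Returns the largest
    such group so the analyst sees the whole sequence rather than one alert."""
    evs = sorted((e for e in events if e["user"] == user and e["bytes"] <= per_event_max),
                 key=lambda e: e["ts"])
    best = []
    for i, start in enumerate(evs):
        group = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
        if sum(e["bytes"] for e in group) >= window_total and len(group) > len(best):
            best = group
    return best

def timeline(group):
    """Render a correlated group as the ordered timeline an analyst would review."""
    return [f"{e['ts'].isoformat()} {e['channel']} -> {e['dest']} ({e['bytes']} bytes)"
            for e in group]

def analyse(log_text, day_iso):
    """Score every user for one day and attach any correlated low-and-slow sequence."""
    events = parse_log(log_text)
    day = date.fromisoformat(day_iso)
    report = {}
    for user in sorted({e["user"] for e in events}):
        group = correlate_small_transfers(events, user)
        report[user] = {"score": score_day(events, user, day),
                        "correlated_events": len(group), "timeline": timeline(group)}
    return report

if __name__ == "__main__":
    for user, r in analyse(SAMPLE_LOG, "2024-03-06").items():
        print(user, r["score"])
        for line in r["timeline"]:
            print("   ", line)
```

On the constructed data, alice's 6 March total of 18.7 MB sits far above her 300 KB median, and the five uploads between 08:01 and 08:30 are each under the per-event limit yet are grouped into one timeline; bob's steady 200 KB per day scores zero and produces no group. A median/MAD baseline is used rather than mean/standard deviation so that one earlier large day does not inflate the scale and hide the next one.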
Insecure credentials are one of the most common methods attackers use to gain access to a system. These can include default passwords that have not been changed, weak or reused passwords, or passwords that have been inadvertently shared through phishing.
To prevent the abuse of passwords, make sure that password policies require a certain complexity and that passwords are rotated periodically. You should also consider implementing multi-factor authentication (MFA), which uses a second factor to confirm a user’s identity.
Encrypting your data at rest and in transit ensures that only those with the appropriate key are able to access it. Encryption is also a requirement of many regulatory compliance and industry standards.
To keep your data secure, ensure that all data is encrypted whenever possible. If there are cases where encryption is not possible, for example with paper documents, extra security precautions should be added.
Employee mistakes are a frequent weakness leveraged by attackers. Employees may unsuspectingly download malicious files, share credentials through phishing campaigns, or fail to properly secure personal devices.
To avoid these mistakes, it is important to periodically train your employees on proper security measures. Make sure that they understand how to identify suspicious sites, documents, and emails. You should also ensure that they know whom to report suspicious events to, so security teams can take action as soon as possible.
Firewall egress filters
Firewalls should be implemented to block unwanted outsiders and prevent the egress of data. Egress filters enable you to ensure that data is transferred according to protocol, over the correct ports and to approved locations. These filters help ensure that even if attackers get in, they are not able to send data out.
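The three checks an egress filter performs (right protocol, right port, approved destination) with everything else denied by default can be modelled as a small policy evaluator. The following is an added example written for this article, not firewall configuration from the page or from any vendor; the allow rules, the corporate resolver and mail relay addresses, the partner range and the flow records are all constructed, and the "app" field stands in for the application label a next-generation firewall or flow collector would attach to each connection.

```python
import ipaddress

# Egress allow rules (constructed policy): (protocol, port, expected application, destination).
# Anything not matched here is denied, which is the default-deny egress posture.
EGRESS_ALLOW = [
    ("tcp", 443, "tls", "any"),               # web traffic to the internet
    ("tcp", 80, "http", "any"),
    ("udp", 53, "dns", "10.0.0.53/32"),       # DNS only via the corporate resolver
    ("tcp", 25, "smtp", "10.0.0.25/32"),      # mail only via the corporate relay
    ("tcp", 22, "ssh", "203.0.113.0/24"),     # SFTP to one approved partner range
]

# Constructed flow records, shaped like an NGFW or flow collector export.
FLOWS = [
    {"src": "10.0.1.15", "dst": "93.184.216.34", "proto": "tcp", "port": 443, "app": "tls"},
    {"src": "10.0.1.15", "dst": "10.0.0.53", "proto": "udp", "port": 53, "app": "dns"},
    {"src": "10.0.1.15", "dst": "198.51.100.7", "proto": "udp", "port": 53, "app": "dns"},
    {"src": "10.0.1.22", "dst": "198.51.100.9", "proto": "tcp", "port": 443, "app": "ssh"},
    {"src": "10.0.1.22", "dst": "198.51.100.9", "proto": "tcp", "port": 8443, "app": "unknown"},
    {"src": "10.0.1.30", "dst": "203.0.113.10", "proto": "tcp", "port": 22, "app": "ssh"},
]

def evaluate_flow(flow, rules=EGRESS_ALLOW):
    """Return ("allow" | "deny", reason) for one outbound flow under the allowlist."""
    dst = ipaddress.ip_address(flow["dst"])
    for proto, port, app, net in rules:
        if flow["proto"] != proto or flow["port"] != port:
            continue
        if net != "any" and dst not in ipaddress.ip_network(net):
            continue                      # right port, unapproved destination: keep looking
        if flow["app"] != app:
            # The port is open, but the traffic is not the protocol the rule was written for.
            return "deny", f"{proto}/{port} expects {app}, observed {flow['app']}"
        return "allow", f"matched {proto}/{port} -> {net}"
    return "deny", "no matching egress rule (default deny)"

def audit(flows, rules=EGRESS_ALLOW):
    """Summarise which flows the policy lets out and why the rest were stopped."""
    report = {"allowed": 0, "denied": []}
    for f in flows:
        verdict, reason = evaluate_flow(f, rules)
        if verdict == "allow":
            report["allowed"] += 1
        else:
            report["denied"].append({**f, "reason": reason})
    return report

if __name__ == "__main__":
    result = audit(FLOWS)
    print(f"allowed: {result['allowed']}")
    for d in result["denied"]:
        print(f"denied {d['src']} -> {d['dst']} {d['proto']}/{d['port']}: {d['reason']}")
```

Of the six constructed flows, three are allowed and three are denied: DNS to a resolver outside the corporate one, a connection on port 443 whose observed application is not TLS, and a port with no rule at all. The second case is why port-only filtering is not enough; the policy ties each open port to the protocol it was opened for, and the denied list is what you would feed to the SIEM for review.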
Data exfiltration protection with Exabeam
DLP solutions are great at monitoring data flows and securing against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that do not match any known pattern, or cannot be captured by DLP security rules. A category of security tools called user and entity behavior analytics (UEBA) can help.
UEBA tools establish a behavioral baseline for individual users, applications, network devices, IoT devices, or peer groupings of any of these. Using machine learning, they can identify abnormal activity for a specific user or entity, even if it doesn’t match any known threat or pattern. This can complement traditional DLP solutions, alerting security teams to data-related incidents that have slipped past DLP rules.
A SIEM also augments DLP solutions by aggregating events related to data security from across the organization and helping security teams correlate multiple events that may be related to the same attempt.
For an example of a next-generation SIEM system with built-in UEBA, which can help prevent data exfiltration, learn more about the Exabeam Security Management Platform.