Data Exfiltration

Shraddha Bhosale
Aug 30, 2022

Data exfiltration is defined as an authorized person extracting data from the secured systems where it belongs and either sharing it with unauthorized third parties or moving it to insecure systems. Authorized persons include employees, system administrators, and trusted users. Data exfiltration can occur through the actions of malicious or compromised actors, or accidentally. It can also be conducted by outsiders who penetrate the network in order to steal user credentials, intellectual property, and company secrets. Outsider attacks usually start with the injection of malware onto an endpoint, such as a computer or mobile device, that is connected to the corporate network. The malware exfiltrates the data to an external server controlled by the outsider, who may then sell it or publish it. Data exfiltration may also occur when an insider moves data outside of the network, such as by emailing it to a non-corporate email address or copying it to an unsecured cloud storage service or software-as-a-service (SaaS) product. These actions are often performed with benign intent by employees just trying to do their jobs, but they expose the data to risk by removing it from the oversight of the security team and corporate policies.
Data Exfiltration Techniques:
1. Social Engineering
It is one of the most common methods of exfiltrating data. An adversary tricks a user into sharing sensitive data or credentials by posing as a legitimate employee or partner. For example, an adversary may pose as a help desk agent to ask a user for sensitive information, such as username and password.
One common type of social engineering attack is phishing. In phishing attacks, the attacker sends users an email that appears to be from a legitimate source, such as the human resources department. The email will ask the user to click on a link, which will send victims to a false site that looks exactly like the official human resources portal. This false site may be set up exclusively to harvest credentials, or the site’s code may contain a malicious script that installs a keylogger or other malware that will then be used to execute the next stage of the phishing attack.
2. Human Error
Careless insiders commonly download sensitive company data from their secure company-issued devices to personal devices that are not protected by their employers' network security solutions or policies. Instead, the data is either entirely unprotected or protected only by basic consumer security tools. In this situation, data exfiltration may not be limited to the movement of files; it could include photos of monitor screens taken with smartphones, recordings of conversations made with smartphones, etc.
3. Insider Threat Uploads to External Device
Malicious insiders are less common than their careless co-workers, but a malicious insider can do a great deal more damage. A malicious insider is able to use legitimate credentials to conduct nefarious activities for an extremely long period of time before detection occurs, if it ever does. Because this user's credentials are legitimate, their data exfiltration will not be noticed unless they are moving large amounts of valuable data or trying to access parts of systems that are beyond their level of privilege. During their period of activity, malicious insiders usually download data from a trusted device onto a personal device or thumb drive, and then upload it to an external location, such as a storage service on the dark web, before selling it or disseminating it.
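The section above notes that an insider using valid credentials is only likely to be noticed when large volumes of data move to an external destination. The following added example (not from the original post) shows that detection logic run over constructed proxy log lines: it sums bytes uploaded per user to hosts outside an assumed corporate domain, example.com, and flags users whose volume is far above their peers.

```python
from collections import defaultdict
from statistics import median

# Constructed proxy log lines: timestamp user method host bytes_sent
SAMPLE_LOG = """\
2022-08-30T09:01:10 alice POST mail.example.com 2048
2022-08-30T09:02:31 alice POST sharepoint.example.com 51200
2022-08-30T09:05:07 bob POST drive.personal-cloud.test 734003200
2022-08-30T09:06:12 bob POST drive.personal-cloud.test 419430400
2022-08-30T09:10:44 carol POST mail.example.com 4096
2022-08-30T09:11:02 carol POST updates.vendor.test 20480
"""

INTERNAL_SUFFIX = ".example.com"  # assumed corporate domain


def parse_log(text):
    """Parse the whitespace-separated constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, method, host, sent = line.split()
        events.append({"ts": ts, "user": user, "method": method,
                       "host": host, "bytes": int(sent)})
    return events


def external_upload_bytes(events):
    """Bytes sent per user to hosts outside the corporate domain
    (the 'external server' or personal cloud storage the post describes)."""
    totals = defaultdict(int)
    for e in events:
        if e["method"] in ("POST", "PUT") and not e["host"].endswith(INTERNAL_SUFFIX):
            totals[e["user"]] += e["bytes"]
    return dict(totals)


def flag_outliers(totals, factor=10, floor=100 * 1024 * 1024):
    """Flag users whose external upload volume is above an absolute floor (100 MiB)
    AND more than `factor` times the median of everyone else. Returns (user, bytes) pairs."""
    flagged = []
    for user, sent in totals.items():
        others = [v for u, v in totals.items() if u != user]
        baseline = median(others) if others else 0
        if sent >= floor and sent > factor * baseline:
            flagged.append((user, sent))
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_outliers(external_upload_bytes(parse_log(SAMPLE_LOG))))
```

The absolute floor keeps a quiet environment from flagging ordinary small uploads just because the median is tiny; in practice the baseline would come from each user's own history rather than a single day's peers.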
Examples of data exfiltration
1. In February 2021, Talos Intelligence researchers discovered a new variant of the "Masslogger" Trojan. Masslogger is a clear example of how cybercriminals can use malware to exfiltrate data from online accounts. This new Masslogger variant arrives via a phishing email with "a legitimate-looking subject line" carrying a malicious attachment. The Trojan targets platforms like Discord, Outlook, Chrome, and NordVPN, using "fileless" attack methods to exfiltrate credentials.


2. Over the course of 9 months, an employee at Anthem Health Insurance forwarded 18,500 members' records to a third-party vendor. These records included Personally Identifiable Information (PII) such as social security numbers, last names, and dates of birth.
How to Prevent Data Exfiltration
To prevent data exfiltration and consequences such as financial loss, compliance issues, and reputational damage, companies must identify and mitigate potential risks without harming user productivity. Anything less can leave them exposed. The following sections delve into some best techniques used to prevent data exfiltration.
1. Detect and Stop Phishing Attacks
Phishing is a successful means of attack because cybercriminals know how to take advantage of human error and how to bypass insufficient security solutions. Some organizations rely on less effective, traditional schemes such as domain blocking, Secure Email Gateways (SEGs), and rule-based solutions. These signature-based methods cannot protect against highly personalized, low-volume, targeted attacks that do not include any identifiable malicious content.
2. Deploy Data Loss Prevention (DLP) Strategies
Data loss prevention (DLP) is a set of business policies and technologies designed to ensure end-users cannot send sensitive or confidential data outside the organization. This type of system scans all outbound emails, monitoring them for pre-determined patterns that might indicate a person is transmitting sensitive information, such as a credit card number or social security numbers. Depending on the policy, if an email contains text that matches this format, the program automatically encrypts the data or blocks it from being sent.
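As an added illustration of the DLP behaviour described above (example code, not from the original post or any DLP product), the block below scans an outbound message for the two patterns the section names, credit card and social security numbers, and returns the policy action. It assumes a corporate domain of example.com and uses the Luhn checksum so that random digit runs are not treated as card numbers.

```python
import re

# Candidate card number: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum: filters out digit runs (order ids, timestamps) that merely look like cards."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(body: str) -> dict:
    """Return the sensitive values found in a message body, keyed by data type."""
    findings = {"card": [], "ssn": []}
    for m in CARD_RE.finditer(body):
        if luhn_valid(m.group()):
            findings["card"].append(m.group().strip())
    findings["ssn"] = SSN_RE.findall(body)
    return findings


def decide(message: dict, internal_domain: str = "example.com") -> str:
    """Policy (assumed for this example): internal-only mail passes; external mail
    carrying card data is blocked, external mail carrying SSNs is encrypted."""
    findings = classify(message["body"])
    external = any(not addr.lower().endswith("@" + internal_domain) for addr in message["to"])
    if not external or not (findings["card"] or findings["ssn"]):
        return "allow"
    if findings["card"]:
        return "block"
    return "encrypt"


if __name__ == "__main__":
    msg = {"to": ["vendor@partner.test"], "body": "Card on file: 4111 1111 1111 1111"}
    print(decide(msg))
```

Pattern matching alone is the weakest part of a DLP deployment; real products add context (document fingerprints, sender role, destination reputation) to cut both false positives and deliberate obfuscation.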
3. Disable Unauthorized Channels and Protocols
It’s essential for an organization to keep track of which users have access to their sensitive data, revoking access to any partner or employee after terminating a business relationship with them. Allowing someone to keep access even for one more day could lead to a security breach with severe productivity, reputational, or monetary consequences.
4. Implement Backup and Data Encryption Processes
If a security breach occurs, it is vital to be prepared and frequently back up all data so it’s available for quick restoration. Failing to regularly back up data can lead to significant loss, should the worst happen. Data backup is a cybersecurity standard requirement.
In addition, establishing encryption policies helps keep data safe while in transit. Cybercriminals who intercept encrypted messages cannot read or tamper with them without the key. Once confidential data is transformed into ciphertext, it needs a unique key to be unlocked.