Last Updated: 25th December, 2020
Data Exfiltration Attack: An unauthorized attempt to transfer data is a data exfiltration attack. Bots may trigger these attempts, or be orchestrated by human actors. A diverse variety of sources exist, but outbound email, unreliable apps and cloud storage are the most widely used ingenuities.
On numerous occasions, data exfiltration attacks imitate routine behavior. That is why, until any portion of the data has already been transmitted, it is strenuous to detect data exfiltration attacks real time. Organizations need to differentiate between unauthorized and authorized transmission of data to identify data exfiltration effectively. Precisely by using Data Loss Prevention (DLP), UEBA, and SIEM technologies, you can do that as well.
What Is Data Exfiltration?
Data exfiltration constitutes a breach of security through which data is transferred by an unauthorized user from your networks or gadgets. It is frequently also referred to data theft, data export or extrusion of data.
As part of an automated attack, data exfiltration can occur or can be carried out manually and can take place on-site or via a connection to the internet. When this happens, highly classified or sensitive information is usually part of a targeted data exfiltration attack.
While data exfiltration can be detected, it often is not until at least some data has been lost. This is because the illegitimate transfer of data looks very similar to legitimate transfers. To detect it, you need to recognize that the user or service should not be transferring data, that the data being moved is suspicious, or that the size of the transfer is suspicious.
Types Of Data Exfiltration Ingenuities
There are several ways that attackers commonly exfiltrate data. As attackers look for ways around more advanced security tooling, these methods also evolve. Here are some of the most commonly used data exfiltration ingenuities:
- Outbound Email — Used to exfiltrate data from calendars, databases, email, and planning documents. This method can involve attaching documents to emails and sending those emails out or exfiltrating data on email servers that users have legitimately attached.
- Downloads To Insecure Devices — Data are transferred by users from secure, trusted systems to an insecure device. From there, the attacker can infiltrate the device and exfiltrate the data. Insecure devices often include smartphones, cameras, laptops, or external drives.
- Uploads To Cloud Storage — Data can be exfiltrated from cloud storage when information is uploaded to insecure or misconfigured resources. These resources may be purposely misconfigured, by attackers or malicious insiders or accidentally left exposed to the public. Exfiltration may also occur when employees upload data to personal cloud drives from secure systems.
- Unsecured Behavior In The Cloud — Similar to cloud storage, misconfigurations or lack of security in cloud environments can leave pathways for data exfiltration. Another concern is if excessive access is provided cloud services connected to data systems. If these services are compromised, attackers can use service permissions to access and exfiltrate data.
Examples Of Data Exfiltration Attacks
Data exfiltration is one of the most typical types of attacks, particularly on organizations with significant amounts of sensitive data. This data is appealing to attackers because it can frequently be directly employed, sold, or leveraged for personal gain. Underneath set a few examples of some particularly damaging exfiltration attacks.
In 2018, an insider at SunTrust Bank was uncovered after stealing up to 1.5 million customer records. This data included customer names, addresses, phone numbers, and account balances.
The exfiltration was discovered when the bank’s security team noticed “inappropriate access” of data by an ex-employee. This employee was able to use ongoing access to records to steal data. The bank believes they were trying to print records to share with a third-party for personal gain.
Tesla also experienced a data exfiltration attack in 2018. In this data exfiltration attack, an employee altered code in the company’s manufacturing OS and passed sensitive data to an unknown third-parties. The data included a video Tesla’s manufacturing systems, dozens of confidential photos and GBs of data.
It is believed the employee performed this theft for being personally upset about being passed over for a promotion. However, he may also have been working in cooperation with industry competitors.
In 2020, Travelex, a retail currency dealer, was a victim of exfiltration accomplished with ransomware. The attack, performed by a threat actor known as UNKN, used a family of ransomware called Sodinokibi. This ransomware was inserted through an unpatched vulnerability in the company’s Pulse Secure VPN server.
After encrypting Travelex data to make it inaccessible to the company, the attacker demanded $6 million dollars to release the data. The company refused to pay, however, leading UNKN to release 5GB of data to the public. The data contained personally identifiable information (PII) and financial information.
How To Prevent Data Exfiltration Attack
Preventing data exfiltration should be a priority for any organization; especially those dealing with sensitive data. Below are a few tools and practices you can use to ensure your data are and remains as secure as possible.
System information and event management (SIEM) solutions serve as the foundation of many security strategies. These solutions enable teams to ingest and monitor data, from across systems via a centralized dashboard.
SIEM platforms integrate with the various components and tooling in your system to aggregate, analyze and correlate data. If events are determined to be suspicious, the SIEM can alert security teams and provide contextual information for event investigation.
These solutions are incredibly helpful for detecting data exfiltration because SIEMs are able to evaluate and identify trends over an extended period. In many instances, data exfiltration occurs in several more insignificant events. SIEMs can connect these events together and produce a timeline for teams to investigate.
User and entity behavior analytics (UEBA) solutions use machine learning to analyze the behavioral patterns of users and devices (entities). With this analysis, solutions are able to create baselines of normal or expected behavior that recent events can be compared against. If an event does not match the existing patterns, security teams are alerted and provided contextual information to investigate.
UEBA is incredibly useful for detecting and preventing exfiltration because it can identify unusual file access or manipulation. This means that even insiders with valid credentials is detected if they begin exporting or accessing data they aren’t supposed to. You can integrate UEBA with your data loss prevention tools.
Insecure credentials are one of the most common methods attackers use to gain access to a system. These can include default passwords that have not been changed, weak or reused passwords, or passwords that have been inadvertently shared through phishing.
To prevent the abuse of passwords, you should make sure password policies require a certain complexity and that passwords are rotated periodically. You should also consider implementing Multi-factor Authentication (MFA) which uses a secondary method to confirm a user’s identity.
Encrypting your data at-rest and in-transit ensures only those with the appropriate key are able to access it. Encryption is also a requirement of many regulatory compliance and industry standards. To keep your data secure, ensure that all data is encrypted whenever possible. If there are times when encryption is not possible, for example, in paper documents, extra security precautions should be added.
Employee mistakes are a frequent weakness leveraged by attackers. Employees may unsuspectingly retrieve malicious files, share credentials through phishing campaigns, or fail to properly secure personal devices.
To prevent these mistakes, it is significant to periodically discipline your employees on proper security measures. Make sure they understand how to identify suspicious sites, documents, and emails. You should also ensure they distinguish who to report suspicious events to so security teams can take action as soon as possible.
Firewall Egress Filters
Firewalls should be implemented to block unwanted outsiders and prevent the egress data. Egress filters enable you to ensure data are transferred according to protocol, over the appropriate ports and to approved locations. These filters help ensure that even if attackers get in, they are incapable to transmit data out.
Data Exfiltration Protection
DLP solutions are brilliant at monitoring data flows and securing against known threat patterns. However, malicious insiders and sophisticated attackers can act in ways that do not match any known pattern, or cannot be captured by DLP security rules. A category of security tools called user and event behavioral analytics (UEBA) can help.
UEBA tools establish a behavioral baseline for unique users, applications, network devices, IoT devices, or peer groupings of any of these. Using machine learning, they can identify abnormal activity for a specific user or entity, even if it doesn’t match any known threat or pattern. This can complement traditional DLP solutions, alerting security teams of data-related incidents that have slipped past DLP rules.
A SIEM also enhances DLP solutions by aggregating data protection related incidents from around the enterprise and helping security teams correlate different events that could be correlated with the same attempt.