Data Exfiltration: What it is and how it affects you


Every organization has data that is regulated, needs to be protected, and is crucial to business success. Employees access this data on a regular basis for legitimate purposes to further the business priorities and missions. This data is also a valuable target for threat actors.

Organizations rely on keeping their data secure and accessible only to the right entities. This data can contain proprietary information and employee or client records. During cyber incidents, this same data is a high-value target for threat actors, and its loss can cause serious harm to companies in several ways:

  • Financial – Regulators can seek damages and fines for unauthorized access to certain types of data, such as personally identifiable information (PII).
  • Reputational – Employees, clients, and customers can lose faith in the organization’s ability to secure the data. This can cost business relationships, slow growth, or cause valuable employees to seek new employment.
  • Legal – Both regulators and clients can potentially pursue legal action over the security incident.

CrowdStrike found that in 2022 there was a 20% increase in threat actors conducting data theft campaigns without deploying ransomware. [1]

What is Data Exfiltration?

Proofpoint did a fantastic job of defining data exfiltration: “Data exfiltration is defined as the unauthorized copying, transfer, or retrieval of data from either a server or an individual’s computer. It’s a type of security breach that occurs when individual or company data is illicitly copied, transferred, or retrieved from a device or server without proper authorization, often with malicious intent.” [2]

In other words, it is data leaving your network that isn’t supposed to.

How does it occur?

Data can be transferred by either internal or external threats, either maliciously or accidentally, using any of several methods.

With non-malicious intent, end users can upload data to locations that are not supported, protected, or approved by the organization. This can include cloud storage services (OneDrive, Dropbox, Google Drive), AI chatbots (ChatGPT, Copilot), or external drives used without approval. The concern is that those outside applications are not monitored by the organization, and no contractual obligations about the security of that data exist between the organization and the provider. This puts the data at considerable risk of becoming public, going to competitors, being stolen and sold, or being used by threat actors to extort the company.

From a malicious intent perspective, data exfiltration can occur through phishing links, malware installations, and hands-on attacker activity. Threat actors use common tools to compress large amounts of data and then quickly move it out of your network using file transfer tools. Typically, once this data is stolen, the threat actor deploys ransomware to encrypt the data and shut down the systems.

  • Data compression tools:
    • WinRAR
    • WinZip
    • 7-Zip
  • Data transfer tools:
    • WinSCP
    • Megasync
    • rclone

Threat actors move the data to their own private servers for storage or to a cloud service such as mega.io or temp.sh. Mega.io is a privacy-focused cloud storage provider. Temp.sh is made for temporary hosting and quick transfer of files and text; its file size limit is 4GB.

How fast can data be exfiltrated?

Gone are the days when threat actors spent months inside a network, scouring the environment and meticulously finding and exfiltrating sensitive data. With the increased focus on cybersecurity, threat actors have had to change their tactics to be faster and more efficient, lessening their chance of being caught and booted from the network. The approach has shifted from slow and steady to “smash and grab.” As a result, their timetable got shorter: what started as months shifted to weeks, then days. Now we are seeing it happen in 2 hours.

Akira, a large and well-known criminal ransomware gang that has been active since March 2023 [3], recently took 133 minutes from initial access to data exfiltration. [4] According to a Palo Alto Networks Unit 42 report, data exfiltration time has decreased significantly over the last 3 years. In 2021, it was roughly 9 days. “In approximately 45% of cases this year (2024), attackers exfiltrated data within a day of compromise.” [5] Defenders have less and less time to respond to attacks and security incidents.

How to prevent data exfil?

Unfortunately, there is no single plug-and-play method to prevent data exfiltration, but the risk can be mitigated in several ways. These are large-scale concepts that together form a defense-in-depth strategy.

  • Organizational Visibility
  • Zero Trust
  • Network Segmentation
  • Data Loss Prevention
  • Endpoint Detection and Response

Organizational Visibility

You must have an idea of what is going on in the network at all times. Monitoring employees’ activities is crucial to detecting and responding to abnormal behavior. Any unusual user behavior could indicate something nefarious and should be investigated as such. Take careful note of any file transfer tools found on a system or malicious websites visited.

Having visibility through an EDR tool on all endpoints and sending that telemetry to a Security Information and Event Management (SIEM) solution gives your analysts and security operations center (SOC) the visibility they need to learn baseline network behavior, which is the foundation for anomaly detection. Once this baseline is established, it is easier to alert on and react to anomalies.

On the same topic of visibility, organizations should enforce robust logging on external-facing applications and devices. Any external-facing device, such as a web server, a firewall, or anything in a DMZ, should have logging enabled and retained for review. These logs should be sent to a syslog server or the SIEM.

Zero Trust

Zero trust is a concept that has been around for several years. It describes an infrastructure in which every action requires authentication and authorization, with no inherent trust between an account and an object. Zero trust is built on strong user authentication and verification of user device integrity; applications are not trusted by default, and infrastructure is built with security in mind. Zero trust works under the assumption that threats can be both external and internal to the network. For more information on zero trust, see the NIST website. [6]

Network Segmentation

Network segmentation reduces the attack surface by containing security incidents and limiting a threat actor’s movement around the network. Segmentation works by controlling traffic flows between endpoints; access control lists, firewalls, and virtual local area networks (VLANs) are used to segment network traffic. Network segmentation supports zero trust by assuming that other devices on the network are untrustworthy. Network segmentation provides:

  • Stronger network security
  • Better performance
  • A reduced compliance scope under regulatory requirements

Data Loss Prevention (DLP)

DLP is the process of identifying and preventing unsafe, improper, or malicious transfers of information. It consists of technology, processes, policies, and people working together to ensure that data is properly classified and monitored. AI can also play a role in data loss prevention by detecting malicious activity that deviates from what is typically normal behavior.

DLP can help meet complex compliance standards by identifying, classifying, and securing data at rest, in motion, and in use.

Endpoint Detection and Response (EDR)

EDR solutions add another layer of protection against data exfiltration by alerting on, blocking, and isolating systems that show suspicious behavior. For example, a properly tuned EDR solution can:

  1. Detect a malicious executable such as Megasync
  2. Prevent the file from running by quarantining the executable
  3. Isolate the host it was discovered on

This prevents the data exfiltration and stops the threat actor from attempting further exploitation.
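As an added illustration (not code from the original article), the following Python detector applies the tool-based logic behind the EDR steps above to the compression and transfer tools the article lists: it flags a host where one of those archivers runs and, within the two-hour window the article cites, one of the transfer tools starts or one of the named file-sharing domains is resolved. The telemetry format, the executable names, and the sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Executable names assumed for the tools named in the article.
ARCHIVERS = {"winrar.exe", "winzip.exe", "7z.exe"}
TRANSFER_TOOLS = {"winscp.exe", "megasync.exe", "rclone.exe"}
# Hosting services named in the article; a production list would carry
# each provider's full set of service domains.
FILE_SHARING_DOMAINS = {"mega.io", "temp.sh"}
WINDOW = timedelta(hours=2)  # the "smash and grab" timeframe from the article

# Constructed sample telemetry (not real logs): (timestamp, host, kind, value).
EVENTS = [
    ("2024-05-01T09:00:00", "WS-FINANCE-07", "process", "C:\\Program Files\\7-Zip\\7z.exe"),
    ("2024-05-01T09:42:10", "WS-FINANCE-07", "process", "C:\\Users\\jdoe\\Downloads\\rclone.exe"),
    ("2024-05-01T09:45:30", "WS-FINANCE-07", "dns", "mega.io"),
    ("2024-05-01T10:00:00", "WS-HR-02", "process", "C:\\Program Files\\WinRAR\\WinRAR.exe"),
    ("2024-05-02T11:00:00", "WS-HR-02", "process", "C:\\Tools\\WinSCP.exe"),  # a day later: outside WINDOW
]


def detect_exfil_chains(events):
    """Return (host, reason) alerts where an archiver ran and, within WINDOW,
    a transfer tool started or a file-sharing domain was looked up on that host."""
    last_archiver = {}  # host -> time of the most recent archiver start
    alerts = []
    for ts, host, kind, value in sorted(events):  # ISO-8601 strings sort chronologically
        when = datetime.fromisoformat(ts)
        # Normalise to a lowercase executable basename or domain name.
        name = value.rsplit("\\", 1)[-1].lower() if kind == "process" else value.lower()
        if kind == "process" and name in ARCHIVERS:
            last_archiver[host] = when
            continue
        staged = host in last_archiver and when - last_archiver[host] <= WINDOW
        if not staged:
            continue
        if kind == "process" and name in TRANSFER_TOOLS:
            alerts.append((host, f"transfer tool {name} after archiver"))
        elif kind == "dns" and name in FILE_SHARING_DOMAINS:
            alerts.append((host, f"lookup of {name} after archiver"))
    return alerts


if __name__ == "__main__":
    for host, reason in detect_exfil_chains(EVENTS):
        print(f"ALERT {host}: {reason}")
```

Only WS-FINANCE-07 is flagged; WS-HR-02 ran an archiver and a transfer tool more than two hours apart, which is the kind of benign administrative use a baseline should tolerate.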

An EDR is best deployed and monitored by a competent SOC that reviews alerts, responds to detections, and monitors all traffic on the endpoints.

Key Takeaways

  • Data exfiltration happens for several reasons, either accidentally or with malicious intent.
  • Threat actors use many types of open source tools available online to compress and transfer data.
  • Reduce the risk of data exfiltration by implementing:
    • Environment Visibility
    • Zero Trust Architecture
    • Network Segmentation
    • Data Loss Prevention Solutions
    • Endpoint Detection and Response Sensors

  1. https://www.crowdstrike.com/cybersecurity-101/data-loss-prevention-dlp/
  2. https://www.proofpoint.com/us/threat-reference/data-exfiltration
  3. https://www.cisa.gov/sites/default/files/2024-04/aa24-109a-stopransomware-akira-ransomware_2.pdf
  4. https://www.darkreading.com/endpoint-security/akira-ransomware-lightning-fast-data-exfiltration-2-hours
  5. https://www.paloaltonetworks.com/blog/2024/02/unit-42-incident-response-report/
  6. https://www.nist.gov/publications/zero-trust-architecture