In today’s digitally driven era, data is the most critical component of a business. Companies are collecting more data than ever before, and constantly enhancing their operations through data-driven decisions. As a result, data leaks are a serious concern for companies of all sizes; if one occurs, it may put them out of business permanently.
A data leak is defined as the inadvertent exposure of sensitive information to unapproved parties. Under the EU’s General Data Protection Regulation (GDPR), data leaks can incur fines of up to €20 million or 4 percent of annual global turnover, and damage reputations and trust.
Many data leaks are the result of data exfiltration: the illegal transfer of data from a device containing sensitive information to unauthorized parties. Also known as data exportation, data extrusion or simply data theft, data exfiltration is one of the final stages of the cyber kill chain and the most important objective of advanced persistent threats (APTs).
Usually, an attacker’s main objective for stealing sensitive data from an organization is monetary. They get paid either by ransoming the data back to the organization or selling it to malicious buyers on the Dark Web. Now, let’s take a deeper look at how these threat actors execute data exfiltration.
How Does Data Exfiltration Occur?
Broadly speaking, data exfiltration can occur in two ways: via insider threats or outsider attacks. Both can prove to be catastrophic if left undetected.
Insider attacks are usually manual and carried out by someone with physical access to an organization’s systems. Most of the time, malicious insiders are disgruntled employees who are looking to inflict harm on an organization for their own gain. Insiders can also automate the data-exfiltration process by running malicious programs that send data out over the network.
Most outsider attacks begin with a simple initial attack vector, such as a phishing email or malware planted on the victim’s device. Once initial access to the victim’s system has been attained, the data-discovery stage begins, during which hackers escalate privileges and move laterally across the network, looking for sensitive data. Meanwhile, a remote server acting as a command-and-control (C2) server waits for an incoming connection from the victim’s network. Once the critical data and assets are discovered, data-exfiltration techniques are used to transfer the data to the threat actor’s C2 server.
The exfiltrated data may contain usernames, passwords, financial documents, strategic confidential information or personally identifiable information (PII). In some cases, hackers transfer all the data they can access, and they later analyze the stolen data to check if there is anything valuable that can be used for nefarious purposes.
Different Protocols Used for Data Exfiltration
While there are various techniques to execute the actual transfer of data, the most common method is to establish a shell — a communication channel that enables remote interaction between the compromised host and the attacker’s C2 server.
The C2 server is set up online to listen for a connection using a predetermined protocol. The same protocol is used on both ends of the connection, and the data transfer is initiated from the victim’s device to the attacker’s server. Once the transmission is complete, the attackers take the server offline to evade detection and move the stolen data to an offline repository.
Below are some common protocols used for data exfiltration.
Hypertext Transfer Protocol (HTTP)
HTTP is an application protocol that allows users to communicate data over the internet. Since it’s commonly used on most networks, HTTP is a perfect choice for attackers. The malicious transfer of sensitive data goes unnoticed in the high volume of HTTP traffic flowing through enterprise networks, allowing the attacker to stay undetected.
File Transfer Protocol (FTP)
FTP is an essential protocol used to transfer files between a client and a server over the internet, and it is reliable for moving large files. To exfiltrate data, an attacker authenticates to an external FTP server from within the organization’s network. Since most enterprise firewall rule sets focus on blocking inbound traffic, the lack of rules restricting outbound connections lets attackers easily connect back to their own servers and transfer the data.
Domain Name System (DNS)
DNS is another essential protocol; it translates human-readable domain names into IP addresses. DNS tunneling is the process of transmitting data inside DNS queries and responses. It works by creating DNS records that direct queries for a specific domain name to a C2 server under the attacker’s control, so that data encoded into the queries for that domain reaches the attacker. This method can be used to transfer files from a compromised host. DNS tunneling is particularly effective in environments where other protocols may be closely monitored, because DNS is rarely blocked and often not inspected.
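The detection side of DNS tunneling, as an added example that is not part of the original article and not any vendor's code: the script below profiles a constructed DNS query log per registered domain and flags domains whose subdomains look like encoded payloads (many unique subdomains, long labels, high character entropy, and a high share of TXT/NULL queries). The log format, the domain names, the "last two labels are the registered domain" rule and all thresholds are assumptions for illustration; a real deployment would feed it resolver logs, split names with the Public Suffix List and tune the thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (not real traffic): timestamp, client IP, queried name, record type.
# The last six lines imitate a tunnel: many unique, long, high-entropy subdomains under one domain.
SAMPLE_DNS_LOG = """\
2024-01-15T09:00:01 10.0.0.5 www.example.com A
2024-01-15T09:00:02 10.0.0.5 mail.example.com A
2024-01-15T09:00:03 10.0.0.7 cdn.example.net A
2024-01-15T09:00:04 10.0.0.7 api.example.net A
2024-01-15T09:00:05 10.0.0.9 0123456789abcdef.fedcba9876543210.tunnel-demo.invalid TXT
2024-01-15T09:00:05 10.0.0.9 13579bdf02468ace.eca86420fdb97531.tunnel-demo.invalid TXT
2024-01-15T09:00:06 10.0.0.9 02468ace13579bdf.fdb97531eca86420.tunnel-demo.invalid TXT
2024-01-15T09:00:06 10.0.0.9 048c159d26ae37bf.fb73ea62d951c840.tunnel-demo.invalid TXT
2024-01-15T09:00:07 10.0.0.9 159d048c37bf26ae.ea62fb73c840d951.tunnel-demo.invalid TXT
2024-01-15T09:00:07 10.0.0.9 26ae37bf048c159d.d951c840fb73ea62.tunnel-demo.invalid TXT
"""


def shannon_entropy(text):
    """Bits of entropy per character; encoded payloads score high, real words score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Split a query name into (registered domain, subdomain part).

    Assumption: the registered domain is the last two labels. Production code should
    use the Public Suffix List so that names like host.example.co.uk are split correctly.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname, qtype = parts
        records.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()})
    return records


def profile_domains(records):
    """Aggregate, per registered domain, the features a tunnel changes."""
    profiles = defaultdict(lambda: {"queries": 0, "subdomains": set(), "len_sum": 0,
                                    "entropy_sum": 0.0, "txt_null": 0, "clients": set()})
    for r in records:
        domain, sub = split_name(r["qname"])
        p = profiles[domain]
        p["queries"] += 1
        p["subdomains"].add(sub)
        p["len_sum"] += len(sub)
        p["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if r["qtype"] in ("TXT", "NULL"):  # record types that carry large responses
            p["txt_null"] += 1
        p["clients"].add(r["client"])
    return profiles


def score_domain(p, min_unique=5, min_avg_len=30, min_entropy=3.0, min_txt_ratio=0.5):
    """Illustrative thresholds (assumptions; tune them against your own baseline)."""
    n = p["queries"]
    avg_len = p["len_sum"] / n
    avg_entropy = p["entropy_sum"] / n
    txt_ratio = p["txt_null"] / n
    reasons = []
    if len(p["subdomains"]) >= min_unique:
        reasons.append(f"{len(p['subdomains'])} unique subdomains")
    if avg_len >= min_avg_len:
        reasons.append(f"average subdomain length {avg_len:.1f}")
    if avg_entropy >= min_entropy:
        reasons.append(f"average subdomain entropy {avg_entropy:.2f} bits")
    if txt_ratio >= min_txt_ratio:
        reasons.append(f"{txt_ratio:.0%} TXT/NULL queries")
    return {"queries": n, "avg_len": avg_len, "avg_entropy": avg_entropy,
            "clients": sorted(p["clients"]), "reasons": reasons,
            "suspicious": len(reasons) >= 2}  # require two independent signals


def find_tunnel_candidates(log_text):
    """Return {domain: score} for domains that look like DNS tunnel endpoints."""
    candidates = {}
    for domain, p in profile_domains(parse_log(log_text)).items():
        score = score_domain(p)
        if score["suspicious"]:
            candidates[domain] = score
    return candidates


if __name__ == "__main__":
    for domain, score in find_tunnel_candidates(SAMPLE_DNS_LOG).items():
        print(domain, "from", ", ".join(score["clients"]), "->", "; ".join(score["reasons"]))
```

Requiring two independent signals keeps a single long CDN hostname or a lone TXT lookup (SPF, DKIM) from raising an alert; the clients list tells the responder which hosts to look at first.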
How to Identify and Prevent Data Exfiltration
Data exfiltration can be difficult to detect because it involves moving data within and outside a company’s network. The main challenge is distinguishing this movement from typical network traffic. Unsuccessful detection results in substantial data loss incidents flying under the radar until data exfiltration has already been completed. Once your company’s most sensitive data is in the hands of attackers, the damages can be devastating.
The best way to prevent data exfiltration is to:
- Perform a comprehensive risk assessment and identify all valuable data assets.
- Make an inventory of all the endpoints where this data resides.
- Estimate the business impact of the exfiltration of each of these data assets.
- Monitor important endpoints for indicators that an attack is progressing towards data exfiltration using a user and entity behavior analytics (UEBA) solution.
- Look for anomalies in time, count and patterns in user and entity behavior.
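What the time, count and pattern checks in the list above look like in practice, as an added example that is not part of the original article and not Log360's implementation: the script below builds a per-user baseline (hours of day seen, hosts seen, events per day) from a constructed week of file-server audit events, then scores a later day's events against it and rolls the findings into a per-user risk score. The log format, the user and host names, the three-sigma count threshold and the score weights are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed file-server audit events (not real data): "timestamp user host action".
# The baseline covers one normal working week for a hypothetical user "alice".
BASELINE_LOG = """\
2024-01-08T09:12:00 alice fs01 read
2024-01-08T10:40:00 alice fs01 read
2024-01-08T14:05:00 alice fs01 write
2024-01-09T09:30:00 alice fs01 read
2024-01-09T11:15:00 alice fs01 read
2024-01-09T16:20:00 alice fs01 read
2024-01-10T08:55:00 alice fs01 read
2024-01-10T13:10:00 alice fs01 write
2024-01-10T15:45:00 alice fs01 read
2024-01-11T09:05:00 alice fs01 read
2024-01-11T12:30:00 alice fs01 read
2024-01-12T10:00:00 alice fs01 read
2024-01-12T14:40:00 alice fs01 read
2024-01-12T17:10:00 alice fs01 write
"""

# Constructed events for a later day: one normal read, then a burst of reads at 02:xx
# from a host the user has never touched, the shape of data being staged before exfiltration.
NEW_LOG = """\
2024-01-15T10:05:00 alice fs01 read
2024-01-15T02:14:00 alice dbbackup01 read
2024-01-15T02:14:30 alice dbbackup01 read
2024-01-15T02:15:00 alice dbbackup01 read
2024-01-15T02:15:30 alice dbbackup01 read
2024-01-15T02:16:00 alice dbbackup01 read
2024-01-15T02:16:30 alice dbbackup01 read
2024-01-15T02:17:00 alice dbbackup01 read
2024-01-15T02:17:30 alice dbbackup01 read
2024-01-15T02:18:00 alice dbbackup01 read
"""

# Illustrative weights for turning anomaly kinds into a per-user risk score (assumption).
WEIGHTS = {"time": 2, "count": 3, "pattern": 3}


def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, user, host, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host, "action": action})
    return events


def build_baseline(events):
    """Per user: hours of day seen, hosts seen, and events per day."""
    baseline = defaultdict(lambda: {"hours": set(), "hosts": set(), "daily": defaultdict(int)})
    for e in events:
        b = baseline[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["hosts"].add(e["host"])
        b["daily"][e["ts"].date()] += 1
    return baseline


def detect_anomalies(baseline, events, sigma=3.0):
    """Return sorted (user, kind, detail) tuples for time, count and pattern anomalies."""
    findings = set()  # a set so nine reads at 02:xx produce one time finding, not nine
    per_user_day = defaultdict(int)
    for e in events:
        b = baseline.get(e["user"])
        if b is None:
            findings.add((e["user"], "pattern", "no baseline for this user"))
            continue
        if e["ts"].hour not in b["hours"]:
            findings.add((e["user"], "time", f"activity at {e['ts'].hour:02d}:xx outside usual hours"))
        if e["host"] not in b["hosts"]:
            findings.add((e["user"], "pattern", f"first ever access to host {e['host']}"))
        per_user_day[(e["user"], e["ts"].date())] += 1
    for (user, day), n in per_user_day.items():
        counts = list(baseline[user]["daily"].values())
        threshold = mean(counts) + sigma * pstdev(counts)  # count anomaly: beyond mean + 3 sigma
        if n > threshold:
            findings.add((user, "count", f"{n} events on {day} vs usual {threshold:.1f}"))
    return sorted(findings)


def risk_scores(findings):
    scores = defaultdict(int)
    for user, kind, _ in findings:
        scores[user] += WEIGHTS[kind]
    return dict(scores)


def analyze(baseline_text, new_text):
    findings = detect_anomalies(build_baseline(parse_events(baseline_text)), parse_events(new_text))
    return findings, risk_scores(findings)


if __name__ == "__main__":
    findings, scores = analyze(BASELINE_LOG, NEW_LOG)
    for user, kind, detail in findings:
        print(f"{user:8} {kind:8} {detail}")
    print("risk scores:", scores)
```

On the constructed data the user trips all three checks on the same day (off-hours activity, a never-seen host, and ten events against a usual ceiling of four), which is the combination worth paging on; any one of them alone is often benign.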
ManageEngine Log360 identifies indicators of compromise and indicators of attack to expose major threats, including insider threats, account compromise and data exfiltration. Its UEBA module uses machine-learning algorithms to detect behavior anomalies, strengthening your defenses against insider threats and data breaches. Log360 also analyzes logs from different sources including firewalls, routers, workstations, databases and file servers. Any deviation from normal behavior is classified as a time, count or pattern anomaly. Then, it gives actionable insights to the IT administrator using risk scores, anomaly trends and intuitive reports, enabling them to investigate the issue and take the necessary steps to mitigate the risk.