The Guide to Data Exfiltration

Egress | 19th Nov 2020

What is data exfiltration?

Data exfiltration is the unauthorized transfer of data, typically from a computer, and is more simply described as data theft. The malicious actor in data exfiltration can be a cyber attacker or an insider (i.e. a current employee, contractor or anyone else considered to be part of the organization). These individuals might intentionally steal data to leak to a foreign government, competitor or journalist for personal gain, or in some cases may be breaching data regulations through ignorance.

Data exfiltration is a broad category, and there are as many ways to steal data as there are to store it and move it around. Here are a few of the more popular approaches.

Data exfiltration techniques

Social engineering

People can be a significantly weak link in cybersecurity, and one way to steal data is to prey on human error through social engineering. Attackers use persuasion techniques and exploit biases to manipulate employees into breaching security policies and sharing data. When this is done electronically via email, it is called “phishing”. Attackers will send large numbers of emails that entice the recipients to open an attachment or click on a link and sign into a fraudulent platform, which then allows the cyber-criminal to launch an attack using malware or steal their credentials, both with the ultimate aim of stealing valuable data. These attacks can also be highly targeted, known as “spear phishing”.

Not all social engineering is done via email. Attacks also take the form of a phone call, where the criminal pretends to be a legitimate representative of, for example, a supplier, bank or utility provider to gain sensitive data from an individual to either take advantage of them personally or the company they work for. Twitter recently suffered a phone spear phishing attack, where internal Twitter employees were tricked into revealing the account credentials of a smaller number of higher value individuals (CEOs, celebrities, politicians, etc.), rather than sending a large number of spam emails. The compromised Twitter accounts were then used to promote a bitcoin scam via the platform.

With social media and company websites making information public, it is a relatively easy task for cyber-attackers to gather enough information about a company and/or individual to launch a targeted attack.

Malicious insiders

Another source of data exfiltration could be the malicious insider. This is someone who works for a company and wants to expose data externally, for a variety of reasons. For example, redundancies furloughs and pay cuts can dramatically raise the risk of insider threats. Disgruntled employees are at an elevated risk of exfiltrating data, threatening their company’s data and intellectual property.

Randomization

Cryptography often relies on randomly generated data known to authorized users but unpredictable to outsiders. Random Number Generator attacks take advantage of weaknesses in technical design to substitute pseudo-random data that can compromise these systems in a way that is difficult to detect. In January of 2020, researchers demonstrated that this could be used to break RNS encryption on IoT devices and access their data.

Domain Name System

Domain Name System (DNS) is increasingly being used as a pathway for data exfiltration either by malware-infected devices or by malicious insiders. Hackers tunnel traffic through DNS port 53, where traffic is often not inspected even by next-gen firewalls. They obscure this data from monitoring by encoding and compressing it, often breaking it up to send in chunks. While DNS exfiltration is slow, it is difficult to detect. According to a recent DNS security survey, 46% of respondents had experienced DNS exfiltration at some point.

What are the implications of data exfiltration?

As you might imagine, data exfiltration can cause a lot of problems for a company. Data regulation in California, Europe and several other jurisdictions assigns considerable value to personal data. Under the EU’s General Data Protection Regulation, if malicious actors steal personal data, it can cause fines of up to $24m (approximately) or 4% of the parent company’s global turnover, whichever is higher.

Data exfiltration at scale also grabs headlines, which can cause massive reputational damage that leads to falls in share prices and lost customers. Those whose data has been stolen may also decide to pursue a class action lawsuit, which can be another source of financial damage and keep the company’s name in the press for longer, causing a further reputational hit. Customers whose data is lost will often leave the company, and new customers may think twice about signing away their data.

There is also a chance that data exfiltration is part of industrial espionage by nation states and Advanced Persistent Threats. In these cases, the target is company intellectual property, as the attackers go after source code, manufacturing data or corporate strategy documents. Loss of this data from the parent company empowers competitors and reduces competitive advantage, especially when the attackers are based internationally and there is no legal means of remediation.

How to detect data exfiltration

Data exfiltration touches on several different areas of cybersecurity. At a basic level companies need to be on top of cyber hygiene, ensuring staff are trained on resisting phishing and that they are using secure passwords. The main challenge is one of monitoring. Vast amounts of data are moved around inside and outside of large companies daily, so monitoring for malicious data exfiltration can be hard. At a higher level, cyber hygiene should include authorization controls; determining valuable data that requires protection and putting controls in place to limit access and monitor activity. When doing this, it is important to avoid permission bloat and ensure the security team stays on top of managing permissions, as well as onboarding and offboarding users. Getting this right means beginning with robust and thorough cybersecurity policies.

Internal firewall deployments are a useful way of monitoring traffic and staying on top of providing a level of visibility that can prevent data exfiltration. This requires investment in deployment and maintenance, but doing so offers broad security benefits. Some companies will prefer zero-trust architecture, removing the reliance on a perimeter. While this represents best practice in some cases, it could also mean rebuilding the network from the ground up and instituting a new network architecture.

Data loss prevention technology can offer protection against data exfiltration. This requires the use of agents on every company endpoint, which offers increased protection but can be a logistical challenge to roll out. These approaches affect the performance of the networks, and the most appropriate solution will vary according to the number of users and devices, and the amount of sensitive data being stored and accessed. Additionally, much legacy DLP technology is built using static rules, which cannot always predict human behavior, particularly when an individual is trying to avoid detection, and will always require administrators to update polices to ensure the best protection.

How to prevent data exfiltration

At the heart of data protection for the modern company is email protection. This is the most frequent and accessible method of communication and facilitates a great deal of data sharing. Because of this, email is a prime vector for external attacks, and inadvertent or intentional leaks by employees. Being serious about preventing data exfiltration means investing in email security.

The most direct method of protecting data is to encrypt email traffic, and the most effective way to do so is with end-to-end encryption. This eliminates the risk of man-in-the-middle attacks, and also allows varied levels of protection according to the sensitivity of the data being shared. With Egress Protect, users can vary levels of confidentiality applied to shared data, preventing recipients from saving or printing data in the email body or attachments. Egress Protect also facilitates audit logs to allow improved security and monitor for any sources of data loss.

There are also software solutions to protect against email spear phishing, and inadvertent and intentional data loss via email. Egress Prevent can identify replies to spear phishing attacks to prevent responses and data exfiltration through this channel. It can also detect when someone is about to leak data, for example because they’ve added a wrong recipient by accident or because they’re leaking data intentionally. It does this using advanced machine learning to analyze email subject lines, bodies and attachments to identify when employees are about to accidentally or intentionally leak data and steps in to prevent it.

To better monitor activity related to data exfiltration, we also built Egress Investigate. This allows companies to index and search plaintext and Egress-encrypted emails to determine risky behavior within data flows. The solution is platform and provider agnostic, and allows for granular searches, as well as building a baseline that allows users to monitor for unusual activity related to data movement.

Protecting against data loss is at the heart of cybersecurity, and email is central to all organizations’ operations. Getting email security right is the first step towards comprehensive protection against data exfiltration.