Data Exfiltration

Data exfiltration describes the unauthorized transfer of sensitive or confidential information from a computer or network to an external destination.

  • significant risk for organizations
    • can result in loss of critical business information, financial losses, and serious reputational damage
  • occurs through several methods
    • e.g., email, file transfer protocols, social media, or physical theft
  • examples include:
    • an employee emailing sensitive data to a personal email account
    • a hacker using advanced malware and tunneling to copy files to an external server
    • an insider using a USB drive to copy data
  • implement security controls to mitigate data exfiltration risks:
    • access controls
    • data encryption
    • network segmentation
    • monitoring suspicious activity
    • security awareness training

Data Exfiltration Methods

  • HTTP(S) transfers to file-sharing sites or suspicious domains
    • OneDrive, Dropbox, Google Drive can be used to receive exfiltrated data
    • can block employee access to these sites
  • HTTP requests to database-backed services
    • an adversary may use SQL injection to copy records from a database they should not have access to
    • Web Application Firewalls (WAFs) can detect injection attacks
    • other indicators of injection-style attacks:
      • spikes in requests to PHP files or scripts
      • unusually large HTTP response packets
  • DNS exploits for exfiltration and C&C activity
    • an indicator is atypical query types coming from client workstations
    • most client requests are for host (A or AAAA) name records sent over UDP
    • requests for TXT, MX, CNAME, or NULL records, or DNS carried over TCP, are typically suspicious when they come from a client workstation
  • communication using FTP, IM, P2P, and email is also common
    • might involve consumer services such as Outlook.com, Gmail, and others
  • traffic tunnels such as SSH or VPNs can also indicate suspicious communication
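The DNS indicators listed above (atypical record types and DNS over TCP from client workstations) can be checked directly against resolver logs. This is an added example, not part of the original notes: the log format (timestamp, client IP, query type, transport, name) and the sample lines are constructed here, and the per-client threshold is an assumed tuning value.

```python
"""Flag DNS exfiltration indicators from the notes above over constructed
resolver log lines (added example; log format and samples are assumed)."""

# Query types the notes call atypical for client workstations.
SUSPICIOUS_QTYPES = {"TXT", "MX", "CNAME", "NULL"}

# Constructed sample log: timestamp client qtype transport name
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.5 A udp www.example.com
2024-01-01T10:00:02 10.0.0.5 AAAA udp www.example.com
2024-01-01T10:00:03 10.0.0.7 TXT udp q1.demo.test
2024-01-01T10:00:04 10.0.0.7 TXT udp q2.demo.test
2024-01-01T10:00:05 10.0.0.7 NULL tcp q3.demo.test
2024-01-01T10:00:06 10.0.0.9 A tcp www.example.com
2024-01-01T10:00:07 10.0.0.5 MX udp example.com
"""


def parse_line(line):
    """Split one log line into a record; qtype and transport are normalised."""
    ts, client, qtype, proto, name = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "proto": proto.lower(), "name": name}


def classify(rec):
    """Return the indicator labels a record triggers (empty list if benign)."""
    reasons = []
    if rec["qtype"] in SUSPICIOUS_QTYPES:
        reasons.append("atypical-qtype:" + rec["qtype"])
    if rec["proto"] == "tcp":
        reasons.append("dns-over-tcp")
    return reasons


def analyze(log_text, threshold=2):
    """Group indicator hits per client; return clients with >= threshold hits.

    A single MX lookup is usually noise; repeated hits from one workstation
    are what an analyst would want to review."""
    hits = {}
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            hits.setdefault(rec["client"], []).append((rec["ts"], rec["name"], reasons))
    return {c: h for c, h in hits.items() if len(h) >= threshold}


if __name__ == "__main__":
    for client, events in analyze(SAMPLE_LOG).items():
        print(client, "flagged:")
        for ts, name, reasons in events:
            print("  ", ts, name, ", ".join(reasons))
```

Lowering `threshold` to 1 surfaces every single-hit client as well, which is useful for a first pass but noisier on real resolver logs.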