Detecting and Preventing Data Exfiltration
Data exfiltration is a form of security breach that occurs when an organisation's data is copied, transferred or retrieved from a computer or server without authorisation. It can be difficult to detect because it is often the last stage of a cyber attack: once a system is compromised, the malware orchestrating the attack can lie dormant until the point of exfiltration, or it can take data little by little over time. Because exfiltration involves moving data within and out of a network in ways that closely resemble typical network traffic, substantial data loss incidents can fly under the radar.
A recent report by McAfee, ‘Grand Theft Data II: The Drivers and Shifting State of Data Breaches’, revealed that a majority of IT professionals have experienced at least one data breach during their careers: 61% at their current company and 48% at a previous company. On average, they have dealt with six breaches over the course of their professional lives. These statistics indicate that this type of attack is becoming more serious, and with the introduction of tougher data protection policies and laws such as GDPR, those in charge of defending network security are under greater scrutiny. Nearly three-quarters of all breaches have required public disclosure or have affected financial results, up five points from 2015.
The report highlighted that the top three vectors for exfiltrating data are database leaks and network traffic, cloud applications, and removable USB drives. When it comes to who is taking the data, the internal threat is as significant as ever: employee-driven breaches account for almost 60% of incidents, and a large share of those are accidental.
The external threat should not, however, be minimised: external actors including hackers, malware authors, organised crime, nation states and activists consistently and aggressively target specific companies or organisations, looking to gain access to the most valuable data such as trade secrets, intellectual property, financial information and sensitive customer data.
The report also noted that over the past three years ‘malware-driven’ theft has risen significantly, showing that this facet of the cyber threat landscape is continually evolving at a rate that is difficult to keep pace with. Active threat hunting has been shown to have a significant impact on the speed of threat discovery and on an organisation's resilience against this type of attack. More than half (52%) of organisations have people and resources allocated to threat hunting, while 30% are planning to implement this type of preventive strategy.
For threat hunters within security operations centre (SOC) teams to perform this function, they need fit-for-purpose tools, technologies, policies and education. These enable them to minimise potential exposure from internal and external threats and give them a granular view of the activity and traffic traversing the network, allowing defenders to pinpoint and immediately block activity that looks suspicious. These tools and techniques should include:
- Intelligent, contextual intrusion detection systems (IDS)
- Data loss prevention (DLP)
- Event data recorder (EDR)
- Cloud access security broker (CASB)
- Data analysis tools that combine filtering and traffic profiling
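As an added example of the last item (traffic profiling over filtered flow data), and not code from the article or the McAfee report, the following Python baselines each internal host's daily outbound volume over constructed flow records and flags both a single-day burst and the ‘little by little’ pattern described above; the record layout (host, day, MB out) is an assumption.

```python
"""Profile each internal host's outbound volume and flag two exfiltration shapes.

Added example for the article above, not code from the article or the McAfee
report. Flow records are constructed sample data; the (host, day, MB out)
layout is an assumption standing in for a NetFlow/IPFIX or proxy log export.
"""
from collections import defaultdict
from statistics import mean


def daily_totals(flows):
    """Sum outbound MB per host per day; a real day has many flows."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, mb_out in flows:
        totals[host][day] += mb_out
    return totals


def detect_exfiltration(flows, baseline_days=7, burst_factor=5.0, slow_factor=1.5):
    """Return (host, kind, detail) alerts. The first baseline_days of a host
    define its normal daily volume, mu.
    burst:        one day exceeds burst_factor * mu.
    low_and_slow: no day bursts, yet the mean of the remaining days exceeds
                  slow_factor * mu, i.e. data leaves a little at a time.
    """
    alerts = []
    for host, per_day in sorted(daily_totals(flows).items()):
        days = sorted(per_day)
        baseline, window = days[:baseline_days], days[baseline_days:]
        if not baseline or not window:
            continue  # not enough history to profile this host
        mu = mean(per_day[d] for d in baseline)
        bursts = [d for d in window if per_day[d] > burst_factor * mu]
        alerts += [(host, "burst", d) for d in bursts]
        window_mean = mean(per_day[d] for d in window)
        if not bursts and window_mean > slow_factor * mu:
            alerts.append((host, "low_and_slow", round(window_mean / mu, 2)))
    return alerts


def host_flows(name, daily_mb):  # constructed data: one flow per day
    return [(name, day, mb) for day, mb in enumerate(daily_mb, start=1)]


# 14 days per workstation; ws-02 bursts on day 10, ws-03 drifts up from day 8.
SAMPLE_FLOWS = (
    host_flows("ws-01", [100, 110, 95, 105, 100, 90, 100, 105, 100, 110, 95, 100, 100, 100])
    + host_flows("ws-02", [100] * 9 + [1000] + [100] * 4) + [("ws-02", 10, 1000)]
    + host_flows("ws-03", [100, 120, 90, 110, 130, 95, 105, 170, 180, 160, 175, 185, 165, 180])
)
```

Running `detect_exfiltration(SAMPLE_FLOWS)` flags ws-02 for its day-10 burst and ws-03 for a low-and-slow window that is 1.62 times its baseline, while ws-01's ordinary variation produces no alert.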