Five tips for preventing data exfiltration

'How to' guides

Data exfiltration is one of the worst parts of any cyberattack. All malware is dangerous—and you never want it in your computer network. However, many types of malware are useless unless they can exfiltrate data. So, what does this mean?

Data exfiltration is the part of a cyberattack where attackers use malware they've installed on your network to shift data out of your network and into their own. In other words, it's where they steal your stuff.

Preventing data exfiltration won't defang all the malware you're likely to encounter. It can't block ransomware, for example. With that said, having a mechanism to prevent data exfiltration can act as a last-ditch defense mechanism that can save you and your customers' data if your primary defenses fail.

Tip 1: Look for programs exfiltrating a lot of data

One thing to know about data exfiltration is that it isn't fast. You'd most likely notice and shut down a large, high-bandwidth blast of data being beamed out of your network, as it would be entirely out of the ordinary.

Most exfiltration efforts are going to look different. They're going to involve very slow bitrates, just bytes or kilobytes per second, and they'll try hiding among the dozens or hundreds of other services legitimately communicating data outside your network. How can you distinguish legitimate web traffic from malicious exfiltration?

The good news is that malicious exfiltration traffic has some signifiers. You can start by looking at the list of applications currently exfiltrating data. Start by looking at the top end. Even though malicious programs don't exfiltrate data quickly, they can be active for months. If you find a program you don't recognize that's exfiltrated gigabytes of traffic over the last few months; it's probably worthy of investigation.

Tip 2: Watch out for semi-legitimate programs

Attackers and legitimate users can use the same programs. Remote desktop support programs can be legitimately used by tech support or maliciously used by attackers to exfiltrate data. Similarly, legitimate pen testers can use a tool called Metasploit, but it also contains a module called Meterpreter that can be used to exfiltrate data over DNS. A program called Curl legitimately transfers data using URLs, which attackers can also use.

That list of programs with a dual purpose is far from exhaustive. But if you see these programs (or others like them) uploading large amounts of data from your network, it's worth taking a much closer look at them.

Tip 3: Check the file types being uploaded

Look at the uploaded data if you suspect a legitimate or semi-legitimate program has been repurposed to be abused to exfiltrate data. The biggest red flag in this situation is when you see a program exfiltrate compressed or encrypted data.

Encrypted data means the uploader wants to make sure data loss prevention tools don't see the file types the program is uploading—because they'd flag the sensitive data that's escaping the network. If the data is compressed, the attacker is also trying to ensure they can send out as much data as possible while getting around low bandwidth restrictions.

Tip 4: Sinkhole suspect uploaders

If a program has successfully exfiltrated data, you'll want to understand how it got there. That may mean leaving the suspect program in place—but clearly, you don't want this program to exfiltrate any more data.

Sinkholing is a network engineering technique where you redirect traffic from a malicious program to an IP address of your choosing. This technique means you can see exactly what the malware program is attempting to exfiltrate while preventing the exfiltration from doing any harm. You can then study the malware at your leisure to understand how it got there and mitigate future attempts.

Tip 5: Augment threat hunting with egress prevent

Exfiltration doesn't just mean secretive programs shuttling data out of low-numbered ports. Sometimes it's as simple as an attacker taking over a computer and emailing themselves a bunch of interesting files. Egress Prevent is a data loss prevention (DLP) solution designed to detect and mitigate data exfiltration methods, whether accidental or malicious. Our solution uses contextual machine learning to identify when someone is attempting to send sensitive data to an inappropriate email address, then shuts it down and alerts administrators.

There are many potential sources of data exfiltration in a network environment. With Egress Prevent covering your email accounts, you'll have that much more time to conduct threat hunting, allowing you to mitigate stealthy malware infestations and protect your most sensitive data. For more information, book a demo today!

Found this article helpful? We’ve got a whole library of data loss prevention resources – take a look here.

FAQ

What causes data exfiltration?

Data exfiltration occurs when an attacker or insider sends information outside of your network perimeter. That's the final stage of the kill chain in a traditional malware attack. Afterward, the attacker has your data and can exploit it by either extorting your organization or selling it on the dark web.

How can data exfiltration be prevented?

There are several tools for preventing data exfiltration. Traditional programs like firewalls and data loss prevention tools can spot sensitive data when attackers attempt to send it outside the network. You can also use techniques like threat hunting to understand when attackers are making their move.

How do you monitor data exfiltration?

You can use a SIEM tool such as Splunk to create a dashboard that lists all the programs or processes exfiltrating data from your network. If an unfamiliar program starts exfiltrating large amounts of data suddenly, it might be an attempt at data theft.