Data exfiltration

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. Since the year 2000, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

Types of exfiltrated data
In some data exfiltration scenarios, a large amount of aggregated data may be exfiltrated. However, in these and other scenarios, it is likely that certain types of data may be targeted. Types of data that are targeted includes:


 * Usernames, associated passwords, and other system authentication related information
 * Information associated with strategic decisions
 * Cryptographic keys
 * Personal financial information
 * Social security numbers and other personally identifiable information (PII)
 * Mailing addresses
 * United States National Security Agency hacking tools

Techniques
Several techniques have been used by malicious actors to carry out data exfiltration. The technique chosen depends on a number of factors. If the attacker has or can easily gain physical or privileged remote access to the server containing the data they wish to exfiltrate, their chances of success are much better than otherwise. For example, it would be relatively easy for a system administrator to plant, and in turn, execute malware that transmits data to an external command and control server without getting caught. Similarly, if one can gain physical administrative access, they can potentially steal the server holding the target data, or more realistically, transfer data from the server to a DVD or USB flash drive. In many cases, malicious actors cannot gain physical access to the physical systems holding target data. In these situations, they may compromise user accounts on remote access applications using manufacturer default or weak passwords. In 2009, after analyzing 200 data exfiltration attacks that took place in 24 countries, SpiderLabs discovered a ninety percent success rate in compromising user accounts on remote access applications without requiring brute-force attacks. Once a malicious actor gains this level of access, they may transfer target data elsewhere.

Additionally, there are more sophisticated forms of data exfiltration. Various techniques can be used to conceal detection by network defenses. For example, Cross Site Scripting (XSS) can be used to exploit vulnerabilities in web applications to provide a malicious actor with sensitive data. A timing channel can also be used to send data a few packets at a time at specified intervals in a way that is even more difficult for network defenses to detect and prevent.

Preventive measures
A number of things can be done to help defend a network against data exfiltration. Three main categories of preventive measures may be the most effective:


 * Preventive
 * Detective
 * Investigative

One example of detective measures is to implement intrusion detection and prevention systems and regularly monitor network services to ensure that only known acceptable services are running at any given time. If suspicious network services are running, investigate and take the appropriate measures immediately. Preventive measures include the implementation and maintenance of access controls, deception techniques, and encryption of data in process, in transit, and at rest. Investigative measures include various forensics actions and counter intelligence operations.

External sources

 * http://www.ists.dartmouth.edu/library/293.pdf
 * https://www.scmagazine.com/data-exfiltration-defense/article/536744/
 * Data exfiltration blogs, news and reports