Why Exfiltrate Data?
There is a vast and varied amount of reasons why attackers need to exfiltrate data. And it's not a coincidence that almost all attackers, especially in enterprise environments, end up doing some form of it.
If one considers the example of industrial espionage, it follows perhaps the most straightforward reasoning. Research, commercial secrets, and various other data types are valuable to competitors, or as it happens far more often, nation-state actors want to increase the competitiveness of domestic enterprises.
From the above, we can also deduce that this information is also generally valuable to almost any opportunistic individual willing to violate cyber legislation. Even if they cannot utilize such data, it can be sold or even arbitraged. This is the case not just for explicitly commercial data but for many different types of data that one might find relatively innocuous – from logs to email lists.
This brings us to yet another reason why data is extracted. Often enough, adversaries do not intend to compromise, harm, or even perform any significant cyber activity aimed against a particular organization. Instead, it’s but a step towards a wider goal. Hence, exclusive data that can be obtained from, for example, a supplier of a potential target or about the employees of your target, can prove invaluable in the long-term operations of a given adversary.
Targeted Data Types
The number one type of data that is looked for is credentials of all kinds – most often passwords and cryptographic keys and certificates. The main reason for this is that gaining access to credentials is a widely established practice in almost every offensive security area. It is often the preferred method of gaining access to resources – which should be evident because it tends to save time and effort, and is often the most direct way to other data. There are great examples of this in the wild. Everything from the Sony hacks to NSA leaks tends to confirm the predilection attackers have for credentials of all types.
Another major type of data – most common to commercial organization attacks – is sensitive documentation. This is often related to internal correspondence, classified research information, and unknown financial data regarding the company. Depending on the attacker's goals, this can directly damage the company or extract a form of financial or another benefit. The latter, however, has been getting increasingly replaced with the planting of ransomware.
Potential Sources and Methods of Exfiltration
Exfiltration need not be an entirely digital process. Often it happens via physical media – in fact, an inexperienced malicious insider may very well consider this a viable way of getting away with the act – especially when they expect to hand over the data in person. When one considers an insider as a potential source of data exfiltration, the insider threat level grows proportionally with their privileges. Administrative users are, as in most other cases, the biggest threat due to their borderline unrestricted access to resources within the organization.
When it comes to exfiltration as used by external malicious actors, the primary methodologies are automated and often, but not always, rely on established protocols for transferring data, such as FTP, HTTP, and email. In recent years, a significant addition to these has been cloud storage – which is why one should consider investing in a set of cloud security solutions or even disabling the ability to utilize such within the organization. Finally, it is, of course, worth mentioning the still ever-present exfiltration over a C2 channel.
There are also more complex exfiltration methods – for example, over protocols typically unintended for direct data transfer or over web applications – which are themselves often compromised.
Addressing and Preventing Data Exfiltration
Limiting the amount and type of software users can deploy on their workstations can often work as perhaps a simplistic but effective technical solution. This prevents the user from acting maliciously and addresses the common threat of external actors using various common communication channels for exfiltration. This would include everything from personal VPN services to instant messaging to P2P filesharing.
Auditing accounts and making sure that the authentication data is sufficiently secure is a perennial piece of advice that also comes up here. Even though the practice of renewing passwords is controversial, it is helpful if your credentials are circling on some darknet forum, waiting to be sold to someone willing to use them.
One should also be aware of the value and location of the most important resources the organization possesses – both physically and in terms of network topology. Even in the case of compromise, quickly identifying the most valuable data, as well as checking when and by whom it was accessed, will put you many steps ahead in the unpleasant and complicated process of incident response.
Finally, monitoring is helpful to detect data exfiltration as it is happening. Many SIEM solutions come prepackaged with rules aimed at detecting such data – which can further be enriched with endpoint monitoring products and receiving logs from data protection and compliance software.
Overall, data exfiltration is not an aim or an attack in itself, but a part of a sequence of actions aimed at compromising a target. The good news is that there is a high degree of synchronicity between this threat and others and its varieties. This makes protecting against it a matter of knowledge and not necessarily expending extra resources.
Basic security practices, such as documenting your network and organizing it well, renewing passwords regularly, or at least ensuring they satisfy complexity requirements and having a hand on the living pulse of your organization – the employees – will ensure you reduce the risk of data exfiltration massively.