Data Exfiltration: How Businesses Can Detect, Prevent, and Respond to Insider and External Threats

Data is vital to modern digital life; we create, share, and store data and use it to train AI tools. Data protection regulations now cover around 75% of the world, meaning that most companies have a legal obligation to protect sensitive information. But data is a commodity, and cybercriminals recognise its value. Attackers have devised many sophisticated methods to exfiltrate sensitive data, putting your company at risk of noncompliance with regulations, loss of customer trust, and loss of intellectual property (IP). The average cost of a data breach, $4.88 million, shows the impact of data loss on an organization. It is therefore in the interests of companies worldwide to prevent data exfiltration.
What is Data Exfiltration?

Data exfiltration is the deliberate and unauthorized act of removing data from corporate computing systems. It is either a manual or automated process. In either case, the theft is typically performed stealthily and often over long periods, and the victim company is unaware of its data being exfiltrated.
The types of data at risk of exfiltration vary, but sensitive information like personal data, health history, financial information, and intellectual property is typically at risk.
Data exfiltration can be performed by both external hackers and insiders:
External Attackers
External hackers use various techniques to infiltrate and hack into databases and other data stores. A recent example is the Atlassian Confluence zero-day vulnerability exploit. The attackers initially gained unauthorized access to Confluence administrator accounts. Once in control of privileged accounts, the attackers used command-line tools to transfer data to a server under their control.
Insider Threats
Ex-employees and other insiders increase the risk of data exfiltration if their identity accounts are not properly off-boarded when they leave the company. For example, an ex-employee at First Republic Bank (FRB) was able to use existing access via a company-issued laptop to enter the organization's network without authorization. He then deleted code repositories, emailed himself source code, and sabotaged code.
Methods Used by Attackers to Exfiltrate Data
Attackers have developed a variety of methods they can call upon to exfiltrate data:
Phishing and Social Engineering
Phishing is used to initiate many data exfiltration attacks. A phishing email, vishing call, or smishing message can be used to socially engineer an individual into navigating to a spoof website where they enter their login credentials. Alternatively, attackers can manipulate unsuspecting employees into installing keylogger malware that lets them steal credentials. Once the attacker controls an employee's account, they can use common tools or other tactics to escalate privileges and reach sensitive areas of the network. A victim of this technique was Magellan Health, which suffered a spear phishing attack that led to ransomware deployment and data exfiltration, with the stolen data used as leverage for the ransom demand. The exfiltrated data included names, employee ID numbers, and Social Security numbers.
System Vulnerabilities
Security vulnerabilities in software solutions can open the door to data exfiltration attacks. A recent example was the attack on Progress Software's MOVEit file transfer app by the CLOP ransomware gang. Over 1,000 customers of the file transfer app suffered data exfiltration after downloading an update.
Malware (Including Ransomware)
Malware is another way that cybercriminals can get at vast arrays of data. The favorites are keyloggers that steal login credentials and ransomware that uses exfiltrated data to leverage a ransom. Password manager vendor LastPass was recently breached using keylogger malware installed on an employee's home device. Hackers exploited a vulnerability in the engineer's home computer that allowed remote code execution, which let them install the malware. The company lost encrypted vault data for all customers.
Cloud Storage Misconfiguration
Cloud misconfigurations are another common method of exfiltrating data. Capital One was a victim of a misconfigured web application firewall (WAF) exploited by an ex-employee. The vulnerability allowed the employee to access AWS S3 buckets that contained customer data. The attacker was charged with stealing over 100 million customer applications for credit.
DNS Tunnelling
The recent SolarWinds attack demonstrates the malicious technique known as DNS tunnelling. The method allowed the SolarWinds attacker to go undetected for eight months. Attackers inserted malicious code into the SolarWinds Orion software. The malware was distributed to thousands of clients, and its command-and-control channel, carried over DNS tunnelling, allowed the attackers to exfiltrate sensitive data.
API Abuse
The Facebook-Cambridge Analytica (CA) data scandal was not intentionally malicious; however, CA exfiltrated customer data without their knowledge or consent. The normal functionality of Facebook's Graph API allowed developers to obtain profile information about the friends of a Facebook user with consent from that user alone, i.e., the friends themselves never had to give permission. The result was that a developer could gather the profile information of everyone on an app user's friend list. Cambridge Analytica abused this functionality to exfiltrate the data of 87 million users without permission.
What are the Financial Impacts of a Data Exfiltration?
If a company is a victim of a data exfiltration attack, they are likely to become embroiled in various adverse outcomes, including the following:

Noncompliance with Regulations
Data exfiltration places victim companies in noncompliance with data protection regulations. Data privacy regulations cover three-quarters of the world's population. One of the most well-known is the EU's GDPR (General Data Protection Regulation); others include HIPAA, which protects health information, and the CCPA (California Consumer Privacy Act). All data privacy and security regulations issue fines for noncompliance. The GDPR, for example, fines companies that commit privacy violations 4% of their annual revenue or 20 million euros, whichever is higher.
Reputation Damage
Exfiltrated customer data can lead to reputation damage, loss of customer trust, and class actions. All of these have cost repercussions for a business and may cost it its competitive edge.
Downtime
Data exfiltration can be an insidious attack that works by stealth, where attackers evade detection and work their way through a network. Ransomware and other malware infections can be part of a data exfiltration attack. This requires a company to respond to the damage, often by closing down systems for repair. An ITIC Hourly Cost of Downtime report surveyed businesses of all sizes, from micro to large enterprises. The results found that a single affected server costs $167 per minute of downtime.
Operational Disruption
Consequences from the broader attack chain, like ransomware, can severely disrupt normal business operations. Companies often have to close their IT operations during a ransomware infection to isolate the infection's impact. This leads to all of the above costs, from reputation damage to downtime to noncompliance caused by data exfiltration associated with ransomware.
IP Theft
Exfiltrated company secrets, including IP, often end up on the dark web for sale. Research has shown that leaked IP can cause a company to lose 50% of its market share.
How Can A Business Prevent Data Exfiltration?
Data exfiltration can occur via various techniques. An effective prevention and response program must, therefore, be based on layers of protection that prevent these tactics from being used:

Security Awareness Training
Phishing is often used to initiate data exfiltration. Use security awareness training to educate employees about the dangers of phishing and how phishing campaigns work. Back this training up with a phishing simulation exercise that tests an employee's reaction to a fake but realistic phishing attack.
In addition to phishing awareness, security awareness training will teach employees about safe internet use and concentrate on areas like password and security hygiene, e.g., the importance of maintaining secure passwords.
Robust Identity Management
Attackers need access to the network before they can exfiltrate data, so robust identity management across the network reduces that risk. This means granting access only on a need-to-know basis (least privilege), requiring multi-factor authentication (MFA) or passwordless authentication, and using measures that manage and govern access across the extended enterprise, out to remote endpoints.
Data Encryption
Ensure that you use encryption for data at rest, e.g., in a database, as well as for data in transit.
Data Loss Prevention (DLP) Solutions
DLP solutions use policies and rules to identify any unusual or disallowed data movement, including emails that may contain sensitive data, while still allowing the legitimate movement of data.
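As an added illustration of the rule-based approach just described (example code, not from the original article or any DLP vendor), the Python snippet below scans an outbound email for Social Security numbers and Luhn-valid card numbers and blocks the message only when such data is addressed to a domain outside the company. The allowed domain, regexes and the Luhn gate are constructed assumptions; a production DLP engine uses far richer classifiers.

```python
import re
from dataclasses import dataclass

# Constructed policy (assumption): mail inside ALLOWED_DOMAINS flows freely;
# mail to anyone else is blocked if it carries SSNs or Luhn-valid card numbers.
ALLOWED_DOMAINS = {"corp.example"}
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so random digit runs (order ids) are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(body: str) -> dict:
    """Count SSN-shaped and Luhn-valid card-shaped identifiers in a message body."""
    cards = [c for c in CARD_RE.findall(body) if luhn_ok(re.sub(r"[ -]", "", c))]
    return {"ssn": len(SSN_RE.findall(body)), "card": len(cards)}

@dataclass
class Verdict:
    action: str   # "allow" or "block"
    reason: str

def evaluate(recipients: list, body: str) -> Verdict:
    """Apply the DLP rule to one outbound message."""
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in ALLOWED_DOMAINS]
    if not external:
        return Verdict("allow", "internal recipients only")
    hits = find_sensitive(body)
    if hits["ssn"] or hits["card"]:
        return Verdict("block", f"{hits['ssn']} SSN(s) and {hits['card']} card "
                                f"number(s) addressed to {', '.join(external)}")
    return Verdict("allow", "no sensitive identifiers found")

if __name__ == "__main__":
    v = evaluate(["bob@partner.example"],
                 "Please bill card 4111 1111 1111 1111 for the invoice.")
    print(v.action, "-", v.reason)
```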
Endpoint Protection
Advanced anti-malware protection identifies potential malware infections. AI and machine learning-based solutions are used to identify emerging and evasive malware-based attacks.
Network Segmentation
When an attacker enters a network, they can use tactics, like lateral movement, to access sensitive areas. Use network segmentation to isolate areas of the network to prevent attackers from entering restricted areas.
Intrusion Detection and Prevention System (IDPS)
IDPS solutions monitor a network, looking for any unusual activity, such as unexpected data movement. The IDPS solution then sends out alerts, allowing an IT team to respond.
Web Application Firewall (WAF)
A WAF inspects HTTP requests and applies rules to identify malicious traffic. Some advanced WAFs use AI to identify emerging threats.
Dark Web Monitoring
Attackers use the dark web to identify target organizations and gather intelligence. Once data is exfiltrated, it often ends up on a dark web marketplace, offering information needed for follow-on attacks. A dark web monitoring service, like Sentinex, allows an SMB to see if its brand and company details are held on dark web forums and marketplaces, allowing the company to prepare itself and customers for further attacks.
FAQs
What Types of Data Do Attackers Want?
Data exfiltration attacks focus on many types of data. Typical types of data that end up extracted and used for follow-on attacks are:
- Names
- Addresses
- Email addresses
- Phone numbers
- Social security numbers
- Tax information
- Financial information, like credit card details
- Health information
- Educational information
- Company secrets and IP
- Login credentials
Is Encryption Enough to Protect Data?
Encryption is an essential layer of security, but it is not the only measure needed to protect data. An attacker who obtains legitimate access to a database can usually read its data in decrypted form as well. Therefore, it is vital to add additional layers of security to protect data. These layers include robust identity management, including MFA, advanced anti-malware, and data loss prevention (DLP).
What is the Difference Between a Data Breach and Data Exfiltration?
A data breach and data exfiltration are similar terms that are often used interchangeably. However, a data breach describes any unauthorized access to data, whether malicious or accidental. On the other hand, a data exfiltration event is a malicious and intentional act that accesses and exposes data.
What are the Most Common Signs of Data Exfiltration in a Company?
By using a network monitoring tool, you can spot the warning signs of a data exfiltration event. These typically take the form of:
- Unusual data transfers, such as an unexpected increase in data traffic.
- Unusual login activity, like repeated login attempts, especially administrator-level logins or logins from unexpected locations.
- Unexpected encryption activity, which could signal a ransomware attacker encrypting data.
- Unusual user behavior, such as unexpected workstation connections.
- Unexpected file or system anomalies, such as the creation of new directories.
- Security tools that show signs of tampering.
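To make the DNS tunnelling technique from the earlier section and the "unexpected increase in data traffic" warning sign above concrete, here is an added Python example (not from the original article): it groups DNS queries by domain and flags any domain that receives many distinct long, high-entropy leftmost labels, which is the shape data takes when it is smuggled out in subdomains. The log lines, domain names, thresholds and the two-label domain grouping are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not from any real incident): "time client qname".
# Client 10.0.0.9 sends hex-looking chunks as subdomains of one domain, the
# shape of DNS tunnelling; 10.0.0.5 makes ordinary lookups.
DNS_LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:02 10.0.0.5 softwareupdates.example.com
10:00:03 10.0.0.9 7d3a9f1e4c8b2056.cdn-sync.test
10:00:04 10.0.0.9 0b1c2d3e4f5a6b7c.cdn-sync.test
10:00:05 10.0.0.9 9f3e1c7b2a8d4e6f.cdn-sync.test
10:00:06 10.0.0.9 5a6b7c8d9e0f1a2b.cdn-sync.test
10:00:07 10.0.0.5 login.example.com
"""

def label_entropy(label: str) -> float:
    """Shannon entropy (bits/char) of one DNS label; encoded data scores high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude 'last two labels' grouping (assumption: no public-suffix list here)."""
    return ".".join(qname.split(".")[-2:])

def suspect_tunnel_domains(log: str, min_unique=3, min_entropy=3.0, min_label=12):
    """Return domains that received >= min_unique distinct leftmost labels that
    are long and high-entropy, mapped to the clients that asked for them.
    A long ordinary label (softwareupdates) can pass the entropy gate, but a
    legitimate domain does not accumulate many distinct ones."""
    seen = defaultdict(set)
    clients = defaultdict(set)
    for line in log.strip().splitlines():
        _, client, qname = line.split()
        first = qname.split(".")[0]
        if len(first) >= min_label and label_entropy(first) >= min_entropy:
            dom = registered_domain(qname)
            seen[dom].add(first)
            clients[dom].add(client)
    return {d: sorted(clients[d]) for d, labels in seen.items()
            if len(labels) >= min_unique}

if __name__ == "__main__":
    for dom, who in suspect_tunnel_domains(DNS_LOG).items():
        print(f"possible DNS tunnel to {dom} from {', '.join(who)}")
```

Query volume per client and the byte size of responses are the other dimensions a real monitor would add on top of this label check.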
What Tools Help Detect and Stop Data Exfiltration in Real-Time?
Data exfiltration can be identified and stopped in real time using tools such as:
- Data loss prevention (DLP) solutions that use rules to prevent sensitive data from leaving the corporate network.
- Intrusion detection and prevention systems (IDPS) that identify and block potential threats.
- Endpoint detection and response (EDR) tools that secure endpoints.