As one of the biggest threats to data security, data exfiltration has the potential to result in devastating outcomes for organizations. From significant financial loss to regulatory compliance violations to sensitive asset leaks, data exfiltration is a critical business risk.
Although it may seem difficult, preventing data exfiltration is possible with the right security strategies. This article discusses how businesses can keep their data safe from exfiltration by explaining how data exfiltration works, how this type of attack is commonly executed and which steps and tools are effective in blocking data exfiltration attempts.
What is data exfiltration?
Sometimes referred to as data theft or data extrusion, data exfiltration is the transfer of data from a computer, storage device or other electronic system to another system, where it can be accessed by someone who does not have authorization to view it.
Data exfiltration places businesses at risk because it means that potentially sensitive information becomes available to external parties who may misuse or abuse it. Exfiltrated data may also be stored in locations, such as an employee’s personal device, where it is not supposed to reside according to policy rules. It could even be held for ransom by attackers who demand a payment in order to return the exfiltrated data to the organization to which it belongs.
Prime data exfiltration suspects
Data exfiltration can be carried out by attackers with malicious intent. However, it can also happen due to honest mistakes. Understanding all of the ways in which data exfiltration can be carried out is an essential step in protecting your data.
The three types of people most likely to exfiltrate data include:
- Accidental insiders: Employees, business partners or other stakeholders who have legitimate access to data may accidentally exfiltrate it due to negligence or oversight. For example, an employee might copy sensitive data to a personal thumb drive in order to work with it at home, even if company policy prohibits this practice. Or, an employee might mistakenly address an email with a sensitive file attachment to the wrong recipient, leading to accidental data exfiltration.
- Malicious insiders: In some cases, employees deliberately move data out of the systems where it is supposed to reside in order to cause harm to the company. This may happen with disgruntled employees who are unhappy with the company, or former employees who retain access to company systems even though their access should have been disabled.
- Malicious outsiders: Attackers who are external to an organization may also seek to gain access to its data and transfer the data to their own systems.
Examples of data exfiltration
Data exfiltration can be carried out in many ways. Predicting every single one is not possible. However, to illustrate common vectors of data exfiltration, of the accidental and purposeful variety, consider the following scenarios:
- Network breaches: Attackers may gain access to a company’s internal network, then transfer data out of it. Sophisticated attackers can do this using methods that make their activity difficult to detect.
- Outbound mail: As noted above, employees may accidentally send an email that contains sensitive data to the wrong parties. They may also send an email to a legitimate party who, in turn, forwards it to someone who should not have access to the data inside it.
- Lost laptops/storage devices: A laptop, thumb drive, phone or other device that is lost could contain data that is exposed to unauthorized access when a third party recovers the device.
- Insecure device downloads: Software that is downloaded to a device could contain malware that transfers data to an external system without the user’s authorization.
- Cloud weaknesses: Data stored in cloud-based environments could be copied by users who are not supposed to have access. For example, cloud-based data may be unintentionally exposed to the internet, or one user may be able to access another user’s data on a shared cloud hosting server where permissions are not properly configured.
How to prevent data exfiltration: 8 best practices
In order to best prevent data exfiltration and mitigate any disastrous events before they happen, organizations should review current security measures and institute greater safety processes.
Block unauthorized communication channels
The fewer paths that you make available for accessing data, the lower the risk that those paths will be accidentally or maliciously used as a vector for data exfiltration. As a best practice, consider disabling all unauthorized communication channels, ports and protocols by default, then enabling them on an as-needed basis. This approach offers a stronger data security policy than one where all entryways are enabled by default, which can lead to issues such as the accidental exposure of data over the web by users who forget to turn off a server’s HTTP service.
Prevent phishing attacks
Phishing is a common vector for malicious data exfiltration. Taking action to prevent phishing attacks is therefore an essential step toward mitigating the risk of data exfiltration. Toward this end, it’s important to educate employees about how phishing attacks work, how to spot one and what to do when they believe they are facing a phishing attack. Writing rules for security analytics tools that can generate alerts when they detect emails, SMS messages and other content that may be involved in phishing attempts also helps to prevent this type of attack.
Systematically revoke data access for former employees
Prohibiting an employee’s access to IT systems should happen immediately whenever an employee’s relationship with a company ends. The same is true of business partners or vendors who may also have access to internal systems during their relationship with a company, but should no longer have that access once the relationship has ended. Don’t wait a week or a month to “clean up” old accounts. Make the process an automatic part of the departure protocol.
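One way to make that check automatic is to reconcile the HR departure list against a directory export on a schedule. The sketch below is an added example, not part of the original article; the field names and sample accounts are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data: HR departures and a directory export (not real accounts).
DEPARTURES = {
    "adavis": date(2024, 3, 1),
    "bchen": date(2024, 3, 10),
    "vendor-acme": date(2024, 2, 15),   # third-party account, contract ended
}
DIRECTORY = [
    {"user": "adavis", "enabled": True, "last_login": date(2024, 3, 5)},
    {"user": "bchen", "enabled": False, "last_login": date(2024, 3, 9)},
    {"user": "vendor-acme", "enabled": True, "last_login": date(2024, 2, 1)},
    {"user": "cevans", "enabled": True, "last_login": date(2024, 3, 12)},
]

def stale_accounts(departures, directory, today):
    """Return accounts that are still enabled on or after the owner's departure date."""
    findings = []
    for acct in directory:
        left = departures.get(acct["user"])
        # Skip current staff, already-disabled accounts and future departures.
        if left is None or not acct["enabled"] or left > today:
            continue
        findings.append({
            "user": acct["user"],
            "days_exposed": (today - left).days,
            # A login after the departure date means the access was actually used.
            "used_after_departure": acct["last_login"] > left,
        })
    # Accounts used after departure come first, then the longest exposure.
    findings.sort(key=lambda f: (not f["used_after_departure"], -f["days_exposed"]))
    return findings

if __name__ == "__main__":
    for finding in stale_accounts(DEPARTURES, DIRECTORY, date(2024, 3, 15)):
        print(finding)
```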
Since software tools and automation can only go so far in preventing employees from mistakenly sharing data with unauthorized parties, educating employees about company policies regarding data sharing, as well as best practices for keeping data secure, is essential.
That said, software tools can be used to help detect instances of unauthorized data sharing, such as unusual network activity that indicates an employee has connected a personal device to the network and is copying data to it.
Identify and redact sensitive data
Not all data is at the same level of risk for exfiltration. Some data is more sensitive than other information, and some data may be more easily exfiltrated than other assets, depending on factors such as the systems on which it resides, whether those systems are connected to the network and how many users have access to those systems. For this reason, identifying the systems on which sensitive data resides and ensuring that it is properly secured on those systems is an important step toward preventing exfiltration. In cases where data cannot be secured, it should be copied to a more secure system and then deleted from the original system.
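As an added illustration (not code from the original article), the following sketch finds and redacts two kinds of sensitive values in text. It uses a Luhn checksum so that long digit runs such as order IDs are not mistaken for card numbers; the patterns and the sample record are assumptions constructed for this example.

```python
import re

# Candidate card numbers: 13-19 digits, optionally grouped by spaces or hyphens.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits):
    """Luhn checksum; filters out order IDs and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_and_redact(text):
    """Return (redacted_text, findings); findings are (kind, line_number)."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        def card_sub(m):
            digits = re.sub(r"\D", "", m.group())
            if not luhn_ok(digits):
                return m.group()            # leave non-card digit runs alone
            findings.append(("card", lineno))
            return "[CARD ****" + digits[-4:] + "]"
        def ssn_sub(m):
            findings.append(("ssn", lineno))
            return "[SSN]"
        out.append(SSN_RE.sub(ssn_sub, CARD_RE.sub(card_sub, line)))
    return "\n".join(out), findings

# Constructed sample record (test card number and placeholder SSN, not real data).
SAMPLE = """customer: J. Doe
card: 4111 1111 1111 1111
order id: 1234567890123456
ssn: 123-45-6789"""

if __name__ == "__main__":
    redacted, found = scan_and_redact(SAMPLE)
    print(redacted)
    print(found)
```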
Set a clear BYOD policy
Bring-your-own-device (BYOD) policies allow employees to use personal computers, phones, storage media or other devices in the workplace. BYOD offers benefits for many businesses, but it also increases the risk of data accidentally or maliciously being exfiltrated to third-party devices. For this reason, businesses that permit BYOD practices should have a clear policy in place regarding which data can and cannot be copied to personal devices. Monitoring the network for misuse of personal devices is also important for detecting breaches that might involve data exfiltration.
Identify malicious and unusual network traffic
IT infrastructures that power modern businesses rely heavily on a network connection, making it an obvious attack vector for malicious data exfiltration. Monitoring the network for signs of breaches or attempted breaches is therefore a critical practice for catching attacks early, before they lead to successful data exfiltration.
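The sketch below, an added example rather than code from the original article, shows one simple form of this monitoring: it totals each host's daily outbound bytes to external addresses and flags a day that far exceeds that host's own baseline (median plus a multiple of the median absolute deviation). The flow record layout, host names, thresholds and sample data are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Networks treated as internal (RFC 1918); everything else counts as egress.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(dst):
    addr = ipaddress.ip_address(dst)
    return not any(addr in net for net in INTERNAL)

def external_bytes_per_day(flows):
    """flows: (day, src_host, dst_ip, bytes_out) -> {host: {day: total_bytes}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, dst, nbytes in flows:
        if is_external(dst):
            totals[host][day] += nbytes
    return totals

def flag_egress_anomalies(flows, today, k=6, floor=10_000_000):
    """Flag hosts whose external volume today exceeds max(median + k*MAD, floor)."""
    alerts = []
    for host, per_day in external_bytes_per_day(flows).items():
        history = [b for d, b in per_day.items() if d != today]
        if len(history) < 3:
            continue                      # too little history for a baseline
        med = median(history)
        mad = median(abs(b - med) for b in history)
        threshold = max(med + k * mad, floor)
        current = per_day.get(today, 0)
        if current > threshold:
            alerts.append((host, current, int(threshold)))
    return sorted(alerts)

# Constructed five-day sample; destinations use documentation address ranges.
FLOWS = []
for i, (a, b) in enumerate([(2_000_000, 40_000_000), (3_000_000, 45_000_000),
                            (2_500_000, 42_000_000), (2_000_000, 41_000_000),
                            (900_000_000, 44_000_000)], 1):
    day = f"2024-03-0{i}"
    FLOWS += [(day, "ws-01", "203.0.113.10", a), (day, "ws-02", "198.51.100.7", b)]
# A large internal copy must not count as egress.
FLOWS.append(("2024-03-05", "ws-02", "10.0.0.5", 5_000_000_000))

if __name__ == "__main__":
    print(flag_egress_anomalies(FLOWS, "2024-03-05"))
```

The per-host baseline matters here: ws-02 routinely sends more than 40 MB a day and is not flagged, while ws-01 is flagged because its volume is far outside its own history.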
Implement data encryption & backup processes
Although most organizations typically use data encryption and data backup processes to help preserve data against attackers or internal mishaps, it’s essential to ensure these measures are optimized in case of threats like data exfiltration.
Data encryption protects confidential data stored on internal systems by transforming information into ciphertext. Without a key, attackers have no way of understanding and using the data. Data backup guarantees your organization can restore the data lost and resume operations while the data exfiltration attack is being investigated.
Automate your data exfiltration prevention plan
Because data exfiltration can happen in so many ways, businesses seeking to keep their data out of unauthorized hands must adopt a multi-pronged defense. Several types of software tools can help in this regard:
- DLP alerting tools: Data loss prevention, or DLP, tools can alert your team when data is moved or stored in ways that may indicate exfiltration. DLP alerts help ensure that the business can take early action, before significant damage is done.
- EDR software: Endpoint detection and response, or EDR, tools enable monitoring of network endpoints for signs of malicious activity. They can also deploy automated responses based on pre-defined playbooks, another way to react quickly to data exfiltration.
- Encryption: While encryption can’t defend against all data exfiltration threats, it does provide some protection by preventing access to data by unauthorized parties.
- Network monitoring: As noted above, monitoring activity on the network for signs of malicious or suspicious activity offers broad visibility into exfiltration attempts.
The Siemplify security orchestration, automation, and response (SOAR) platform helps streamline potential data exfiltration incidents, overcome false positives and integrate security operations efforts across scores of third-party tools, enabling SOCs to remediate threats rapidly, resulting in a more secure network.