What is Data Exfiltration?

Data exfiltration is any unauthorized movement of data. It can also be known as data exfil, data exportation, data extrusion, data leakage and data theft. Whether information is stolen with a printer or a thumb drive, data exfil is a very real threat for organizations. Attacks can be conducted manually by an authorized employee with access to company systems or through external malicious actors who have gained access.

Data exfiltration can be big business to cybercriminals and a massive problem for any organization that finds themselves on the receiving end of an attack. Whether the threat is present inside your organization or externally, it is imperative that you are aware of the risk and how to protect what matters. Data exfiltration prevention and detection requires and an organization to have an adaptive security culture and solutions that utilize a spectrum of observables and indicators to assess the plausibility of various scenarios. 

Data exfiltration can be carried out in a number of ways, and techniques are becoming more sophisticated in an effort to stay one step ahead of data security solutions. Here are some of the more common types of data exfiltration and how they work.

Outbound Email -- Outbound email can be used to exfiltrate email, databases, calendars, planning documents, images and practically any object that exists on an outbound mail system. This data can be transmitted to a third party as an email or text message or as a file attachment. Email security solutions are integral to preventing email data exfil.

Downloads to Insecure Devices -- These instances can occur when users access sensitive information through a trusted device and authorized channel and then transfer the data to an insecure local device. The data may be exfiltrated using a smartphone, laptop, camera or external drive. Any file that is transferred to an insecure or unmonitored device will be at a high risk of data exfiltration.

Uploads to External Devices -- Similar to the way data is exfiltrated through a download to an insecure device, uploads to external devices can pose the same threat. This could be as simple as a disgruntled employee with a thumb drive.  

Non-Secured Behavior in the Cloud -- Working in the cloud offers many benefits and opportunities, but it also brings an element of risk when it comes to data exfiltration. If an authorized cloud user accesses cloud services in an insecure way, there is the potential for a third party to modify virtual machines, make malicious requests to the cloud service and deploy malicious code.

SunTrust Bank Data Breach

The SunTrust Bank data breach occurred in April 2018. SunTrust reported an insider may have stolen the personal data of 1.5 million SunTrust customers. It is believed that the culprit attempted to print the data and share it with a criminal third party.

Tesla Insider Saboteur

Similarly, a Tesla empoyee exfiltrated damaging amounts of data to unknown third parties and altered code in the Tesla Manufacturing Operating System in 2018. It is rumored the employee, a trusted user at the time, was previously seeking a promotion that was denied. 

Organizations must prevent data exfiltration in order to protect their data and systems, but they must choose solutions that do not negatively impact performance or productivity. This can be a challenge, but is by no means impossible. When choosing a security solution with data exfiltration prevention capabilities, there are a number of features that should be top of the list. These include:

Blocking of Unauthorized Communication Channels -- Malware often uses external communications to exfiltrate data. It is essential to block any unauthorized communication channels. This includes direct communication channels and channels that may be created by a compromised application.

Prevention of Credential Theft and Phishing Attacks -- Phishing attacks are one of the most popular forms of data exfiltration. Endpoint security needs to be able to lock down users from submitting their login details and other credentials to non-enterprise sites. Keystroke logging should also be prevented.

No Impact on Users -- Data exfiltration prevention controls should also have no negative impact on legitimate user activities. They should be able to detect legitimate communications and applications activities, even for applications that are new and unknown.

Forcepoint's Data Loss Prevention solution provides a single policy that protects your data wherever it is. See behind a single alert for better incident response. Identify your riskiest users in seconds while empowering employees to work across a range of devices, multiple networks and cloud applications.