By: Nihad Hassan
April 23, 2021
Introduction to Data Exfiltration
Digital transformation is reaching every aspect of life. In today's digital age, organizations of all types and across all industries use digital solutions to facilitate work operations. Most information is now created digitally and never finds its way onto paper. According to Statista, the total amount of data created, captured, copied, and consumed worldwide is forecast to increase rapidly and already reached 59 zettabytes in 2020.
Digital information is increasing rapidly, e-documents exist everywhere, and every organization in every industry worldwide uses them. Storing documents electronically has numerous benefits, such as saving costs, getting the data you need instantly, helping a business meet various compliance requirements, and helping secure sensitive files from unauthorized access through encryption.
Organizations use digital files to store different types of sensitive information such as trusted customer details, suppliers' and third-party providers' records, trade secrets, marketing plans, financial information, tax forms, and other legal documents. Keeping such files on a computer is much safer than storing paper copies in a cabinet. Thieves and hackers know this fact and have developed numerous ways to steal confidential information for various reasons, primarily for commercial gain or espionage purposes. In the cybersecurity world, stealing sensitive digital files for malicious purposes is known as data exfiltration.
Data exfiltration, also known as data extrusion, data exportation, data theft, or data leakage, refers to the unauthorized transfer of sensitive data from a device or other storage media. Thieves may conduct this transfer manually when they have physical access to the target system, or via an automated process using special tools over computer networks.
Different parties are interested in exfiltrating data, such as disgruntled employees, black hat hackers, organized criminal organizations, or APT groups controlled by foreign governments.
Data exfiltration is a type of data breach; it happens when sensitive files stored on an organization's server are copied or retrieved without authorization. These attacks are conducted remotely via private computer networks or the internet. Data exfiltration is difficult to detect because the stolen data passes silently over a computer network and looks like any ordinary network traffic. The security team may not know about such incidents until the data is already in the malicious actor's hands.
Data exfiltration is considered a big business for cybercriminals. The stolen data, which may contain sensitive information, can be sold for millions and even billions of US dollars, especially trade secrets and proprietary information.
The most well-known cyberattack that aims to exfiltrate data is the Advanced Persistent Threat (APT) attack. APT groups work to establish a long-term presence on the target organization's network to mine the most valuable data. Their targets are researched very well (using OSINT techniques) before executing the attack, which commonly relies on social engineering tactics and phishing emails. The targets are typically large enterprises such as government agencies and banks; the stolen data is highly sensitive and can cause severe damage, both financial and reputational, to victims.
Data exfiltration types
Data exfiltration can be conducted using different methods; new ways are developed every day by cybercriminals to stay ahead of security solutions.
- USB devices: If the adversary has physical access to the target system, they can exfiltrate data from the target device by copying it onto a USB thumb drive.
- Outbound email: Email service can be used to exfiltrate data outside an organization's network. An adversary can copy sensitive data into an email message or attach the sensitive files to email messages and send them to a third party.
- Downloads to insecure devices: Some employees bring their own devices to work; such unmonitored devices can be used to exfiltrate data by moving the sensitive information to them.
- Insecure practices in the cloud: Cloud services have become widespread across all organizations. The ongoing spread of the COVID-19 pandemic has forced most global organizations to adopt cloud technology to facilitate the work-from-home model. Homeworkers use their own devices to access corporate cloud assets; these devices are not as secure as those used in their working environment. Any compromised endpoint device can introduce malware to cloud assets, which can result in a data exfiltration incident.
As noted, the insider threat is a major factor in facilitating data exfiltration. According to Statista, emailing to a personal email account was the most common method of sensitive data exfiltration during insider incidents. Misuse of cloud collaboration privileges was ranked second with a 16.07 percent occurrence rate.
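
The following added example, which is not part of the original article, shows how a security team might flag the insider channel described above: mail with attachments sent from a corporate account to a personal webmail address. The corporate domain, webmail domain list, volume threshold, and log layout are assumptions, and the log records are constructed.

```python
import csv
import io
from collections import defaultdict

# Assumptions (not from the article): domains, threshold and CSV layout are hypothetical.
CORP_DOMAIN = "example.com"
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
DAILY_BYTES_THRESHOLD = 10 * 1024 * 1024  # 10 MiB per sender per day

# Constructed sample of outbound mail gateway records.
SAMPLE_LOG = """\
timestamp,sender,recipient,attachments,bytes
2021-04-20T09:12:00,alice.smith@example.com,buyer@partner.example.org,1,204800
2021-04-20T17:55:00,bob.jones@example.com,bob.jones77@gmail.com,3,7340032
2021-04-20T18:02:00,bob.jones@example.com,bob.jones77@gmail.com,2,6291456
2021-04-21T08:30:00,carol.lee@example.com,friend@yahoo.com,0,4096
2021-04-21T23:41:00,dave.kim@example.com,dkim.backup@proton.me,1,52428
"""

def split_addr(addr):
    """Split an address into (local part, domain), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain

def looks_like_self(sender_local, rcpt_local):
    """True when the recipient mailbox name reuses a part of the sender's name."""
    parts = [p for p in sender_local.replace("_", ".").split(".") if len(p) >= 3]
    return any(p in rcpt_local for p in parts)

def find_suspicious(log_text):
    """Return {(day, sender): reasons} for attachments mailed to personal webmail."""
    volume = defaultdict(int)
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        s_local, s_domain = split_addr(row["sender"])
        r_local, r_domain = split_addr(row["recipient"])
        if (s_domain != CORP_DOMAIN or r_domain not in PERSONAL_DOMAINS
                or int(row["attachments"]) == 0):
            continue  # not corporate-to-personal mail, or nothing attached
        key = (row["timestamp"][:10], row["sender"])
        volume[key] += int(row["bytes"])
        if looks_like_self(s_local, r_local):
            findings[key].add("self-forward")
        if volume[key] > DAILY_BYTES_THRESHOLD:
            findings[key].add("volume")
    return dict(findings)

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

Name matching of this kind produces false positives, so its output is best treated as a triage queue for analysts rather than as a verdict.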
Data exfiltration has become a significant concern for organizations in today's digital age. There are different security solutions to prevent data exfiltration. However, the human element (insider threats) remains a significant factor in such incidents.