Data exfiltration

Last updated January 26, 2024

Data exfiltration occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. Since the year 2000, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

Types of exfiltrated data

In some data exfiltration scenarios, a large amount of aggregated data may be exfiltrated. However, in these and other scenarios, it is likely that certain types of data may be targeted. Types of data that are targeted includes:

Usernames, associated passwords, and other system authentication related information^[1]
Information associated with strategic decisions^[1]
Cryptographic keys^[1]
Personal financial information^[2]
Social security numbers and other personally identifiable information (PII)^[2]
Mailing addresses^[2]
United States National Security Agency hacking tools^[2]

Techniques

Several techniques have been used by malicious actors to carry out data exfiltration. The technique chosen depends on a number of factors. If the attacker has or can easily gain physical or privileged remote access to the server containing the data they wish to exfiltrate, their chances of success are much better than otherwise. For example, it would be relatively easy for a system administrator to plant, and in turn, execute malware that transmits data to an external command and control server without getting caught.^[1] Similarly, if one can gain physical administrative access, they can potentially steal the server holding the target data, or more realistically, transfer data from the server to a DVD or USB flash drive.^[3] In many cases, malicious actors cannot gain physical access to the physical systems holding target data. In these situations, they may compromise user accounts on remote access applications using manufacturer default or weak passwords. In 2009, after analyzing 200 data exfiltration attacks that took place in 24 countries, SpiderLabs discovered a ninety percent success rate in compromising user accounts on remote access applications without requiring brute-force attacks. Once a malicious actor gains this level of access, they may transfer target data elsewhere.^[3]

Additionally, there are more sophisticated forms of data exfiltration. Various techniques can be used to conceal detection by network defenses. For example, Cross Site Scripting (XSS) can be used to exploit vulnerabilities in web applications to provide a malicious actor with sensitive data. A timing channel can also be used to send data a few packets at a time at specified intervals in a way that is even more difficult for network defenses to detect and prevent.^[4]

Main data exfiltration techniques

Preventive measures

A number of things can be done to help defend a network against data exfiltration. Three main categories of preventive measures may be the most effective:

Preventive^[4]
Detective^[4]
Investigative^[4]

One example of detective measures is to implement intrusion detection and prevention systems and regularly monitor network services to ensure that only known acceptable services are running at any given time.^[3] If suspicious network services are running, investigate and take the appropriate measures immediately. Preventive measures include the implementation and maintenance of access controls, deception techniques, and encryption of data in process, in transit, and at rest. Investigative measures include various forensics actions and counter intelligence operations.^[4]

Related Research Articles

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

A rootkit is a collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software. The term rootkit is a compound of "root" and the word "kit". The term "rootkit" has negative connotations through its association with malware.

Network security consists of the policies, processes and practices adopted to prevent, detect and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password or other authenticating information that allows them access to information and programs within their authority. Network security covers a variety of computer networks, both public and private, that are used in everyday jobs: conducting transactions and communications among businesses, government agencies and individuals. Networks can be private, such as within a company, and others which might be open to public access. Network security is involved in organizations, enterprises, and other types of institutions. It does as its title explains: it secures the network, as well as protecting and overseeing operations being done. The most common and simple way of protecting a network resource is by assigning it a unique name and a corresponding password.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

Crimeware is a class of malware designed specifically to automate cybercrime.

A supply chain attack is a cyber-attack that seeks to damage an organization by targeting less secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry, to a government sector. A supply chain attack can happen in software or hardware. Cybercriminals typically tamper with the manufacturing or distribution of a product by installing malware or hardware-based spying components. Symantec's 2019 Internet Security Threat Report states that supply chain attacks increased by 78 percent in 2018.

Cyber spying, cyber espionage, or cyber-collection is the act or practice of obtaining secrets and information without the permission and knowledge of the holder of the information using methods on the Internet, networks or individual computers through the use of proxy servers, cracking techniques and malicious software including Trojan horses and spyware. Cyber espionage can be used to target various actors- individuals, competitors, rivals, groups, governments, and others- in order to obtain personal, economic, political or military advantages. It may wholly be perpetrated online from computer desks of professionals on bases in far away countries or may involve infiltration at home by computer trained conventional spies and moles or in other cases may be the criminal handiwork of amateur malicious hackers and software programmers.

An advanced persistent threat (APT) is a stealthy threat actor, typically a state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

Mobile security, or mobile device security, is the protection of smartphones, tablets, and laptops from threats associated with wireless computing. It has become increasingly important in mobile computing. The security of personal and business information now stored on smartphones is of particular concern.

Cyber crime, or computer crime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers, more precisely, to criminal exploitation of the Internet. Issues surrounding this type of crime have become high-profile, particularly those surrounding hacking, copyright infringement, identity theft, child pornography, and child grooming. There are also problems of privacy when confidential information is lost or intercepted, lawfully or otherwise.

The term kill chain is a military concept which identifies the structure of an attack. It consists of:

The following outline is provided as an overview of and topical guide to computer security:

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, Internet-of-things devices, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow a definite level of compliance to standards.

Point-of-sale malware is usually a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) and payment terminals with the intent to obtain credit card and debit card information, a card's track 1 or track 2 data and even the CVV code, by various man-in-the-middle attacks, that is the interception of the processing at the retail checkout point of sale system. The simplest, or most evasive, approach is RAM-scraping, accessing the system's memory and exporting the copied information via a remote access trojan (RAT) as this minimizes any software or hardware tampering, potentially leaving no footprints. POS attacks may also include the use of various bits of hardware: dongles, trojan card readers, (wireless) data transmitters and receivers. Being at the gateway of transactions, POS malware enables hackers to process and steal thousands, even millions, of transaction payment data, depending upon the target, the number of devices affected, and how long the attack goes undetected. This is done before or outside of the card information being (usually) encrypted and sent to the payment processor for authorization.

In cybersecurity, cyber self-defense refers to self-defense against cyberattack. While it generally emphasizes active cybersecurity measures by computer users themselves, cyber self-defense is sometimes used to refer to the self-defense of organizations as a whole, such as corporate entities or entire nations. Surveillance self-defense is a variant of cyber self-defense and largely overlaps with it. Active and passive cybersecurity measures provide defenders with higher levels of cybersecurity, intrusion detection, incident handling and remediation capabilities. Various sectors and organizations are legally obligated to adhere to cyber security standards.

Data center security is the set of policies, precautions and practices adopted at a data center to avoid unauthorized access and manipulation of its resources. The data center houses the enterprise applications and data, hence why providing a proper security system is critical. Denial of service (DoS), theft of confidential information, data alteration, and data loss are some of the common security problems afflicting data center environments.

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.

Royal is a cybercriminal ransomware organization known for its aggressive targeting, its high ransom demands, and its use of double extortion. Royal does not use affiliates.

References

1 2 3 4 Kovacs, Eduard (May 30, 2016). "Researchers Devise "Perfect" Data Exfiltration Technique". Security Week. Retrieved July 1, 2018.
1 2 3 4 Larson, Selena (December 20, 2017). "The hacks that left us exposed in 2017". CNN. Retrieved July 1, 2018.
1 2 3 Percoco, Nicholas (March 12, 2010). "Data Exfiltration: How Data Gets Out". Computerworld. Retrieved July 1, 2018.
1 2 3 4 5 Ullah, Faheem (2017). "Data Exfiltration: A Review of External Attack Vectors and Countermeasures". Journal of Network and Computer Applications.

External sources

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[Kovacs_2018-1] 1 2 3 4 Kovacs, Eduard (May 30, 2016). "Researchers Devise "Perfect" Data Exfiltration Technique". Security Week. Retrieved July 1, 2018.

[Larson_2018-2] 1 2 3 4 Larson, Selena (December 20, 2017). "The hacks that left us exposed in 2017". CNN. Retrieved July 1, 2018.

[Percoco_2018-3] 1 2 3 Percoco, Nicholas (March 12, 2010). "Data Exfiltration: How Data Gets Out". Computerworld. Retrieved July 1, 2018.

[Ullah_2017-4] 1 2 3 4 5 Ullah, Faheem (2017). "Data Exfiltration: A Review of External Attack Vectors and Countermeasures". Journal of Network and Computer Applications.

[1]

[2]

[3]

[4]