Data security is key. Incidents of data exfiltration bring lots of unwanted attention to organizations and lead to reputational and financial losses. That’s why companies in various industries pay maximum attention to their cybersecurity measures and constantly enhance them.
In this article, we define what data exfiltration is and how it’s performed. We also explore some recent examples of data loss and offer eight best practices that will help you prevent data exfiltration.
Data exfiltration: definition, consequences, and possible attackers
Data exfiltration is the unauthorized transfer of data from an organization’s systems and devices to systems and devices outside the organization’s perimeter. Such a security breach is sometimes called data theft, data exportation, a data leak, or data extrusion.
Malicious actors can exfiltrate data through digital transfer, the theft of physical documents or corporate devices, or an automated process as part of a targeted attack on sensitive data. Data they target can include:
- Corporate and financial information
- Intellectual property and trade secrets
- Customer databases
- Users’ credentials and other information related to system authentication
- Personally identifiable information
- Personal financial information
- Cryptographic keys
- Mailing addresses
Data exfiltration definition by Google Cloud
Potential consequences of data exfiltration depend on the attacker’s goals. Attackers might demand payment to return stolen data to the organization, sell data to a company’s competitor, or use data to get revenge against a former employer.
Data exfiltration occurs through either outsider or insider threats. It can be carried out by outside cybercriminals or by current or former employees who try to gain access to an organization’s assets and data with malicious intent. Former employees can be extremely dangerous if they still have access to their accounts or if they managed to create backdoor accounts before they left the company.
Employees are not the only insiders who can exfiltrate data; third-party vendors with access to an organization’s networks and systems can as well. A separate category of insiders worth your attention is users with elevated access rights. Privileged users often have full and permanent access to protected data, applications, and systems, and thus pose additional security risks.
Apart from malicious insiders, there could be users who accidentally expose sensitive data by neglecting corporate security policies when transferring files.
Let’s explore several real data exfiltration attacks that happened in 2019 and 2020 and see their origins and consequences.
Examples of data exfiltration
Although it’s possible to detect data exfiltration at early stages, an organization may not know about an incident for months. Sometimes, companies get to know about data leaks only when they notice missing data or learn that their data was sold to someone.
In December 2019, Wawa Inc. announced a nine-month-long breach of its payment card processing systems. Attackers installed card-stealing malware on in-store payment processing systems and fuel dispensers at potentially all Wawa locations. In January 2020, a popular fraud bazaar started selling card data stolen from Wawa that presumably includes more than 30 million card accounts.
Another victim of a data exfiltration attack, Travelex, had to pay a ransomware gang $2.3 million to regain access to its data lost in an attack on New Year’s Eve 2020. Malicious actors gained access to Travelex’s network and exfiltrated 5 GB of data.
An example of data exfiltration caused by a malicious insider is an incident at Amazon. In 2020, Amazon employees leaked customer email addresses and phone numbers to a third party. Amazon notified the public about firing a number of employees responsible for the incident but didn’t comment on the party the information was shared with or the number of affected customers.
Such examples show that data exfiltration can happen to any organization and that it may take time to detect an incident. To avoid data loss, it’s essential to implement cybersecurity best practices and monitor employees’ activity. But first, let’s discover how attackers can exfiltrate data to understand what to secure first.
Types of data exfiltration
Data can be stolen in a range of ways by both internal and external actors. But the most commonly used data exfiltration techniques are sending targeted emails, uploading data to insecure devices, installing unauthorized software, and insecurely sharing data in cloud storage.
1. Phishing and outbound emails
Emails are still one of the major vectors of choice for cybercriminals to distribute malware and perform phishing attacks. With dozens or even hundreds of emails received each day, people can’t always distinguish a potentially dangerous email from a legitimate one.
Data exfiltration methods that use emails can also be related to forwarding an email with sensitive data to personal accounts. According to Statista, such actions were the most common, representing 43.75% of data exfiltration behavior during insider attacks in the US in 2020.
The three major threats from emails are:
- Phishing — Although spam filters are able to identify the majority of phishing emails, some can still imitate a trusted web source down to the smallest details. Clicking on links in phishing emails may lead to launching ransomware or spyware attacks. Such malware can potentially infect an entire corporate network and lead to data leaks.
- Spear phishing — Cybercriminals can email specific and well-researched targets while purporting to be a trusted sender. For instance, they can fake an email in a way that it may genuinely seem to be sent from the CEO or a third-party vendor.
- Outbound emails — Employees may accidentally attach sensitive data when sending an email to parties who shouldn’t have access to such data. Also, they may send emails to legitimate recipients who can resend the data to unauthorized parties.
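The outbound-email cases above (forwarding to a personal account, large attachments leaving the organization) are exactly what a mail-gateway detection rule should surface. The following is an added example written for this article, not Ekran System's code: the corporate domain, the list of consumer-webmail domains, the 5 MiB attachment threshold and the sample gateway records are all constructed, and a real deployment would read these records from the mail gateway's logs.

```python
"""Flag outbound mail that looks like forwarding to personal accounts.

Added example for illustration only; it is not Ekran System's code. The
corporate domain, the list of personal-webmail domains, the attachment
threshold and the sample mail-gateway records are all constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

CORPORATE_DOMAIN = "example-corp.test"                                     # constructed
PERSONAL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}  # assumed consumer webmail
LARGE_ATTACHMENT = 5 * 1024 * 1024                                         # assumed 5 MiB threshold


@dataclass(frozen=True)
class MailEvent:
    sender: str
    recipient: str
    subject: str
    attachments: int        # number of attached files
    attachment_bytes: int   # total size of all attachments


def local_part(address: str) -> str:
    # Dots are ignored so "j.doe" and "jdoe" compare equal.
    return address.split("@", 1)[0].lower().replace(".", "")


def domain(address: str) -> str:
    return address.split("@", 1)[1].lower()


def classify(event: MailEvent) -> List[str]:
    """Return the reasons an outbound message is suspicious; empty means clean."""
    reasons: List[str] = []
    if domain(event.sender) != CORPORATE_DOMAIN:
        return reasons                        # inbound mail is out of scope here
    rcpt_domain = domain(event.recipient)
    if rcpt_domain == CORPORATE_DOMAIN:
        return reasons                        # internal mail
    if rcpt_domain in PERSONAL_DOMAINS:
        reasons.append("recipient is a personal webmail account")
        if local_part(event.recipient) == local_part(event.sender):
            reasons.append("recipient name matches sender (self-forwarding)")
        if event.subject.lower().startswith(("fw:", "fwd:")):
            reasons.append("forwarded thread sent to personal account")
    if event.attachments and event.attachment_bytes >= LARGE_ATTACHMENT:
        reasons.append("large attachment sent to external recipient")
    return reasons


def flag_events(events) -> List[Tuple[MailEvent, List[str]]]:
    """Keep only the events that triggered at least one rule."""
    flagged = []
    for event in events:
        reasons = classify(event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed mail-gateway records, not real traffic.
SAMPLE_EVENTS = [
    MailEvent("alice@example-corp.test", "bob@example-corp.test", "Q3 plan", 1, 200_000),
    MailEvent("alice@example-corp.test", "alice.smith@gmail.com", "Fwd: customer list", 1, 8_000_000),
    MailEvent("j.doe@example-corp.test", "jdoe@outlook.com", "FW: FW: API keys", 0, 0),
    MailEvent("alice@example-corp.test", "support@vendor.test", "Signed contract", 1, 6_000_000),
    MailEvent("news@partner.test", "alice@example-corp.test", "Newsletter", 0, 0),
]

if __name__ == "__main__":
    for event, reasons in flag_events(SAMPLE_EVENTS):
        print(f"{event.sender} -> {event.recipient}: {'; '.join(reasons)}")
```

Each rule contributes a reason rather than a verdict, so a security officer sees why a message was flagged; the large-attachment rule also fires for legitimate vendors, which is intended, since the point is review, not automatic blocking.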
2. Uploading data to insecure devices
Employees may copy corporate data to USB sticks or other insecure devices like smartphones, cameras, or external drives. From there, attackers can infiltrate the devices and exfiltrate the data.
A user can intentionally steal data using personal storage devices or simply copy data to finish work from home. In the latter case, a careless employee can lose the device or expose data through vulnerabilities in their home computer and network.
3. Unauthorized software and shady websites
Installing unauthorized software on corporate devices is a severe risk for an organization’s cybersecurity. Employees can intentionally or inadvertently download unlicensed products that may contain malware that transfers data to an external system without the user’s authorization.
Another way for malware to get into corporate devices and networks is through shady websites if negligent employees access them from corporate computers.
4. Unsafe behavior in the cloud
Data stored in cloud-based environments can be vulnerable to exfiltration, especially if employees violate basic cybersecurity practices. For instance, data loss can occur if users intentionally or accidentally upload sensitive information from secured systems to their personal cloud storage.
Malicious actors can exfiltrate data from cloud drives if data is uploaded to insecure or misconfigured resources. Another concern is when a user provides extensive access permissions to cloud-based storage, exposing data to unauthorized parties.
Now, let’s move to the top security practices that can help you prevent data exfiltration, or at least minimize the chances of it.
How to secure your assets from data exfiltration
8 data exfiltration prevention techniques
Preventing data exfiltration requires a holistic approach that includes reviewing your security measures, updating your cybersecurity software, and educating employees. To help you grasp where to start, we’ve gathered eight best practices that can enhance your organization’s cybersecurity and help you mitigate data exfiltration.
1. Assess risks to identify vulnerable assets and data
To efficiently handle data exfiltration, you need to know what threats to expect and mitigate security risks before they're realized.
Consider applying risk assessment practices to:
- Identify data that can harm your organization if leaked or stolen
- Define possible threats to your organization’s data
- Detect existing vulnerabilities
- Identify harm that may occur as the result of threats exploiting vulnerabilities
- Determine the likelihood that damage will occur
Risk assessment helps you identify potential threats, prioritize risks, and evaluate how your current cybersecurity measures can mitigate potential threats. Then, you can determine whether you need to employ any additional cybersecurity practices.
2. Monitor user activity
It’s essential to track user activity to make sure users access and handle data securely. Ekran System offers real-time user activity monitoring that will help your security officers efficiently detect cases of malicious and inadvertent data exfiltration. You can also review recorded user sessions to analyze employees’ behavior and detect suspicious activity.
Apart from monitoring regular employees, you should keep an eye on third parties and users with elevated access rights. Privileged users have access to the most sensitive parts of the corporate network and have more opportunities to exfiltrate data while remaining unnoticed. Therefore, such users have to be closely watched.
3. Encrypt data
Encryption is a proven way to protect data in storage and during transfer. Once confidential information is transformed into ciphertext, only someone holding the corresponding key can read and use it.
Encryption not only secures your data and prevents unauthorized use by malicious actors — it’s also a requirement or at least a recommended practice of various regulations, laws, and industry standards such as HIPAA and NIST guidelines.
4. Implement user and entity behavior analytics (UEBA) mechanisms
UEBA solutions are based on artificial intelligence algorithms. They analyze users’ and entities’ behavioral patterns and define baselines of normal and expected behavior. User actions that deviate from these baselines are flagged as potentially risky.
Ekran System offers a UEBA module as part of its insider threat management software. Whenever the UEBA solution detects abnormal activity, it alerts security officers. Then, officers can check user activity in real time and identify whether it threatens cybersecurity.
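To make the baseline idea concrete, here is an added example written for this article (it is not Ekran System's UEBA module). It builds a per-user profile from a constructed 14-day activity history (daily upload volume and login hour), then scores constructed "new day" records against it: a volume more than three standard deviations above the user's mean, activity at an hour the user has never worked, or an account with no history at all each produce a finding. The statistical threshold and the record format are assumptions; real telemetry would come from session recordings or proxy logs.

```python
"""Build per-user behavioral baselines and score new activity against them.

Added example, not Ekran System's UEBA module. The activity records are
constructed; a real deployment would derive them from session recordings,
proxy logs or similar telemetry.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Each record: (user, day, bytes_uploaded, login_hour). Constructed history
# of two users over 14 days with slightly varying but regular behaviour.
HISTORY = (
    [("alice", d, 1_000_000 + 50_000 * (d % 3), 9) for d in range(1, 15)]
    + [("bob", d, 300_000 + 20_000 * (d % 4), 10) for d in range(1, 15)]
)

# Constructed "today" records to score against the baselines.
NEW_RECORDS = [
    ("alice", 15, 40_000_000, 9),   # 40 MB upload from a user who normally moves ~1 MB
    ("bob", 15, 320_000, 10),       # within bob's normal range
    ("alice", 16, 1_040_000, 3),    # normal volume, but at 03:00
    ("carol", 15, 10_000, 11),      # account with no history at all
]


def build_baselines(records) -> Dict[str, dict]:
    """Summarise each user's history as mean/stdev of volume plus the hours seen."""
    volumes = defaultdict(list)
    hours = defaultdict(set)
    for user, _day, nbytes, hour in records:
        volumes[user].append(nbytes)
        hours[user].add(hour)
    return {
        user: {"mean": mean(v), "stdev": pstdev(v), "hours": hours[user]}
        for user, v in volumes.items()
    }


def score(baseline: dict, nbytes: int, hour: int, z_threshold: float = 3.0) -> List[str]:
    """Return human-readable deviations from a single user's baseline."""
    findings = []
    sd = baseline["stdev"] or 1.0        # perfectly regular history: avoid division by zero
    z = (nbytes - baseline["mean"]) / sd
    if z > z_threshold:
        findings.append(f"upload volume {nbytes} is {z:.1f} standard deviations above baseline")
    if hour not in baseline["hours"]:
        findings.append(f"activity at {hour:02d}:00 is outside usual hours {sorted(baseline['hours'])}")
    return findings


def detect(baselines, new_records) -> List[Tuple[str, int, List[str]]]:
    """Score every new record; unknown users are alerted on rather than silently skipped."""
    alerts = []
    for user, day, nbytes, hour in new_records:
        base = baselines.get(user)
        if base is None:
            alerts.append((user, day, ["no baseline for this user (new or dormant account)"]))
            continue
        findings = score(base, nbytes, hour)
        if findings:
            alerts.append((user, day, findings))
    return alerts


def run() -> List[Tuple[str, int, List[str]]]:
    return detect(build_baselines(HISTORY), NEW_RECORDS)


if __name__ == "__main__":
    for user, day, findings in run():
        print(f"day {day} {user}: " + "; ".join(findings))
```

The baseline is deliberately per user: bob's 320 KB day is normal for bob, while the same volume would be an anomaly for a user who never uploads anything. An account without a baseline is alerted on explicitly, because dormant or newly created accounts are a common way for privileges to go unwatched.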
5. Introduce a clear bring your own device (BYOD) policy
If employees are using personal devices for corporate purposes, they pose an additional risk of an insider threat. Employees can lose their smartphones or accidentally expose data to parties that shouldn’t have access to it.
To minimize the risk of data exfiltration, make sure your BYOD policy explicitly defines:
- What applications and assets are forbidden to access from personal devices
- What security controls are required for personal devices used for work
- What security components like SSL certificates for device authentication are provided by your company
USB devices like modems, mass storage devices, and video devices pose a potential threat to an organization’s cybersecurity. They can be used to copy sensitive data or may contain malware.
Since blocking all USB devices isn’t an option for a modern company, consider managing their use by implementing solutions that monitor connected devices and control users’ access to them. For example, Ekran System offers a USB device management feature. It sends alerts to security officers when suspicious devices are connected and can even block the connection of a prohibited type of USB device.
6. Ensure data backups
Back up your data to ensure that even if a data exfiltration attack occurs or an employee deletes information by mistake, you will still be able to restore the lost data. Backing up data is a common requirement of various cybersecurity standards and regulations (as is encrypting data).
7. Implement the just-in-time privileged access management (JIT PAM) approach
Ensure that only the right users are provided with privileged access to specific systems and resources, only for a valid reason, and only for the time required. With the JIT PAM approach, you can minimize the risks of data exfiltration and implement the true principle of least privilege with zero standing privileges as the goal. As part of checking access rights, you should also systematically revoke data access for former employees.
To help you adopt the JIT PAM approach, Ekran System offers privileged access management functionality. It helps you manage access of users with elevated access rights to sensitive data and audit their activity.
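The JIT PAM principles in this section (access only for eligible users, only with a reason, only for a bounded time, and revoked systematically when someone leaves) can be expressed as a small access ledger. The following is an added example written for this article, not Ekran System's PAM functionality: the users, resources, approver and the four-hour cap on a grant are assumptions, and time is passed in as integer seconds so the behaviour is deterministic.

```python
"""Just-in-time privileged access ledger with zero standing privileges.

Added example, not Ekran System's PAM functionality. Users, resources,
approvers and the TTL cap are constructed, and time is passed in as integer
seconds so the behaviour is deterministic and easy to audit.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

MAX_TTL = 4 * 3600   # assumption: no grant may outlive a four-hour window


@dataclass
class Grant:
    user: str
    resource: str
    reason: str
    granted_at: int
    expires_at: int
    revoked: bool = False


@dataclass
class JitPam:
    approvers: Set[str]                     # who may approve a request
    eligible: Dict[str, Set[str]]           # user -> resources they may ask for
    grants: List[Grant] = field(default_factory=list)
    audit_log: List[Tuple[int, str]] = field(default_factory=list)

    def _deny(self, now: int, user: str, resource: str, why: str) -> None:
        self.audit_log.append((now, f"DENY {user}->{resource}: {why}"))

    def request(self, user, resource, reason, now, ttl, approved_by) -> Optional[Grant]:
        """Issue a time-boxed grant only if the request is eligible, justified and approved."""
        if approved_by == user or approved_by not in self.approvers:
            self._deny(now, user, resource, f"invalid approver {approved_by}")
            return None
        if resource not in self.eligible.get(user, set()):
            self._deny(now, user, resource, "user is not eligible for this resource")
            return None
        if not reason.strip():
            self._deny(now, user, resource, "no justification supplied")
            return None
        ttl = min(ttl, MAX_TTL)             # cap, never extend, the requested window
        grant = Grant(user, resource, reason, now, now + ttl)
        self.grants.append(grant)
        self.audit_log.append((now, f"GRANT {user}->{resource} until {grant.expires_at}: {reason}"))
        return grant

    def is_authorized(self, user, resource, now) -> bool:
        """True only while an unrevoked grant is inside its window; nothing stands by default."""
        return any(
            g.user == user and g.resource == resource and not g.revoked
            and g.granted_at <= now < g.expires_at
            for g in self.grants
        )

    def offboard(self, user, now) -> int:
        """Revoke every live grant and all eligibility for a departing user."""
        revoked = 0
        for g in self.grants:
            if g.user == user and not g.revoked and g.expires_at > now:
                g.revoked = True
                revoked += 1
        self.eligible.pop(user, None)
        self.audit_log.append((now, f"OFFBOARD {user}: {revoked} grant(s) revoked"))
        return revoked


def run_scenario() -> dict:
    """Constructed walk-through: one DBA, one approver, one production database."""
    pam = JitPam(approvers={"sec-lead"}, eligible={"dba1": {"prod-db"}})
    first = pam.request("dba1", "prod-db", "INC-1234 restore", now=1_000, ttl=3_600, approved_by="sec-lead")
    return {
        "first_grant_expires": first.expires_at,
        "before_grant": pam.is_authorized("dba1", "prod-db", 999),
        "during_grant": pam.is_authorized("dba1", "prod-db", 2_000),
        "after_expiry": pam.is_authorized("dba1", "prod-db", 4_600),
        "self_approval": pam.request("dba1", "prod-db", "x", 1_100, 600, approved_by="dba1"),
        "not_eligible": pam.request("intern", "prod-db", "curious", 1_100, 600, approved_by="sec-lead"),
        "capped_ttl": pam.request("dba1", "prod-db", "INC-1235", 1_200, 10 * 3_600, approved_by="sec-lead").expires_at,
        "revoked_on_offboard": pam.offboard("dba1", now=1_300),
        "after_offboard": pam.is_authorized("dba1", "prod-db", 2_000),
        "audit_entries": len(pam.audit_log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points matter here: `is_authorized` has no "default allow" path, so access exists only inside an explicit window (that is what zero standing privileges means in practice), and every decision, including denials, lands in the audit log so the grant history can be reviewed alongside session recordings.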
8. Educate employees
Data exfiltration is often caused by phishing, transferring data to insecure devices and cloud storage, and account compromise enabled by weak credentials. To minimize the risks of such incidents, you need to systematically educate your staff and update your security policies. Also, consider implementing a people-centric security approach to make your employees part of your security perimeter.
To get the big picture of how your employees currently handle data, you can use reporting functionality of your user monitoring solution. For instance, Ekran System offers a wide range of customizable reports that can show you information about user activity, accessed URLs, connected USB devices, etc. Knowing weak spots in users’ behavior, you can reshape your security training and policies accordingly.
Preventing and mitigating data exfiltration techniques is a complicated task. You need to deal with both external attackers and potentially negligent employees. However, you have a high chance of overcoming these challenges if you choose a comprehensive cybersecurity approach.
Implementing proven technologies like UEBA and monitoring the activity of users with privileges will help you secure the lion’s share of potential vulnerabilities. Ekran System is ready to help you start your cybersecurity improvements. Request a 30-day trial of the Ekran System platform to see how it works.