Protecting sensitive data: an approach to prevent data exfiltration

Data exfiltration is a mechanism of data breach that occurs when an individual’s or organization’s data is illegally copied from its systems.

It’s not a matter of “if” you will be attacked, but “when”. Preventing attackers from breaching our systems is a necessity, and stopping them before they can complete their mission is a requirement. Analyzing our data inflows and outflows productively to find data exfiltration will help reduce the cost of a data breach.

Data exfiltration is a mechanism of a data breach that occurs when an individual’s or organization’s data is illegally copied. It is generally a targeted attack in which the hacker copies sensitive data from the victim’s machines. The hackers gain access to the target machine through a remote application or by directly installing malware through portable media.

A medium-sized organization will have 20,000 devices connected to the network, including mobile phones, laptops, printers, servers and other devices that communicate through the Internet. There are myriad channels used for data transmission: cloud-based apps like Salesforce and Amazon Web Services, email messaging services, various internet/web portals and social media. The amount of data the company’s network-connected devices generate is around 20TB or more in a single day. Exfiltration within normal traffic patterns and sizes is already hard to detect, and that is compounded by the use of increasingly stealthy encryption when sensitive credentials are compromised.

With the introduction of new technologies and devices like drones, IoT and BYOD policies into organizations, we are increasing the risk that each individual is forced to face during their online activities.

False positives in DLP and SIEM

An advanced DLP solution and a SIEM are used to monitor for risky events, but due to the sheer size of an organization and the amount of data accessed on a daily basis, those solutions on their own are not enough and generate false positives in high numbers. Many data exfiltrations were left unnoticed during their early stages because of the false positive findings of SIEM tools. Shifting to productive monitoring and SIEM intelligence coupled with behavioral analysis will help in the early detection of data breaches.

Incorporating behavioral analysis in DLP tools will reduce false positives by up to 99%, as analyzed in a case study. Breaches are inevitable, but sensitive data loss isn’t. A traditional perimeter defense will not necessarily stop attackers from stealing sensitive data. Organizations will need to start with the assumption that some adversary might be successful in their attempt to bypass the defenses. One of the most vital stages in an APT-type attack is the data exfiltration step. Companies must invest in preparing a model for understanding the threat vectors and creating a threat model. This will definitely help in identifying adversaries and their approaches.

Organizations must think differently

Companies should adopt a mentality of ‘Think like a hacker’. The motives of hackers are varied, but their goals are all the same: they intend to steal, leak or expose data from a victim. The victim can be an individual, an organization or even a nation. Instead of companies simply claiming that they cannot be breached, they can put in the effort and time to build a better approach. The traditional risk-based approach will not single-handedly help in mitigating or tackling a data breach. It should be coupled with proper incident response plans and data loss prevention mechanisms.

Plan for a better plan

Companies planning to invest in cyber security must also focus on different approaches to tackle cyber events. Cyber threats are increasing rapidly throughout the year. Some of the steps companies can concentrate on to build a custom defense strategy include:

  • Defining a model to differentiate insider threats from outsider threats
  • Identifying the communication channels like HTTP, SFTP, SSH, RDP etc.
  • Analyzing the content type: Sensitive information ranges from personally identifiable information (social security numbers, credit card numbers) to intellectual property. This information could be contained in a static file (image, software program, spreadsheet) or a multimedia session (VoIP conversation, video conference). Sensitive information may be leaked to an outsider in its original, modified, or hidden format. Content in its original format has not been modified in any way. Modified content includes data that may be compressed, padded, encoded into a new file type, or encrypted. Hidden content includes content that has been embedded into other content or into the communication protocol using steganography techniques.
  • Increasing focus on cyber threat intelligence: it can enable defenders to establish a state of information superiority which decreases the adversary’s likelihood of success with each subsequent intrusion attempt. Security managers need accurate, timely and detailed information to continually monitor new and evolving attacks, and methods to exploit this information in furtherance of an improved defensive posture.
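As an added illustration of the content-type analysis in the list above (example code written for this edit, not from the article or its author), the Python below checks outbound content for SSNs and Luhn-valid card numbers in its original form, after peeling common "modified" layers (base64, gzip, nested up to two deep), and flags large high-entropy data it cannot unwrap as possibly encrypted; hidden (steganographic) content is out of scope. The sample payloads are constructed, not real data.

```python
import base64, gzip, hashlib, math, re
from collections import Counter
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # original-format SSN
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")      # 13-16 digit card number, with separators

# Constructed sample payloads standing in for outbound content (not real data).
PLAIN = b"Employee SSN 123-45-6789, card 4111 1111 1111 1111 attached."
SAMPLES = {
    "original": PLAIN,
    "base64": base64.b64encode(PLAIN),
    "gzip": gzip.compress(PLAIN),
    "base64+gzip": base64.b64encode(gzip.compress(PLAIN)),
    "opaque": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)),
    "clean": b"Quarterly newsletter draft, no customer data.",
}

def luhn_ok(digits):
    """Luhn checksum: rejects most random digit runs that CARD_RE matches."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def entropy(data):
    """Shannon entropy in bits per byte; compressed or encrypted data nears 8.0."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def unwrap(data, depth=2):
    """Yield the payload as-is, then after peeling up to `depth` base64/gzip layers."""
    yield "original", data
    for name, fn in (("base64", lambda d: base64.b64decode(d, validate=True)),
                     ("gzip", gzip.decompress)) if depth else ():
        try:
            inner = fn(data)
        except Exception:  # not this encoding, try the next one
            continue
        for fmt, d in unwrap(inner, depth - 1):
            yield (name if fmt == "original" else name + "+" + fmt), d

def classify(payload):
    """Report the first layer where sensitive content appears, else flag large high-entropy data."""
    for fmt, data in unwrap(payload):
        text = data.decode("utf-8", errors="ignore")
        ssns = SSN_RE.findall(text)
        cards = [m for m in CARD_RE.findall(text) if luhn_ok(re.sub(r"[ -]", "", m))]
        if ssns or cards:
            return {"verdict": "sensitive", "format": fmt, "ssn": len(ssns), "card": len(cards)}
    verdict = "opaque" if len(payload) >= 1024 and entropy(payload) > 7.5 else "clean"
    return {"verdict": verdict, "format": None, "ssn": 0, "card": 0}
```

An "opaque" verdict is not proof of exfiltration, only a signal to correlate with the channel and the sender's baseline behaviour, which is where the behavioral analysis discussed above comes in.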

Cyber defense strategies and measures like a multi-layered security approach that includes network defenses, strong passwords, intrusion detection, and multi-factor authentication to protect sensitive data can help companies tackle breaches efficiently. The biggest challenge is detection, because identifying these types of data exfiltration events is tedious given the amount of data generated.

About the Author Ashiq JA (@AshiqJA)
Ashiq JA (Mohamed Ashik) is a Cyber Security Researcher and Writer passionate about Web Application Security, Security research using Machine Learning and Big Data, Deep web, Security technologies and Threat Analysis. He is currently working as a Security Consultant for a financial firm. He believes in knowledge sharing as the best source for information security awareness. To catch up with the latest news on InfoSec trends, follow Ashiq JA on Twitter @AshiqJA.

Edited by Pierluigi Paganini

(Security Affairs –  Hackers, cyber security)

Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years’ experience in the field; he is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
