What is Data Exfiltration? Tips for Preventing Data Exfiltration Attacks

  • 25 February 2020

Today, data is valuable currency. Don’t believe us? Data brokering is a $200 billion industry…and this doesn’t even include the data that’s sold on the dark web. 

For an organization, this data can be anything from customer email addresses to financial projections and the consequences of this data being leaked are tremendous and far-reaching. When data is leaked purposefully and without authorization, we call it data exfiltration. You may also hear it referred to as data theft, data exportation, data extrusion, and data exfil.

What is data exfiltration?

Data exfiltration is the act of sensitive data deliberately being moved from inside an organization to outside an organization’s perimeter without permission. This can be done through the digital transfer of data, the theft of documents or servers, or via an automated process.

What are the various types of data exfiltration?

Data can be exfiltrated in a number of ways from both insiders and external bad actors. We’ll cover both in this article but, if you want to learn more about insider threats, read this blog: What is an Insider Threat? Insider Threat Definition, Examples, and Solutions.

Here are some of the most common ways in which data exfiltration can be carried out.

Email

According to IT leaders, email is the number one threat vector. It makes sense. 

Over 124 billion business emails are sent and received every day and employees spend 40% of their time on email, sharing memos, spreadsheets, invoices, and other sensitive information and unstructured data with people both in and outside of their organization. 

Needless to say, it’s a treasure trove of information, which is why it’s so often used in data exfiltration attempts. But how?

  • Insider threats emailing data to their own, personal accounts or third-parties
  • External bad actors targeting employees with phishing, spear phishing, or ransomware attacks

Employees, contractors, and other individuals with access to an organization’s systems and networks could email databases, calendars, images, planning documents, and other sensitive data to their personal email accounts or to other third-parties. 

If there’s no security software in place to prevent an email from being sent anywhere, it just takes one click of a mouse to move data from inside of an organization into the wild. 

But, it’s not just insiders who can exfiltrate data via email. Bad actors can, too, via phishing, spear phishing, or ransomware attacks. In this case, an employee (the target) will receive an email that appears to be legitimate. If successful, this fraudulent email will get them to share credentials, download a malicious attachment, or otherwise share sensitive information. 

If the bad actor crafts the email in such a way that it appears to genuinely be from a trusted source like a CEO or third-party supplier, the target will often fall for the scam.

Downloads/Uploads

Data can also be exfiltrated via a USB or another personal device like a smartphone, laptop, camera, or external drive. 

An employee (or someone else with access to the company network) simply has to download or upload the data without being detected in order for the attempt to be successful. 

This happens more frequently than you might think. One report shows that:

  • 15% of insiders exfiltrate data via USBs and 8% of external bad actors do the same
  • 11% of insiders exfiltrate data via laptops/tablets and 13% of external bad actors do the same

Via the Cloud 

While working in the cloud, storage services like Google Drive and DropBox offer employees incredible flexibility (especially when working outside of their office environment), but there is risk involved around data exfiltration.

Again, both insiders and outsiders could exfiltrate data via the cloud; all the person needs is access. Once they have access, they could simply copy, download, or print sensitive documents or they could modify the virtual machines, make malicious requests to the cloud service, and deploy malicious software.

Physical theft 

Before the digitization of many business operations, data was exfiltrated via physical theft. It still happens! This could involve someone taking documents or entire servers with them when they leave the office, or faxing documents to themselves or a third-party.

In this case, lockable confidential waste bins, paper shredding devices, and security cameras or personnel could help secure sensitive data.

But, how do you prevent digital data exfiltration? 

What types of tools and technologies can prevent data exfiltration? 

Preventing data loss is a top priority for IT, security, and compliance leaders. Not only do they want to protect client and customer information and their own Intellectual Property (IP), but they want to avoid the many consequences that come from a data breach.

But, data loss prevention (DLP) is a real challenge. And, while there are a handful of solutions, many fall short.

Blocking or blacklisting domains, channels, or software    

What it is: Data exfiltration prevention has often been simplified to stopping communication with certain accounts/domains (namely freemail accounts like @gmail) or blocking access to certain tools and software (like DropBox, for example). 

Why it doesn’t work: This is a blunt approach that impedes employee productivity. There are many legitimate reasons to communicate with freemail accounts, such as updating private clients, managing freelancers, or emailing friends and family about non-work issues. What’s more, a determined insider could easily circumvent this by setting up an account with its own domain.

Secure Email Gateways (SEGs)

What it is: SEGs are essentially more sophisticated spam filters. They’re used to block malicious inbound email threats like phishing attacks.

Why it doesn’t work: While SEGs may be effective in blocking bulk phishing emails, they can’t stop all spear phishing emails. That means the most targeted attacks can still get through and employees could easily fall victim to an attack and unknowingly exfiltrate data to a bad actor. (Not sure what the difference is between phishing and spear phishing? Read this.)

Labeling and tagging sensitive data

What it is: The first step in any DLP strategy is to label and tag sensitive data. This way, it can be monitored (and stopped) when it is seen moving outside the network. 

Why it doesn’t work: This approach relies entirely on employees tagging data correctly. Given how much data organizations handle, the manual process of tagging isn’t viable; employees may label incorrectly or, worse, not do it at all.

Rule-Based solutions

What it is: Organizations could implement rule-based solutions that take the form of “if-then” statements. These “if-then” statements involve keywords, email addresses, and regular expressions that look for signals of data exfiltration.

Why it doesn’t work: Similar to tagging, rule-based solutions are impossible to maintain because data changes in value and sensitivity over time. Beyond that, you simply can’t define or predict human behavior with rules. That’s why 85% of IT leaders say rule-based DLP is admin-intensive and just 18% say it’s the most effective way to prevent data loss.
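To make the “if-then” approach concrete, here is an added example of a small rule-based outbound email check of the kind the section describes (it is not code from the original post or from Tessian). The freemail domain list, the keywords, the regular expressions and the three sample emails are all constructed for the illustration. Running it shows the two problems the text raises: the legitimate freelancer email trips the freemail rule, and the same data sent to a personal domain with neutral wording trips nothing.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed rule inputs for this illustration; none of it is real customer data.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}
SENSITIVE_KEYWORDS = ("confidential", "customer list", "financial projections")
# Regular-expression signals: a 16-digit card-number shape and a document
# marker some organisations stamp on exports (both constructed examples).
SENSITIVE_PATTERNS = {
    "card_number": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "export_marker": re.compile(r"\bINTERNAL[- ]ONLY\b", re.IGNORECASE),
}


@dataclass
class OutboundEmail:
    sender: str
    recipients: List[str]
    subject: str
    body: str
    attachments: List[str]


def recipient_domain_rule(email: OutboundEmail) -> List[str]:
    """IF any recipient is on a freemail domain THEN flag (the blocklist approach)."""
    hits = []
    for rcpt in email.recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in FREEMAIL_DOMAINS:
            hits.append(f"freemail-recipient:{domain}")
    return hits


def keyword_rule(email: OutboundEmail) -> List[str]:
    """IF the subject, body or attachment names contain a sensitive keyword THEN flag."""
    text = " ".join([email.subject, email.body, *email.attachments]).lower()
    return [f"keyword:{kw}" for kw in SENSITIVE_KEYWORDS if kw in text]


def regex_rule(email: OutboundEmail) -> List[str]:
    """IF a sensitive regular expression matches the body THEN flag."""
    return [f"pattern:{name}" for name, rx in SENSITIVE_PATTERNS.items() if rx.search(email.body)]


RULES = (recipient_domain_rule, keyword_rule, regex_rule)


def evaluate(email: OutboundEmail) -> List[str]:
    """Run every rule; an empty list means the rules see nothing suspicious."""
    hits: List[str] = []
    for rule in RULES:
        hits.extend(rule(email))
    return hits


# Constructed sample outbound emails (addresses use reserved .example names).
SAMPLES = {
    "insider_to_personal": OutboundEmail(
        "alice@corp.example", ["alice.personal@gmail.com"], "backup",
        "Customer list attached, keep it confidential. Card on file 4111 1111 1111 1111.",
        ["customer_list_q1.xlsx"]),
    "legit_freelancer": OutboundEmail(
        "alice@corp.example", ["designer@gmail.com"], "Logo feedback",
        "Thanks, the second draft looks great.", []),
    "insider_to_own_domain": OutboundEmail(
        "alice@corp.example", ["me@alice-private.example"], "files",
        "Q1 sheet as discussed.", ["q1.xlsx"]),
}


def summarize() -> dict:
    """Rule hits per sample email, keyed by the sample's name."""
    return {name: evaluate(mail) for name, mail in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in summarize().items():
        print(f"{name}: {hits or 'no rule fired'}")
```

The first sample fires four rules, the freelancer email fires only the freemail rule (a false positive that costs productivity), and the third fires none, because the address is on a private domain and the wording avoids every keyword. Keeping the keyword and pattern lists current as data changes sensitivity is the maintenance burden the text describes.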

Training 

What it is: Because it’s people who control our data, training is a logical solution to data exfiltration. In fact, 61% of organizations have training every 6 months or more frequently. 

Why it doesn’t work: While training does help educate employees about data exfiltration and what the consequences are, it’s not a long-term solution and won’t stop the few bad eggs from doing it. You also can’t train away human error, including breaking the rules or falling for scams like phishing attacks. Learn more in our report: Why the Threat of Phishing Can’t Be Trained Away.

Machine Learning

What it is: Machine learning – especially ML models trained on historical email data – understands the intricacies and fluctuations of human relationships over time. That means ML models can constantly update their “thinking” to determine whether an action looks like exfiltration or not. 

Why it does work: This is the “human” way forward. Machine-intelligent software recognizes what looks suspicious, much like a trained security professional could. However, unlike humans, it can do this thousands of times per second without missing information or getting tired. 

How does Tessian prevent data exfiltration?

Tessian uses stateful machine learning to prevent data exfiltration on email by turning an organization’s own data into its best defense against inbound and outbound email security threats.  

Our Human Layer Security platform understands human behavior and relationships, enabling it to automatically detect and prevent anomalous and dangerous activity like data exfiltration attempts and targeted phishing attacks.

Importantly, Tessian’s technology automatically updates its understanding of human behavior and evolving relationships through continuous analysis and learning of the organization’s email network. 

Tessian Enforcer detects and prevents data exfiltration attempts by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of outbound emails before they’re sent to automatically predict whether the email looks like data exfiltration. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when data exfiltration attempts are detected with clear, concise, contextual warnings that reinforce security awareness training

Tessian Defender detects and prevents data exfiltration attempts by:

  1. Analyzing historical email data to understand normal content, context, and communication patterns
  2. Establishing, mapping, and continuously updating every employee’s business and non-business email contacts into relationship graphs 
  3. Performing real-time analysis of inbound emails to automatically predict whether the email looks unsafe. This is based on insights from relationship graphs, deep inspection of the email content, and previous user behavior
  4. Alerting users when targeted email attacks are detected with clear, concise, contextual warnings that reinforce security awareness training
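As an added illustration of the relationship-graph idea behind the Machine Learning section and the outbound (Enforcer) and inbound (Defender) steps above, the example below builds a per-employee contact graph from historical mail and scores new messages against it. This is not Tessian’s code or model: a simple contact-frequency baseline and hand-picked weights stand in for a trained ML model, and the organisation domain, addresses, history, thresholds and look-alike-domain check are all constructed assumptions for the illustration.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import List

ORG_DOMAIN = "corp.example"  # constructed organisation domain for this illustration

@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[str] = field(default_factory=list)

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class RelationshipGraph:
    """Who each employee has historically exchanged mail with, and how often."""
    def __init__(self):
        self.contacts = defaultdict(Counter)  # employee -> counterpart address -> count
        self.domains = defaultdict(Counter)   # employee -> counterpart domain -> count

    def _record(self, employee, counterpart):
        self.contacts[employee][counterpart] += 1
        self.domains[employee][domain_of(counterpart)] += 1

    def learn(self, msg):
        """Update the graph from one historical message (the text's steps 1 and 2)."""
        sender = msg.sender.lower()
        for rcpt in (r.lower() for r in msg.recipients):
            if domain_of(sender) == ORG_DOMAIN:
                self._record(sender, rcpt)   # employee sent to this counterpart
            if domain_of(rcpt) == ORG_DOMAIN:
                self._record(rcpt, sender)   # employee received from this counterpart

    def knows_address(self, employee, address):
        return self.contacts[employee.lower()][address.lower()] > 0

    def knows_domain(self, employee, address):
        return self.domains[employee.lower()][domain_of(address)] > 0

def score_outbound(graph, msg):
    """Outbound (Enforcer-style) check: how unlike the sender's history is this send?"""
    score, reasons = 0.0, []
    for rcpt in msg.recipients:
        if graph.knows_address(msg.sender, rcpt):
            continue
        if graph.knows_domain(msg.sender, rcpt):
            score += 0.2
            reasons.append(f"new contact at a familiar domain: {rcpt}")
        else:
            score += 0.5
            reasons.append(f"domain never used by this sender: {domain_of(rcpt)}")
    if msg.attachments and score > 0:
        score += 0.3
        reasons.append("attachments going to an unfamiliar recipient")
    return round(min(score, 1.0), 2), reasons

def score_inbound(graph, msg):
    """Inbound (Defender-style) check: does this sender fit the recipient's history?"""
    score, reasons = 0.0, []
    sender = msg.sender.lower()
    for rcpt in (r.lower() for r in msg.recipients):
        if domain_of(rcpt) != ORG_DOMAIN or graph.knows_address(rcpt, sender):
            continue
        score += 0.2 if graph.knows_domain(rcpt, sender) else 0.5
        reasons.append(f"{rcpt} has never received mail from {sender}")
        near = [d for d in [ORG_DOMAIN, *graph.domains[rcpt]]
                if d != domain_of(sender) and edit_distance(d, domain_of(sender)) <= 2]
        if near:
            score += 0.4
            reasons.append(f"sender domain resembles a trusted domain: {near[0]}")
    return round(min(score, 1.0), 2), reasons

def build_sample_graph():
    """Constructed history: alice mails a colleague, a supplier and a freelancer."""
    graph = RelationshipGraph()
    history = ([Message("alice@corp.example", ["bob@corp.example"])] * 20
               + [Message("alice@corp.example", ["pat@supplier.example"])] * 5
               + [Message("pat@supplier.example", ["alice@corp.example"])] * 3
               + [Message("alice@corp.example", ["designer@gmail.com"])] * 2)
    for msg in history:
        graph.learn(msg)
    return graph

if __name__ == "__main__":
    g = build_sample_graph()
    print(score_outbound(g, Message("alice@corp.example", ["me@alice-private.example"], ["q1.xlsx"])))
    print(score_inbound(g, Message("pat@supp1ier.example", ["alice@corp.example"])))
```

The contrast with a keyword or domain rule is the point: a spreadsheet sent to the freelancer alice has mailed before scores zero even though the recipient is on a freemail domain, while the same spreadsheet sent to a private domain she has never used scores highly regardless of wording. On the inbound side, a first-time sender whose domain is one character away from a supplier alice already knows is flagged, and a known supplier contact is not. A production system would add many more signals (content inspection, time of day, reply-chain context) and retrain continuously, as the text describes.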

To learn more about data exfiltration and how Tessian is helping organizations like Arm keep data safe, talk to one of our experts today.