25 Signs of Data Exfiltration
When it comes to data exfiltration, if something doesn't look right, it probably isn't.
May 16, 2019
At this point, there's nary an industry or government that hasn't suffered some level of data breach. Even universities can't seem to keep a cap on data losses. Often, pwning data is all too simple, and, at 10GbE speeds, data exits hastily.
A Raspberry Pi 3 attached to a wall wart (power supply) with a 128GB flash card can be removed as easily as it was installed. Add a Wi-Fi dataflow exit, or perhaps another circuit to internal resources, and you could be looking at huge costs in both asset value and liability.
Cloud access security brokers (CASBs) and dataflow monitoring systems that look for anomalous behavior can help. And, certainly, an ounce of prevention is worth a pound of cure. But nothing is foolproof because fools are so ingenious. You must watch for the signs that something's afoot.
How do you know? Here's a quick list of 25 signs that your data may be "leaving the building."
1. Unknown internal IP addresses or IP addresses with the incorrect IP/MAC address pair
2. Large, unexpected data flows from one host to another
3. No. 1 and/or No. 2 transferring data on IPv6, where it’s never been used before
4. Large flow to unexpected external IP addresses
5. Rapid DHCP address changeovers with new MAC addresses
6. Finding new subnets and/or VLANs where there were none before
7. Larger than normal email messages (Hopefully, organizational ceilings for messages are low and are monitored.)
8. Local storage policy violations (Multi-terabyte USB drives are trivial to obtain.)
9. New WiFi hosts, both APs and non-AP supplicants
10. Excessive browser uploads or anomalous port traffic on VMware hosts
11. New VMs where there were none before (local cloud abuse)
12. Sudden appearance of RDP, WinRM or apps like VNC, LogMeIn and other remote desktop apps
13. SSH/Telnet/FTP/SFTP traffic detection, as found by anomalous port access traffic
14. Data movement quotas near or just under peak allocation for extended periods
15. Data flows over HTTP rather than HTTPS, or unencrypted data found anywhere in packet traces
16. The presence of NTLM network packets anywhere (often used by older NAS storage systems, and now deprecated with prejudice)
17. The presence of SMBv1 or SMBv2 protocols (See No. 16.)
18. Changes to default access control lists (ACLs) for important global resources or plausible host targets (Look for baseline default changes through logs, especially frequent baseline changes.)
19. Data movements using unsigned URLs to cloud resources like Google Cloud or AWS
20. Finding data sets marked for deletion that have reappeared, or remain undeleted
21. Cloud bucket checksums that don’t
22. Employee exits without account removals, zombie user account accesses, large repository pulls from civilian users
23. High activity between known audits
24. Slow implementations of new PAM credentials
25. Email server bulges
Unfortunately, this is just a short list of the signs of data exfiltration. In general, my strongest and best recommendation is to read your logs. And, if something doesn't look right, it probably isn't.
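Reading logs for signs 1 through 4 above is easy to automate. This added example (not from the original article) checks a constructed ARP snapshot and constructed flow records against a constructed baseline of known IP/MAC pairs, per-host daily byte counts and expected external destinations; every address, MAC and threshold in it is made up for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline (not real data): recorded IP/MAC pairs, typical daily bytes
# sent per host, the internal range, and the external services we expect to see.
KNOWN_HOSTS = {"10.0.1.10": "aa:bb:cc:00:00:10", "10.0.1.11": "aa:bb:cc:00:00:11"}
DAILY_BASELINE_BYTES = {"10.0.1.10": 2_000_000_000, "10.0.1.11": 500_000_000}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EXPECTED_EXTERNAL = {"203.0.113.10"}      # e.g. a known SaaS endpoint (TEST-NET-3 address)
IPV6_EXPECTED = False                      # sign 3: this segment has never carried IPv6
EXTERNAL_FLOW_LIMIT = 100_000_000          # sign 4: bytes per flow to an unknown destination

def arp_mismatches(arp_table):
    """Sign 1: IPs missing from the baseline, or whose MAC differs from the recorded pair."""
    findings = []
    for ip, mac in arp_table.items():
        expected = KNOWN_HOSTS.get(ip)
        if expected is None:
            findings.append((ip, "unknown internal IP"))
        elif expected.lower() != mac.lower():
            findings.append((ip, f"MAC changed {expected} -> {mac}"))
    return findings

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)   # False across v4/v6 versions

def flow_anomalies(flows, factor=3.0):
    """Signs 2-4 over (src, dst, bytes) records: per-source totals far above the
    daily baseline, IPv6 where none is expected, large flows to unknown external IPs."""
    totals, findings = defaultdict(int), []
    for src, dst, nbytes in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        totals[src] += nbytes
        if not IPV6_EXPECTED and (s.version == 6 or d.version == 6):
            findings.append((src, dst, "IPv6 traffic on a segment that never used IPv6"))
        if not is_internal(d) and dst not in EXPECTED_EXTERNAL and nbytes > EXTERNAL_FLOW_LIMIT:
            findings.append((src, dst, f"{nbytes} bytes to unexpected external address"))
    for src, total in totals.items():
        baseline = DAILY_BASELINE_BYTES.get(src)   # unknown sources are sign 1's job
        if baseline is not None and total > factor * baseline:
            findings.append((src, "*", f"{total} bytes sent, {total / baseline:.1f}x daily baseline"))
    return findings

if __name__ == "__main__":
    # Constructed ARP snapshot and flows: one MAC swap, one unknown host, one 9 GB
    # internal transfer, one IPv6 flow and one large push to an unknown external IP.
    arp = {"10.0.1.10": "aa:bb:cc:00:00:10", "10.0.1.11": "de:ad:be:ef:00:01", "10.0.1.99": "02:00:00:00:00:99"}
    flows = [("10.0.1.11", "10.0.2.5", 9_000_000_000), ("10.0.1.10", "203.0.113.10", 50_000_000),
             ("fd00::10", "fd00::20", 1_000_000), ("10.0.1.10", "198.51.100.7", 250_000_000)]
    for finding in arp_mismatches(arp) + flow_anomalies(flows):
        print(*finding, sep=" | ")
```

Swap in your own ARP table export and flow-collector records for the constructed inputs; the baseline dictionaries are where your environment's known-good values belong.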