Data Exfiltration: 25 Clues Your Data Is Flying the Coop
It's getting easier than ever to pilfer data; IT pros must be on the lookout for the tell-tale signs of data exfiltration.
October 1, 2018
Escaped data is no fun. Data exfiltration breaches have now hit almost every industry, including government. Even universities can't seem to keep a cap on data losses. Often, pwning data becomes simple, and, at 10GbE speeds, data exits hastily. Yes, you need a network protocol sniffer at key ingress/egress points, and someone who knows how to trigger alarms for various conditions. Excellent third-party and open-source software exists to do just the sort of sniffing work that identifies data flowing out the door.
The question is: Where does it go? Usually, a target IPv4 or IPv6 address, but not always.
A Raspberry Pi 3 attached to a wall wart (power supply) with a 128GB flash card can be removed as easily as it was installed. Add a WiFi exit path for the data, or perhaps another circuit into internal resources, and you have had a bad day, one that may cost much in both asset value and liability.
Cloud Access Security Brokers (CASB) and systems data-flow monitoring can help. Many CASB and monitoring solutions look for anomalous behaviors. No matter which you choose, your bad day comes from not being able to detect the outflows.
Certainly, an ounce of prevention is worth a pound of cure, but nothing is foolproof because fools are so ingenious. You must watch for the signs that something’s afoot. Here are 25 signs your data is leaking:
1. Unknown internal IP addresses, or IP addresses with an incorrect IP/MAC address pair
2. Large, unexpected data flows from one host to another
3. Either No. 1 or No. 2 on this list transferring data over IPv6 where it has never been used before
4. Large flows to unexpected external IP addresses
5. Rapid DHCP address changeovers with new MAC addresses
6. New subnets and/or VLANs where there were none before
7. Larger-than-normal email messages (hopefully organizational size ceilings are low, and are monitored)
8. Local storage policy violations (multi-terabyte USB drives are trivial to obtain)
9. New WiFi hosts, both APs and non-AP supplicants
10. Excessive browser uploads or anomalous port traffic on VMware hosts
11. New VMs where there were none before (local cloud abuse)
12. Sudden appearance of RDP, WinRM, or apps like VNC, LogMeIn and other remote desktop tools
13. SSH/telnet/FTP/SFTP traffic detected through anomalous port access
14. Data movement quotas at or just under peak allocation for extended periods
15. Data flows over HTTP rather than HTTPS, or unencrypted data found anywhere in packet traces
16. The presence of NTLM network packets anywhere (often used by older NAS storage systems, and now deprecated with prejudice)
17. The presence of SMBv1 or SMBv2 protocols (see No. 16)
18. Changes to default Access Control Lists (ACLs) for important global resources or plausible host targets; look for baseline default changes through logs, especially frequent baseline changes
19. Data movements using unsigned URLs to cloud resources such as Google Cloud or AWS
20. Data sets marked for deletion that have reappeared or remain undeleted
21. Cloud bucket checksums that don't match
22. Employee exits without account removals, zombie user account accesses, large repository pulls from civilian users
23. High activity between known audits
24. Slow implementation of new PAM credentials
25. Email server bulges
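Several of the network-side signs above (unknown internal hosts and bad IP/MAC pairs, large flows to unexpected destinations, IPv6 appearing where the baseline says it is never used, traffic on the plain-HTTP port) reduce to comparing flow records against a baseline. The script below is an added example, not code from the original article; the inventory, allowed external range, thresholds and sample flow records are all constructed, and the `Flow` shape is an assumption standing in for whatever a NetFlow/IPFIX collector or sniffer actually exports.

```python
"""Baseline-vs-observed checks over flow records for a handful of the
exfiltration signs listed above. All data here is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed baseline. In practice this comes from the asset inventory /
# DHCP reservations and from the firewall's approved-destination list.
KNOWN_HOSTS = {                      # internal IP -> expected MAC (constructed)
    "10.0.1.10": "aa:bb:cc:00:00:10",
    "10.0.1.11": "aa:bb:cc:00:00:11",
    "fd00::10":  "aa:bb:cc:00:00:10",
}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("fd00::/8")]
ALLOWED_EXTERNAL = [ip_network("203.0.113.0/24")]   # e.g. the organisation's own cloud range (constructed)
LARGE_FLOW_BYTES = 500 * 1024 * 1024                # 500 MiB in one flow record; tune to the site
IPV6_BASELINE_IN_USE = False                        # baseline: IPv6 has never carried traffic here


@dataclass
class Flow:
    """One exported flow record (assumed shape, not a real collector format)."""
    src_ip: str
    src_mac: str
    dst_ip: str
    dst_port: int
    bytes_out: int


def _in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given networks (version-aware)."""
    addr = ip_address(ip)
    return any(addr in net for net in nets)


def analyze(flows):
    """Return a list of (sign, detail) alerts for flows that match a sign."""
    alerts = []
    for f in flows:
        pair = f"{f.src_ip}->{f.dst_ip}:{f.dst_port}"

        # Unknown internal source, or a source whose MAC disagrees with inventory
        if _in_any(f.src_ip, INTERNAL_NETS):
            expected_mac = KNOWN_HOSTS.get(f.src_ip)
            if expected_mac is None:
                alerts.append(("unknown-internal-host", f.src_ip))
            elif expected_mac.lower() != f.src_mac.lower():
                alerts.append(("ip-mac-mismatch", f"{f.src_ip} seen with {f.src_mac}"))

        # Large flows, host-to-host or to an external address not on the allow list
        if f.bytes_out >= LARGE_FLOW_BYTES:
            if _in_any(f.dst_ip, INTERNAL_NETS):
                alerts.append(("large-internal-flow", pair))
            elif not _in_any(f.dst_ip, ALLOWED_EXTERNAL):
                alerts.append(("large-flow-unexpected-external", pair))

        # IPv6 traffic on a segment where the baseline says it is never used
        if not IPV6_BASELINE_IN_USE and (
            ip_address(f.src_ip).version == 6 or ip_address(f.dst_ip).version == 6
        ):
            alerts.append(("first-ipv6-flow", pair))

        # Traffic to the plain-HTTP port: a candidate for cleartext review
        if f.dst_port == 80:
            alerts.append(("cleartext-http-port", pair))
    return alerts


# Constructed sample flows (documentation/TEST-NET addresses, fabricated MACs)
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "aa:bb:cc:00:00:10", "10.0.1.11", 445, 10 * 1024 * 1024),
    Flow("10.0.1.12", "aa:bb:cc:00:00:12", "198.51.100.7", 443, 2 * 1024 ** 3),
    Flow("10.0.1.11", "aa:bb:cc:00:00:99", "203.0.113.5", 443, 1 * 1024 ** 3),
    Flow("fd00::10", "aa:bb:cc:00:00:10", "2001:db8::1", 443, 1024 * 1024),
    Flow("10.0.1.10", "aa:bb:cc:00:00:10", "192.0.2.9", 80, 4096),
]

if __name__ == "__main__":
    for sign, detail in analyze(SAMPLE_FLOWS):
        print(f"{sign:32} {detail}")
```

The first sample flow is a normal known host talking to another known host and raises nothing; the large transfer to the organisation's own cloud range is also silent, because the point of an allow list is to keep the large-flow alert focused on destinations nobody approved. Port 80 is flagged only as a review candidate, since a port number alone does not prove the payload was cleartext.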
InfoSec experts employ many tricks to prevent data exfiltration, and the warning signs listed here are just the tip of the iceberg. It's a good baseline, but, in general, if something doesn't seem right, it probably isn't.
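The account-hygiene sign in the list (employee exits without account removals, zombie user account accesses, large repository pulls from civilian users) is checked against identity data rather than packets: an HR offboarding feed and an authentication/repository log. The script below is an added example, not code from the original article; the log format, user names, exit dates, group membership and pull threshold are all constructed.

```python
"""Account-hygiene checks: activity by accounts that should have been removed
at employee exit, and whole-repository pulls by users outside the engineering
group. HR data, group membership and log lines are constructed."""
import re
from datetime import datetime, timezone

# Constructed HR offboarding feed: username -> last working day (UTC)
EXITED = {
    "jdoe": datetime(2018, 9, 14, tzinfo=timezone.utc),
}
# Constructed group membership: users expected to pull whole repositories
ENGINEERING = {"alice"}
LARGE_PULL_BYTES = 200 * 1024 * 1024   # 200 MiB per pull; tune to the site

# Constructed log format: ISO-8601 UTC timestamp followed by key=value pairs
_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one log line into a dict of fields, or None if it is malformed."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(_KV.findall(m.group("kv")))
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def audit(lines, exited=EXITED, engineering=ENGINEERING):
    """Return (sign, user, detail) alerts for every log line that matches."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or "user" not in ev:
            continue
        user = ev["user"]
        action = ev.get("action", "?")

        # Any activity after the exit date means the account was never removed
        exit_day = exited.get(user)
        if exit_day is not None and ev["ts"] > exit_day:
            alerts.append(("zombie-account-activity", user, action))

        # Whole-repository pulls by users with no engineering role
        if action == "repo_pull" and user not in engineering:
            if int(ev.get("bytes", "0")) >= LARGE_PULL_BYTES:
                alerts.append(("large-pull-non-engineer", user, ev.get("repo", "?")))
    return alerts


# Constructed sample log: five events, one of them a non-engineer's bulk pull
# and two from an account whose owner left two weeks earlier.
SAMPLE_LOG = [
    "2018-09-27T09:00:00Z user=alice action=repo_pull repo=app bytes=524288000",
    "2018-09-27T09:05:00Z user=bob action=repo_pull repo=app bytes=524288000",
    "2018-09-27T10:00:00Z user=bob action=login src=10.0.1.60",
    "2018-09-28T02:14:07Z user=jdoe action=login src=10.0.1.55",
    "2018-09-28T02:20:11Z user=jdoe action=repo_pull repo=payroll bytes=734003200",
]

if __name__ == "__main__":
    for sign, user, detail in audit(SAMPLE_LOG):
        print(f"{sign:26} {user:8} {detail}")
```

The exit-date comparison is deliberately simple: a single login after the last working day is already a finding, because the interesting question is why the account still exists, not how much it did. Feeding the real HR feed and a real group directory into the two constructed tables is the only change needed to run this against an actual log.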