Data Exfiltration

Risk Glossary

For many organizations, their data is their most valuable resource.

Research and development (R&D) data and intellectual property (IP) are essential to maintaining competitive advantage and competing in the marketplace. Customer information is crucial to marketing and sales efforts.

The value of this data also makes it a common target of attack. Threats – whether internal or external – can gain access to a company’s data in a variety of different ways.

However, access isn’t enough without a method for actually getting the data off of an organization’s systems and out of its network.

What is data exfiltration?

Data exfiltration is the process of getting sensitive data from inside an organization’s network and systems to outside, where it is of use to or accessible to an attacker. Data thieves can use a variety of different methods to sneak data out of an organization’s network while attempting to evade data protection and data loss prevention (DLP) solutions.

How can data exfiltration be prevented?

Data exfiltration can be performed for different reasons by different people. While data exfiltration is a serious threat to corporate cybersecurity and data protection, it is not always an intentional “attack”. Effective data exfiltration prevention requires an understanding of the reasons why someone with access to sensitive data is attempting to take it from the company.

Departing employees

One of the biggest data exfiltration threats is departing employees. In fact, 63% of employees admit to bringing company data with them to a new job. These employees, who believe that their work and data belong to them, exploit their legitimate access to data to steal it from the company.

In these cases, a traditional DLP solution is unlikely to be effective. 69% of organizations breached by insider threats had a DLP solution in place. However, a departing employee can copy files to a USB drive or access sensitive emails from home, bypassing this protection completely.

Protecting against data exfiltration by insider threats requires complete visibility into the sensitive data that these employees may attempt to bring with them. By monitoring high-risk activities, like copying files to USB or the cloud, an organization can block attempted data exfiltration by outbound employees.

Productivity improvements

While departing employees are intentionally taking a company’s data, not all insider threats act with intent. Another common source of data exfiltration is employees attempting to do their jobs more effectively.

For employees wishing to share files or access them more easily from off-site, uploading them to personal cloud storage seems like a good idea. This is especially true in the wake of COVID-19 as telework has become commonplace.

The problem with this is that data on personal cloud accounts is no longer visible to the organization and may be exposed by poorly configured security settings. As a result, external attackers may be able to gain access to and steal this exposed data. As cloud usage increased after COVID-19, employees became 85% more likely to unintentionally leak files.

Protecting against this type of data exfiltration requires a two-step approach. Achieving visibility into high-risk activities like cloud uploads is essential to blocking this unintentional data leakage.

At the same time, organizations should take steps to make this type of workaround unnecessary. This can be accomplished by:

  • Setting up official cloud storage accounts for data sharing.
  • Soliciting employee input regarding processes and technology that hurt productivity.
  • Training employees on company policy and data protection.

By eliminating the need for insecure workarounds and monitoring for accidental leakages, organizations can decrease their risk of unintentional data exfiltration by well-meaning employees.

External attackers

While insider threats are responsible for a significant percentage of data exfiltration, external attackers account for their fair share of data breaches. A little over a third (36%) of data breaches involve external attackers.

These types of attacks look a little different from insider threats because the attackers rarely have the same level of access as legitimate employees. For example, an external attacker can’t copy critical files to a USB drive and carry it out of the building.

Instead, these attackers use a variety of methods for stealthily removing data over the network. For example, a DNS exfiltration attack hides the data being stolen in DNS requests. Since DNS is essential for converting the domain names used by people (like code42.com) into the IP addresses used by computers, DNS requests aren’t blocked by firewalls, which makes them a useful channel for data exfiltration.

Due to the variety of methods that external attackers use for exfiltration, the best way to block data theft is catching it before exfiltration occurs. Monitoring sensitive data for unusual or unauthorized access can identify attempted breaches before they begin.
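The two paragraphs above describe DNS exfiltration and the value of monitoring for it. The following added example, which is not from the original page or from Code42, shows one way a defender can spot the pattern in DNS query logs: data smuggled in DNS requests has to be encoded into query names, so it tends to produce many unique, long, high-entropy subdomains under one domain from one client. The log format, the sample lines, the domain names and the thresholds (MIN_LABEL_LEN, MIN_ENTROPY, MIN_UNIQUE_SUBDOMAINS) are all constructed for this illustration; the "last two labels" rule for the registered domain is a simplification that a production check would replace with the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client IP, queried name).
# Not a real capture; the tunnel-example.net lines imitate encoded chunks.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com
2024-05-01T10:00:02Z 10.0.0.5 mail.example.com
2024-05-01T10:00:03Z 10.0.0.7 mfrggzdfmztwq2lknnwg.tunnel-example.net
2024-05-01T10:00:03Z 10.0.0.7 ob2xe3dpmv3ws4tfnzsx.tunnel-example.net
2024-05-01T10:00:04Z 10.0.0.7 gy4tfojzgq2dmnrtgm3d.tunnel-example.net
2024-05-01T10:00:04Z 10.0.0.7 knrwg5dfn5rg24dpojsw.tunnel-example.net
2024-05-01T10:00:05Z 10.0.0.7 mzswyzlsnzuxe3dfn5qw.tunnel-example.net
2024-05-01T10:00:05Z 10.0.0.9 a1b2c3d4e5.cdn-example.net
2024-05-01T10:00:06Z 10.0.0.9 ob2xe3dpmv3ws4tfnzsx.other-example.org
2024-05-01T10:00:07Z 10.0.0.5 cdn.example.com
"""

# Assumed thresholds for this illustration; tune against your own baseline.
MIN_LABEL_LEN = 16          # encoded chunks are long; most human-chosen labels are not
MIN_ENTROPY = 3.0           # bits per character; encoded data looks close to random
MIN_UNIQUE_SUBDOMAINS = 4   # one odd name is noise, a stream of them is a channel


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    if not label:
        return 0.0
    counts = {}
    for ch in label:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name (simplification; real code uses the Public Suffix List)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_encoded_looking(qname):
    """True if any label is both long and high-entropy, as encoded payload chunks are."""
    for label in qname.rstrip(".").lower().split("."):
        if len(label) >= MIN_LABEL_LEN and label_entropy(label) >= MIN_ENTROPY:
            return True
    return False


def parse_log(text):
    """Parse the constructed 'timestamp client qname' lines; skip malformed ones."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        rows.append((parts[0], parts[1], parts[2]))
    return rows


def find_suspect_domains(rows):
    """Return {registered_domain: {client: sorted unique encoded-looking names}}
    for every (domain, client) pair that crosses the unique-subdomain threshold."""
    per_domain = defaultdict(lambda: defaultdict(set))
    for _, client, qname in rows:
        if is_encoded_looking(qname):
            per_domain[registered_domain(qname)][client].add(qname)
    findings = {}
    for domain, clients in per_domain.items():
        for client, names in clients.items():
            if len(names) >= MIN_UNIQUE_SUBDOMAINS:
                findings.setdefault(domain, {})[client] = sorted(names)
    return findings


if __name__ == "__main__":
    for domain, clients in find_suspect_domains(parse_log(SAMPLE_LOG)).items():
        for client, names in clients.items():
            print(f"{client} -> {domain}: {len(names)} unique encoded-looking subdomains")
```

Run as-is, the script reports only 10.0.0.7 talking to tunnel-example.net: the short CDN-style label and the single odd query to other-example.org stay below the thresholds, which is the point of combining a per-query heuristic with a per-client volume count rather than alerting on any one unusual name. The same entropy-and-volume idea applies to other covert channels (for example, long encoded URL paths), with the thresholds re-tuned for that protocol.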

Minimizing the risk of data exfiltration

78% of security leaders believe prevention solutions are not enough to stop insider threats like data exfiltration.

Organizations must deploy solutions capable of identifying and blocking actions that place sensitive data at risk (intentionally or unintentionally).

Why legacy solutions are incapable of effectively protecting against data exfiltration