
What is data exfiltration in cybersecurity? 5 key facts


Data exfiltration is a serious cybersecurity threat that’s affecting more industries than ever.

The attackers’ methods are becoming more sophisticated and multi-layered, and they often manage to slip through unnoticed.

Whether you’re in IT security for a housing association, a financial institution, a healthcare provider or any organisation with sensitive data, understanding how data exfiltration happens and how to stop it is critical.

Here are five key facts to help you understand the risks and what you can do to prevent a data breach.

1. Data exfiltration is the unauthorised removal of data


What is data exfiltration in cybersecurity? Data exfiltration happens when sensitive information is removed from your network without permission. This could be anything from financial records and intellectual property to personal data.

A recent report by Delinea found that data exfiltration attacks surged by 39% in 2023, with 64% of respondents now facing this type of attack.

In many cases, attackers exploit vulnerabilities to get in and quietly move data out.

Recently, housing associations have become prime targets for these attacks. Bad actors focus on exfiltrating sensitive, protected-status data, often using identity impersonation and credential harvesting as their main methods.

These organisations are especially vulnerable because of their large supply chains and mergers, creating a complex network of contractors and external partners that can be harder to protect.

2. Both external and internal threats contribute to data exfiltration

External attacks, such as phishing and malware, remain one of the most common methods for stealing data. Attackers will often use compromised credentials to slip into your system unnoticed. Once they have access, they’ll extract data in stages to avoid detection.

However, insider threats are just as dangerous, if not more so. Employees, contractors, and other insiders can either intentionally or accidentally cause data breaches.


Reuters reported that two Tesla employees managed to exfiltrate the personal data of almost 76,000 current and former employees in May 2023. They then went on to leak it to the German media.

CloudGuard CEO, Matt Lovell, said:

While the exfiltration of data by trusted employees is an unfortunate event, it’s a stark reminder that even organisations with the strongest cybersecurity protocols are not immune to insider threats.

In sectors like housing associations, where mergers and acquisitions are common, managing multiple contractors and external partners adds complexity. This makes it harder to monitor all users effectively.

This is why robust identity protection, especially when connected to networks, endpoints, and applications, is critical.

3. Attackers use sophisticated, multi-layered methods to steal data

Data exfiltration is rarely a one-step process.

Attackers often layer their methods to improve their chances of success. For example, attackers may start with identity impersonation or phishing attacks to gain access, then they slowly exfiltrate data to avoid detection.

They may even time their attacks to periods when employees are on holiday or out of the office, giving them a better chance of slipping under the radar. We covered this example in our video on Business Email Compromise attacks.


The SolarWinds attack in 2020 was a complex, multi-layered cyber espionage campaign where hackers compromised SolarWinds’ Orion software. They inserted malicious code into updates, allowing access to networks of major organisations and governments.

The attackers used stealthy tactics, including credential theft and slow data exfiltration, making it one of the most damaging and difficult-to-detect attacks in recent history.

Bad actors are also evolving their tactics to use legitimate cloud services like Google Drive and Dropbox to move stolen data. These services are commonly used in business, making it harder to detect when data is being exfiltrated.

Another sophisticated technique is using multiple vectors over an extended period. Attackers might detect weaknesses in your system and exploit them gradually, making it difficult to spot unusual data movements in real time.

4. Spotting data exfiltration can be difficult, but there are warning signs

Detecting data exfiltration early is crucial. The problem? It’s not always easy.

The signs can be subtle. Watch for unusual spikes in network traffic, large or unexpected data transfers, or unknown devices connected to the network.

Bruce Schneier, Security Technologist and Author, says:

Data exfiltration is particularly challenging to detect because it often involves legitimate credentials and normal-looking traffic. Attackers are getting better at hiding their tracks, making it essential for organizations to have robust monitoring and anomaly detection systems in place.

It’s also important to monitor for suspicious behaviour from employees, especially if they’re accessing files they don’t usually work with or are active at odd hours.

In many recent attacks, organisations have struggled to answer critical questions during an incident. Can you quickly identify what data has been exfiltrated? Can you pinpoint which customers or users have been affected in the first 24 hours?

If not, your incident response plan needs updating and CloudGuard can help you.

5. Preventing data exfiltration requires proactive monitoring and identity protection

Stopping data exfiltration before it happens is the ultimate goal here. Here’s how you can do that.

Identity protection

The first step is robust identity protection.

Diagram: how User and Entity Behavior Analytics (UEBA) architecture works in Microsoft Sentinel to detect insider threats

Monitoring user behaviour and correlating it with data movements is essential. This allows you to catch when someone is accessing or moving data they shouldn’t be.

In sectors like housing associations, where contractors and external partners are common, tight control of identity access is crucial.

SIEM systems and baseline monitoring

Security information and event management (SIEM) systems like Microsoft Sentinel are excellent tools for detecting exfiltration attempts.

Screenshot: Microsoft Sentinel overview

They help correlate multiple log sources, whether it’s from endpoints, mobile devices, or cloud services, to spot unusual patterns. Baseline monitoring can also be highly effective.

By establishing normal behaviour patterns, you can set tight alerts for out-of-band activities or unexpected data transfers.

Employee training and awareness

Many data exfiltration attempts start with phishing or social engineering.

Training your staff to recognise phishing emails and other suspicious activity can prevent attackers from getting in. Regular training is essential, as attackers are constantly evolving their methods.

Controlling cloud services and API permissions

Attackers frequently exploit weak API permissions or unauthorised applications.

Some organisations have seen attacks where oversubscribed app permissions were used to exfiltrate data. Ensuring that cloud services and third-party applications are tightly controlled, and permissions are limited, is critical.

Endpoint monitoring

Pay attention to endpoints: the devices connected to your network that could be used as the channel for data exfiltration.

Diagram: the integration of Microsoft Sentinel and Microsoft Defender for Endpoint

Attackers often use stolen credentials to gain access to an endpoint before moving data. Monitoring endpoints and securing them against unauthorised use will help reduce the risk.

Long-term and slow exfiltration: The time-based threat

Not all data exfiltration attacks are quick or immediately noticeable. In fact, some of the most dangerous attacks happen over an extended period, with attackers slowly moving small amounts of data to avoid raising alarms.

This approach, known as long-term or slow exfiltration, is a method increasingly used by cybercriminals to stay under the radar.

By extracting data in smaller, less detectable quantities, attackers can blend in with normal network traffic, making it hard to spot anomalies.

This kind of slow data theft is why continuous monitoring and long-term behavioural analysis are key.

Screenshot: detected incidents in Microsoft Sentinel

Real-time monitoring alone isn’t enough. To detect this type of attack, you need to track patterns over weeks, months, or even longer.

Monitoring unusual or unexpected data movements over time can reveal subtle signs of an ongoing breach that might otherwise be missed.
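To make the baseline monitoring idea from section 5 and the long-window point above concrete, here is an added illustration (not code from the page, CloudGuard or Microsoft Sentinel) run over constructed daily egress totals: a per-day spike check against each user’s learned baseline, beside a 30-day cumulative check that catches a low-and-slow leak the daily check never sees. User names, day ranges and the 3-sigma thresholds are assumptions chosen for the example.

```python
"""Baseline egress monitoring: per-day spike check plus a long-window check."""
from collections import defaultdict
from math import sqrt
from statistics import mean, pstdev

BASELINE_DAYS = range(1, 15)   # days 1-14: learn each user's normal egress
WATCH_DAYS = range(15, 45)     # days 15-44: 30-day detection window

# Constructed records: (day, user, MB sent to external destinations). Not real data.
RECORDS = []
for day in range(1, 45):
    RECORDS.append((day, "alice", 50 + day % 3))        # steady, benign
    RECORDS.append((day, "bob", 40 + 10 * (day % 3)))   # benign but noisy
RECORDS.append((20, "alice", 900))                       # one-off bulk transfer
for day in WATCH_DAYS:
    RECORDS.append((day, "bob", 10))                     # low-and-slow: +10 MB every day


def daily_totals(records):
    """Sum egress per user per day: {user: {day: MB}}."""
    totals = defaultdict(lambda: defaultdict(float))
    for day, user, mb in records:
        totals[user][day] += mb
    return totals


def baselines(totals, days=BASELINE_DAYS):
    """Per-user (mean, stdev) of daily egress over the learning period."""
    out = {}
    for user, per_day in totals.items():
        sample = [per_day.get(d, 0.0) for d in days]
        out[user] = (mean(sample), pstdev(sample))
    return out


def daily_spikes(totals, base, days=WATCH_DAYS, k=3.0):
    """Users with any single day above mean + k*sigma: the classic burst alert."""
    return {u for u, (mu, sigma) in base.items()
            if any(totals[u].get(d, 0.0) > mu + k * sigma for d in days)}


def slow_leaks(totals, base, days=WATCH_DAYS, k=3.0):
    """Users whose egress summed over the window exceeds n*mu + k*sigma*sqrt(n).
    Small daily increments never trip the per-day threshold but add up here."""
    n = len(days)
    return {u for u, (mu, sigma) in base.items()
            if sum(totals[u].get(d, 0.0) for d in days) > n * mu + k * sigma * sqrt(n)}


def analyse(records=RECORDS):
    """Run both detectors; bob only appears in the slow-leak set."""
    totals = daily_totals(records)
    base = baselines(totals)
    return {"spike": daily_spikes(totals, base), "slow": slow_leaks(totals, base)}
```

Bob’s extra 10 MB a day stays inside his noisy daily range, so only the cumulative check over the 30-day window flags him; Alice’s single 900 MB day trips both.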

Summary

Data exfiltration is an ever-present and evolving threat.

The tactics used by attackers are becoming more advanced, with multi-layered methods and careful timing making them harder to detect.

Organisations that handle sensitive data and manage complex supply chains are prime targets.

The key to protecting your organisation lies in being proactive. Identity protection is essential, especially when combined with advanced monitoring systems like a SIEM.

By correlating user behaviour with data movements, you’ll catch potential exfiltration attempts before they cause serious damage.

At CloudGuard, we understand how stressful it can be to stay ahead of these evolving threats. Let us help you develop the right tools and strategies to protect your organisation, reduce your workload, and keep your data secure.

Data exfiltration prevention checklist


  1. Identity protection
  • Implement multi-factor authentication (MFA) across all systems.
  • Regularly review and limit user permissions, especially for contractors and external partners.
  • Monitor user behaviour and correlate with data movements (e.g. accessing data at unusual times).
  • Use identity management tools to track endpoint, network, and application access.
  2. Monitoring and detection
  • Deploy a Security Information and Event Management (SIEM) system to correlate log sources (e.g. endpoints, mobile devices, cloud services).
  • Establish normal user and network behaviour patterns for baseline monitoring.
  • Set up alerts for unusual data transfers, login times, or access to sensitive files.
  • Regularly audit network traffic for unexpected spikes or anomalies.
  3. Endpoint and device security
  • Monitor endpoints for unauthorised device connections and access attempts.
  • Implement encryption for sensitive data stored on endpoints.
  • Secure all mobile and remote devices with strong passwords, encryption, and remote wipe capabilities.
  • Limit the use of external storage devices (e.g. USBs) or block them entirely.
  4. Cloud services and third-party application management
  • Regularly review cloud services and application permissions, revoking those that are unnecessary or excessive.
  • Ensure that third-party API permissions are tightly controlled and secured.
  • Monitor for unauthorised uploads to external file-sharing platforms (e.g. Google Drive, Dropbox).
  • Ensure all third-party applications are authorised and verified.
  5. Incident response and planning
  • Develop and regularly test an Incident Response Plan for data breaches.
  • Ensure the ability to identify what data has been exfiltrated and which customers are affected within 24 hours of an incident.
  • Prepare for slow exfiltration attempts by monitoring long-term data movements.
  • Conduct regular drills to ensure the team is ready for rapid response.
  6. Phishing and social engineering defence
  • Train employees to recognise phishing attacks and social engineering tactics.
  • Regularly conduct phishing simulations and refresher courses on cybersecurity best practices.
  • Implement email filtering systems to block phishing emails and malicious attachments.
  • Ensure compromised credentials are immediately revoked and reset.
  7. Data classification and access control
  • Classify sensitive data and limit access to those who need it.
  • Monitor access to sensitive data, ensuring it aligns with the user’s role.
  • Set up alerts for any attempts to access data outside of normal business hours or from unusual locations.
  • Regularly review who has access to critical data and adjust permissions as needed.
  8. Addressing insider threats
  • Monitor user activity for suspicious behaviour, such as accessing data they don’t typically work with.
  • Implement policies to detect and investigate unauthorised data movements or leaks.
  • Provide regular training for employees on the risks of insider threats.
  • Limit access to data during staff changes or periods of high turnover, especially in complex supply chains.
Author: Thomas Shelton
