Data Exfiltration

What Is Data Exfiltration?

Data exfiltration is a specialized type of data theft: it occurs when digitally stored data is unlawfully transferred or copied out of its owner's control. Once threat actors successfully exfiltrate data, they may share or sell it on the dark web, or hold it for ransom to extort money from the victim. Today, 89% of ransomware attacks include data exfiltration. Often, cybercriminals don't encrypt anything at all; they simply steal the data and attempt to collect a ransom for it. Losing this data can affect not only an enterprise's daily operations but also its longevity, because reputational damage is hard to overcome. As a result, many SMBs never recover from a data loss incident.

How Do Hackers Exfiltrate Data?

Cybercriminals use many different techniques to exfiltrate data from a victim's network. Often, the initial connection to a target system is made through malware, which establishes a shell connection with the victim computer. This shell connection lets the attacker interact directly with the target computer's operating system; once it is established, the attacker can instruct the victim computer to "share" its data with a server the attacker controls. Cybercriminals are crafty: they often cap the amount of data exfiltrated at one time to avoid triggering security tools, and they use common protocols such as HTTP, HTTPS, and DNS, which firewalls generally do not block.

How to Detect Data Exfiltration

Although cybercriminals are good at obscuring their activity, there are anomalies an analyst can observe while data is being exfiltrated. Monitor open ports for unusual traffic volumes and for connections from unknown IP addresses. Pay special attention to the commonly abused protocols HTTP, HTTPS, and DNS. Look at the time of day data is being moved: attackers often try to transfer data outside business hours. No detection technique is foolproof, and data exfiltration can be hard to detect until it is too late.
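The indicators listed above (unusual volume, unknown destinations, the commonly abused ports, off-hours timing, and the small chunks attackers use to stay under size alarms) can be combined into a simple triage rule over per-connection flow records. The script below is an added example, not ThreatLocker code; the flow records, allowlist, business hours and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flows (timestamp, source host, destination IP, port, bytes sent).
SAMPLE_FLOWS = [
    # Daytime HTTPS to a destination the organisation already approved.
    ("2024-03-04T10:15:00", "ws-07", "203.0.113.10", 443, 120_000),
    ("2024-03-04T10:16:00", "ws-07", "203.0.113.10", 443, 80_000),
    # One large daytime HTTPS upload to an address nobody approved.
    ("2024-03-04T14:00:00", "ws-03", "192.0.2.55", 443, 50_000_000),
] + [
    # Forty small DNS transfers at 02:00 to an unknown host: chunked and off-hours.
    (f"2024-03-04T02:{m:02d}:00", "ws-12", "198.51.100.7", 53, 900)
    for m in range(40)
]

KNOWN_DESTINATIONS = {"203.0.113.10"}  # assumed allowlist of approved servers
ABUSED_PORTS = {80: "HTTP", 443: "HTTPS", 53: "DNS"}
BUSINESS_HOURS = range(8, 18)          # assumed local working hours
HIGH_VOLUME_BYTES = 10_000_000         # assumed per-destination threshold
MANY_SMALL_COUNT, SMALL_CHUNK_BYTES = 20, 2_000  # chunking heuristic


def find_exfil_candidates(flows, known=KNOWN_DESTINATIONS):
    """Group flows per (host, destination, port); report groups to unknown
    destinations that also show volume, chunking or off-hours indicators."""
    groups = defaultdict(lambda: {"bytes": 0, "count": 0, "off_hours": 0})
    for ts, src, dst, port, nbytes in flows:
        g = groups[(src, dst, port)]
        g["bytes"] += nbytes
        g["count"] += 1
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            g["off_hours"] += 1
    findings = []
    for (src, dst, port), g in groups.items():
        if dst in known:
            continue  # approved destination: not a candidate
        reasons = []
        if g["bytes"] >= HIGH_VOLUME_BYTES:
            reasons.append("high-volume")
        if g["count"] >= MANY_SMALL_COUNT and g["bytes"] / g["count"] < SMALL_CHUNK_BYTES:
            reasons.append("many-small-transfers")
        if g["off_hours"]:
            reasons.append("off-hours")
        if not reasons:
            continue  # an unknown host on its own is ordinary browsing
        if port in ABUSED_PORTS:
            reasons.append("over-" + ABUSED_PORTS[port])
        findings.append({"src": src, "dst": dst, "port": port, "bytes": g["bytes"],
                         "flows": g["count"], "reasons": reasons})
    return sorted(findings, key=lambda f: -f["bytes"])
```

Run against the sample, the approved HTTPS destination is ignored, the 50 MB upload is flagged for volume, and the DNS traffic is flagged for chunking and off-hours timing despite its small total size.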

How to Prevent Data Exfiltration

Instead of reacting once data loss has been discovered, proactively guard against it. ThreatLocker Network Control provides total control over inbound network connections. Using agent authentication and dynamic ACLs, policies can be created to permit on-demand access only to the devices that require it; no unauthorized device is allowed to connect to, or even see, the open port. Locking down network access in this way prevents threat actors from gaining access to the network or moving laterally within it.

Apply ThreatLocker Storage Control to govern access to local files, network shares, and external devices and so prevent data exfiltration. Create policies that permit access to data locations only for the users and applications that need it, for example allowing only your backup software to access backup files.

The ThreatLocker Ringfencing™ solution creates boundaries that specify what permitted applications can access: for example, block PowerShell and CMD, two commonly abused shell programs, from reaching protected file locations. Use Network Control, Storage Control, and Ringfencing™ together to provide layered protection against data exfiltration.
