Data Exfiltration Channels Used by Attackers (and How to Defend Them)

Data exfiltration is a major risk for most organizations, particularly those with highly valuable or sensitive information. Whether accidental or intentional, insider threats within an organization may be putting sensitive data at risk every day. Hackers also target privileged insiders with credential theft attempts, including phishing and social engineering attacks. That’s why it’s critical for organizations to understand the top data exfiltration channels used by both insiders and external attackers, and how to defend them. 

Here are a few of the most common ways data leaves an organization:

Databases: The Most Vulnerable IT Asset

According to research from CA Technologies, databases are the most vulnerable IT asset. That makes sense: databases are the crown jewels of sensitive information, and if an attacker gets into one, there is a high likelihood of finding something extraordinarily valuable to the organization.

Privileged administrative users, such as network, application, database and other system administrators, along with trusted third-party contractors, usually work with at least one critical database on a daily basis. Given a motive, these insiders can easily misuse their privileges, and they are also prime targets of sophisticated credential theft attacks. Databases that aren’t protected with multiple layers of defense and monitoring are particularly exposed.

Many organizations make the mistake of relying on data loss prevention (DLP) solutions to defend against and respond to data exfiltration. Unfortunately, these systems depend on security teams carefully and regularly cataloging assets such as database records, which, in today’s fast-paced climate, is unrealistic at best. As a result, DLP systems quickly fall out of date and miss sensitive data movement. In addition, they lack the context needed to establish what happened once a database has been breached and data exposed or exfiltrated.

Instead, organizations should track user activity together with data activity to understand exactly who did what, when, where and why. This context helps security analysts detect suspicious data movement and investigate insider-related data exfiltration incidents faster.
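One way to build that who/what/when/where context, as an added example that is not part of this article and not code from any Proofpoint product: the Python below joins a constructed database audit log with a constructed login-session log, baselines each account’s usual row volume with a median, and flags queries that are anomalous in volume, time of day or origin. The log formats, the thresholds (business hours, ten times the median, two sessions before a location counts as usual) and every account name and address are assumptions made for illustration.

```python
"""Correlate a database audit log with login-session context so each query
can be answered for who, what, when, where and why. Added example: both log
formats below are constructed for illustration, not any product's real format."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed database audit log: timestamp, account, source address, statement, table, rows returned
DB_AUDIT = [
    "2019-06-03T09:12:04 dba_alice 10.0.5.21 SELECT customers 120",
    "2019-06-03T10:40:51 dba_alice 10.0.5.21 SELECT customers 95",
    "2019-06-04T09:02:13 dba_alice 10.0.5.21 SELECT orders 210",
    "2019-06-05T11:30:00 dba_alice 10.0.5.21 SELECT customers 140",
    "2019-06-06T02:17:45 dba_alice 203.0.113.9 SELECT customers 48000",
    "2019-06-03T14:05:09 app_svc 10.0.7.3 SELECT orders 30",
    "2019-06-04T14:06:11 app_svc 10.0.7.3 SELECT orders 28",
    "2019-06-06T14:07:30 app_svc 10.0.7.3 SELECT orders 31",
]

# Constructed login/session log: timestamp, account, address used, location label
SESSIONS = [
    "2019-06-03T08:55:00 dba_alice 10.0.5.21 HQ-office",
    "2019-06-04T08:50:00 dba_alice 10.0.5.21 HQ-office",
    "2019-06-05T08:58:00 dba_alice 10.0.5.21 HQ-office",
    "2019-06-06T02:10:00 dba_alice 203.0.113.9 remote-unknown",
    "2019-06-03T13:59:00 app_svc 10.0.7.3 app-tier",
    "2019-06-04T13:59:00 app_svc 10.0.7.3 app-tier",
    "2019-06-06T13:59:00 app_svc 10.0.7.3 app-tier",
]

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal working time
VOLUME_FACTOR = 10             # assumption: >10x the account's median row count is suspicious
USUAL_MIN_SESSIONS = 2         # assumption: a location seen twice or more is "usual" for that account


def parse_audit(lines):
    events = []
    for line in lines:
        ts, user, host, op, table, rows = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "op": op, "table": table, "rows": int(rows)})
    return events


def session_context(lines):
    """Return (where, usual): the location behind each (account, address) pair,
    and per account the set of locations seen often enough to count as normal."""
    where, seen = {}, defaultdict(Counter)
    for line in lines:
        _ts, user, addr, loc = line.split()
        where[(user, addr)] = loc
        seen[user][loc] += 1
    usual = {u: {loc for loc, n in c.items() if n >= USUAL_MIN_SESSIONS} for u, c in seen.items()}
    return where, usual


def baseline_rows(events):
    """Per-account median of rows returned; the median is robust to the single spike we want to catch."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e["rows"])
    return {u: median(rows) for u, rows in per_user.items()}


def detect(audit_lines, session_lines):
    """Return one alert per audit event that is anomalous in volume, time or origin."""
    events = parse_audit(audit_lines)
    where, usual = session_context(session_lines)
    base = baseline_rows(events)
    alerts = []
    for e in events:
        reasons = []
        if e["rows"] > VOLUME_FACTOR * base[e["user"]]:
            reasons.append(f"{e['rows']} rows returned vs. median {base[e['user']]:.0f}")
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append(f"off-hours query at {e['ts'].strftime('%H:%M')}")
        loc = where.get((e["user"], e["host"]), "no matching session")
        if loc not in usual.get(e["user"], set()):
            reasons.append(f"unusual origin {e['host']} ({loc})")
        if reasons:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "table": e["table"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(DB_AUDIT, SESSIONS):
        print(a["ts"], a["user"], a["table"], "; ".join(a["reasons"]))
```

Run stand-alone, only the 02:17 query against `customers` is reported, and it carries all three reasons at once: a row count far above the account’s median, an off-hours timestamp, and a source address whose session came from a location that account had never used before. That stacking of reasons is the context a bare DLP match on the table name cannot give an analyst.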

Email and Cloud Storage: The Daily Threat

Employees and contractors rely on technologies like email and cloud storage every day to do their jobs effectively. A vast amount of sensitive information travels through these channels, which makes them particularly effective for data exfiltration. Malicious insiders can use everyday, seemingly mundane actions on these channels to steal corporate information, and simple mistakes can send a sensitive file to the wrong audience or leave sensitive folders unprotected in the cloud, often without anyone noticing.

For example, according to Verizon’s 2019 Data Breach Investigations Report (DBIR), 32% of all security incidents involved phishing. Even though many users understand phishing at a surface level, social engineering attacks continue to grow more sophisticated and realistic. CEOs and other C-level executives are particularly prone to these attacks; for instance, hackers may use a CEO’s name to send a corporate email that looks legitimate. Others may attempt to steal cloud account credentials by sending emails that appear to come from the vendor itself.

A combination of cybersecurity awareness training and dedicated insider threat management solutions can help defend against these everyday threats. If employees are properly trained to identify phishing attacks, they can greatly increase their confidence and reduce the risk of accidental insider threats. In addition, dedicated insider threat management solutions, such as Proofpoint ITM, warn the user (and can notify the security team) in real time when the user may be violating security policies.

Removable Media: Old-School but Not to Be Ignored

Everyone has at least one USB drive hiding in a desk drawer somewhere, and many people still use them daily. Even though cloud storage has started to send USB drives slowly into the computer history museum, they remain one of the most common data exfiltration channels.

Accidental insider threat incidents happen easily with USB drives: users misplace drives containing sensitive company or personal data, or the drives fall into the wrong hands. USB drives are also a common channel for malicious actors to spread malware to local machines; research from Kaspersky shows that one in four users worldwide is affected by these “local” malware threats.

Some organizations choose to lock down USB ports throughout the organization, either by physically blocking the ports or with endpoint protection tools. Where cloud storage options abound, this type of policy may be only minimally disruptive to people’s workflows. If a significant portion of the workforce will continue to use USB drives, insider threat management can help security analysts detect and respond in real time when USB drives are being used to maliciously exfiltrate data.

As for accidental insider threats, while you can’t prevent people from losing USB drives, you can inform them of best practices for acceptable USB drive use. Better yet, point them to secure, encrypted or password-protected cloud storage alternatives. Adopting a no-USB policy for your organization will decrease the risk of data loss and also prevent malware from being introduced via this threat vector.
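The detection side of the USB policy described above, as an added example that is not part of this article and not code from Proofpoint ITM or any endpoint agent: the Python below groups constructed endpoint events into device sessions (attach, file copies, detach) and alerts on a session when the drive is not on an approved-device list, when a file came from a folder designated sensitive, or when the total volume copied in one session exceeds a limit. The event format, the approved serials, the sensitive folders, the 100 MiB limit and all user names are assumptions made for illustration.

```python
"""Sessionize endpoint events around removable-media use and flag device
sessions that break a simple policy. Added example with a constructed event
format; it is not the output of any real endpoint agent or ITM product."""
from datetime import datetime

# Constructed endpoint events: timestamp, user, event type, key=value details (no spaces in values)
ENDPOINT_EVENTS = [
    "2019-06-06T13:02:10 jsmith usb_attach serial=CONSTRUCTED-4F1A",
    "2019-06-06T13:02:48 jsmith file_copy src=C:/Finance/Q2_forecast.xlsx dst=E:/ bytes=2400000",
    "2019-06-06T13:03:15 jsmith file_copy src=C:/Users/jsmith/photo.jpg dst=E:/ bytes=3100000",
    "2019-06-06T13:05:00 jsmith usb_detach serial=CONSTRUCTED-4F1A",
    "2019-06-06T15:20:00 mlee usb_attach serial=CONSTRUCTED-9B22",
    "2019-06-06T15:21:02 mlee file_copy src=C:/Users/mlee/notes.txt dst=D:/ bytes=12000",
    "2019-06-06T15:30:00 mlee usb_detach serial=CONSTRUCTED-9B22",
    "2019-06-06T16:00:00 rpatel usb_attach serial=CONSTRUCTED-77C0",
    "2019-06-06T16:01:30 rpatel file_copy src=C:/Projects/build1.zip dst=F:/ bytes=45000000",
    "2019-06-06T16:04:10 rpatel file_copy src=C:/Projects/build2.zip dst=F:/ bytes=40000000",
    "2019-06-06T16:08:55 rpatel file_copy src=C:/Projects/build3.zip dst=F:/ bytes=38000000",
    "2019-06-06T16:12:00 rpatel usb_detach serial=CONSTRUCTED-77C0",
]

APPROVED_DEVICES = {"CONSTRUCTED-9B22"}       # assumption: serials of company-issued encrypted drives
SENSITIVE_ROOTS = ("C:/Finance/", "C:/HR/")   # assumption: folders that must never reach removable media
VOLUME_LIMIT = 100 * 1024 * 1024              # assumption: more than 100 MiB per device session is suspicious


def parse_event(line):
    ts, user, kind, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "user": user, "kind": kind}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def sessionize(lines):
    """Group each user's file copies under the attach/detach of the drive they had plugged in."""
    active = {}   # user -> open session; assumption: one removable drive per user at a time
    sessions = []
    for ev in map(parse_event, lines):
        if ev["kind"] == "usb_attach":
            active[ev["user"]] = {"user": ev["user"], "serial": ev["serial"],
                                  "start": ev["ts"], "end": None, "copies": [], "bytes": 0}
        elif ev["kind"] == "file_copy" and ev["user"] in active:
            s = active[ev["user"]]
            s["copies"].append(ev["src"])
            s["bytes"] += int(ev["bytes"])
        elif ev["kind"] == "usb_detach" and ev["user"] in active:
            s = active.pop(ev["user"])
            s["end"] = ev["ts"]
            sessions.append(s)
    sessions.extend(active.values())   # drives still attached when the log ends
    return sessions


def evaluate(session):
    """Return the policy reasons a session should be alerted on (an empty list means clean)."""
    reasons = []
    if session["serial"] not in APPROVED_DEVICES:
        reasons.append(f"unapproved device {session['serial']}")
    sensitive = [p for p in session["copies"] if p.startswith(SENSITIVE_ROOTS)]
    if sensitive:
        reasons.append("sensitive paths copied: " + ", ".join(sensitive))
    if session["bytes"] > VOLUME_LIMIT:
        reasons.append(f"{session['bytes'] / 2**20:.0f} MiB copied in one session")
    return reasons


def detect(lines):
    alerts = []
    for s in sessionize(lines):
        reasons = evaluate(s)
        if reasons:
            alerts.append({"user": s["user"], "serial": s["serial"],
                           "bytes": s["bytes"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect(ENDPOINT_EVENTS):
        print(a["user"], a["serial"], "; ".join(a["reasons"]))
```

On the constructed input, the approved encrypted drive used for a small personal file produces no alert, the unapproved drive that received a file from the finance folder is flagged even though the volume is tiny, and the third session is flagged on volume alone. Keying the session on the device serial rather than the drive letter is what lets the approved-device check work at all, since drive letters are reassigned freely.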

With vigilance, dedicated insider threat management tools, and proper cybersecurity training, organizations can effectively defend some of the most common data exfiltration channels.

What other ways does data typically leave your organization?