What Is Data Exfiltration?

Data exfiltration is defined as the unauthorized copying, transfer, or retrieval of data from either a server or an individual’s computer. It’s a type of security breach that occurs when individual or company data is illicitly copied, transferred, or retrieved from a device or server without proper authorization, often with malicious intent.

As a critical security concern with potentially catastrophic consequences, organizations with high-value data are particularly at risk of data exfiltration attacks, whether they’re from outside threat actors or trusted insiders. They can occur through multiple attack methods, ranging from phishing and malware attacks to physical theft and file-sharing sites.

Today, data exfiltration ranks among the top organizational concerns. According to a recent study from McAfee, 61 percent of security professionals have experienced a data breach at their current companies. With stricter compliance regulations around data privacy, like GDPR and California Consumer Privacy Act, the stakes for reporting data exfiltration events have also significantly increased.

Data exfiltration can be conducted manually by an individual with physical access to a computer but can also be automated through malicious programming over a network.

According to McAfee’s research cited above, the most common data exfiltration methods at organizations include:

• Database leaks
• Network traffic
• File shares
• Corporate email
• Malware attacks

Cloud Apps and Databases

A recent CA Technologies Insider Threat report called databases “the number-one most vulnerable IT asset,” ahead of file servers, cloud apps, and mobile devices. Because the data contained within them is so valuable, databases are commonly targeted by both insiders and external attackers alike.

Exfiltration of Data Through Removable Storage Media

Removable media are another common insider threat vector. Even in the age of ubiquitous cloud storage, old-school data exfiltration methods like flash drives are still pervasive. While altogether banning USB use for every organization is unrealistic, employees must understand the risks and adhere to policies around data access and storage.

While file shares top the list of data exfiltration methods in North America, USB drives are the number-one exfiltration vector in APAC and Europe.

Accidental Insider Threats

Besides users with malicious intentions, accidental insider threats are a primary cause of data exfiltration. Phishing emails and social engineering attacks remain a tried-and-true way for hackers to access company data. In addition, weak or reused passwords, or a lack of multifactor authentication, are common weaknesses hackers look for to infiltrate a user’s account. In these scenarios, the best defense is often cybersecurity awareness. McAfee’s study also showed that insider threats frequently used email data exfiltration.

Data Misuse

According to a recent Verizon Insider Threat Report, misuse is another top cause of data exfiltration. Unlike its careless cousin, the accidental insider threat, misuse is when users intentionally or unintentionally circumvent security controls or policies. For example, an employee may use unsanctioned software to work with a third-party contractor because it’s faster or easier to use, resulting in unintentional data exfiltration.

Employees can also exfiltrate company data in various ways, including personal email accounts, cloud storage, printers, file-sharing sites, keyboard shortcuts, and more. Organizations can find it challenging to distinguish legitimate user activity from malicious activity. However, using a system that delivers context into user actions can help.

Malware Attacks

Data exfiltration is often the target of malware attacks, where the malware is injected onto a computer or mobile device connected to an organization’s network. Once injected, the malware exfiltrates the data to an external server controlled by the attacker, where it’s sold or distributed. These malware attacks can be designed to spread across an organization’s network and infiltrate other devices, searching for sensitive corporate data to exfiltrate information.

Preventing data exfiltration is a critical cybersecurity initiative that requires dedicated user monitoring as well as data activity monitoring to ensure unauthorized activity is addressed in real-time. These measures, combined with the following tools and protocols, can effectively prevent data exfiltration from infiltrating an organization’s network:

• Monitor user activity: Consistently monitor user activity and remain vigilant of any suspicious activity. Administrators should track who accesses what files, when, and how often, as well as identify unusual user behavior that could indicate a security breach.
• Implement multifactor authentication: Leveraging multifactor authentication on all user accounts across a given network ensures that only authorized users can access the system. This common authentication protocol pays dividends in preventing unauthorized access to sensitive data.
• Use secure passwords: Implement policies requiring all user accounts to have strong passwords, such as using 12 or more characters in length with upper and lowercase letters, numbers, and symbols and limiting the reuse of passwords across multiple accounts.
• Regularly update software and systems: Regularly update software and systems to ensure they are protected against the latest security threats. This will help prevent attackers from exploiting vulnerabilities in outdated software and systems.
• Use data loss prevention (DLP) tools: Use DLP tools to monitor and prevent the unauthorized transfer of sensitive data. DLP tools can detect and prevent data exfiltration by monitoring network traffic and user activity.
• Use encryption: Encryption helps prevent data exfiltration by protecting sensitive data that’s both in use and stored. Encryption is essential in preventing attackers from accessing sensitive data, even if they manage to exfiltrate it.
• Maintain user experience: Preventing data exfiltration must not negatively impact user activity. Therefore, organizations should ensure that their prevention measures do not harm user productivity.

As an alternative or supplement to a DLP solution, organizations should adopt a dedicated insider threat management solution to prevent data exfiltration. Unlike DLP solutions, an insider threat management platform, like Proofpoint’s, relies on a combination of user and data activity monitoring. While DLPs and other tools focus on the data alone, user activity monitoring helps provide context into who’s doing what, when, and why.

Many traditional security defenses are aimed outwardly. But an inward-looking user and data activity monitoring solution can detect potentially suspicious user actions that other solutions may not… until it’s too late. Since insider threats are, by definition, already inside the perimeter, they often go undetected unless visibility into user activity in context with other data proves whether an incident was unintentional or malicious. A platform like Proofpoint Insider Threat Management quickly alerts teams to a potential insider threat and delivers a user activity timeline with detailed video playback to speed investigations.

Organizations can no longer afford to leave their treasure troves of data exposed. They must learn how to stop the most common data exfiltration threats and implement the right policies and training to curb accidental threats. Embracing a dedicated insider threat management solution produces the appropriate level of context for a potential incident. If you’d like to give Proofpoint’s sandbox environment a spin, feel free to try us out (no download or installation required) and see how simple it can be to catch and stop data exfiltration at your organization.