Escaped data is no fun. Data exfiltration breaches have now hit almost every industry, including government. Even universities can’t seem to keep a cap on data losses. Often, pwning data becomes simple, and, at 10GbE speeds, data exits hastily. Yes, you need to have a network protocol sniffer at key ingress/egress points, and someone who knows how to trigger alarms for various conditions. Excellent third-party and open-source software exists to do just the sort of sniffing work that identifies data flowing out the door.
The question is: Where does it go? Usually, a target IPv4 or IPv6 address, but not always.
A RaspberryPi3 attached to a wall wart (power supply) with a 128GB flash card can be removed as easily as it was installed. Add a WiFi exit path for the data, or perhaps another circuit into internal resources, and it’s a bad day, potentially costing a great deal in both asset value and liability.
Cloud Access Security Brokers (CASBs) and data flow monitoring systems can help. Many CASB and monitoring solutions look for anomalous behaviors. No matter which you choose, your bad day comes from not being able to detect the outflows.
Certainly, an ounce of prevention is worth a pound of cure, but nothing is foolproof because fools are so ingenious. You must watch for the signs that something’s afoot. Here are 25 signs your data is leaking:
1. Unknown internal IP addresses, or IP addresses with an incorrect IP/MAC address pair
2. Large, unexpected data flows from one host to another
3. Either No. 1 or No. 2 on this list transferring data over IPv6, where it’s never been used before
4. Large flows to unexpected external IP addresses
5. Rapid DHCP address changeovers with new MAC addresses
6. Finding new subnets and/or VLANs where there were none before
7. Larger-than-normal email messages (hopefully organizational ceilings are low, and are monitored)
8. Local storage policy violations (multi-terabyte USB drives are trivial to obtain)
9. New WiFi hosts, both APs and non-AP supplicants
10. Excessive browser uploads or anomalous port traffic on VMware hosts
11. New VMs where there were none before (local cloud abuse)
12. Sudden appearance of RDP, WinRM, or apps like VNC, LogMeIn and other remote desktop apps
13. SSH/telnet/ftp/sftp traffic revealed by anomalous port access
14. Data movement quotas near or just under peak allocation for extended periods
15. Data flows over http rather than https, or unencrypted data found anywhere in packet traces
16. The presence of NTLM network packets anywhere (often used by older NAS storage systems, and now deprecated with prejudice)
17. The presence of SMBv1 or SMBv2 protocols (see No. 16)
18. Changes to default Access Control Lists (ACLs) for important global resources or plausible host targets; look for changes to the default baseline in logs, especially frequent ones
19. Data movements using unsigned URLs to cloud resources like Google Cloud or AWS
20. Finding data sets marked for deletion that have reappeared or remain undeleted
21. Cloud bucket checksums that don’t
22. Employee exits without account removals, zombie user account accesses, large repository pulls from civilian users
23. High activity between known audits
24. Slow implementations of new PAM credentials
25. Email server bulges
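As an added example that is not part of the original article, the following Python checker applies the network-visible signs (Nos. 1 through 4) and the port-based signs (Nos. 12, 13, 15 and 17) to flow records. The internal networks, host inventory, sanctioned external destination, size threshold and the flow records themselves are all constructed assumptions, not data from any real network.

```python
import ipaddress
from collections import namedtuple

# One summarized flow record, e.g. as exported by a flow collector.
Flow = namedtuple("Flow", "src_ip src_mac dst_ip dst_port bytes_out")

# Constructed reference data: networks, hosts and thresholds are assumptions.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("fd00::/8")]
KNOWN_HOSTS = {"10.0.1.10": "aa:bb:cc:00:00:10", "10.0.1.11": "aa:bb:cc:00:00:11"}
ALLOWED_EXTERNAL = {"203.0.113.5"}        # the one sanctioned external destination
LARGE_FLOW_BYTES = 500 * 1024 * 1024      # 500 MiB in a single flow record
# Well-known ports for the services named in signs 12, 13, 15 and 17.
# A port alone cannot tell SMBv1 from SMBv2/v3; that needs packet inspection.
RISKY_PORTS = {21: (13, "ftp"), 22: (13, "ssh"), 23: (13, "telnet"),
               80: (15, "cleartext http"), 445: (17, "smb"),
               3389: (12, "rdp"), 5900: (12, "vnc"), 5985: (12, "winrm")}

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def check_flow(flow):
    # Return the signs from the list above that this one record trips.
    findings = []
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    if is_internal(src):
        expected_mac = KNOWN_HOSTS.get(flow.src_ip)
        if expected_mac is None:
            findings.append("sign 1: unknown internal source address")
        elif expected_mac != flow.src_mac.lower():
            findings.append("sign 1: IP/MAC pair mismatch")
    if src.version == 6 or dst.version == 6:
        findings.append("sign 3: IPv6 where it has never been used")
    if flow.bytes_out >= LARGE_FLOW_BYTES:
        if is_internal(dst):
            findings.append("sign 2: large host-to-host flow")
        elif flow.dst_ip not in ALLOWED_EXTERNAL:
            findings.append("sign 4: large flow to unexpected external address")
    if flow.dst_port in RISKY_PORTS:
        sign, label = RISKY_PORTS[flow.dst_port]
        findings.append(f"sign {sign}: {label} port traffic")
    return findings

def scan(flows):
    # Pair every flow that trips at least one sign with its findings.
    return [(f, check_flow(f)) for f in flows if check_flow(f)]

# Constructed flow records: a sanctioned backup, then three suspicious flows.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "aa:bb:cc:00:00:10", "203.0.113.5", 443, 700 * 1024 * 1024),
    Flow("10.0.1.12", "de:ad:be:ef:00:12", "198.51.100.7", 443, 900 * 1024 * 1024),
    Flow("10.0.1.11", "aa:bb:cc:ff:ff:11", "10.0.2.20", 445, 4096),
    Flow("fd00::1:10", "aa:bb:cc:00:00:10", "2001:db8::9", 22, 10 * 1024 * 1024),
]
```

The first record is the nightly backup to the sanctioned destination and trips nothing; the other three trip signs 1, 3, 4, 13 and 17 between them, which is the kind of baseline-versus-observed comparison the list above asks for.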
InfoSec experts employ many tricks to prevent data exfiltration, and the warning signs listed here are just the tip of the iceberg. They make a good baseline, but, in general, if something doesn’t seem right, it probably isn’t.