Data Exfiltration: 25 Clues Your Data Is Flying the Coop

It's getting easier than ever to pilfer data; IT pros must be on the lookout for the tell-tale signs of data exfiltration.

Escaped data is no fun. Data exfiltration breaches have now hit almost every industry, including government. Even universities can’t seem to keep a cap on data losses. Often, pwning data becomes simple, and, at 10GbE speeds, data exits hastily. Yes, you need to have a network protocol sniffer at key ingress/egress points, and someone who knows how to trigger alarms for various conditions. Excellent third-party and open-source software exists to do just the sort of sniffing work that identifies data flowing out the door.

The question is: Where does it go? Usually, a target IPv4 or IPv6 address, but not always.

A Raspberry Pi 3 attached to a wall wart (power supply) with a 128GB flash card can be removed as easily as it was installed. Add a WiFi data-flow exit, or perhaps another circuit to internal resources, and it's a bad day, perhaps costing much in both asset value and liability.

Cloud Access Security Brokers (CASB) and systems data-flow monitoring can help. Many CASB and monitoring solutions look for anomalous behaviors. No matter which you choose, your bad day comes from not being able to detect the outflows.

Certainly, an ounce of prevention is worth a pound of cure, but nothing is foolproof because fools are so ingenious. You must watch for the signs that something’s afoot. Here are 25 signs your data is leaking:

  1. Unknown internal IP addresses or IP addresses with the incorrect IP/MAC address pair
  2. Large, unexpected data flows from one host to another
  3. Either No. 1 or No. 2 on this list transferring data on IPv6, where it’s never been used before
  4. Large flow to unexpected external IP addresses
  5. Rapid DHCP address changeovers with new MAC addresses
  6. Finding new subnets and/or VLANs where there were none before
  7. Larger-than-normal email messages (hopefully organizational ceilings are low, and are monitored)
  8. Local storage policy violations (multi-terabyte USB drives are trivial to obtain)
  9. New WiFi hosts, both APs and non-AP supplicants
  10. Excessive browser uploads or anomalous port traffic on VMware hosts
  11. New VMs where there were none before (local cloud abuse)
  12. Sudden appearance of RDP, WinRM, or apps like VNC, LogMeIn and other remote desktop apps
  13. SSH/telnet/ftp/sftp traffic detection as found by anomalous port access traffic
  14. Data movement quotas near or just under peak allocation for extended periods
  15. Data flows over http rather than https, or unencrypted data found anywhere in packet traces
  16. The presence of NTLM network packets anywhere (often used by older NAS storage systems, and now deprecated with prejudice)
  17. The presence of SMBv1 or SMBv2 protocols (see No. 16)
  18. Changes to default Access Control Lists/ACL for important global resources, or plausible host targets; look for baseline default changes through logs, especially frequent baseline changes
  19. Data movements using unsigned URLs to cloud resources like GoogleCloud or AWS
  20. Finding data sets marked for deletion that have reappeared or remain undeleted
  21. Cloud bucket checksums that don’t
  22. Employee exits without account removals, zombie user account accesses, large repository pulls from civilian users
  23. High activity between known audits
  24. Slow implementations of new PAM credentials
  25. Email server bulges
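Several of these signs (Nos. 1, 2, 3, 4, 13, 15, 16 and 17) can be checked mechanically against flow records. The script below is an added example written for this article, not code from the original author: it runs a handful of the checks over constructed flow records (the asset inventory, the "expected external" range, the 500 MiB large-flow threshold and the "IPv6 never seen before" baseline are all assumptions a real site would replace with its own data, typically fed from NetFlow/IPFIX or Zeek conn.log rather than inline dicts).

```python
"""Flow-record checks for a few of the exfiltration signs in the list above.

Added example, not from the original article. Inventory, thresholds,
address ranges and the sample flows are all constructed for illustration.
"""
import ipaddress
from collections import Counter

# Sign 1: constructed asset inventory, internal IP -> MAC it should carry.
INVENTORY = {
    "10.0.1.10": "aa:bb:cc:00:00:10",
    "10.0.1.11": "aa:bb:cc:00:00:11",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("fd00::/8")]
# External ranges the business talks to every day (constructed; TEST-NET-3).
EXPECTED_EXTERNAL = [ipaddress.ip_network("203.0.113.0/24")]
LARGE_FLOW_BYTES = 500 * 1024 * 1024          # assumed threshold (signs 2, 4)
IPV6_IN_BASELINE = False                      # assumed: site never used IPv6 (sign 3)
REMOTE_SHELL_PROTOS = {"SSH", "TELNET", "FTP", "SFTP"}   # sign 13
DEPRECATED_PROTOS = {"NTLM", "SMBV1", "SMBV2"}           # signs 16, 17
PLAINTEXT_WEB_PORTS = {80}                               # sign 15


def _in_any(ip, nets):
    """True if ip falls inside any of the given networks (version-aware)."""
    return any(ip in n for n in nets)


def check_flow(flow):
    """Return a list of (sign_number, message) findings for one flow record."""
    findings = []
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    proto = flow["proto"].upper()
    big = flow["bytes"] >= LARGE_FLOW_BYTES

    # Sign 1: unknown internal source, or a known IP seen with the wrong MAC.
    if _in_any(src, INTERNAL_NETS):
        expected_mac = INVENTORY.get(flow["src"])
        if expected_mac is None:
            findings.append((1, f"unknown internal host {src}"))
        elif expected_mac != flow["src_mac"].lower():
            findings.append((1, f"{src} seen with MAC {flow['src_mac']}, expected {expected_mac}"))

    # Signs 2 / 4: large flow host-to-host, or to an external net we do not expect.
    if big and _in_any(dst, INTERNAL_NETS):
        findings.append((2, f"{flow['bytes']} bytes {src} -> {dst}"))
    elif big and not _in_any(dst, EXPECTED_EXTERNAL):
        findings.append((4, f"{flow['bytes']} bytes {src} -> external {dst}"))

    # Sign 3: IPv6 at a site whose baseline never carried it.
    if not IPV6_IN_BASELINE and src.version == 6:
        findings.append((3, f"IPv6 traffic {src} -> {dst}"))

    # Sign 13: interactive / file-transfer protocols leaving the internal nets.
    if proto in REMOTE_SHELL_PROTOS and not _in_any(dst, INTERNAL_NETS):
        findings.append((13, f"{proto} to {dst}:{flow['dport']}"))

    # Sign 15: cleartext HTTP where HTTPS is expected.
    if proto == "HTTP" and flow["dport"] in PLAINTEXT_WEB_PORTS:
        findings.append((15, f"cleartext HTTP to {dst}"))

    # Signs 16 / 17: NTLM or SMBv1/v2 anywhere on the wire.
    if proto == "NTLM":
        findings.append((16, f"NTLM between {src} and {dst}"))
    elif proto in DEPRECATED_PROTOS:
        findings.append((17, f"{proto} between {src} and {dst}"))
    return findings


def check_flows(flows):
    """Map flow id -> findings, keeping only flows that tripped a check."""
    report = {}
    for f in flows:
        hits = check_flow(f)
        if hits:
            report[f["id"]] = hits
    return report


def sign_counts(report):
    """How many times each sign number fired across the report."""
    return Counter(sign for hits in report.values() for sign, _ in hits)


MiB = 1024 * 1024
# Constructed sample flows (RFC 5737 / RFC 4193 addresses, made-up MACs).
SAMPLE_FLOWS = [
    {"id": 1, "src": "10.0.1.10", "src_mac": "aa:bb:cc:00:00:10", "dst": "203.0.113.5", "dport": 443, "proto": "TLS", "bytes": 20_000},
    {"id": 2, "src": "10.0.1.10", "src_mac": "aa:bb:cc:ff:ff:ff", "dst": "203.0.113.5", "dport": 443, "proto": "TLS", "bytes": 20_000},
    {"id": 3, "src": "10.0.1.12", "src_mac": "de:ad:be:ef:00:01", "dst": "10.0.1.11", "dport": 445, "proto": "SMBv3", "bytes": 2048 * MiB},
    {"id": 4, "src": "10.0.1.11", "src_mac": "aa:bb:cc:00:00:11", "dst": "198.51.100.7", "dport": 22, "proto": "SSH", "bytes": 900 * MiB},
    {"id": 5, "src": "fd00::10", "src_mac": "aa:bb:cc:00:00:10", "dst": "fd00::20", "dport": 445, "proto": "SMBv1", "bytes": 10 * MiB},
    {"id": 6, "src": "10.0.1.11", "src_mac": "aa:bb:cc:00:00:11", "dst": "10.0.1.10", "dport": 445, "proto": "NTLM", "bytes": 5_000},
    {"id": 7, "src": "10.0.1.10", "src_mac": "aa:bb:cc:00:00:10", "dst": "198.51.100.9", "dport": 80, "proto": "HTTP", "bytes": 50 * MiB},
]

if __name__ == "__main__":
    for flow_id, hits in check_flows(SAMPLE_FLOWS).items():
        for sign, msg in hits:
            print(f"flow {flow_id}: sign {sign}: {msg}")
```

Flow 1 is the clean baseline and produces nothing; the others each trip one or more signs (flow 5, for instance, is both unknown to the inventory, IPv6 where none was expected, and SMBv1). The point of keeping the inventory and thresholds in data rather than in code is that the checks stay the same while the baseline is tuned per site.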

InfoSec experts employ many tricks to prevent data exfiltration, and the warning signs listed here are just the tip of the iceberg. It's a good baseline, but, in general, if something doesn't seem right, it probably isn't. 

