What Is Data Exfiltration?
Data exfiltration is the unauthorized transfer of data out of an organization's systems, whether by an external attacker or by a malicious insider. In the ransomware context, cybercriminals steal sensitive data with the intent to extort or publicly embarrass the organization. Also known as Ransomware 3.0, exfiltration increases the blast radius of a ransomware attack: beyond encrypting production data (Ransomware 1.0) and encrypting both production and backup data (Ransomware 2.0), bad actors also copy valuable data out of the environment, often customer personally identifiable information (PII) or protected health information (PHI), and threaten to expose it or sell it on the dark web unless the targeted organization agrees to pay ransom. Because the stolen copy is already outside the victim's control, restoring from backup removes the encryption lever but not this second one.
Why Is Understanding Data Exfiltration Important?
Organizations need to know about data exfiltration techniques and methods, as well as the prevention and detection solutions available, because of the risks involved. Should bad actors make sensitive information available to unauthorized parties outside the organization, that data can be misused and cause irreparable harm to customers, employees, and partners as well as to the business itself.
Ransomware has become a popular way for cybercriminals to profit. This type of cyberattack experienced a 1070% increase between July 2020 and June 2021, according to a FortiGuard Labs report. As companies learn to counter ransomware, bad actors have become more creative. Organizations now must be aware of, and fortify their IT environments against, attacks that launch malware against backup data, backup systems, and production data at once, using encryption not only to eliminate backups but, increasingly, to steal (exfiltrate) data for profit as well. Targeted organizations are then asked to pay ransom to avoid having their data publicly exposed.
What Causes Data Exfiltration?
Cybercriminals, particularly ransomware attackers, and employees with malicious intent who access sensitive data are the most common causes of data exfiltration. These bad actors typically target systems with known, unpatched vulnerabilities and low patching rates, which often include databases, file shares, and backup infrastructure, and then move the data out over ordinary outbound network channels that blend in with legitimate traffic.
What Controls Help Defend Against Data Exfiltration?
Data exfiltration is the unauthorized removal of sensitive data from an organization by a person or entity with malicious intent. The faster enterprises find an intrusion, the less damage it can do to the business—and the fewer nights and weekends IT and security pros are working around the clock on recovery.
Organizations can take advantage of modern data management with robust data security, data exfiltration detection and monitoring capabilities to reduce the blast radius of ransomware. Among the key technologies companies should have in place are:
- Artificial intelligence/machine learning (AI/ML) — Automation that learns a baseline of normal activity and alerts on deviations from it, so teams can spot an attack early enough to respond rather than pay
- Encryption — AES-256 encryption for data at rest and TLS-protected transport for data in flight, so that stolen media or intercepted traffic cannot be read. Encryption at rest does not, however, stop an attacker who reads data through a compromised account that is authorized to decrypt it; access control and monitoring are still required
- Multi-factor authentication (MFA) — A requirement that users prove their identity with at least two factors, something they "know" (a password) and something they "have" (a hardware token or authenticator app), so that a stolen password alone does not grant access, helping to prevent data loss
- Role-based access controls (RBAC) — Granting each person only the minimum access to the organization's data needed to do a particular job (least privilege), while spreading critical data processes and functions across separate IT roles so that no single administrator (or insider) can compromise the whole business
What Are Some Typical Examples of Data Exfiltration?
Common data exfiltration examples include bulk copies taken from databases and file shares, as well as bad actors intercepting or redirecting network traffic.
How Can You Detect Data Exfiltration?
It is difficult to know in advance when a bad actor intends to exfiltrate your data. Rather than relying on a human sentry, IT can use a next-gen data management solution that continually tracks normal system operations and detects anomalous user activity, quickly highlighting irregularities (unusual volumes, times, sources, or destinations of data access) that may signify a ransomware attack.
Coupled with alerting, these capabilities do not just signal potential danger but can also initiate remediation. With anomaly detection in near real time, teams get fast discovery of both encryption-style attacks and data exfiltration in progress, which helps minimize ransomware's blast radius. Baselines have to be per user or per system: a daily volume that is normal for a backup job is a red flag for an individual workstation.
Are Data Exfiltration Defenses Necessary?
Global ransomware damage costs, including lost revenue and productivity as well as rebuilding, are predicted to exceed $265 billion by 2031, according to Cybersecurity Ventures. Although data exfiltration is not a required ransomware technique, it is fast becoming a popular one. Solutions such as next-gen data management can help teams better defend their data from ransomware attackers who steal data and threaten to publish or resell it unless the victim pays. Paying does not recover exfiltrated data; at best it buys a promise from criminals not to release a copy they still hold.
What Does Exfil Mean?
The term exfil comes from the military, where it means withdrawing someone (an intelligence agent, a soldier, etc.) surreptitiously from an enemy-held area. In IT it refers to the covert, unlawful removal of data from a computer, network, or other IT system (exfiltration). The term is now closely associated with ransomware, where the intent is to ransom the stolen data back to the organization, but any covert theft of data, whether for espionage, resale, or leaking, is exfiltration.
What Is DLP Used For?
Data loss prevention, or DLP, can be both a strategy and a class of technology for safeguarding an organization's data by preventing it from being transmitted or copied outside the organization without permission.
What Does DLP Mean in Security?
Data loss prevention (DLP) typically refers to technology that identifies sensitive data (PII, payment card data in PCI DSS scope, PHI, and intellectual property) through classification or content inspection and monitors it for unauthorized transmission. DLP solutions watch file systems, endpoints, email, and web traffic to ensure that classified or sensitive data is not sent outside the organization or copied to removable media in violation of the company's security policies.
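To make the content-inspection step concrete, here is an added example (written for this page; it is not any vendor's DLP engine) that scans an outbound message for two regulated data types: payment card numbers, validated with the Luhn checksum so that arbitrary 16-digit order IDs are not flagged, and US Social Security numbers. The messages, patterns, and block/allow policy are assumptions chosen for the example.

```python
"""Added example (not a vendor's DLP engine): content inspection for an
outbound message, the core of "monitor sensitive data for unauthorized
transmission".  All messages below are constructed."""
import re

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer digit string.
CARD_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in AAA-GG-SSSS form, excluding area/group/serial values never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 checksum used by every major card brand."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text):
    """List (category, masked value) findings.  The raw value never leaves
    this function, so the alert itself cannot become a second leak."""
    findings = []
    for digits in find_card_numbers(text):
        findings.append(("PCI", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        findings.append(("PII", "***-**-" + m.group()[-4:]))
    return findings


def policy_decision(text):
    """Assumed policy: block any outbound message that carries regulated data."""
    return "block" if classify(text) else "allow"


# Constructed outbound messages: one with a real leak, one with look-alike
# digit strings (non-Luhn order number, phone number, invoice ID).
MESSAGES = {
    "leak": ("Hi, as discussed here is the customer record: card 4111 1111 1111 1111, "
             "SSN 123-45-6789, ship to the usual address."),
    "clean": ("Order 1234 5678 9012 3456 confirmed, call 555-867-5309 with questions; "
              "invoice INV-2024-0001234 attached."),
}

if __name__ == "__main__":
    for name, body in MESSAGES.items():
        print(name, policy_decision(body), classify(body))
```

The "clean" message contains a 16-digit order number that a naive regex would flag; it fails the Luhn check and is correctly ignored, which is the difference between a DLP rule analysts trust and one they tune out. Real deployments add fingerprinting of known documents and exact-data matching against customer databases, which catch records that carry no recognizable pattern.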
How Do Threat Actors Steal Your Data?
The primary ways threat actors gain access to and steal, or exfiltrate, data for ransom profit are:
- Exploiting unpatched systems, particularly legacy software such as older versions of backup infrastructure, file shares, databases, operating systems, and browsers
- Using compromised user credentials, whether because someone inadvertently handed their login to an attacker (for example, through phishing), because an outsider broke into a system and harvested them, or because an authorized employee with malicious intent abused admin privileges
To counter the last scenario, also known as the insider threat, organizations can use mechanisms such as write once, read many (WORM) technology. It applies a time-bound lock to data through policies that are assigned to selected jobs, making the protected copies immutable for the duration of the lock. With it in place, neither security officers nor security admins can modify or delete the policies, which thwarts attempts by insiders to destroy backups or tamper with protected data. Note that WORM protects against deletion and modification, not against reading: an insider with read access can still copy locked data out, so immutability has to be paired with least-privilege access and monitoring of read activity to address exfiltration itself.
What Is Insider Data Exfiltration?
Cybercriminals are not only external parties. Sometimes people with malicious intent work inside the organization. When such a person makes sensitive information available to unauthorized parties outside the organization, for example to ransom it back to the company for financial gain, sell it, or leak it, that is called insider data exfiltration. Insiders are dangerous precisely because they already hold valid credentials and legitimate access, so perimeter defenses alone do not stop them.
Cohesity and Data Exfiltration
Organizations need data and the valuable insights it provides to effectively compete. Yet as data increases exponentially, it’s becoming impossible for teams to know what matters most because legacy data management products cannot perform effective pattern matching and data classification.
Cohesity's next-gen data management solution is effective in countering data exfiltration and helping organizations refuse to pay ransom because it is powered by artificial intelligence and machine learning (AI/ML) insights that assist organizations in detecting variations more accurately and reducing false positives without adding staff.
IT organizations can take advantage of robust data security capabilities built into the Cohesity platform, such as encryption, MFA, RBAC, Quorum, and more, to deter cybercriminals and protect against insider threats. They can also benefit from the AI/ML techniques Cohesity uses to match activity against "known good" data sets, which become more effective and efficient as "known sensitive data" is matched and fed back to the AI/ML algorithm.