- Role-based, attribute-based, & just-in-time access to infrastructure
- Connect any person or service to any infrastructure, anywhere
- Logging like you've never seen
Summary: In this article, we’ll explore what data exfiltration is, the difference between exfiltration of data and data leakage, and how to detect data exfiltration. You’ll learn the dangers of data exfiltration in cybersecurity, data exfiltration examples, and the types of exfiltrated data that malicious actors target most. By the end of this article, you’ll know what causes data exfiltration, common data exfiltration tactics, and how to prevent data exfiltration in your organization.
What Is Data Exfiltration?
Data exfiltration is a type of data breach involving the unauthorized copying or transferring of data from one device to another. Cyberattackers can use both manual access and automated malware attacks to exfiltrate data from companies or individuals.
Any removal of data from a device qualifies as data exfiltration, even if a user has the proper permissions to access or work with that data. However, the typical data exfiltration definition classifies data extrusion tactics as acts of intentional data theft performed by malicious actors.
The Danger of Data Exfiltration
Any instance of data exfiltration—whether accidental or intentional—can put sensitive customer data, employee data, or company information like confidential documents and trade secrets at risk of exposure. Data exfiltration poses a significant threat to an organization’s reputation, legal standing, and financial health, especially when a data leak or security breach goes undetected.
Organizations struggle to detect data exfiltration because many exfiltration techniques look like regular business practices. Activities like printing, emailing, and saving documents to a new device all pose a data exfiltration risk. However, tracking these activities and determining which instances are legitimate is often challenging, time-consuming, and expensive.
When data is removed from its secure location, companies don’t have insight into how people will use that data. Some companies may not even discover they’ve experienced a breach until a bad actor shares the company’s data online.
Legal and financial costs of data exfiltration
Alongside compromising confidential company data and personally identifiable information for customers and employees, losing data in a data breach is also costly. In 2022, companies pay an average of $164 for every data record that’s exposed. That amount goes beyond regulatory compliance fines, including notification costs, detection expenses, costs associated with a company’s post-breach response, and lost business.
Compliance regulations require companies to notify customers and employees when their data is exposed in a data exfiltration attack. While most companies will need to pay fines issued by regulatory agencies, they may also be at risk for class action lawsuits and other legal action, augmenting the overall cost of the breach.
What Causes Data Exfiltration?
Both external and internal security threats can cause data exfiltration, meaning organizations need strong access control and data visibility to prevent it. Proprietary and sensitive data are extremely valuable on the dark web, making data theft a compelling opportunity for malicious actors. For example, bad actors can earn $17 for one U.S. credit card number.
In many cases, unsafe employee behaviors and insufficient security training increase the risk of data exfiltration. These behaviors include:
- Creating weak passwords
- Sharing login information
- Losing company assets or devices
- Leaving a workspace unlocked and unattended
- Accessing company documents on personal equipment
- Not properly disposing of printed material
- Falling victim to a phishing attack
65% of organizations continue to rely on shared logins for infrastructure access. Read the full report.
Internal or insider threats account for over 40% of data exfiltration incidents in the U.S. In these instances, an employee transfers or copies data from their work device to an external device. Even if a disgruntled employee does not sell or expose the data intentionally, they may transfer the data to a less secure device like a personal cloud drive or to a personal email. These locations have fewer security controls, putting data stored there at a higher risk of further exposure.
External threats from cyberattackers exfiltrate data by gaining access to a company’s network. Often, they use phishing attacks to gain credentials or infect networks with malware or scripts to access data.
Types of Exfiltrated Data
While any exfiltrated data poses a risk to an organization, two primary types of data are frequently targeted in data breaches: personally identifiable information (PII)—also known as sensitive data—and proprietary company data.
PII includes any data that can be traced back to a specific person and is not publicly available, like social security numbers, credit card data, medical records, or biometric data. Other personal data—like names, phone numbers, addresses, or login credentials—can also be valuable, especially if it’s stored alongside PII. Companies are responsible for securely storing any PII they collect for both their customers and their employees.
Proprietary company data—like intellectual property, strategy or process documents, or financial information—are valuable for competitors, making this data desirable on the dark web. While securing proprietary data is not a regulatory concern, the unintentional release of proprietary data can cause significant business losses.
Malicious actors most commonly gain access to this information through spreadsheets, documents, PDFs, image files, and presentations.
Data Exfiltration Techniques
An email-based social engineering attack like phishing is the most common data exfiltration technique attackers use. Phishing allows bad actors to email an infected file or link which, when clicked, easily infects a company computer with malware that will spread throughout the network. These emails may also direct employees to a false login page and prompt them to log in, instantly gaining access to their credentials.
Data exfiltration through DNS is another common method. DNS tunneling for data exfiltration allows bad actors to infiltrate a firewall and infect a network with malware through encoding DNS requests. Once the malware is placed on a computer within the company’s network, the cyberattacker sends DNS requests and routes queries to their server, effectively creating a tunnel to transfer data. This is one example of a command and control (C2 or C&C) attack.
Companies can use resources like MITRE ATT&CK to stay up to date on data exfiltration methods and corresponding detection or mitigation methods.
Data Exfiltration vs. Data Leakage
The terms data exfiltration and data leakage are often used interchangeably. However, there is a notable distinction between the two.
Data leakage accounts for any data exposure—whether it is intentional or accidental—caused by security vulnerabilities. But then, what is exfiltration? Exfiltrating data implies that cyberattackers remove or retrieve data through intentional malicious activity by copying or transferring it to another location.
Often, a data leak can lead to intentional exfiltration. Once a cyberattacker discovers a vulnerability, they can leverage that vulnerability to access the network and exfiltrate more data. This can also happen if an employee unintentionally moves data to a less secure personal device or cloud storage, which a bad actor later gains access to.
How to Detect Data Exfiltration
Effective data exfiltration incident response depends on careful monitoring to detect abnormal traffic patterns, monitor access or usage patterns, and block suspicious data transmissions. However, in order to monitor data movement in, out, and throughout a company’s IT infrastructure, companies must first understand the data they have.
Discovering, classifying, and encrypting data across the organization is essential to tracking data movement and securing data if it falls into the wrong hands. Companies should also monitor all ports, endpoints, irregular IP addresses, and outbound communication patterns.
Increasingly sophisticated attacks have made data exfiltration particularly hard to detect. Regularly performing risk assessments and eliminating security vulnerabilities is one of the best ways of detecting data exfiltration.
How to Prevent Data Exfiltration
Introducing a Zero-Trust Architecture and implementing data loss prevention methods are two powerful ways to prevent data exfiltration.
Understanding who is accessing data is crucial to protecting against intentional or accidental data loss. A Zero-Trust environment requires constant verification and authentication of users and devices to maintain strict access controls. Through constant monitoring, logging, and segmenting across the entire IT infrastructure, organizations can detect the first signs of data exfiltration.
Data loss prevention (DLP) identifies and tracks sensitive data across all exit and entry points. The software triggers designated rules to monitor when data moves, whether data matches previous versions, and when transmissions or transfers are detected. DLP helps prevent data exfiltration by allowing companies to better understand their data and how it moves in, out, and through their infrastructure.
Simplify Data Exfiltration Prevention with StrongDM
Controlling access and creating a Zero-Trust environment is easy with StrongDM.
StrongDM simplifies user and access management through comprehensive authentication and authorization across your entire IT infrastructure. By monitoring and logging all user and device access workflows, StrongDM helps organizations ensure ony the right people are accessing sensitive data. Plus, StrongDM makes provisioning and deprovisioning permissions fast and secure, keeping insider threats at bay.
Better endpoint security and access management are the keys to excellent data exfiltration detection and prevention. StrongDM gives companies the support they need to gain full visibility over usage and access, lock down unauthorized infiltration attempts, and support your company’s DLP strategy.
Make Data Loss Prevention a Reality with StrongDM
If you’re questioning “what is data exfiltration,” then you probably need a data loss strategy. However, no data loss strategy is complete without strong access management. With the right tools, your company can reduce the risk of a data breach and stop an unauthorized data exfiltration attempt in its tracks.
Sign up for a free 14 day trial to see how exceptional access control can support your organization’s goals.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.