
Data Exfiltration Detection

Detect and investigate data theft and exfiltration techniques.

Last updated: February 2026

Purpose and Scope

Data exfiltration is the unauthorized transfer of data from an organization. This playbook covers detecting exfiltration through network, cloud, and endpoint telemetry before or during data theft attempts.

Prerequisites

  • Network telemetry: Proxy logs, DNS logs, NetFlow, DLP alerts
  • Cloud telemetry: SaaS application logs, cloud storage access logs
  • Endpoint telemetry: File access, USB activity, clipboard monitoring
  • Data classification: Understanding of where sensitive data resides
  • Baseline: Normal data transfer patterns for your organization

Detection Goals

Identify exfiltration via:

  • Web uploads and cloud storage
  • Email with attachments
  • DNS tunneling and covert channels
  • Removable media
  • Physical printouts
  • Encrypted channels to suspicious destinations

Network-Based Exfiltration

Large Outbound Transfers

Detect anomalous data volumes:

  • Single connections transferring large amounts of data
  • Cumulative transfers to a single destination exceeding baseline
  • Transfers during non-business hours
  • Transfers from systems that normally have minimal outbound traffic

Proxy and Firewall Logs

Key indicators:

  • HTTP POST requests with large request bodies
  • Connections to file sharing services (WeTransfer, Mega, personal Dropbox)
  • Connections to paste sites (Pastebin, GitHub Gist)
  • Uploads to bare IP addresses instead of domain names
  • Traffic to newly registered or low-reputation domains
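The volume and destination indicators from the "Large Outbound Transfers" and "Proxy and Firewall Logs" lists above can be implemented as a small rule set over per-request proxy records. The following is an added example, not code from this playbook; the log format, the file-sharing watchlist and every threshold (50 MB per request, 100 MB cumulative per source/destination pair, 08:00-18:00 business hours) are assumptions that must be replaced with values derived from your own baseline.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (hypothetical format):
# <ISO-8601 timestamp> <client IP> <HTTP method> <destination host> <request body bytes>
SAMPLE_PROXY_LOG = """\
2026-02-10T09:15:02Z 10.0.1.15 POST api.crm.example.internal 45000
2026-02-10T02:31:10Z 10.0.1.42 POST transfer.wetransfer.com 92000000
2026-02-10T02:33:41Z 10.0.1.42 POST transfer.wetransfer.com 88000000
2026-02-10T11:05:09Z 10.0.1.15 GET cdn.example.com 1200
2026-02-10T14:20:00Z 10.0.1.77 POST 203.0.113.9 3100000
"""

# Assumed watchlist of consumer file-sharing and paste services; maintain it per organisation.
FILE_SHARING_HOSTS = {
    "transfer.wetransfer.com", "mega.nz", "www.dropbox.com",
    "pastebin.com", "gist.github.com",
}


def parse_proxy_log(text):
    """Parse the constructed format into dicts; a real deployment maps its own proxy schema here."""
    records = []
    for line in text.strip().splitlines():
        ts, src, method, host, size = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src,
            "method": method,
            "host": host,
            "bytes_out": int(size),
        })
    return records


def is_ip_literal(host):
    """True when the request went to a bare IPv4/IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def detect_outbound_anomalies(records, single_threshold=50_000_000,
                              cumulative_baseline=100_000_000, business_hours=(8, 18)):
    """Return one finding per triggered rule and request, plus one per pair over the cumulative baseline."""
    findings = []
    cumulative = defaultdict(int)
    start, end = business_hours
    for r in records:
        cumulative[(r["src"], r["host"])] += r["bytes_out"]
        triggered = []
        if r["bytes_out"] >= single_threshold:
            triggered.append("large_single_transfer")
        if r["method"] == "POST" and not start <= r["ts"].hour < end:
            triggered.append("off_hours_upload")
        if r["method"] == "POST" and is_ip_literal(r["host"]):
            triggered.append("upload_to_ip_literal")
        if r["host"] in FILE_SHARING_HOSTS:
            triggered.append("file_sharing_destination")
        findings.extend(
            {"rule": t, "src": r["src"], "host": r["host"], "bytes": r["bytes_out"]} for t in triggered
        )
    # Cumulative rule: many medium-sized requests to one destination add up to the same risk.
    for (src, host), total in cumulative.items():
        if total >= cumulative_baseline:
            findings.append({"rule": "cumulative_over_baseline", "src": src, "host": host, "bytes": total})
    return findings


def count_rule(findings, rule):
    return sum(1 for f in findings if f["rule"] == rule)


if __name__ == "__main__":
    for finding in detect_outbound_anomalies(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(finding)
```

On the constructed sample the two 02:30 uploads to the file-sharing host each fire three rules (large single transfer, off-hours upload, watchlisted destination) and together cross the cumulative baseline, while the 3.1 MB POST to a bare IP fires only the IP-literal rule; the internal CRM traffic and the CDN download produce nothing. Timestamps are kept timezone-aware so the business-hours check is evaluated against the timezone the log was written in.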

DNS-Based Exfiltration

Data encoded in DNS queries:

  • Unusually long subdomain labels
  • High volume of DNS queries to a single domain
  • TXT record queries with encoded responses
  • Queries with high-entropy (random-looking) subdomains
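The four DNS indicators above (long labels, query volume per domain, TXT-heavy clients and high-entropy subdomains) can be scored per query and per client from a passive DNS log. This is an added example, not the playbook's own code: the log format is constructed, the registered-domain approximation (last two labels) should be replaced by a Public Suffix List lookup in production, and the thresholds are placeholders. The tunnelling-style sample queries are generated with hexadecimal labels that use every digit equally, so their Shannon entropy is exactly 4 bits; real tunnelled data is usually a little lower, which is why the threshold sits at 3.5.

```python
import math
from collections import Counter

HEX = "0123456789abcdef"


def _rotated_hex(i):
    """Constructed 48-character label in which every hex digit occurs three times (entropy = 4.0 bits)."""
    r = HEX[i % 16:] + HEX[:i % 16]
    return r * 3


# Constructed sample DNS log lines: <client IP> <query type> <query name>
SAMPLE_DNS_LOG = [
    "10.0.1.42 A www.example.com",
    "10.0.1.42 A mail.example.com",
    "10.0.1.42 AAAA www.example.com",
    "10.0.1.15 A updates.example.org",
] + [f"10.0.1.77 TXT {_rotated_hex(i)}.tunnel.example.net" for i in range(12)]


def shannon_entropy(s):
    """Bits per character; 0 for a single repeated character, up to log2(alphabet size)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname):
    """Approximation: the last two labels. Use the Public Suffix List for co.uk-style suffixes."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze_dns(lines, max_label_len=40, entropy_threshold=3.5, min_entropy_len=16,
                volume_threshold=10, txt_threshold=5):
    suspicious = []
    per_domain = Counter()
    txt_per_client = Counter()
    for line in lines:
        client, qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        per_domain[(client, registered_domain(qname))] += 1
        if qtype == "TXT":
            txt_per_client[client] += 1
        reasons = []
        if any(len(label) > max_label_len for label in labels):
            reasons.append("long_label")
        # Entropy is only meaningful on labels long enough to carry encoded data;
        # short benign labels such as "cdn7" would otherwise score as random.
        if any(len(label) >= min_entropy_len and shannon_entropy(label) >= entropy_threshold
               for label in labels):
            reasons.append("high_entropy_label")
        if reasons:
            suspicious.append((client, qname, reasons))
    high_volume = [(c, d, n) for (c, d), n in per_domain.items() if n >= volume_threshold]
    txt_heavy = [(c, n) for c, n in txt_per_client.items() if n >= txt_threshold]
    return {
        "suspicious_queries": suspicious,
        "high_volume": high_volume,
        "txt_heavy_clients": txt_heavy,
    }


if __name__ == "__main__":
    result = analyze_dns(SAMPLE_DNS_LOG)
    print(len(result["suspicious_queries"]), "suspicious queries")
    print("high volume:", result["high_volume"])
    print("TXT-heavy clients:", result["txt_heavy_clients"])
```

The three ordinary lookups from 10.0.1.42 and the update check from 10.0.1.15 score nothing, while every one of the twelve TXT queries from 10.0.1.77 is flagged for both label length and entropy, and that client also trips the per-domain volume and TXT-ratio rules. Content-delivery and cloud hostnames with long hashed labels are the main false-positive source for the entropy rule; allowlist known providers before alerting.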

Encrypted Channel Analysis

When payload inspection is not possible:

  • Analyze connection metadata (duration, bytes, timing)
  • Identify beaconing patterns
  • Check TLS certificate anomalies
  • Monitor for connections to VPN or proxy services
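Beaconing is the most tractable of the metadata indicators above: a compromised host calling home on a timer produces connections whose inter-arrival gaps are nearly constant, whereas human-driven traffic is bursty. The following added example (not part of the playbook) scores each source/destination/port triple by the coefficient of variation (standard deviation divided by mean) of its connection gaps and of its outbound byte counts; the connection records are constructed, and the minimum-connection count and 0.1 CV cut-off are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta


def _series(start, gaps_seconds):
    """Constructed helper: build timestamps from a start time and a list of gaps."""
    ts = [start]
    for gap in gaps_seconds:
        ts.append(ts[-1] + timedelta(seconds=gap))
    return ts


_T0 = datetime(2026, 2, 10, 1, 0, 0)

# Constructed connection metadata: (timestamp, src, dst, dst_port, bytes_out).
# First group: ~60 s timer with a few seconds of jitter and a constant payload size.
# Second group: irregular browsing-style gaps and sizes to the same port.
SAMPLE_CONNECTIONS = (
    [(t, "10.0.1.42", "198.51.100.7", 443, 1480)
     for t in _series(_T0, [58, 62, 60, 60, 59, 61, 60, 60])]
    + [(t, "10.0.1.15", "198.51.100.200", 443, b)
       for t, b in zip(_series(_T0, [5, 300, 12, 900, 40, 2, 120, 600]),
                       [1200, 88000, 3400, 51000, 900, 2200, 17000, 64000, 700])]
)


def _cv(values):
    """Coefficient of variation; 0 for constant values, undefined (None) for a zero mean."""
    mean = statistics.mean(values)
    if mean == 0:
        return None
    return statistics.pstdev(values) / mean


def detect_beacons(connections, min_connections=6, max_cv=0.1):
    """Flag pairs whose connection gaps are regular enough to look timer-driven."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in connections:
        by_pair[(src, dst, port)].append((ts, nbytes))

    beacons = []
    for (src, dst, port), events in by_pair.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(later[0] - earlier[0]).total_seconds() for earlier, later in zip(events, events[1:])]
        gap_cv = _cv(gaps)
        if gap_cv is None or gap_cv > max_cv:
            continue
        bytes_cv = _cv([b for _, b in events])
        beacons.append({
            "src": src,
            "dst": dst,
            "port": port,
            "count": len(events),
            "mean_interval_s": round(statistics.mean(gaps), 1),
            "interval_cv": round(gap_cv, 4),
            "bytes_cv": None if bytes_cv is None else round(bytes_cv, 4),
        })
    return beacons


if __name__ == "__main__":
    for beacon in detect_beacons(SAMPLE_CONNECTIONS):
        print(beacon)
```

On the constructed data the first pair reports a 60 s mean interval with an interval CV of about 0.019 and a byte-size CV of 0, while the second pair's CV is above 1 and is ignored. Legitimate software with fixed polling intervals (update checks, monitoring agents, mail clients) beacons too, so the result is a lead to enrich with destination reputation and process context rather than an alert on its own; attackers who add heavy jitter raise the CV, which is why the cut-off should be reviewed against observed false negatives as well as false positives.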

Cloud and SaaS Exfiltration

Cloud Storage

  • Files shared externally from corporate cloud storage
  • Bulk downloads preceding account termination
  • Sync to personal accounts
  • Anonymous sharing links created

Email Exfiltration

  • Large attachments to external recipients
  • Forwarding rules to external addresses
  • Email to personal accounts
  • Unusual attachment types (archives, database files)
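The cloud-storage and email indicators above mostly reduce to one question: is the other party inside or outside the organisation? The following added example (not the playbook's code) evaluates constructed, already-normalised audit events for external forwarding rules, anonymous sharing links and large or archive-type attachments to external recipients. The corporate domain set, the attachment threshold and the event schema are assumptions; the consumer webmail domains are real providers used only to label a forwarding destination as personal.

```python
# Assumed: the organisation's own mail/tenant domains.
CORPORATE_DOMAINS = {"example.com"}
# Common consumer mail providers; a forward to one of these is a stronger signal than a partner domain.
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
ARCHIVE_OR_DB_SUFFIXES = (".zip", ".rar", ".7z", ".bak", ".sql", ".mdb", ".sqlite")


def email_domain(address):
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def is_internal_domain(domain):
    """True for a corporate domain or a proper subdomain of one (mail.example.com).
    A plain substring or endswith() test would wrongly accept look-alikes such as
    example.com.evil.net or notexample.com, so the check requires a dot boundary."""
    domain = domain.lower()
    return any(domain == d or domain.endswith("." + d) for d in CORPORATE_DOMAINS)


# Constructed audit events in a hypothetical normalised schema.
SAMPLE_EVENTS = [
    {"type": "inbox_rule_created", "user": "jdoe@example.com",
     "forward_to": "jdoe.personal@gmail.com"},
    {"type": "inbox_rule_created", "user": "asmith@example.com",
     "forward_to": "helpdesk@mail.example.com"},
    {"type": "inbox_rule_created", "user": "bwong@example.com",
     "forward_to": "archive@example.com.evil.net"},
    {"type": "share_link_created", "user": "jdoe@example.com",
     "scope": "anyone", "item": "/Finance/Q4-forecast.xlsx"},
    {"type": "share_link_created", "user": "asmith@example.com",
     "scope": "organization", "item": "/HR/handbook.pdf"},
    {"type": "message_sent", "user": "jdoe@example.com",
     "recipients": ["jdoe.personal@gmail.com"],
     "attachment_bytes": 48_000_000, "attachment_names": ["customers.zip"]},
    {"type": "message_sent", "user": "asmith@example.com",
     "recipients": ["partner@vendor.example.org"],
     "attachment_bytes": 2_000_000, "attachment_names": ["agenda.pdf"]},
]


def detect_cloud_email_exfil(events, attachment_threshold=25_000_000):
    """Return (rule, user, detail) tuples in event order."""
    findings = []
    for e in events:
        if e["type"] == "inbox_rule_created":
            d = email_domain(e["forward_to"])
            if not is_internal_domain(d):
                rule = "forward_to_personal_webmail" if d in PERSONAL_WEBMAIL else "forward_to_external"
                findings.append((rule, e["user"], e["forward_to"]))
        elif e["type"] == "share_link_created" and e["scope"] == "anyone":
            findings.append(("anonymous_share_link", e["user"], e["item"]))
        elif e["type"] == "message_sent":
            external = [r for r in e["recipients"] if not is_internal_domain(email_domain(r))]
            if not external:
                continue
            if e["attachment_bytes"] >= attachment_threshold:
                findings.append(("large_external_attachment", e["user"], ",".join(external)))
            if any(n.lower().endswith(ARCHIVE_OR_DB_SUFFIXES) for n in e["attachment_names"]):
                findings.append(("archive_or_database_to_external", e["user"], ",".join(external)))
    return findings


if __name__ == "__main__":
    for finding in detect_cloud_email_exfil(SAMPLE_EVENTS):
        print(finding)
```

The helpdesk forward and the organisation-scoped share are correctly ignored, the look-alike domain is caught as external despite containing the corporate name, and the 48 MB archive to a personal mailbox yields two findings. Legitimate partner traffic (the 2 MB PDF to a vendor) passes, which is the usual tuning point: a partner allowlist lowers noise for the external-attachment rule without weakening the personal-webmail rule.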

SaaS Application Logs

Monitor for:

  • Bulk data exports from CRM, HR, or financial systems
  • API access patterns indicating data harvesting
  • Report generation covering sensitive data

Endpoint-Based Exfiltration

Removable Media

  • USB device connections
  • File copies to removable drives
  • Large data transfers to external devices
  • New device connections from privileged users

Local Staging

Before exfiltration, attackers often stage data:

  • File archiving (zip, rar, 7z) in temp directories
  • Compression of sensitive directories
  • Renaming files to avoid detection
  • Archive files disguised with unrelated extensions

Clipboard and Screen Capture

  • Screenshot utilities executed
  • Screen recording software
  • Clipboard monitoring malware

Data Staging Detection

Attackers collect data before exfiltrating. Look for:

  • Archive creation in unusual directories
  • Compression tools (rar.exe, 7z.exe) with command-line arguments
  • Large files appearing in temp or user directories
  • Files with generic names (data.zip, backup.rar)
  • Access to many sensitive files in short time periods
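The "Local Staging" and "Data Staging Detection" lists above describe two telemetry sources: process creation (archive tools invoked with archive-creation arguments, writing generically named archives into temp directories) and file access (many sensitive files read in a short window). The following added example, which is not code from this playbook, runs both checks over constructed endpoint events; the staging-directory list, the generic-name pattern, the 60 s/20-file burst threshold and the event schemas are assumptions, and the whitespace split of the command line is a simplification that breaks on quoted paths with spaces.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ARCHIVE_TOOLS = {"rar.exe", "7z.exe", "winrar.exe"}
# Generic archive names the playbook lists (data.zip, backup.rar) plus a few similar ones; assumed.
GENERIC_NAME = re.compile(r"(?i)(^|[\\/])(data|backup|archive|files|export)\.(zip|rar|7z)$")
# Assumed directories where staged archives tend to be written.
STAGING_DIRS = ("\\temp\\", "\\public\\", "\\downloads\\")

# Constructed process-creation events: (user, image path, command line).
SAMPLE_PROCESS_EVENTS = [
    ("jdoe", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe a C:\Users\jdoe\AppData\Local\Temp\data.zip \\fs01\Finance\Q4"),
    ("build", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe x C:\builds\artifacts.7z -oC:\builds\out"),
    ("asmith", r"C:\Windows\System32\notepad.exe",
     r"notepad.exe C:\Users\asmith\notes.txt"),
]

_T0 = datetime(2026, 2, 10, 22, 14, 0)
# Constructed file-read events: (timestamp, user, path). jdoe reads 25 files in 36 s;
# asmith reads 3 files five minutes apart.
SAMPLE_FILE_EVENTS = (
    [(_T0 + timedelta(seconds=1.5 * i), "jdoe", rf"\\fs01\Finance\Q4\ledger-{i:02d}.xlsx")
     for i in range(25)]
    + [(_T0 + timedelta(minutes=5 * i), "asmith", rf"\\fs01\Finance\Q4\report-{i}.docx")
       for i in range(3)]
)


def detect_archive_staging(events):
    """Flag archive tools run in add mode, with extra reasons for staging paths and generic names."""
    findings = []
    for user, image, cmdline in events:
        exe = image.replace("/", "\\").split("\\")[-1].lower()
        if exe not in ARCHIVE_TOOLS:
            continue
        args = cmdline.split()
        # 'a' adds files to an archive; extraction ('x', 'e') is routine and is not staging.
        if len(args) < 2 or args[1].lower() != "a":
            continue
        reasons = ["archive_creation"]
        paths = args[2:]
        if any(d in p.lower() for p in paths for d in STAGING_DIRS):
            reasons.append("staging_directory")
        if any(GENERIC_NAME.search(p) for p in paths):
            reasons.append("generic_archive_name")
        findings.append({"user": user, "cmdline": cmdline, "reasons": reasons})
    return findings


def detect_collection_bursts(events, window=timedelta(seconds=60), threshold=20):
    """Sliding window per user over distinct file paths; report the peak count if it reaches the threshold."""
    per_user = defaultdict(list)
    for ts, user, path in events:
        per_user[user].append((ts, path))
    bursts = []
    for user, items in per_user.items():
        items.sort()
        in_window = Counter()
        peak = 0
        start = 0
        for end, (ts, path) in enumerate(items):
            in_window[path] += 1
            while ts - items[start][0] > window:
                old_path = items[start][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            bursts.append({"user": user, "distinct_files_in_window": peak})
    return bursts


if __name__ == "__main__":
    print(detect_archive_staging(SAMPLE_PROCESS_EVENTS))
    print(detect_collection_bursts(SAMPLE_FILE_EVENTS))
```

The build account's extraction of artifacts.7z is skipped because only archive creation is scored, which is the tuning point the "Build and compile processes" note at the end of this playbook refers to; jdoe's 7z invocation collects all three reasons, and the 25 ledger reads in under a minute trip the burst rule while asmith's slow reads do not. Counting distinct paths rather than raw events keeps a single file re-read by an editor's autosave from looking like collection.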

Investigation Workflow

  1. Identify anomalous transfer (volume, destination, timing)
  2. Determine the source system and user
  3. Review what data was accessed before the transfer
  4. Check for staging activity (compression, collection)
  5. Analyze the destination (reputation, ownership)
  6. Determine if this is authorized activity or exfiltration
  7. If malicious, scope the data exposed

Response Actions

  • Block destination: Add to firewall and proxy blocklists
  • Isolate endpoint: Quarantine the source system
  • Preserve evidence: Capture relevant logs and memory
  • Assess data exposure: Determine what was taken
  • Revoke access: Disable compromised accounts
  • Notify stakeholders: Legal, compliance, management as required

Tuning and False Positives

  • Backup and sync operations can trigger volume alerts
  • Software updates and patches involve large transfers
  • Video conferencing generates sustained traffic
  • Build and compile processes may create large archives
  • Establish baselines per system role and user function
