Data Exfiltration Detections: Threat Research Release, June 2021

Data exfiltration is often the last step in a cyberattack and thus the last chance to detect the cyberattack. Therefore, the Splunk Threat Research team focused on developing detections to detect data exfiltration for the June release.

Watch the video to understand how data exfiltration detections can be developed with Splunk Attack Range and use Continuous Integration / Continuous Development (CI/CD) to test them:

What is Data Exfiltration?

Data exfiltration — also referred to as data extrusion, data exportation, or data theft — is a technique used by adversaries to steal data. Data exfiltration comes in many flavors. Adversaries can collect data over encrypted or unencrypted channels. They can utilize Command and Control (C2) channels that are already in place to exfiltrate data. They can use both standard data transfer protocols such as FTP, SCP, etc. to exfiltrate data. Or, they can use non-standard protocols such as DNS, ICMP, etc. with specially crafted fields to try and circumvent security technologies in place.

Cloud data storage is also abused as another data exfiltration channel. Examples of cloud storage are Dropbox, Google Drive, or AWS Simple Cloud Storage (S3). Transferring data to another cloud account is another way for attackers to perform data exfiltration. For example, when an attacker can compromise an email admin account on Office 365, he can transfer the emails to the compromised account and exfiltrate them.

The Analytics Story Data Exfiltration is focused on detecting the different variations of data exfiltration. The detections include:

• Multiple Archive Files Http Post Traffic
• Plain HTTP POST Exfiltrated Data

These detections are designed to leverage network tools or network logs to detect exfiltration attempts. Adversaries using certain tools to collect and exfiltrate data. These tools are detected by the following detections:

• DNS Exfiltration Using Nslookup App
• Excessive Usage of NSLOOKUP App
• Detect Renamed RClone
• Detect Renamed 7-Zip
• Detect Renamed WinRAR

As described in the previous section, transferring data to another cloud account, or more specifically giving a compromised Office 365 account access to other mailboxes, is an often-used technique by threat actors. The abuse of Office 365 to exfiltrate data can be detected with:

• O365 Suspicious User Email Forwarding
• O365 Suspicious Admin Email Forwarding
• O365 PST export alert

A summary of all detections in security content for the tactics data exfiltration can be found in the following table:

Responding to Data Exfiltration with Automated Playbooks

Splunk SOAR uses automated playbooks to detect and respond to threats. We listed the playbooks, which can help you to detect and respond to data exfiltration:

Why Should You Care About Data Exfiltration?

A data breach can be very costly. Some of the costs can be fines and legal fees, costs for performing the forensic investigation, costs for business disruption, revenue lost from downtime, and many more. The cost of a data breach depends on the Meantime to detect or discover (MTTD), which is the time between the attacker compromised a system and the appropriate parties becoming aware of it.

By using an effective monitoring strategy and deploying detections, such as the introduced data exfiltration detections, the MTTD can be heavily reduced and therefore the costs of a data breach.

For a full list of security content, check out the release notes on Splunk Docs:

• 3.23.0
• 3.24.0

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.

Feedback

Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.

Contributors

We would like to thank the whole threat research team Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Patrick Bareiss for their contribution on this release.