Data Exfiltration Detections: Threat Research Release, June 2021
Data exfiltration is often the last step in a cyberattack and thus the last chance to detect the cyberattack. Therefore, the Splunk Threat Research team focused on developing detections to detect data exfiltration for the June release.
Watch the video to understand how data exfiltration detections can be developed with Splunk Attack Range and use Continuous Integration / Continuous Development (CI/CD) to test them:
What is Data Exfiltration?
Cloud data storage is also abused as another data exfiltration channel. Examples of cloud storage are Dropbox, Google Drive, or AWS Simple Cloud Storage (S3). Transferring data to another cloud account is another way for attackers to perform data exfiltration. For example, when an attacker can compromise an email admin account on Office 365, he can transfer the emails to the compromised account and exfiltrate them.
The Analytics Story Data Exfiltration is focused on detecting the different variations of data exfiltration. The detections include:
These detections are designed to leverage network tools or network logs to detect exfiltration attempts. Adversaries using certain tools to collect and exfiltrate data. These tools are detected by the following detections:
- DNS Exfiltration Using Nslookup App
- Excessive Usage of NSLOOKUP App
- Detect Renamed RClone
- Detect Renamed 7-Zip
- Detect Renamed WinRAR
As described in the previous section, transferring data to another cloud account, or more specifically giving a compromised Office 365 account access to other mailboxes, is an often-used technique by threat actors. The abuse of Office 365 to exfiltrate data can be detected with:
A summary of all detections in security content for the tactics data exfiltration can be found in the following table:
Responding to Data Exfiltration with Automated Playbooks
Splunk SOAR uses automated playbooks to detect and respond to threats. We listed the playbooks, which can help you to detect and respond to data exfiltration:
This playbook processes an ExtraHop detection of an internal database being accessed externally. The playbook will block the corresponding client source IP Address on a Palo Alto Networks Firewall as well as retrieve the following information on both the client and server:
- ExtraHop device objects
- List of peer devices communicated with in the last 30 minutes
- List of client and server protocols spoken in the last 30 minutes
Why Should You Care About Data Exfiltration?
A data breach can be very costly. Some of the costs can be fines and legal fees, costs for performing the forensic investigation, costs for business disruption, revenue lost from downtime, and many more. The cost of a data breach depends on the Meantime to detect or discover (MTTD), which is the time between the attacker compromised a system and the appropriate parties becoming aware of it.
By using an effective monitoring strategy and deploying detections, such as the introduced data exfiltration detections, the MTTD can be heavily reduced and therefore the costs of a data breach.
For a full list of security content, check out the release notes on Splunk Docs:
Learn More
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections now available via push update.
Feedback
Any feedback or requests? Feel free to put in an issue on Github and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.
Contributors
We would like to thank the whole threat research team Jose Hernandez, Rod Soto, Bhavin Patel, Mauricio Velazco, Michael Haag, Teoderick Contreras, Patrick Bareiss for their contribution on this release.
Related Articles
Is Your Cyber Team Overwhelmed by System Alerts?
Staff Picks for Splunk Security Reading July 2024
