Detect and Stop Data Exfiltration
Data exfiltration is a significant issue facing organizations. In a survey conducted by Ponemon Institute and published in its 2014 report “Exposing the Cybersecurity Cracks: A Global Perspective,” security professionals ranked data exfiltration as the second most feared attack.
Data exfiltration is the unauthorized transfer of data from corporate systems, whether those systems are a user’s computer or IT servers. Unauthorized transfers can be carried out by someone manually or automatically via malicious programs over a network.
With Splunk for Security, there are several ways to detect data exfiltration. In this use case, we use Splunk Enterprise Security (ES) with Splunk Enterprise, and the Splunk App for Stream. Splunk Enterprise Security provides statistics and notable events on security domain-specific dashboards to investigate threats. You can review the results, isolate the events that require attention, and use the contextual information provided to drill down into the issue. The Splunk App for Stream captures, analyzes and correlates network wire data to monitor operations and end-to-end transactions.
Use data from DNS logs and email servers, such as Exchange or Sendmail. Wire data is needed to determine the exfiltration and analyze real-time streaming wire data.
Configure and install Splunk Enterprise version 6.3 or later with Splunk Enterprise Security version 4.0 or later. Install the Splunk App for Stream on the same server as Splunk ES. Then install and configure the Stream add-on on the source of the wire data. Common information model (CIM) data models for network traffic, network resolution, email and web will need to be configured.
The dashboards and panels available with Splunk Enterprise Security are a good starting point, as they indicate signs of exfiltration behavior such as:
- Unapproved port activity
- High-volume email activity to non-corporate domains
- Host sending excessive email
- Excessive DNS queries
- Web uploads to non-corporate sites by users
Splunk Enterprise Security includes built-in correlation searches that report on suspicious activity across security domains to handle the common signs of exfiltration. Notable events, which are events generated by a correlation search, are often the ideal starting point for investigations and can be used to assist in this investigation.
Review the User Activity Dashboard
The User Activity dashboard displays panels representing user activities such as potential data exfiltration.
A spike in the volume or a high volume of key indicators such as Non-corporate Web Uploads and Non-corporate Email Activity can indicate suspicious data transfer. The dashboard indicates a high volume of suspicious activity involving data being uploaded to non-corporate domains, as well as suspiciously large email messages sent to addresses outside the organization.
Identify Suspicious Activities and Users
Look for uncommon usernames, identities on your organization’s watchlist, and large email messages or a large number of smaller messages. All of these can indicate suspicious activity and potential data exfiltration. If you find suspicious activity, you can create a notable event and assign it to an analyst for further investigation. Click on an “unknown” user to open the Identity Investigator dashboard to investigate the user in more detail. From there, click the magnifying glass to drill down into the details.
Investigate the Email Activity Dashboard
The Email Activity dashboard displays metrics relevant to email activity, such as the top sources for emails by IP address and large emails.
Use the Top Email Sources panel to find surges in email counts by IP address. Look for unfamiliar addresses, particularly those sending large numbers of messages. The sparklines can be used to identify consistent spikes of activity from a host, which can be an indicator of automated or scripted activity.
The Large Emails panel lists emails sent to internal or external addresses, which can be another avenue for further investigation. Selecting a record on either panel will drill down into the Email Search dashboard, where you can continue to investigate the email traffic. If you find suspicious activity, create a notable event and assign it to an analyst for investigation.
The User Activity dashboard was used as the starting point to detect suspicious data exfiltration behavior. The Email Activity dashboard exposed large data transfers to known and unknown domains. Using the dashboards and searches provided with Splunk Enterprise Security, the security analyst can check for common data exfiltration behaviors and set up monitoring of potentially compromised machines and take necessary remedial action. The Splunk App for Stream allows the capture and filtering of network data from internal hosts, allowing Splunk Enterprise Security to notify analysts of large data transfers.
For additional details, please refer to the Splunk Enterprise Security Use Case Documentation.