Detect and Stop Data Exfiltration

Data exfiltration is a significant issue facing organizations. In a survey conducted by Ponemon Institute and published in its 2014 report “Exposing the Cybersecurity Cracks: A Global Perspective,” security professionals ranked data exfiltration as the second most feared attack.

Data exfiltration is the unauthorized transfer of data from corporate systems, whether those systems are a user’s computer or IT servers. Unauthorized transfers can be carried out by someone manually or automatically via malicious programs over a network.

Workflow

Overview

The dashboards and panels available with Splunk Enterprise Security are a good starting point, as they indicate signs of exfiltration behavior such as:

  • Unapproved port activity
  • High-volume email activity to non-corporate domains
  • Host sending excessive email
  • Excessive DNS queries
  • Web uploads to non-corporate sites by users

Splunk Enterprise Security includes built-in correlation searches that report on suspicious activity across security domains to handle the common signs of exfiltration. Notable events, which are events generated by a correlation search, are often the ideal starting point for investigations and can be used to assist in this investigation.

Review the User Activity Dashboard

The User Activity dashboard displays panels representing user activities such as potential data exfiltration. 

A spike in the volume or a high volume of key indicators such as Non-corporate Web Uploads and Non-corporate Email Activity can indicate suspicious data transfer. The dashboard indicates a high volume of suspicious activity involving data being uploaded to non-corporate domains, as well as suspiciously large email messages sent to addresses outside the organization.

Identify Suspicious Activities and Users

Look for uncommon usernames, identities on your organization’s watchlist, and large email messages or a large number of smaller messages. All of these can indicate suspicious activity and potential data exfiltration. If you find suspicious activity, you can create a notable event and assign it to an analyst for further investigation. Click on an “unknown” user to open the Identity Investigator dashboard to investigate the user in more detail. From there, click the magnifying glass to drill down into the details.

Investigate the Email Activity Dashboard

The Email Activity dashboard displays metrics relevant to email activity, such as the top sources for emails by IP address and large emails. 

Use the Top Email Sources panel to find surges in email counts by IP address. Look for unfamiliar addresses, particularly those sending large numbers of messages. The sparklines can be used to identify consistent spikes of activity from a host, which can be an indicator of automated or scripted activity.

The Large Emails panel lists emails sent to internal or external addresses, which can be another avenue for further investigation. Selecting a record on either panel will drill down into the Email Search dashboard, where you can continue to investigate the email traffic. If you find suspicious activity, create a notable event and assign it to an analyst for investigation.