Data exfiltration is big business for cybercriminals and a significant problem for any company that finds itself the victim of an attack. Any unauthorized movement of data is considered data exfiltration; it is also known as data extrusion, exportation, or theft.
Malicious actors that copy, transfer, or retrieve sensitive data without authorization might be outside attackers or malevolent insiders. To adequately address these threats, it is important to understand not just what data exfiltration is, but how to prevent such attacks through increased security measures.
How Is Data Taken?
Data is exfiltrated through three common attack vectors:
- Unintentional employee errors
- Intentional insider attacks
- Outsider targeted attacks
Both intentional and accidental insider actions account for 43% of data exfiltration events, with the rest attributed to outside actors. These outside actors include hackers, malware creators, and organized crime units, among others.
Cybercriminals often use phishing techniques to gain and exploit system access. In fact, phishing scams were listed in the top three internet crimes reported to the FBI in 2020. A ubiquitous method to steal organizational data, phishing attacks use emails that look legitimate and appear to be from a trusted sender, but these messages contain malicious links or attachments that threaten your cybersecurity.
Additional vectors of data extrusion include the following:
Network breaches. Attackers can gain remote access to your data assets by exploiting access vulnerabilities, such as weak passwords, compromised user credentials, or brute-force techniques.
Once the attacker has access to your system, they can peruse the network looking for sensitive data and critical assets. To execute the unauthorized data transfer, the most common method is to set up a shell communication channel. This channel facilitates remote interaction between the attacker’s command-and-control (C2) server and the compromised host network.
The C2 server is configured to respond to a predetermined protocol, which initiates the data transfer from the victim’s device to the attacker’s server. Common protocols used for data exfiltration include:
Hypertext Transfer Protocol (HTTP). The HTTP protocol is commonly used on most networks, making it a prime choice for attackers. With the high volume of HTTP traffic that flows through enterprise networks, malicious actors can transfer sensitive data without being noticed.
File Transfer Protocol (FTP). FTP is widely used for transferring large files online. It does not use encryption and instead relies on plain-text usernames and passwords for authentication. An attacker can exfiltrate data if outbound FTP connections are not monitored or protected by a firewall.
Domain Name System (DNS) protocol. DNS facilitates communication between internal networks and the internet by translating domain names into IP addresses. Attackers use a technique known as DNS tunneling, which embeds data inside DNS queries for a domain whose name server the attacker controls, creating a data exfiltration path that rides on traffic most networks must allow.
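DNS tunneling leaves traces a defender can look for: long, high-entropy subdomain labels and many distinct subdomains of one base domain from a single client. The following added example (not code from the original article or from WinZip) runs those two heuristics over a constructed query log; the log format, the thresholds, and the assumption that the last two labels form the registrable domain are all this example's own.

```python
import math
from collections import defaultdict

# Base32-style alphabet typical of tunnel encoders; used to build constructed sample data.
ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def build_sample_log():
    """Constructed log, one query per line: '<client_ip> <qname>' (assumed export format)."""
    lines = [f"10.0.0.7 {n}" for n in ("www.example.com", "mail.example.com", "www.example.com")]
    # Suspicious client: 25 distinct, long, high-entropy subdomains of one base domain.
    for i in range(25):
        label = "".join(ALPHABET[(i + j) % 32] for j in range(32))
        lines.append(f"10.0.0.5 {label}.tun.example")
    return "\n".join(lines)


def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label; encoded payloads score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_qname(qname, max_label_len=30, min_entropy=3.5):
    """True when any subdomain label is unusually long or looks like encoded data."""
    labels = qname.rstrip(".").split(".")
    # Assumption: the last two labels are the registrable domain. A public suffix
    # list is needed to handle names such as example.co.uk correctly.
    for label in labels[:-2]:
        if len(label) > max_label_len or label_entropy(label) >= min_entropy:
            return True
    return False


def find_tunnel_candidates(log_text, unique_threshold=20):
    """Map (client, base_domain) -> count of distinct suspicious names, above threshold only."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, qname = line.split()
        if is_suspicious_qname(qname):
            base = ".".join(qname.rstrip(".").split(".")[-2:])
            seen[(client, base)].add(qname)
    return {key: len(names) for key, names in seen.items() if len(names) >= unique_threshold}
```

Legitimate CDN and cloud hostnames can also carry long labels, so the per-client count of distinct suspicious names is the stronger signal; tune both thresholds against a baseline of your own traffic.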
Security Risks Associated with Data Exfiltration
Data exfiltration is difficult to detect because it often mimics normal network traffic while moving data outside the company network. Should an incident go unnoticed until after the attacker has successfully exfiltrated your data, it could result in significant losses of data such as:
- Personal information about customers, clients, or employees.
- Confidential enterprise information, including intellectual property, strategy documents, and proprietary technology.
- Financial information such as payment card data and bank account details.
Data exfiltration’s consequences are not just limited to data loss. It also leads to lost customer trust, reputational damage, and regulatory fines.
For example, the loss of proprietary information impacts your competitive advantage in the market. If sensitive personal information is compromised, your company can lose your customers’ trust and new customers may hesitate to work with you in the future.
The theft of personal data also opens your organization up to hefty fines for failing to comply with privacy regulations. For example, under the European Union’s (EU’s) General Data Protection Regulation (GDPR), the theft of personal data from an organization required to properly protect that data could lead to fines of up to 20 million euros (approximately $22 million USD).
In addition to the security risks associated with data loss, exfiltration events often occur in tandem with ransomware attacks. This form of cybercrime is known as double extortion because malicious actors first exfiltrate sensitive data before encrypting files and holding them for ransom, or before launching the ransomware payload at all.
A double extortion attack means that should a company refuse to pay the ransom to have their files decrypted and returned to them, the cybercriminals can simply leak or sell the data on the dark web. During the first half of 2021, almost 80% of all ransomware events involved data exfiltration.
Threat actors are backing their ransomware attacks with data exfiltration in response to victims refusing to pay ransoms. Their unauthorized data transfer gives attackers extra assurance that they will profit from their efforts.
Even if the organization refuses to meet their demands, the cybercriminals can leverage the exfiltrated data. They can extort the company for even more money than the original demand or release the data on the dark web where it can be sold for a profit.
Data Exfiltration Is a Growing Threat
Data exfiltration is one of the fastest growing cyberthreats today, especially when it comes to using double extortion as a key technique in ransomware attacks. By the end of 2020, around 40% of known ransomware groups had data exfiltration capabilities.
Interestingly, double extortion has increased in popularity amongst cybercriminals in response to better data backup practices. Because companies have improved their processes for backing up data and devices, the threat of losing data if they do not pay a ransom in exchange for the decryption key is not as powerful.
Double extortion enables cybercriminals to encrypt and exfiltrate data, pressuring the victims into paying the attacker one way or another. In fact, the cost of cyber-extortion and ransom claims doubles when attackers exfiltrate data.
A key area of concern is the growth and proliferation of ransomware-as-a-service (RaaS) offerings. This is pay-for-use malware that lets people with limited technical skill steal data and extort victims. In a typical RaaS arrangement, the malware developer keeps a portion of the ransom, with the majority of the profits going to its affiliates.
For example, BlackCat is a RaaS solution in which threat actors pay RaaS operators to launch a ransomware attack. Since first appearing on the threat landscape in November 2021, BlackCat attacks have compromised companies all over the world, demanding ransoms as large as $3 million.
In February of 2022, Expeditors International were victims of BlackCat ransomware, which forced the company to shut down its systems to investigate and remediate the attack. Because Expeditors is part of the shipping supply chain, this event impacted shipping processes when Expeditors’ systems were taken offline.
BlackCat differs from other RaaS offerings because it not only exfiltrates sensitive data and encrypts systems—it also launches a distributed denial-of-service (DDoS) attack if the victim does not meet its demands. Double extortion with the added threat of a DDoS attack gives RaaS operators greater leverage in negotiating ransom payments.
How Secure File Storage and Sharing Combats Data Exfiltration
Comprehensive security strategies help prevent data exfiltration. A secure file storage and sharing system empowers IT teams with administrative controls over access privileges, encryption requirements, and other data management tools.
Secure file storage and sharing solutions employ permission-based user roles to control who can access what data. By granting access only to what is necessary for an individual’s job functions, the principle of least privilege (POLP) minimizes the attack surface in which data exfiltration can occur.
To ensure that the POLP still applies, IT teams should conduct regular, scheduled reviews of file storage and user activity. The frequency of these reviews will vary depending on system size and asset risk, ranging from monthly reviews of high-risk assets to annual reviews of low-risk systems.
Strong encryption protocols are needed to fend off malicious actors seeking to exfiltrate your data. Should cybercriminals access your system, they will be unable to read or understand information without the proper decryption key. Encrypting files both while at rest and in transit ensures end-to-end data protection, preventing unauthorized access to sensitive information.
File storage and sharing solutions include features to increase data visibility and security. When IT administrators can monitor movement of files and data, they are better positioned to identify anomalous or unusual behavior that could indicate data theft. For example, the following warning signs could indicate unauthorized insider activity:
- Turning off or not using security controls, such as encryption or multi-factor authentication.
- Accessing and/or downloading large volumes of data.
- Accessing data or applications that are not relevant to the person’s job role.
- Searching for security vulnerabilities, such as circumventing access controls.
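The warning signs above can be turned into review rules over file-activity audit records. The following added example (not WinZip Enterprise code or its audit format) checks a constructed set of events for three of them: a security control being disabled, access to folders outside the user's role, and download volume over a per-user limit; the event fields, the role-to-folder mapping, and the 1 GB limit are this example's own assumptions.

```python
from collections import defaultdict

# Constructed audit events (not from any real product): who did what to which path.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "finance", "action": "download", "path": "/finance/q3-forecast.xlsx", "bytes": 2_000_000},
    {"user": "bob", "role": "marketing", "action": "download", "path": "/hr/payroll-2022.csv", "bytes": 5_000_000},
    {"user": "bob", "role": "marketing", "action": "download", "path": "/marketing/brand.zip", "bytes": 800_000_000},
    {"user": "bob", "role": "marketing", "action": "download", "path": "/marketing/assets.zip", "bytes": 900_000_000},
    {"user": "carol", "role": "engineering", "action": "setting_change", "path": "account/mfa", "bytes": 0, "value": "disabled"},
    {"user": "alice", "role": "finance", "action": "view", "path": "/finance/invoices/", "bytes": 0},
]

# Assumed least-privilege mapping: each role may read only its own folder tree.
ROLE_PATHS = {
    "finance": ("/finance/",),
    "marketing": ("/marketing/",),
    "engineering": ("/eng/",),
    "hr": ("/hr/",),
}

DOWNLOAD_LIMIT = 1_000_000_000  # assumed: 1 GB per user in the reviewed window


def review_events(events, role_paths=ROLE_PATHS, download_limit=DOWNLOAD_LIMIT):
    """Return a list of (user, reason, detail) alerts, in the order the events triggered them."""
    alerts = []
    downloaded = defaultdict(int)   # running download bytes per user
    volume_flagged = set()          # users already reported for volume, to avoid repeats
    for e in events:
        # Sign 1: turning off a security control such as MFA or encryption.
        if e["action"] == "setting_change" and e.get("value") == "disabled":
            alerts.append((e["user"], "security control disabled", e["path"]))
        # Sign 2: touching data that is not relevant to the person's job role.
        if e["action"] in ("download", "view"):
            allowed = role_paths.get(e["role"], ())
            if not e["path"].startswith(allowed):
                alerts.append((e["user"], "access outside job role", e["path"]))
        # Sign 3: downloading large volumes of data, reported once per user.
        if e["action"] == "download":
            downloaded[e["user"]] += e["bytes"]
            if downloaded[e["user"]] > download_limit and e["user"] not in volume_flagged:
                volume_flagged.add(e["user"])
                alerts.append((e["user"], "download volume exceeds limit", downloaded[e["user"]]))
    return alerts
```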
WinZip Enterprise Increases Security and Helps Prevent Data Exfiltration Attacks
WinZip® Enterprise secures, manages, and protects sensitive business data. This fully customizable solution empowers IT admins with streamlined controls over user access, encryption standards, and protocols regarding the storage and sharing of information.
Detecting and stopping data exfiltration is key to eliminating data loss. Solutions like WinZip Enterprise support this with file tracking, which records every instance of a file being moved, edited, or deleted. These insights help organizations review system activity and identify both insider attacks and external threats.
For unsurpassed protection of data at rest and in transit, WinZip Enterprise leverages military-grade AES encryption. This keeps files safe whether they are in storage or being shared, preventing unauthorized access and its associated costly unauthorized data transfers that can result in acts of extortion or even worse.