{{Short description|Unauthorized data transfer}}

'''Data exfiltration''' occurs when malware and/or a malicious actor carries out an unauthorized data transfer from a computer. It is also commonly called data extrusion or data exportation. Data exfiltration is also considered a form of data theft. Since the year 2000, a number of data exfiltration efforts severely damaged the consumer confidence, corporate valuation, and intellectual property of businesses and national security of governments across the world.

== Types of exfiltrated data ==

In some data exfiltration scenarios, a large amount of aggregated data may be exfiltrated. However, in these and other scenarios, it is likely that certain types of data are targeted. Types of data that are targeted include:

* Usernames, associated passwords, and other system authentication related information<ref name="Kovacs 2018">{{Cite web|url=https://www.securityweek.com/researchers-devise-perfect-data-exfiltration-technique|title=Researchers Devise "Perfect" Data Exfiltration Technique|last=Kovacs|first=Eduard|date=May 30, 2016|website=Security Week|access-date=July 1, 2018}}</ref>
* Information associated with strategic decisions<ref name="Kovacs 2018" />
* Cryptographic keys<ref name="Kovacs 2018" />
* Personal financial information<ref name="Larson 2018">{{Cite web|url=https://money.cnn.com/2017/12/18/technology/biggest-cyberattacks-of-the-year/index.html|archive-url=https://web.archive.org/web/20171220232211/http://money.cnn.com/2017/12/18/technology/biggest-cyberattacks-of-the-year/index.html|url-status=dead|archive-date=December 20, 2017|title=The hacks that left us exposed in 2017|last=Larson|first=Selena|date=December 20, 2017|website=CNN|access-date=July 1, 2018}}</ref>
* Social security numbers and other personally identifiable information (PII)<ref name="Larson 2018" />
* Mailing addresses<ref name="Larson 2018" />
* United States National Security Agency hacking tools<ref name="Larson 2018" />

== Techniques ==

Several techniques have been used by malicious actors to carry out data exfiltration. The technique chosen depends on a number of factors. If the attacker has or can easily gain physical or privileged remote access to the server containing the data they wish to exfiltrate, their chances of success are much better than otherwise. For example, it would be relatively easy for a system administrator to plant, and in turn, execute malware that transmits data to an external command and control server without getting caught.<ref name="Kovacs 2018" /> Similarly, if one can gain physical administrative access, they can potentially steal the server holding the target data, or more realistically, transfer data from the server to a DVD or USB flash drive.<ref name="Percoco 2018">{{Cite web|url=https://www.computerworld.com/article/2520483/enterprise-applications/data-exfiltration--how-data-gets-out.html|title=Data Exfiltration: How Data Gets Out|last=Percoco|first=Nicholas|date=March 12, 2010|website=Computerworld|access-date=July 1, 2018|archive-date=September 22, 2018|archive-url=https://web.archive.org/web/20180922103103/https://www.computerworld.com/article/2520483/enterprise-applications/data-exfiltration--how-data-gets-out.html|url-status=dead}}</ref> In many cases, malicious actors cannot gain physical access to the physical systems holding target data. In these situations, they may compromise user accounts on remote access applications using manufacturer default or weak passwords. In 2009, after analyzing 200 data exfiltration attacks that took place in 24 countries, SpiderLabs discovered a ninety percent success rate in compromising user accounts on remote access applications without requiring brute-force attacks. Once a malicious actor gains this level of access, they may transfer target data elsewhere.<ref name="Percoco 2018" />

Additionally, there are more sophisticated forms of data exfiltration. Various techniques can be used to evade detection by network defenses. For example, Cross Site Scripting (XSS) can be used to exploit vulnerabilities in web applications to provide a malicious actor with sensitive data. A timing channel can also be used to send data a few packets at a time at specified intervals in a way that is even more difficult for network defenses to detect and prevent.<ref name="Ullah 2017">{{Cite journal|last=Ullah|first=Faheem|date=2017|title=Data Exfiltration: A Review of External Attack Vectors and Countermeasures|journal=Journal of Network and Computer Applications}}</ref>

<gallery widths="390" heights="200">
File:Data Exfiltration Methods.jpg|alt=Main data exfiltration techniques|Main data exfiltration techniques
</gallery>

== Preventive measures ==

A number of things can be done to help defend a network against data exfiltration. Three main categories of countermeasures may be the most effective:

* Preventive<ref name="Ullah 2017" />
* Detective<ref name="Ullah 2017" />
* Investigative<ref name="Ullah 2017" />

One example of detective measures is to implement intrusion detection and prevention systems and regularly monitor network services to ensure that only known acceptable services are running at any given time.<ref name="Percoco 2018" /> If suspicious network services are running, investigate and take the appropriate measures immediately. Preventive measures include the implementation and maintenance of access controls, deception techniques, and encryption of data in process, in transit, and at rest. Investigative measures include various forensic actions and counterintelligence operations.<ref name="Ullah 2017" />
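As an added illustration of the detective measures above (not part of the original article or any cited source), the following script applies the idea to the timing channel described under Techniques: it scans constructed outbound flow records for host-to-destination pairs that send many small transfers at nearly constant intervals, the "few packets at a time at specified intervals" pattern. Hostnames, destination addresses (from the documentation address range) and the thresholds are assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (timestamp_seconds, src_host, dst_ip, bytes_out).
# "ws-17" sends small, evenly spaced transfers to 198.51.100.7 about every 60 s,
# while "ws-03" shows ordinary, irregular web traffic with large downloads.
SAMPLE_FLOWS = [
    (0, "ws-17", "198.51.100.7", 512),
    (60, "ws-17", "198.51.100.7", 498),
    (121, "ws-17", "198.51.100.7", 530),
    (180, "ws-17", "198.51.100.7", 505),
    (240, "ws-17", "198.51.100.7", 511),
    (301, "ws-17", "198.51.100.7", 520),
    (5, "ws-03", "203.0.113.9", 14000),
    (17, "ws-03", "203.0.113.9", 250000),
    (140, "ws-03", "203.0.113.9", 9000),
    (141, "ws-03", "203.0.113.9", 3100000),
    (400, "ws-03", "203.0.113.9", 42000),
]


def find_timing_channels(flows, min_flows=5, max_cv=0.1, max_bytes=4096):
    """Return (src, dst, mean_gap_s, jitter_cv) for pairs whose outbound flows
    look like a timing channel: at least min_flows transfers, each no larger
    than max_bytes, with inter-arrival intervals whose coefficient of
    variation (stddev / mean) is at most max_cv, i.e. a near-constant period."""
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    suspicious = []
    for (src, dst), records in by_pair.items():
        if len(records) < min_flows:
            continue
        records.sort()
        if max(n for _, n in records) > max_bytes:
            continue  # bulk transfers are a different pattern, not a trickle
        gaps = [b[0] - a[0] for a, b in zip(records, records[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            suspicious.append((src, dst, round(mean_gap, 1), round(cv, 3)))
    return suspicious


if __name__ == "__main__":
    for src, dst, gap, cv in find_timing_channels(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: period {gap}s, jitter cv={cv}")
```

Real flow exporters report far more fields; the point is that periodicity and size, not volume, are the signals worth alerting on for this technique.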

== References ==

{{reflist}}

== External sources ==

* http://www.ists.dartmouth.edu/library/293.pdf {{Webarchive|url=https://web.archive.org/web/20181024232622/http://www.ists.dartmouth.edu/library/293.pdf |date=2018-10-24 }}
* https://www.scmagazine.com/data-exfiltration-defense/article/536744/
* [https://gurucul.com/?s=Data+exfiltration Data exfiltration blogs, news and reports]

[[Category:Data security]]
[[Category:Theft]]