Multiple choice: Exfiltrate is . . .
If you selected (1) through (6), you’re just guessing. Although there are other definitions of exfiltrate—some similar to the foils above—the one we’re interested in today is “(7) to take sensitive data out of a victim’s environment.”
Here’s the way Symantec describes it in their white paper, Anatomy of a Data Breach: Why Breaches Happen and What to Do About It:
“Exfiltration. Confidential data is sent back to the hacker team either in the clear (by Web mail, for example), wrapped in encrypted packets or zipped files with password protection.”
Exfiltration can be done at the hands of an insider—perhaps a dishonest employee or a well-meaning but poorly trained worker tricked into sending data that should remain confidential—but for this blog I’d like to concentrate on exfiltration resulting from outside attacks.
Well-organized criminal enterprises stage large amounts of captured data on exfiltration servers, where it is picked up later by retrieval agents. These servers could be systems outside the targeted enterprise, accumulating the smaller packets, or they could be compromised servers within the victim’s enterprise. The data could be escaping disguised as email, PDF files, .doc, .xls, CAD, graphics files or other common types with hidden payloads.
How does this happen?
It starts with attackers getting into a company’s systems. Stolen login credentials and spyware such as keystroke loggers are two of the most common incursion methods.
The attacker or software operating on his behalf next sniffs around electronically to locate valuable confidential data. The typical next step is copying the information to exfiltration servers, and the final step is retrieval of the information by the attackers, who are now poised to sell it to the highest bidder or use it themselves.
What can you do about it?
Start by taking steps to prevent the initial incursion. For example,
Also make sure your important data is protected. For example,
Then monitor for suspicious activity and be prepared to take quick action. For example,
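As an added illustration of what such monitoring can look like (example code written for this post's topic, not code from the original blog, Symantec or Verizon), the following script reads outbound network-flow records and flags the three patterns the post describes: a bulk upload from one host to an external destination, many small transfers from one host to the same external destination (the "smaller packets" being accumulated), and an internal server receiving data from several other internal hosts (a compromised staging server inside the victim's enterprise). The log format, the address ranges, the allowlist and every threshold are assumptions, and all log lines are constructed.

```python
"""Toy exfiltration monitor (added example, not from the original post).
Reads constructed flow records of the form "timestamp src dst dport bytes_out"
and reports three heuristic patterns from the exfiltration chain."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal address space and one assumed allow-listed SaaS endpoint.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_EXTERNAL = {"203.0.113.10"}

# Assumed thresholds, sized for the constructed sample below.
VOLUME_BYTES = 25_000_000                      # rule 1: bulk upload to one external host
BURST_COUNT, SMALL_BYTES = 10, 200_000         # rule 2: many small uploads to one external host
STAGING_SOURCES, STAGING_BYTES = 3, 20_000_000  # rule 3: internal host collecting from many peers

# Constructed sample log: normal SaaS traffic, a bulk upload, a burst of
# small uploads, and four hosts pushing data to one internal file server.
SAMPLE_LOG = """\
2012-10-02T09:00:01 10.0.1.15 203.0.113.10 443 5200
2012-10-02T09:00:05 10.0.1.15 203.0.113.10 443 4100
2012-10-02T09:03:12 10.0.2.40 198.51.100.7 443 12000000
2012-10-02T09:03:40 10.0.2.40 198.51.100.7 443 12000000
2012-10-02T09:04:02 10.0.2.40 198.51.100.7 443 12000000
""" + "".join(
    f"2012-10-02T10:{i:02d}:00 10.0.3.9 198.51.100.22 8443 150000\n" for i in range(12)
) + "".join(
    f"2012-10-02T11:00:0{i} 10.0.{i}.50 10.0.0.5 445 8000000\n" for i in range(1, 5)
)


def is_internal(ip):
    """True if the address falls inside the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the whitespace-separated records into (ts, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append((ts, src, dst, int(dport), int(nbytes)))
    return flows


def detect(flows):
    """Return sorted alerts of the form (rule, subject, peer, total_bytes)."""
    alerts = []
    pair_sizes = defaultdict(list)                   # (src, dst) -> [bytes_out, ...]
    staging = defaultdict(lambda: defaultdict(int))  # internal dst -> src -> bytes
    for _ts, src, dst, _dport, nbytes in flows:
        if not is_internal(src):
            continue  # only traffic that originates inside the enterprise
        if is_internal(dst):
            staging[dst][src] += nbytes
        elif dst not in ALLOWED_EXTERNAL:
            pair_sizes[(src, dst)].append(nbytes)

    for (src, dst), sizes in pair_sizes.items():
        total = sum(sizes)
        if total >= VOLUME_BYTES:
            alerts.append(("bulk_upload", src, dst, total))
        elif len(sizes) >= BURST_COUNT and median(sizes) < SMALL_BYTES:
            alerts.append(("small_burst", src, dst, total))

    for dst, by_src in staging.items():
        total = sum(by_src.values())
        if len(by_src) >= STAGING_SOURCES and total >= STAGING_BYTES:
            alerts.append(("internal_staging", dst, str(len(by_src)), total))
    return sorted(alerts)


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_flows(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, subject, peer, total in run_sample():
        print(f"{rule:17s} {subject:>14s} -> {peer:>14s} {total:>10d} bytes")
```

On the sample, the monitor reports the bulk upload from 10.0.2.40, the burst of small uploads from 10.0.3.9, and 10.0.0.5 as a possible internal staging host, while the allow-listed SaaS traffic from 10.0.1.15 is ignored. In a real deployment the thresholds would be derived from each host's own baseline rather than fixed, and an alert is a prompt to investigate, not proof of exfiltration.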
Of course, if the attackers have gotten into your servers, you might figure that the game is up and you’ve lost all your proprietary information. But that’s not always the case. Sometimes attackers don’t immediately find and exfiltrate the data they want. Verizon’s 2012 Data Breach Investigations Report includes this somewhat encouraging statistic:
“In over 40% of incidents we investigated, it took attackers a day or more to locate and exfiltrate data. This gives some hope that reasonable time exists for more than one shot at detecting/stopping the incident before data is completely removed from a victim’s control.”
Furthermore, the type of attack known as an Advanced Persistent Threat involves malware agents that remain on your servers and continue to steal your data over a period of weeks, months, or longer. (See my September 14, 2012, blog post, Advanced Persistent Threat, for more on this topic.)
So even though competitors halfway around the world might be looking over your plans for the Model One Outboard Turfenfoil today, you still can thwart their attempts to learn about the Model Two if you apply diligent security measures that prevent further exfiltration.