What is Data Exfiltration and How Can You Prevent It?
Preventing cyberattacks is now the biggest challenge that many businesses face. According to Allianz, for example, cyberthreats are the number one area of risk in 2023, ahead of business interruption and macroeconomic issues such as inflation. This makes it an area no organization can afford to ignore.
The cost of these incidents also continues to rise, with figures produced by the Ponemon Institute on behalf of IBM noting that in 2022, the average cost of a data breach reached $4.35 million – the highest figure ever recorded.
A particular threat that businesses must be aware of is data exfiltration. Its costs range from reputational damage and lost business through to ransom payments, class action lawsuits and regulatory penalties. As such, it is vital that businesses understand this threat and take the right steps to mitigate it.
What does data exfiltration mean?
The first step in defending against data exfiltration must be to understand exactly what it is and how it works. In short, it is a term used to describe the movement of data OFF a device, as opposed to infiltration, the movement of data ON to the device.
What is data exfiltration?
Data exfiltration is the unauthorized removal of data from a device, whether an endpoint such as a PC or smartphone or a server such as a database host. This form of data breach can be among the most costly to a business because it is extremely hard to spot: in many cases, attackers have transferred material undetected for months, building up a huge repository of sensitive data before anyone notices.
How does data exfiltration occur?
Data exfiltration techniques vary, but they can essentially be split into two main attack vectors: outsider attacks and insider threats.
Outsider attacks often involve hackers injecting malware or using phishing to steal credentials and gain access to confidential data. Encryption at rest offers little protection here, since a stolen credential lets the attacker read the data exactly as a legitimate user would. Once inside, a threat actor can copy data and transfer it out to infrastructure they control at will. In some cases, hackers have exfiltrated data for months or even years before being discovered, which gives them immense leverage to extort businesses in exchange for returning or deleting the data.
Insider threats, meanwhile, originate from a company’s own employees. The majority of these are likely to be inadvertent, such as users being careless with their data handling. However, organizations also have to be mindful of the risk of deliberate data theft by their workers.
In these cases, a malicious insider may deliberately copy and remove data, which they can then sell on to criminals or deliver to a competitor. In some cases, ransomware gangs actively recruit malicious actors to help them breach corporate networks and execute successful attacks.
Why does data exfiltration occur?
For an attacker with malicious intent, exfiltrated data is a highly precious resource. For instance, valuable data such as personal customer information or corporate financial details can be used directly to commit fraud or sell on to other criminals.
However, other confidential data such as trade secrets or other proprietary information may also be of use as part of corporate or even state-level espionage and cyberwarfare. In fact, there are even dedicated services such as Industrial Spy, which promotes itself as a marketplace where businesses can purchase their competitors’ data, looking to take advantage of this.
Another growing problem is the risk of cyber extortion, where hackers threaten to publicly release private data online. This is often part of a ransomware attack and can also be highly lucrative, as many firms may feel paying up will be cheaper in the long run than dealing with the repercussions of public data exposure.
Verizon’s 2023 Data Breach Investigations Report, for example, warned that the median cost of a ransomware incident has more than doubled over the last two years, with 95 percent of incidents that involved a loss costing between $1 and $2.25 million. Such incidents now represent roughly a quarter of all data breaches.
What are the implications of data exfiltration?
Falling victim to a data exfiltration incident can have numerous consequences, both financially and reputationally.
Where is the majority of exfiltrated data going?
Hackers are constantly becoming more organized, with criminal gangs increasingly recognizing the value of stolen data, both as a resource they can use directly for activities such as ransomware extortion and to sell on for an easy profit.
BlackFog’s own research indicates that China is the most common destination for exfiltrated data, with 27 percent of stolen information ending up there in 2022 – an 11 percent rise from the previous year. Russia was the second most common destination, and together these two countries received the data from 44 percent of attacks.
Can exfiltrated data hurt your business?
The exfiltration of data can be harmful to a company in a number of ways. Primarily, it can lead to unhappy customers and lost business, as well as the attention of regulators. With tough legislation threatening heavy fines for enterprises that fail to protect sensitive data – up to €20 million or four percent of global annual turnover, whichever is higher, under GDPR, for example – the financial cost can be high.
An organization that holds extremely sensitive proprietary data or trade secrets could also lose any competitive advantage it has in the market by giving away designs or future development plans to rivals.
All this is before you take into account the reputational damage that data exfiltration can lead to. With consumers more sensitive than ever to misuse of personal information, they will rarely be quick to forgive a company that has proven unable to take care of their data.
For instance, McKinsey notes that 87 percent of people will not deal with a firm if they have concerns about its security practices, while 71 percent said they would stop doing business with a company that gave away sensitive data.
What are the long-term costs of data exfiltration?
In the longer term, companies that have fallen victim to data exfiltration can find themselves facing a range of costs. In addition to regulatory penalties, the threat of class-action lawsuits from affected customers can be high.
As well as direct compensation, preventative measures such as credit monitoring services for any users who had financial details stolen can be a major expense. Elsewhere, the reputational damage from such incidents can be so substantial that many companies struggle to recover from them. Indeed, it’s claimed that as many as 60 percent of small businesses close within six months of a data breach.
In the last few years, organizations that have been forced to close due to cyberattacks include foreign exchange firm Travelex, Illinois healthcare provider SMP Health and the 157-year-old Lincoln College.
How to prevent data exfiltration
The best defense against data exfiltration threats is to block it before it happens. Once data has been extracted from a network, the damage is already done, so mitigation and incident response plans can only have a limited impact. You therefore need security controls that include an anti data exfiltration, or ADX, solution that stops your business from falling victim to data theft in the first place.
How can data exfiltration be prevented?
A key part of data exfiltration detection is monitoring all traffic leaving the business’s network, including traffic to cloud services and DNS, not just connections to obviously unfamiliar hosts. Many traditional cybersecurity solutions focus their efforts on protecting the network perimeter against incoming threats.
While this remains an important layer in your cybersecurity defense strategy, relying solely on perimeter defense tactics will leave you vulnerable should a bad actor slip through the net – which, given the prevalence of risks such as zero-day threats, is likely to happen to every business sooner or later.
Therefore, you need to go beyond standard cyberthreat prevention techniques, including data loss prevention (DLP) tools, and look for solutions designed specifically to stop attackers from exfiltrating data without authorization. This helps you take control of how information flows through your network and ensures that when it is transferred beyond your borders, it is fully authorized and secured.
How can you protect from data loss by negligent, compromised and malicious users?
Careless employees are among the main causes of data exfiltration. In fact, Statista research notes that in 2023, 78 percent of UK CISOs named human error as their biggest cybersecurity vulnerability.
This may include poor practices or accidental sharing of details due to a phishing attack. Such issues can be compounded by weak access control policies that do not adequately guard against unauthorized access, such as a lack of multifactor authentication.
Putting controls in place to prevent reckless behavior such as password sharing or accessing data via unsecured devices and network connections is a must. However, to be effective, you need to go further to also counter any malicious insider within your business who may be looking to steal data.
To do this, strong ADX solutions must include effective monitoring tools that keep a close watch on data leaving the network. Using behavioral profiling techniques, suspicious activities – such as users attempting to access resources they do not have permission for or transferring files in an unusual way – can be blocked, ensuring that data does not leave the network without authorization. Such profiling needs a learning period and some tuning: legitimate bulk transfers such as scheduled backups must be part of the baseline, or they will be blocked alongside genuine theft.
The importance of endpoint protection for data exfiltration prevention
Endpoint security is another essential part of a data exfiltration prevention strategy. It is particularly important in the era of remote and hybrid working, where more business activity takes place on personally-owned and mobile devices that a traditional, network-based DLP solution often cannot see.
For instance, in 2020 – when remote working became the norm for many people – ransomware attacks spiked by 150 percent compared with the previous year. This is no coincidence, as many attackers looked to take advantage of less direct oversight. With remote and hybrid working now a permanent reality for many enterprises, on-device security solutions ensure that your threat detection tools extend to every part of your network, no matter where they are or who they belong to.
How does BlackFog prevent data exfiltration?
Unlike many other data protection tools, BlackFog uses a layered approach that identifies data exfiltration attempts in real time and shuts them down before an attacker has a chance to succeed, using technologies such as machine learning to build a picture of normal network activity.
Our ADX technology provides full on-device protection by constantly monitoring user activity and outgoing network traffic. This includes company data being transferred to and from cloud storage or applications, emails being sent to suppliers or customers, and large-scale data transfers to offsite backup solutions. If suspicious activity is detected – for example where the destination is unknown or if a larger volume than usual is being moved – it can be automatically blocked to disrupt cyberattacks and protect sensitive data.
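The three signals the two passages above describe (a host's own egress baseline, a destination nobody has sanctioned, and transfers shaped unlike normal traffic) can be checked over ordinary outbound-flow logs. The script below is an added example written for this page; it is not BlackFog code and does not describe how the ADX product works. The flow records, host names, domains and the allowlist are all constructed for the example, and the thresholds (3 standard deviations with a 50 percent floor, 20-character labels at 3.5 bits of entropy) are illustrative starting points, not tuned values. It goes one step beyond the text by also flagging long, high-entropy DNS labels, the shape of data being smuggled out inside DNS queries.

```python
"""Egress anomaly detection over constructed outbound-flow records (example only)."""
import math
import statistics
from collections import defaultdict

# Constructed sample flow records: (day, host, destination, bytes_out).
# Hosts, domains and volumes are invented for this example.
SAMPLE_FLOWS = [
    # ws-17: ~50 MB/day to a sanctioned cloud storage service for five days ...
    (1, "ws-17", "storage.example-cloud.com", 52_000_000),
    (2, "ws-17", "storage.example-cloud.com", 48_000_000),
    (3, "ws-17", "storage.example-cloud.com", 51_000_000),
    (4, "ws-17", "storage.example-cloud.com", 49_000_000),
    (5, "ws-17", "storage.example-cloud.com", 50_000_000),
    # ... then 2 GB on day 6 to a host nobody has seen before.
    (6, "ws-17", "files.unknown-host.net", 2_000_000_000),
    # db-01: steady 400 MB/day offsite backup, unchanged on day 6 ...
    (1, "db-01", "backup.example-cloud.com", 400_000_000),
    (2, "db-01", "backup.example-cloud.com", 400_000_000),
    (3, "db-01", "backup.example-cloud.com", 400_000_000),
    (4, "db-01", "backup.example-cloud.com", 400_000_000),
    (5, "db-01", "backup.example-cloud.com", 400_000_000),
    (6, "db-01", "backup.example-cloud.com", 400_000_000),
    # ... plus a small trickle to a random-looking 32-character subdomain.
    (6, "db-01", "3f9a1c7e2b8d4f6a0c5e7b9d1a3c5e7f.tunnel.example.org", 1_500_000),
]

# Hypothetical allowlist of sanctioned destinations.
KNOWN_DESTINATIONS = {"storage.example-cloud.com", "backup.example-cloud.com"}


def shannon_entropy(text):
    """Bits of entropy per character; random hex or base32 labels score about 4."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def daily_totals(flows):
    """Sum bytes_out per (host, day)."""
    totals = defaultdict(int)
    for day, host, _dest, nbytes in flows:
        totals[(host, day)] += nbytes
    return totals


def volume_anomalies(flows, day, min_baseline_days=3):
    """Hosts whose egress on `day` exceeds mean + max(3*stdev, 50% of mean)
    of that host's own earlier days. The 50% floor stops a perfectly flat
    baseline (stdev 0, like the backup host) from flagging trivial changes."""
    totals = daily_totals(flows)
    flagged = {}
    for host in {h for h, _ in totals}:
        baseline = [v for (h, d), v in totals.items() if h == host and d < day]
        if len(baseline) < min_baseline_days or (host, day) not in totals:
            continue
        mean = statistics.mean(baseline)
        threshold = mean + max(3 * statistics.stdev(baseline), 0.5 * mean)
        today = totals[(host, day)]
        if today > threshold:
            flagged[host] = (today, threshold)
    return flagged


def unknown_destinations(flows, day, known):
    """(host, destination) pairs on `day` that are not in the allowlist."""
    return {(host, dest) for d, host, dest, _ in flows
            if d == day and dest not in known}


def suspicious_labels(flows, day, min_len=20, min_entropy=3.5):
    """(host, destination) pairs whose leftmost DNS label is long and
    high-entropy, as encoded data inside a tunnelled query would be."""
    hits = set()
    for d, host, dest, _ in flows:
        if d != day:
            continue
        label = dest.split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            hits.add((host, dest))
    return hits


def score_day(flows, day, known):
    """Combine the three checks into a per-host list of reasons to block."""
    reasons = defaultdict(list)
    for host, (today, threshold) in volume_anomalies(flows, day).items():
        reasons[host].append(f"volume {today} B exceeds baseline threshold {threshold:.0f} B")
    for host, dest in sorted(unknown_destinations(flows, day, known)):
        reasons[host].append(f"unknown destination {dest}")
    for host, dest in sorted(suspicious_labels(flows, day)):
        reasons[host].append(f"high-entropy DNS label in {dest}")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(score_day(SAMPLE_FLOWS, 6, KNOWN_DESTINATIONS).items()):
        print(host, "->", "; ".join(why))
```

On the sample data, ws-17 is flagged on day 6 for both volume and an unknown destination, while db-01 passes the volume check (its backup traffic is in its own baseline) and is caught only by the unknown destination and the high-entropy label. The baseline is per host rather than network-wide precisely so that a database server's nightly 400 MB does not set the bar for a workstation, which is the tuning point the caveat above is about.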
With a complete endpoint protection platform to guard against the loss of sensitive information, BlackFog’s unique ADX solution helps your security team block any possible avenue for attackers to conduct a data exfiltration attempt, whether this originates from a hacking attempt, phishing attack or an insider threat.
Learn more about how BlackFog protects enterprises from the threats posed by data exfiltration.