Data exfiltration is the unauthorized copying, transfer or retrieval of data from a computer or server.

Data exfiltration is a malicious activity carried out through a variety of techniques, typically by cybercriminals over the Internet.

Methods

  • HTTP
  • FTP
  • SMTP/E-mail attachments
  • DNS

Types of data

  • “Sensitive files”
  • E-mails
  • User credentials

Malware/Threat actors

Preventions

<Mitigation techniques>

Detections

  • Persistent outbound connections carrying a high volume of data
  • DNS exfiltration channels: large, encoded payloads
  • Outbound FTP connections being initiated
  • Analysis of traffic flows for anomalous behaviour such as prolonged connections, data frequently being pushed to the server (e.g., commands being sent to a shell), frequent large data transfers (an indication of data exfiltration), and abnormal encryption (anything that is not SSL/TLS, or that negotiates using an alternate certificate), all of which are indicators of potentially nefarious activity.
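The DNS indicator above (repeated queries whose subdomain labels are long and look encoded) can be checked against a resolver log. The following is an added example, not part of the original page: it groups queries by client and registered domain, measures the length and Shannon entropy of the subdomain portion, and reports groups that repeatedly exceed both thresholds. The log format, the thresholds and the `exfil-demo.test` domain are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one "client qname" pair per line (not from the page).
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.5 static-content.cdn.example.org
10.0.0.7 mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpf2gc.exfil-demo.test
10.0.0.7 nbswy3dpeb3w64tmmqqgc3tekq2gc5lsmvxgiylnn5zgqzlz.exfil-demo.test
10.0.0.7 krsxg5bamrqxiylbon2xizjaon2gs3tpmz4ggzltkn2w2.exfil-demo.test
10.0.0.7 ibxwy3dfmq2eg5lhmz2wk3tinfxgwzlxmfzhg4zakrsw4.exfil-demo.test
"""

def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; encoded data scores far higher than hostnames."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_qname(qname: str):
    """Return (subdomain part, registered domain); the last two labels are taken as the domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])

def find_dns_exfil(log_text: str, min_len: int = 25, min_entropy: float = 3.0,
                   min_queries: int = 3) -> dict:
    """Group queries by (client, domain) and keep groups with repeated long, high-entropy
    subdomains. Returns {(client, domain): {"queries": n, "encoded_chars": total}}."""
    groups = defaultdict(lambda: {"queries": 0, "encoded_chars": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname = line.split()
        subdomain, domain = split_qname(qname)
        data = subdomain.replace(".", "")          # labels joined: the candidate payload
        if len(data) >= min_len and shannon_entropy(data) >= min_entropy:
            g = groups[(client, domain)]
            g["queries"] += 1
            g["encoded_chars"] += len(data)        # rough volume of data carried out
    return {k: v for k, v in groups.items() if v["queries"] >= min_queries}

if __name__ == "__main__":
    for (client, domain), stats in find_dns_exfil(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {stats['queries']} encoded queries, "
              f"~{stats['encoded_chars']} chars of payload")
```

Tune `min_len` and `min_entropy` against a baseline of the environment's normal DNS traffic, since CDN and anti-spam lookups also use long labels and will otherwise produce false positives.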

Toolkit

<Toolkit instructions, if applicable>

Similar techniques

References