Meet us in Las Vegas at Zscaler’s ZenithLive June 10-13

Presenting the 2024 Champions in Security Honorees

Portal26’s Guide To Preventing Data Exfiltration

In today’s data driven world, data can be considered one of the most valuable assets an enterprise’s possession. A vast majority of security controls deployed in an organization serve to keep its data secure and private and so one could argue that an organization’s security posture can be assessed by the quality of its data protection strategy. Knowing the different angles attackers may use to access data and the attack paths they could use to steal it, should be a central point of consideration when designing the organization’s approach to data protection.

This is a blog about how attackers typically go about stealing data and effective methods organizations can use to prevent it.

What is data exfiltration?

Data exfiltration is another term for data theft. Data exfiltration typically occurs when an unauthorized user or malware attack infiltrates a network, gains access to data and copies, transfers, or retrieves it. The primary goal of data exfiltration is to access as much data as possible, as quickly as possible without detection.

Data exfiltration is one of the most profitable aspects of modern cyberattacks and provides attackers with vast amounts of leverage over cyberattack victims. When attackers exfiltrate sensitive data, especially data belonging to customers, they are able to compel victim organizations to pay millions of dollars in ransom to avoid this data being leaked. Often attackers threaten to extort customers directly. In addition, Data Exfiltration enables attackers to utilize stolen data to launch future attacks on both the original victim, as well as entities identified in the stolen data set.

Interestingly, many organizations find that exfiltrated data eventually gets leaked even after they make the ransom payment, which reinforces the need to keep data from being exfiltrated in the first place. Also, the implications of real peoples’ sensitive data being leaked or the value an organization could lose without their information, are also large.

Portal26’s State of Data Exfiltration and Extortion 2022 report revealed that the nature of cyberattacks has changed to include data exfiltration in a majority of the attacks. Over 70% of organizations admitted to suffering a ransomware attack in the report. Of that number, 68% of those included data exfiltration, and 60% were extorted and forced to give in to ransom demands.

Read The Report >

How do hackers exfiltrate data?

Cyberattackers aiming to capture organizational data often have the opportunity to physically access a computer with all necessary credentials or use inside assistance to break into company networks using an automated approach quickly.

On the organizational side, this means that the form of cyberattack can be incredibly difficult to detect and defend against since at the time it happens, it is already too late to defend. On the technical side, the action is frequently misconstrued as ordinary because the stolen data merely travels inside and outside an organization’s network using trusted paths.

But, once the data has been successfully exfiltrated, criminals can do anything they want. This includes seriously harming a company’s reputation, demanding an outrageous ransom for the data, or performing other extortion techniques. While many businesses opt to use audits to identify any potential vulnerabilities, this is not a holistic approach to defend against data exfiltration.

A study from McAfee in 2019 revealed the preferred methodologies of data exfiltration perpetrators. Database leaks accounted for 38% of extortion tactics, network traffic 37%, with file shares and corporate email tied at 36% each. These tactics are distributed evenly enough, meaning these are the four most popular ways hackers have extorted data overall.

Data Exfiltration Techniques 

Let’s dive into what these techniques look like and what your organization could be seeing within these events.

  • Database leaks: Databases are frequently attacked by inside and outside attackers due to the value of the data they store. There are many kinds of databases and some are more vulnerable than others. Relational stores, object stores, document databases, enterprise search platforms, and so on. All databases have administrator or privileged user roles and these are what attackers aim to compromise. Once an attacker assumes the role of an administrator, they have the keys to the kingdom and are in a position to access and exfiltrate large volumes of data from inside the database. (See how Portal26 addresses this risk in the section below)
  • Network traffic: Network traffic is another umbrella that attacks can fall within, it describes what can happen when bad actors enter the network and perform unauthorized activity. For example, malware or ransomware can be introduced upon entering a network. Often bad actors persist on networks for a long time, observing traffic and activity and using it to identify high value resources. Once enough information has been gathered, they make their move.
  • File shares: File shares top the list of data exfiltration methods in North America and for good reason. One of the most common ransomware attack patterns is when attackers infiltrate networks and move laterally until they find a file share. Once inside they steal unstructured data i.e. documents, intellectual property, spreadsheets, pdfs etc. and use these to extort victims and/or leak the data ro ruin the victim’s reputation. (See how Portal26 addresses this risk in the section below)
  • Corporate email: “Phishing” emails may be sent to employees within an organization in the hopes that they will fall for the bait, click a link and allow the bad actors entrance into their system. Once in the system, attackers treat it like another avenue to go after what they want: your data.

Data Exfiltration Prevention

What are some effective practical strategies to defend against exfiltration attacks?

Data exfiltration detection can be challenging and is greatly influenced by the attack tactic. As discussed above, there are many avenues depending on whether the cyber criminal is using an insider or is coming from the outside to exfiltrate data.

However, when they are inside, analysts and cybersecurity pros may falsely classify the traffic from data exfiltration as typical network traffic. On the detection side, more and more enterprises are adopting automated tools that instantly identify suspicious or abnormal traffic to detect a malicious actor’s presence.

One such instrument with real-time network traffic monitoring capabilities is the Security Information and Event Management System (SIEM). Even malware used to communicate within network servers can be found in some SIEM solutions. SIEMs are one of the most popular tools currently utilized to detect ongoing data exfiltration attacks.

However, in a vast majority of cases, when attackers steal privileged credentials they are able to disguise data exfiltration as normal behavior for the admin or privileged user. For this reason it is very important for organizations to deploy a set of controls to keep valuable data secure when attackers do manage to break in and gain access to data repositories.

Data Exfiltration Defense

For cases when this happens enterprises can choose from the following types of solutions:

1. DLP (Data Loss Prevention)

One common strategy to prevent data exfiltration that many organizations rely on is a data loss prevention (DLP) solution. DLP tools are useful when companies know what data could be exfiltrated and are able to make policies in accordance with them. Generally speaking,  DLP solutions frequently fail to identify data exfiltration and do not provide significant  immunity to ransomware or other large scale data-focused attacks.

2. Portal26 Data Security Platform

Portal26 is a powerful offering that enables organizations to secure existing systems against data exfiltration and extortion as well as  build new ransomware and data exfiltration-resistant products from scratch.

According to Gartner “Portal26 provides substantial reduction in risk from ransomware and other data focused attacks.”

Portal26 utilizes high-performance encryption-in-use along with nine privacy preserving techniques to ensure that encrypted data can be queried and analyzed without decryption and data can be utilized by applications and analytics platforms without exposing clear text. By doing this, Portal26 ensures that attackers cannot abuse admin or privileged credentials to exfiltrate data in clear text and attackers do not gain data related leverage that they can use to extort victim organizations.

Portal26 is an efficient and effective answer for day-to-day data security and privacy enforcement but it is also a very effective control in the most challenging attack scenarios such as when attackers successfully breach datastores and bypass all other security controls.

Another important benefit of Portal26 is that the solution provides evidence that valuable data retained encryption during an attack. This type of evidence is very helpful to organizations as they are able to demonstrate compliance, ensure that stolen data cannot be used against them, and avoid ransom payments.

Portal26 plugin can be used to secure enterprise search platforms, Portal26 Vault can be used to secure all types of databases, Portal26 Proxy can be used to secure object stores and file shares and Portal26 API/Translation service can be used to program strong data security into applications from the ground up. Portal26 also offers a studio to manage all Portal26 modules as well as for reporting.

Data Exfiltration solutions 

Our award-winning data security platform not only offers advanced data security controls, but a wealth of traditional controls and key based controls such as BYOK/HYOK and data tokenization, in one single solution. All of Portal26’s cryptographic algorithms are NIST FIPS 140-2 validated and provide granular field level evidence of encryption for day-to-day scenarios and for incident investigations.

To get a demo of Portal26’s data exfiltration prevention capabilities, schedule a demo today!

Schedule a Demo >

Related Resources