
Portal26’s Guide To Preventing Data Exfiltration

In today’s data-driven world, data can be considered one of the most valuable assets in an enterprise’s possession. The vast majority of security controls deployed in an organization serve to keep its data secure and private, so one could argue that an organization’s security posture can be assessed by the quality of its data protection strategy. Knowing the different angles attackers may use to access data, and the attack paths they could use to steal it, should be a central consideration when designing the organization’s approach to data protection.

This blog post covers how attackers typically go about stealing data and the effective methods organizations can use to prevent it.

What is data exfiltration?

Data exfiltration is another term for data theft. It typically occurs when an unauthorized user or a piece of malware infiltrates a network, gains access to data and copies, transfers, or retrieves it. The primary goal of data exfiltration is to access as much data as possible, as quickly as possible, without detection.

Data exfiltration is one of the most profitable aspects of modern cyberattacks and provides attackers with vast amounts of leverage over their victims. When attackers exfiltrate sensitive data, especially data belonging to customers, they are able to compel victim organizations to pay millions of dollars in ransom to avoid this data being leaked. Often attackers threaten to extort customers directly. In addition, data exfiltration enables attackers to use stolen data to launch future attacks on both the original victim and entities identified in the stolen data set.

Interestingly, many organizations find that exfiltrated data eventually gets leaked even after they make the ransom payment, which reinforces the need to keep data from being exfiltrated in the first place. The implications of real people’s sensitive data being leaked, or of the value an organization could lose without its information, are also large.

Portal26’s State of Data Exfiltration and Extortion 2022 report revealed that the nature of cyberattacks has changed to include data exfiltration in a majority of attacks. Over 70% of the organizations surveyed for the report admitted to suffering a ransomware attack. Of that number, 68% involved data exfiltration, and 60% were extorted and forced to give in to ransom demands.


How do hackers exfiltrate data?

Cyberattackers aiming to capture organizational data often have the opportunity to physically access a computer with all the necessary credentials, or to use inside assistance to break into company networks quickly using an automated approach.

On the organizational side, this means that this form of cyberattack can be incredibly difficult to detect and defend against, since by the time it happens it is already too late to defend. On the technical side, the activity is frequently misconstrued as ordinary because the stolen data merely travels inside and outside an organization’s network using trusted paths.

But once the data has been successfully exfiltrated, criminals can do anything they want with it. This includes seriously harming a company’s reputation, demanding an outrageous ransom for the data, or performing other extortion techniques. While many businesses opt to use audits to identify potential vulnerabilities, this is not a holistic approach to defending against data exfiltration.

A study from McAfee in 2019 revealed the preferred methodologies of data exfiltration perpetrators. Database leaks accounted for 38% of extortion tactics, network traffic for 37%, and file shares and corporate email were tied at 36% each. These tactics are distributed evenly enough that all four rank as the most popular ways hackers have extorted data overall.

Data Exfiltration Techniques

Let’s dive into what these techniques look like and what your organization could be seeing within these events.

  • Database leaks: Databases are frequently attacked by inside and outside attackers because of the value of the data they store. There are many kinds of databases (relational stores, object stores, document databases, enterprise search platforms, and so on), and some are more vulnerable than others. All databases have administrator or privileged user roles, and these are what attackers aim to compromise. Once an attacker assumes the role of an administrator, they have the keys to the kingdom and are in a position to access and exfiltrate large volumes of data from inside the database. (See how Portal26 addresses this risk in the section below.)
  • Network traffic: Network traffic is another umbrella that attacks can fall under; it describes what can happen when bad actors enter the network and perform unauthorized activity. For example, malware or ransomware can be introduced upon entering a network. Bad actors often persist on networks for a long time, observing traffic and activity and using it to identify high-value resources. Once enough information has been gathered, they make their move.
  • File shares: File shares top the list of data exfiltration methods in North America, and for good reason. One of the most common ransomware attack patterns is for attackers to infiltrate networks and move laterally until they find a file share. Once inside, they steal unstructured data, i.e. documents, intellectual property, spreadsheets, PDFs, etc., and use it to extort victims and/or leak the data to ruin the victim’s reputation. (See how Portal26 addresses this risk in the section below.)
  • Corporate email: “Phishing” emails may be sent to employees within an organization in the hope that they will take the bait, click a link and allow the bad actors entry into their system. Once in the system, attackers treat it as another avenue to go after what they want: your data.

Data Exfiltration Prevention

What are some effective practical strategies to defend against exfiltration attacks?

Data exfiltration detection can be challenging and is greatly influenced by the attack tactic. As discussed above, there are many avenues, depending on whether the cybercriminal is using an insider or is coming from the outside to exfiltrate data.

However, once they are inside, analysts and cybersecurity pros may falsely classify the traffic generated by data exfiltration as typical network traffic. On the detection side, more and more enterprises are adopting automated tools that instantly identify suspicious or abnormal traffic in order to detect a malicious actor’s presence.

One such instrument with real-time network traffic monitoring capabilities is the Security Information and Event Management system (SIEM). Some SIEM solutions can even detect malware communicating with servers inside the network. SIEMs are one of the most popular tools currently used to detect ongoing data exfiltration attacks.

However, in the vast majority of cases, when attackers steal privileged credentials they are able to disguise data exfiltration as normal behavior for the admin or privileged user. For this reason, it is very important for organizations to deploy a set of controls that keep valuable data secure even when attackers do manage to break in and gain access to data repositories.
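As an added illustration of the kind of baseline check an automated tool or SIEM correlation rule applies to egress flows (example code written for this post, not Portal26’s product or any SIEM’s rule language; the hosts, days and addresses are constructed), each host’s outbound volume on the current day is compared with its own recent history, and any first-time external destination is flagged as well. The check keys on volume and destination rather than on whose credentials were used, so it does not depend on the account looking legitimate.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of daily egress flow summaries: (day, source host,
# external destination, bytes sent). Not real traffic; the hosts, days and
# addresses are assumptions for this illustration.
FLOWS = [
    ("d1", "db-01", "203.0.113.10", 20_000_000),
    ("d2", "db-01", "203.0.113.10", 22_000_000),
    ("d3", "db-01", "203.0.113.10", 19_000_000),
    ("d4", "db-01", "203.0.113.10", 21_000_000),
    ("d5", "db-01", "198.51.100.7", 900_000_000),  # bulk transfer to a new host
    ("d1", "ws-07", "203.0.113.10", 5_000_000),
    ("d2", "ws-07", "203.0.113.10", 6_000_000),
    ("d3", "ws-07", "203.0.113.10", 5_000_000),
    ("d4", "ws-07", "203.0.113.10", 7_000_000),
    ("d5", "ws-07", "203.0.113.10", 6_000_000),
]

def daily_egress(flows):
    """Total bytes sent per (day, host), regardless of destination."""
    totals = defaultdict(int)
    for day, host, _dst, nbytes in flows:
        totals[(day, host)] += nbytes
    return totals

def find_egress_anomalies(flows, baseline_days, target_day, z_threshold=3.0):
    """Flag hosts whose egress on target_day is far above their own baseline
    or goes to a destination never seen during the baseline window."""
    totals = daily_egress(flows)
    seen = defaultdict(set)  # destinations each host contacted in the baseline
    for day, host, dst, _ in flows:
        if day in baseline_days:
            seen[host].add(dst)
    alerts = []
    for host in sorted({h for _, h, _, _ in flows}):
        history = [totals.get((d, host), 0) for d in baseline_days]
        today = totals.get((target_day, host), 0)
        mu, sigma = mean(history), pstdev(history)
        sigma = sigma or max(mu * 0.01, 1.0)  # flat baseline: avoid divide by zero
        z = (today - mu) / sigma
        new_dsts = {dst for dy, h, dst, _ in flows
                    if dy == target_day and h == host} - seen[host]
        if z >= z_threshold or new_dsts:
            alerts.append({"host": host, "bytes_out": today, "z": round(z, 1),
                           "new_destinations": sorted(new_dsts)})
    return alerts
```

A z-score threshold of 3 over four days of history is a starting point only; production baselines use longer windows, per-destination history and time-of-day context.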

Data Exfiltration Defense

For cases when this happens, enterprises can choose from the following types of solutions:

1. DLP (Data Loss Prevention)

One common strategy to prevent data exfiltration that many organizations rely on is a data loss prevention (DLP) solution. DLP tools are useful when companies know what data could be exfiltrated and are able to write policies accordingly. Generally speaking, DLP solutions frequently fail to identify data exfiltration and do not provide significant immunity to ransomware or other large-scale data-focused attacks.

2. Portal26 Data Security Platform

Portal26 is a powerful offering that enables organizations to secure existing systems against data exfiltration and extortion, as well as to build new ransomware- and data-exfiltration-resistant products from scratch.

According to Gartner “Portal26 provides substantial reduction in risk from ransomware and other data focused attacks.”

Portal26 uses high-performance encryption-in-use along with nine privacy-preserving techniques to ensure that encrypted data can be queried and analyzed without decryption, and that data can be used by applications and analytics platforms without exposing clear text. By doing this, Portal26 ensures that attackers cannot abuse admin or privileged credentials to exfiltrate data in clear text, and so do not gain data-related leverage that they can use to extort victim organizations.

Portal26 is an efficient and effective answer for day-to-day data security and privacy enforcement, but it is also a very effective control in the most challenging attack scenarios, such as when attackers successfully breach datastores and bypass all other security controls.

Another important benefit of Portal26 is that the solution provides evidence that valuable data retained encryption during an attack. This type of evidence is very helpful to organizations, as they are able to demonstrate compliance, ensure that stolen data cannot be used against them, and avoid ransom payments.

The Portal26 Plugin can be used to secure enterprise search platforms, Portal26 Vault can be used to secure all types of databases, Portal26 Proxy can be used to secure object stores and file shares, and the Portal26 API/Translation service can be used to program strong data security into applications from the ground up. Portal26 also offers a Studio to manage all Portal26 modules and for reporting.

Data Protection Solutions

The following is a list of Portal26’s offerings:

Portal26 FileShare Security: Portal26 provides always-on encryption for file servers and other file-sharing platforms. Portal26 ensures that all files are always secured with NIST FIPS 140-2 validated strong encryption and unencrypted data is not available directly from the file share regardless of privilege. Since data is encrypted before it lands, ransomware actors cannot access unencrypted data even if they are inside the firewall and moving laterally without restriction. The data release is strongly governed via policy, can be released in a number of private formats, can be rate limited, and can be plugged into other access controls as required.

Portal26 Object Store Proxy: Portal26 Proxy provides transparent application-level NIST FIPS 140-2 validated encryption for cloud object stores. Whereas native cloud platform encryption secures data from compromise at the cloud provider, encrypting with Portal26 ensures ransomware protection and complete data security if the enterprise itself is the victim of an attack. Portal26 supports privacy-enabled data release in nine secure and private formats as well as full-featured searches on encrypted data. The Portal26 Proxy bolts onto non-extensible legacy or fragile systems and transparently directs sensitive data in and out according to security or privacy policy. Portal26 Proxy is available for both AWS and Azure environments.

Portal26 Vault: Portal26 Vault is a stand-alone data vault that can store and analyze structured and unstructured data, all while retaining strong NIST FIPS 140-2 encryption without decrypting data at any time, including in memory or under the hood. With backup in place and strong encryption-in-use, Portal26 Vault is immune to cyberattacks, including ransomware. The Portal26 Vault also wins against traditional data tokenization solutions by providing all the capabilities of tokenization with the added benefit of rich data usability. If used for data tokenization, the Portal26 Vault can secure any type of existing data store or application and build ground-up systems natively immune to data compromise. Data can be released from the Vault in nine different privacy-preserving formats to protect downstream systems from ransomware attacks and insider threats.

Portal26 Plugin: Portal26 Plugin protects sensitive data inside major enterprise search platforms without limiting full-featured search capabilities or degrading search performance. Portal26 Plugin is available for all versions of Elasticsearch, OpenDistro, and OpenSearch on AWS/Azure. The Portal26 Plugin can be running on enormous big-data clusters within hours. Data inside Portal26-protected platforms cannot be exfiltrated in clear text, even if the cluster is compromised during a ransomware attack or insider attack, or is left exposed by accident.

Portal26 API/Translation service: Portal26’s API service can stand alone or integrate with any of the other Portal26 products to yield a high-performing data translation service. The Portal26 Translation Service can be used independently to make existing applications resistant to ransomware and other data-related cyberattacks. It can also ensure that protected data leaving other Portal26 products can be easily translated into clear text or other private formats by downstream applications. Across the nine secure and private formats (including searchable encryption) and the supported data types, including keywords, text, numbers, dates, IP addresses, binary and PII-specific data types, the Portal26 API enables other Portal26-protected systems to be completely locked down, aligned with the Zero Trust data security standard.

Portal26 Studio: Finally, the Studio provides an interface for managing other Portal26 products. It provides dashboards, reports, and granular compliance certifications in the event of a successful attack. Uniquely, the Portal26 Studio gives CISOs critical post-attack documentation as they can use Portal26 Studio reports as auditable evidence that their data retained encryption throughout the attack.

To get a demo of Portal26’s data exfiltration prevention capabilities, schedule a demo today!
