Prevent Data Exfiltration with Network Traffic Analytics


When it comes to company data, you need to protect it at all costs. But it is hard to defend what you can’t see.

This blog post will explore techniques threat actors commonly use to illegally copy an organization’s data, and how your team can eliminate blind spots to detect and stop data exfiltration.

What is Data Exfiltration?

Data exfiltration is the loss of data due to unauthorized copying, transfer or retrieval of data from a computer or server. Data loss can occur unintentionally through user error, or when a threat actor intentionally steals data for malicious purposes.

Data loss remains a growing threat for organizations of any size. In 2019, there were more than 3,800 reported data breaches, with 52 percent more records exposed than in 2018.[1] And the outlook appears bleak for the remainder of 2020. There have already been a number of high-profile breaches in the first half of 2020 and the estimated cost of a data breach in 2020 is over $150 million.[2]

Common Data Exfiltration Techniques

Once threat actors have successfully penetrated an organization’s network and established persistent control, they use a variety of techniques to remain undetected while they exfiltrate data. So, why is it challenging to detect data exfiltration? To start, it is difficult for teams to detect data that is transferred in or out of their organization’s network because it can often look like normal network traffic. In these cases, the data loss can occur over periods of time until threat actors have fully completed the exfiltration without ever being detected in the network. For this reason, early detection is critical to preventing threat actors from exfiltrating valuable data.

To successfully exfiltrate data, threat actors will typically use a predetermined protocol to transmit data over the internet or a network. Below are examples of how these protocols are used for data theft.

File Transfer Protocol Exfiltration

File transfer protocol (FTP) is a network protocol used for transferring files between a client and a server on a computer network. Because FTP is a plain text protocol, most network monitoring solutions should be able to detect sensitive data attributes if they are being exfiltrated. However, it becomes more difficult to detect when threat actors encrypt the data before transferring it over the network. For this reason, encrypted data could be an indicator of suspicious activity. Security teams should monitor encrypted data being transferred over a typically unencrypted channel, and if encryption is detected, teams should block the transfer and investigate further. Unfortunately, this method can cause security analysts to spend precious time searching through an endless amount of network traffic only to lead them to a false positive.

Hypertext Transfer Protocol Exfiltration

The Hypertext Transfer Protocol (HTTP) is another protocol used for transmitting data between a client and a server. Because HTTP is common in most networks, threat actors will leverage the protocol to mimic normal traffic and steal data while remaining undetected. This technique can be challenging to detect because exfiltrated data can easily blend in with the high volume of HTTP traffic going through most organizations’ networks.

Threat actors typically send data to a server by submitting POST requests. Using this method, threat actors can send large data files all at once or split them across several POST requests, blending in with normal network traffic.

If security teams observe POST requests to unknown servers, it may be an indicator that data is being sent to a suspicious location. This strategy can also lead to false positives that make the task tedious for teams. Another option is to whitelist the domain names and IP addresses that are known to your organization and require extra permissions for users to access new websites.
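The two HTTP indicators described above, a POST to a host outside the organization's whitelist and a series of POSTs that together move a large volume to one unknown host, as an added detection example that is not part of the original post. The proxy log format, the allowlist and the thresholds are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed proxy log sample, one request per line:
# "<src_host> <method> <dst_host> <bytes_out>". All values are invented for this example.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET www.example.com 420
10.0.0.5 POST www.example.com 1800
10.0.0.7 POST upload.example.org 1048576
10.0.0.7 POST upload.example.org 1048576
10.0.0.7 POST upload.example.org 1048576
10.0.0.7 POST upload.example.org 524288
10.0.0.9 GET cdn.example.com 96000
"""

# Assumed organization allowlist of destinations users may send data to.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
POST_BYTES_THRESHOLD = 2 * 1024 * 1024   # total POST bytes per (src, dst) that warrants review
POST_COUNT_THRESHOLD = 3                 # POSTs to one unknown host that warrants review


def analyze_proxy_log(log_text):
    """Return findings as (indicator, src_host, dst_host, detail) tuples."""
    findings = []
    posts = defaultdict(lambda: [0, 0])  # (src, dst) -> [post count, total bytes]
    for line in log_text.splitlines():
        src, method, dst, size = line.split()
        if method != "POST":
            continue
        if dst not in ALLOWED_HOSTS:
            findings.append(("post_to_unknown_host", src, dst, f"{size} bytes"))
        agg = posts[(src, dst)]
        agg[0] += 1
        agg[1] += int(size)
    # Chunked exfiltration shows up as many POSTs, or a large total, to one unknown host.
    for (src, dst), (count, total) in posts.items():
        if dst in ALLOWED_HOSTS:
            continue  # volume to approved destinations is not flagged by this rule
        if count >= POST_COUNT_THRESHOLD or total >= POST_BYTES_THRESHOLD:
            findings.append(("chunked_or_bulk_post", src, dst, f"{count} POSTs, {total} bytes"))
    return findings
```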

Domain Name System Exfiltration

The Domain Name System (DNS) protocol maps domain names to numerical IP addresses to direct internet traffic to the correct location. DNS tunneling is a method threat actors use to encode and steal the data they are after. The technique involves transmitting data to a server by disguising it in the subdomain of DNS queries.

Teams can detect DNS tunneling by looking for unusual DNS record types, or unusual characters or hostnames. A sudden spike in DNS queries to the same domain with unique subdomains, all coming from the same host, can also indicate a compromised host.
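The three DNS tunneling indicators just listed (uncommon record types, labels that look like encoded data, and one host querying many unique subdomains of one domain), as an added detection example that is not part of the original post. The log format, the sample queries, the rare-type set and the thresholds are assumptions constructed for this example; a production rule would also consult the public suffix list when deciding what the registered domain is.

```python
import math
from collections import defaultdict

# Constructed DNS query log, one query per line: "<src_host> <qtype> <qname>".
# The sample and the thresholds below are assumptions made for this example.
SAMPLE_DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 4a7f9c2e1b.tunnel.example.net
10.0.0.7 TXT 9d1e3c8a2f.tunnel.example.net
10.0.0.7 TXT c03b7e5f1a.tunnel.example.net
10.0.0.7 TXT 7b2d9e4c0f.tunnel.example.net
10.0.0.7 TXT 1f6a8c3d9b.tunnel.example.net
10.0.0.9 A cdn.example.org
"""

RARE_QTYPES = {"TXT", "NULL"}  # record types clients rarely query; often abused by tunnels
ENTROPY_THRESHOLD = 3.0        # bits per character; encoded data scores higher than words
SPIKE_THRESHOLD = 5            # unique subdomains per (host, domain) before it counts as a spike


def shannon_entropy(text):
    """Shannon entropy of a label in bits per character."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain labels, registered domain); assumes a two-label registered domain."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def analyze_dns_log(log_text):
    """Return a list of (indicator, src_host, detail) findings."""
    findings = []
    seen = defaultdict(set)  # (src_host, registered domain) -> unique subdomains queried
    for line in log_text.splitlines():
        src, qtype, qname = line.split()
        sub_labels, domain = split_name(qname)
        if qtype in RARE_QTYPES:
            findings.append(("rare_qtype", src, f"{qtype} {qname}"))
        if sub_labels:
            ent = max(shannon_entropy(label) for label in sub_labels)
            if ent >= ENTROPY_THRESHOLD:
                findings.append(("high_entropy_label", src, f"{qname} ({ent:.2f} bits)"))
            seen[(src, domain)].add(".".join(sub_labels))
    for (src, domain), subs in seen.items():
        if len(subs) >= SPIKE_THRESHOLD:
            findings.append(("subdomain_spike", src, f"{len(subs)} unique subdomains of {domain}"))
    return findings
```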

Early Detection with Network Traffic Analytics (NTA)

The reality for most security teams is that their current security tools do not adequately pick up on early signs of data exfiltration, making it nearly impossible to stop threat actors from compromising their networks. The advancement and spread of networks today present a challenge for organizations using traditional perimeter security tools.

Security teams face a sea of different network devices and traffic that make it almost impossible to spot activity that points to data exfiltration. The best way for teams to stop data exfiltration is knowing what is going on in a network at all times, and network traffic analytics (NTA) can help teams do just that. According to ESG research, 43 percent of organizations say NTA is a first line of defense for detecting and responding to threats.[1]

NTA solutions can detect infected devices, track account activity, and locate data that appears to be prepped for exfiltration. An ideal NTA solution will use a combination of the following to help detect malicious actors on a network:

Machine Learning to Detect Abnormal Activity

By recording network baseline data over time and applying advanced machine learning models, network traffic analytics can detect even the smallest deviation from expected behavior.

Behavioral Analytics to Find New Threats

NTA solutions create a behavioral baseline for devices and applications on a network and compare new observations against those baselines to provide information about threats that have never been seen on your network.

Securely Decrypt Traffic to Obtain More Context

Earlier, we described how encrypted traffic can be a sign of suspicious activity, but can often produce false positives that can be frustrating for security teams. NTA solutions make it realistic for teams to detect and investigate encrypted traffic by decrypting it for analysis without compromising the privacy of the data’s owner.

LogRhythm NetworkXDR for Better Detection and Response

Many network forensics solutions require security staff with advanced knowledge of network analytics to properly use the solution and involve manual responses that most teams don’t have the resources to handle.

Teams need a solution that incorporates automation and integrated workflows to quickly identify and respond to network-borne threats.

LogRhythm NetworkXDR goes beyond network traffic analysis with an integrated set of capabilities and workflows for detecting, qualifying, investigating, and responding to advanced threats hidden in network traffic data. LogRhythm NetworkXDR can help detect unknown network-borne threats like data exfiltration and help teams remediate and contain an issue quickly with automated response features.

Early detection is the best way to prevent data theft. With the right solution in place, security teams can gain visibility into their organization’s network traffic and take quick and appropriate action against threat actors targeting valuable data.

Learn more about LogRhythm NetworkXDR and other network security use cases in “Network Detection and Response: Making the Impossible, Possible.”

[1] Network Traffic Analytics (NTA): A Cybersecurity ‘Quick Win’, Enterprise Strategy Group, Feb. 2020

[1] Data Breach Expose 4.1 Billion Records in First Six Months of 2019, Forbes, April 2019

[2] 81 Eye-Opening Data Breach Statistics for 2020, PhoenixNAP, January 2020